Digging into the Windows Servers 2012 R2 AD Schema Changes

After I download any new server OS release, the first place I go is to take a look at the AD schema. Conveniently, this doesn’t require me to install the OS (and I can even peruse it while I’m getting the OS set up). You can find the AD schema LDF files on each server ISO at:

\support\adprep\

I do something like this:

E:\support\adprep>copy sch57.ldf+sch58.ldf+sch59.ldf+sch60.ldf+sch61.ldf+sch62.ldf+sch63.ldf+sch64.ldf+sch65.ldf+sch66.ldf+sch67.ldf+sch68.ldf+sch69.ldf c:\ws12r2schema.ldf

And then I’ve got a single file with all the schema changes for a given release to browse.

I’m probably a schema geek for doing this, but I always find that I learn about new features and things that Microsoft (and no one else) hasn’t yet written about, before everyone else does. 😉

Each AD schema version number corresponds to a separate LDF file used to update the AD schema. Over the 6 server OS releases that shipped schema updates, they amounted to 56 files:

2000: 13
2003: 30
2003R2: 31
2008: 44
2008R2: 47
2012: 56
2012R2 (preview): 69

So this is one of the bigger jumps, which in the past has only happened with a major OS release, not an R2 release.

Of course, what’s really interesting is what is in each of those LDF files. A given file might have only a single schema change or it might have dozens.

OK, that’s enough babble about the background, now let’s jump into the new schema!

From a big picture perspective, almost all of the changes are to support the BYOD enhancements you may have heard Microsoft talk about at TechEd 2013. These include a device objectclass (msDS-Device) to support the workplace join functionality, as well as various other classes to support the infrastructure behind that workplace join functionality.

Here’s a redacted excerpt of the new msDS-Device class:

dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDS-Device
systemMustContain: 1.2.840.113556.1.4.2248
systemMustContain: 1.2.840.113556.1.4.2252
systemMustContain: 1.2.840.113556.1.2.13
systemMustContain: 1.2.840.113556.1.4.867
systemMayContain: 1.2.840.113556.1.4.2249
systemMayContain: 1.2.840.113556.1.4.2250
systemMayContain: 1.2.840.113556.1.4.2251
systemMayContain: 1.2.840.113556.1.4.2257
systemMayContain: 1.2.840.113556.1.4.2258
systemMayContain: 1.2.840.113556.1.4.2262
systemMayContain: 1.2.840.113556.1.4.2263
systemMayContain: 1.2.840.113556.1.4.2270
systemMayContain: 1.2.840.113556.1.4.2271
systemMayContain: 1.2.840.113556.1.4.2273

Pretty ugly, huh?

Well, that’s really just a set of required attributes and optional attributes, referenced by OID. Resolved to their ldapDisplayNames, these attributes are …

Required:
msDS-IsEnabled: This attribute is used to enable or disable the user-device.
msDS-DeviceID: This attribute stores the ID of the device.
displayName
altSecurityIdentities: Likely contains an X.509 certificate.

Optional:
msDS-DeviceOSType: This attribute is used to track the type of device based on the OS.
msDS-DeviceOSVersion: This attribute is used to track the OS version of the device.
msDS-DevicePhysicalIDs: This attribute is used to store identifiers of the physical device.
msDS-DeviceObjectVersion: This attribute is used to identify the schema version of the device.
msDS-RegisteredOwner: Single valued binary attribute containing the primary SID referencing the first user to register the device. The value is not removed during de-registration, but could be managed by an administrator.
msDS-ApproximateLastLogonTimeStamp: The approximate time a user last logged on from the device.
msDS-RegisteredUsers: Contains the list of users that have registered the device. Users in this list have all of the features provided by the “Company Portal” app. And they have SSO to company resources.
msDS-IsManaged: This attribute is used to indicate the device is managed by an on-premises MDM.
msDS-CloudIsManaged: This attribute is used to indicate the device is managed by a cloud MDM.
msDS-CloudAnchor: This attribute is used by the DirSync engine to indicate the object SOA and to maintain the relationship between the on-premises and cloud object.

There are lots of interesting details there, including the fact that multiple users can be registered for the same device. The last two attributes imply that you will be able to workplace join a device to either your on-premise AD or your Azure Active Directory, and that a future, unreleased version of Azure DirSync will sync devices between AD-DS and AAD. This would represent a change in the nature of the Azure DirSync product, which currently claims it doesn’t sync any objects back to on-premise and only writes back a handful of attributes when you enable Exchange hybrid. Note that you wouldn’t know this without looking at the schema closely.

Related to the BYOD enhancements, a lot of the changes provide a new authentication policy feature, which hasn’t gotten much, if any, demo time in TechEd sessions.

I find that class pretty interesting, so here’s a partially redacted excerpt of it with some further simplification to make it easier to read:

dn: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=X
adminDescription: An instance of this class defines authentication policy behaviors for assigned principals.
systemmaycontain: msDS-UserAllowedToAuthenticateTo
systemmaycontain: msDS-UserAllowedToAuthenticateFrom
systemmaycontain: msDS-UserTGTLifetime
systemmaycontain: msDS-ComputerAllowedToAuthenticateTo
systemmaycontain: msDS-ComputerTGTLifetime
systemmaycontain: msDS-ServiceAllowedToAuthenticateTo
systemmaycontain: msDS-ServiceAllowedToAuthenticateFrom
systemmaycontain: msDS-ServiceTGTLifetime
systemmaycontain: msDS-UserAuthNPolicyBL
systemmaycontain: msDS-ComputerAuthNPolicyBL
systemmaycontain: msDS-ServiceAuthNPolicyBL
systemmaycontain: msDS-AssignedAuthNPolicyBL
systemmaycontain: msDS-AuthNPolicyEnforced

Note that there appear to be multiple new authentication controls here, which personally make me very eager to discover the details.

One gem in those controls is that there appears to be support for *per-user* Kerberos ticket lifetimes. This would be useful for combatting pass-the-ticket Kerberos attacks (the Kerberos analogue of pass-the-hash): you could give sensitive accounts (think domain admins) a much shorter ticket lifetime than other accounts, so a stolen ticket stays usable for less time.

Other gems in the schema are 4 new extended rights supported by AD:

dn: CN=DS-Set-Owner,CN=Extended-Rights,CN=Configuration,DC=X
displayName: Set Owner of an object during creation.

dn: CN=DS-Bypass-Quota,CN=Extended-Rights,CN=Configuration,DC=X
displayName: Bypass the quota restrictions during creation.

dn: CN=DS-Read-Partition-Secrets,CN=Extended-Rights,CN=Configuration,DC=X
displayName: Read secret attributes of objects in a Partition

dn: CN=DS-Write-Partition-Secrets,CN=Extended-Rights,CN=Configuration,DC=X
displayName: Write secret attributes of objects in a Partition

I’m not sure what to make of these yet (I have a few thoughts), but they are intriguing.

One thing that is always worth noting carefully is when an existing class is modified. This is especially true when the user class, or the granddaddy of all the classes, top, is modified. And in this case, the top objectClass is modified:

dn: cn=Top,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemamodify
add: systemMayContain
systemMayContain: msds-memberTransitive
# This constructed attribute transitively expands the linked attribute “member”
systemMayContain: msds-memberOfTransitive
# This constructed attribute transitively expands the linked attribute “isMemberOfDL”
systemMayContain: msDS-parentdistname
# No help text, but probably the object’s parent DN
systemMayContain: msDS-ReplValueMetaDataExt
# No help text, your guess is as good as mine
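
Resolving those OIDs by hand, as I did for msDS-Device above, gets tedious, so here is an added Python example (mine, not Microsoft’s tooling) that parses LDF text in the adprep layout, maps attributeID OIDs to ldapDisplayNames, and reports both the must/may lists of new classes and the attributes that ntdsSchemaModify entries add to existing classes like top. The embedded sample is constructed from the excerpts above; point it at the concatenated c:\ws12r2schema.ldf by reading that file instead.

```python
from collections import defaultdict

# Constructed sample in the layout of the adprep schNN.ldf files (not Microsoft's text);
# the OIDs and names follow the post's msDS-Device and Top excerpts.
SAMPLE_LDF = """\
dn: CN=ms-DS-Is-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IsEnabled
attributeID: 1.2.840.113556.1.4.2248

dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-Device
systemMustContain: 1.2.840.113556.1.4.2248
systemMustContain: 1.2.840.113556.1.4.2252
systemMayContain: 1.2.840.113556.1.4.2250

dn: cn=Top,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemamodify
add: systemMayContain
systemMayContain: msds-memberTransitive
-
"""

def parse_ldf(text):
    """Split LDIF-style text into entries, each a dict of lower-cased key -> [values]."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():                             # a blank line ends the entry
            if cur:
                entries.append(cur)
            cur = defaultdict(list)
            continue
        if line.startswith("#") or line.strip() == "-":  # comment / modify separator
            continue
        key, _, val = line.partition(":")
        cur[key.strip().lower()].append(val.strip())
    return entries + ([cur] if cur else [])

def class_attributes(entries):
    """Resolve each new class's must/may OID lists to names; unknown OIDs stay as OIDs."""
    names = {e["attributeid"][0]: e["ldapdisplayname"][0]
             for e in entries if "attributeSchema" in e["objectclass"]}
    return {e["ldapdisplayname"][0]: {"must": [names.get(o, o) for o in e["systemmustcontain"]],
                                      "may": [names.get(o, o) for o in e["systemmaycontain"]]}
            for e in entries if "classSchema" in e["objectclass"]}

def modified_classes(entries):
    """Existing classes touched by ntdsSchemaModify, with the attributes added to them."""
    return {e["dn"][0].split(",")[0].split("=", 1)[1]: e["systemmaycontain"] + e["systemmustcontain"]
            for e in entries if "ntdsschemamodify" in (c.lower() for c in e["changetype"])}
```

An OID left unresolved in the output means the attribute was defined in an earlier schema version, so resolve it against a base-schema export or the earlier schNN.ldf files.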

I’m not sure what to make of these changes, but since the member attribute is a highly controlled attribute in my AD environment, I’m glad to know about this, so I can dig deeper to uncover what this is all about.

Well, that’s it for now. I’ll probably keep digging into the new schema to see if I can’t find any more gems like these, but even if I stop here, I have some great details to help guide my explorations of the WS2012R2 Preview and I know something about a future Azure DirSync release that most everyone else doesn’t yet know.

Azure and Microsoft cloud developments announced at TechEd 2013

Here’s a round-up of various new developments announced at TechEd 2013:

-Azure Active Authentication is being launched. This is the PhoneFactor acquisition re-branded and deployed as part of the Azure Active Directory ecosystem. See http://blog.phonefactor.com/2013/06/03/phonefactor-windows-azure-active-authentication/ for something about that. I believe you can deploy this today via the Azure Service portal (with some kind of subscription required), and Office 365 plans to roll it out in the next 3 months. O365 will require it for all “admin” accounts with a free license for them, and they are still working out the licensing details for other O365 users. I haven’t yet heard any plans to allow this service to be integrated with on-premise solutions, but it was a question at one of the sessions and the speaker noted they were thinking about that.

-Azure Authentication Library is being launched. This is a new library that allows you to easily integrate your on-premise or cloud based web application with Azure Active Directory. See http://www.cloudidentity.com/blog/2013/04/22/windows-azure-authentication-library-aal-for-windows-store-a-deep-dive/ for something about that. Note support for OAuth2.

-BYOD enhancements for AD-DS and Azure Active Directory (AAD). Later this year, AAD and WS2012R2 will provide a way for you to “workplace join” personally owned devices, from iOS to Android-based ones. On premise, a new component in ADFS facilitates this and issues a long-lived certificate to the device, which provides an SSO-like experience to the device user. There is good support for deprovisioning the device, with additional selective wipe capabilities dependent on various other Microsoft product integrations. One of those integration points is Microsoft InTune in concert with SCCM. InTune is a cloud-based device management service. We own InTune licenses, but don’t yet have any service leveraging it …

-Along with the BYOD enhancement, Microsoft is enabling per-SP multi-factor support in ADFS. Third-party providers can leverage a new multi-factor authentication (MFA) provider capability in ADFS to integrate their authentication methods. As an example of this, SafeNet has been working with Microsoft to provide one of these MFA providers using their hardware/software OTP, SMS, and GrIDSure options as strong authentication as a service via a cloud-based service. Whether cloud-based multi-factor services emerge might be something interesting to keep an eye on.

-I expect most folks saw that Microsoft slashed Azure VM rates 8 days ago to match Amazon EC2 rates, as well as announcing they won’t charge for stopped VMs and moving to a per-minute charge model. Microsoft had several sessions promoting the use of Azure VMs for pre-prod/product evaluation/development purposes, because you don’t sink costs into a physical on-premise box, and you only pay for the actual time you need the VM.

-Microsoft revealed a strategy to provide a consistent management interface for private cloud and Azure-based services. For those that missed it, back in January Microsoft released the Azure Services for Windows Server, so you can deploy private cloud capabilities on-premise just like Microsoft’s. Last week, this release was renamed the “Azure pack” and a number of enhancements were revealed that will come with Windows Server 2012 R2, planned for release this year. Among the various announcements are System Center capabilities that make it very easy to migrate VMs between on-premise HyperV and Azure, and enhancements to the HyperV Replica features that include using Azure as an HA failover for your on-premise HyperV VMs.

Lots more, but my memory is running dry. 😉

I expect that we’ll learn more details about these new capabilities in a couple weeks when Microsoft holds its annual conference for developers and the Windows 8.1, Windows Server 2012 R2, and System Center preview bits are likely to be released.


Windows Azure Active Directory (WAAD)

Over the past month, Microsoft has been more forthcoming about some of the massive investment they’ve been making in the form of their cloud-based Active Directory. I heard a bit about this a month ago at The Experts Conference from the Microsoft Identity GM Uday Hegde, most notably with a focus on the market trends that Microsoft is reacting to and anticipating with this. Here are a plethora of links to read more about what Microsoft is up to:


John Shewchuk’s blog post on Reimagining Active Directory for the Social Enterprise (part 1):

http://blogs.msdn.com/b/windowsazure/archive/2012/05/23/reimagining-active-directory-for-the-social-enterprise-part-1.aspx


Kim Cameron’s blog post on IDMaaS (Identity Management as a service):

http://www.identityblog.com/?p=1205


Mary Jo Foley and John Fontana’s Take:

http://www.zdnet.com/blog/microsoft/microsoft-finally-goes-public-with-windows-azure-active-directory-details/12795

http://www.zdnet.com/blog/identity/microsoft-unveils-ad-azure-strategy-id-management-reset/507

Windows Server 8 Features via AD Schema Analysis

So I finally got around to looking more closely at the Windows Server 8 bits given out at Build. One of the first things I do when I look at a new MS server OS is look at the AD schema files. I’m sure that sounds pretty geeky and tedious to others, but I find that it gives me a really quick overview of most of the new features and some of the details associated with them, so I know what to look for (and what to hope for). Sometimes I find gems that I really like but which don’t make it into slide decks or announcements because they aren’t flashy enough or didn’t require much MS investment, and there are plenty of examples of that in this new set of schema files.

Of course, this OS is not even at beta level yet, so it’s hard to know what will be cut or added, but even so, it paints an interesting picture. And I figure this info is of broad interest, so here are my notes from perusing the new schema files:

  • *Lots* of stuff to support CBAC, including cross-forest
  • Stuff to support integrating KMS with AD (called KDS), especially storing various keys in AD, but also storing configuration settings. Details here may have implications on those of us who run KMS (especially if that KMS serves more than one forest).
  • Stuff to represent TPM as a new object type, link it to computer objects, and other new TPM functionality. Maybe a refactor of how they do AD-integrated BitLocker, or maybe this is only to support the new UEFI boot, which I heard they had to make some changes to support.
  • Stuff to support DNS zone signing, including storage of NSEC keys in AD, and storage of some DNS settings in AD. Haven’t heard of this yet.
  • Stuff to help with DC virtualization, including an attribute to support VM snapshot resumption detection and a controlAccessRight to allow a DC to clone itself.
  • An attribute to support ‘act on behalf of’ access checks. Might be only for CBAC, but maybe it’s to help with cross-forest Kerberos delegation. Unclear.
  • Stuff to support scan repository/secure print devices. Looks like it’s trying to make it easy for a vendor to design their product to join AD and store certs there to secure their device. Hadn’t heard of this yet.
  • An attribute (and backlink) to store whether a computer is a user’s (or group’s) primary computer. Haven’t heard of this yet. Nice gem. 🙂
  • A controlAccessRight for “validated write to MS DS additional DNS Host Name”. Not sure what this is yet.
  • Stuff to support managed password data for a group managed service account, including what looks like a custom access control mechanism.
  • New attributes to store geo coordinates in, including longitude, latitude, and altitude. Haven’t heard of this yet.

Enjoy!