What’s new in Active Directory 2012

More than a month after the official release of Windows Server 2012, I wanted to give an overview of the question you will hear most often in the coming years: “What’s new in AD 2012?”

Recycle Bin GUI : you remember this big improvement in AD 2008 R2? That was great! The only problem was that you had to activate it with a PowerShell command and use Ldp.exe to actually restore anything! WHY?
Years later Microsoft finally built a GUI!

To activate it, go to the AD Administrative Center and:

[Screenshot: Enable Recycle Bin]

Try it: create a user, delete it, switch to the “Tree view”, go to Deleted Objects and see what’s in there!

[Screenshot: Restore AD object]


Fine Grained Password Policy GUI : Another Windows 2008 R2 “revolution”! But once again it ended up with low adoption because you had to use a “not so familiar tool” called ADSI Edit!

So now, still in the AD Administrative Center, select the tree view, go under System / Password Settings Container, right click and create a new Password Settings object:

[Screenshot: Password policy 1]

Complete all required fields and, if needed, apply it directly to groups or users!

[Screenshot: Password policy 2]

Easy !

Dynamic access control : This brand new feature allows you to create access rules based on user and/or device claims.
For example: allow access to the shared folder named “Finance” only to people whose Department field in AD is set to Finance.
I’ll write an article on this!

But basically it is all done here:

[Screenshot: Dynamic Access Control 1]


Windows PowerShell History Viewer : This great feature shows you which PowerShell command is generated when you do an action in the GUI.
Basically it can really help you learn the cmdlets and build your own scripts.
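As an added example (not from the original post), here is roughly what the History Viewer would show for the two GUI procedures above, enabling the Recycle Bin and creating a fine-grained password policy, with a check at the end of which policy really applies. The forest name is read from AD; the group “Finance-Admins”, the user “jdoe” and the policy name are assumed placeholders.

```powershell
# Added example: PowerShell equivalent of the Recycle Bin and FGPP GUI steps.
# Assumed names: group "Finance-Admins", user "jdoe", PSO "PSO-FinanceAdmins".
Import-Module ActiveDirectory

# 1. Enable the Recycle Bin. This is forest-wide and cannot be turned off again;
#    it needs Enterprise Admins and forest functional level 2008 R2 or higher.
$forest = (Get-ADForest).Name
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false

# Check: the forest should now be listed under EnabledScopes
(Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes

# 2. Find a deleted user (tombstoned names look like "jdoe\0ADEL:<guid>")
#    and restore it to its original container with its SID and group memberships.
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and name -like "jdoe*"' `
    -IncludeDeletedObjects | Restore-ADObject

# 3. Create a fine-grained password policy for a privileged group.
#    Lower Precedence wins when a user is covered by several PSOs.
New-ADFineGrainedPasswordPolicy -Name 'PSO-FinanceAdmins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false

# Apply it (PSOs can only target users and global security groups, not OUs)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-FinanceAdmins' -Subjects 'Finance-Admins'

# 4. Verify which policy is actually effective for a member of that group
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

If step 4 returns nothing, the user is not covered by any PSO and the domain Default Domain Policy settings apply instead.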

[Screenshot: Dynamic Access Control 2]


Windows PowerShell Cmdlets for Active Directory Replication and Topology : this is a new set of cmdlets; the full list is here :

Active Directory-Based Activation (ADBA) : This replaces the KMS server. All computers with a GVLK licence are automatically activated when they join the domain. This role is domain-based and therefore hosted by every domain controller. But it only works with Windows 8 and Windows 2012.

Flexible Authentication Secure Tunneling (FAST) : also named Kerberos Armoring and defined in RFC 6113. It provides a protected channel between the client and the KDC.
This is required if you want to use claims within Dynamic Access Control.

More : http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/05/new-features-in-active-directory-domain-services-in-windows-server-2012-part-11-kerberos-armoring-fast.aspx

Virtualisation safe tech : Active Directory is now fully compatible with virtualisation (at least Hyper-V). It allows you to clone and copy a DC to deploy it easily and quickly. You can also now safely take snapshots of your domain controllers. The technology that allows these features is VM Generation ID. Of course it’s implemented in Hyper-V, and Microsoft also provided the API to VMware and Citrix.

Easy deployment : Microsoft simply killed ADPREP and Dcpromo! Everything is now integrated in a wizard. When you deploy a new Windows 2012 DC, it prepares the forest or domain automatically. Awesome!

Off-premises Domain join : Using DirectAccess, you can now join your computer to the domain over the internet.

Kerberos Constrained Delegation across domains : KCD permits interaction between multi-tier servers using a service account on behalf of users. It was previously limited to a single domain and is now extended across domains.

gMSAs – Group Managed Service Accounts : MSAs, introduced with Windows 2008 R2, allow admins to create service accounts whose password is reset automatically, like computer account passwords. In Windows 2012, gMSAs extend these accounts to clustered or load-balanced services.

Other technical changes :

Install From Media: defrag is still the default but no longer mandatory (the option has to be passed on the command line)
Dcpromo retry bug fixed
RID improvements (pool raised from 1 to 2 billion, event log warning on consumption)


Source :


