What’s New in Windows Server 2012
AD DS in Windows Server 2012 lets you deploy replica virtual domain controllers by cloning existing virtual domain controllers. You promote a single virtual domain controller with the domain controller promotion interface in Server Manager, and then rapidly deploy additional virtual domain controllers within the same domain by cloning it.
Cloning involves creating a copy of an existing virtual domain controller, authorizing the source domain controller to be cloned in AD DS, and running Windows PowerShell cmdlets to create a configuration file that contains detailed promotion instructions (name, IP address, Domain Name System [DNS] servers, and so on). Alternatively, you can leave the configuration file empty, which lets the system fill in that information automatically.
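The three steps above, as an added example that is not part of the original page: authorize the source DC, check for clone-unsafe software, and write the promotion instructions. DC names, addresses and the site name are placeholders.

```powershell
# Added example (not from the page). Run on the source virtual DC itself:
# New-ADDCCloneConfigFile writes into this DC's NTDS folder, and the DC is
# then shut down and its VM copied before the clone is started.
Import-Module ActiveDirectory

$sourceDc  = 'DC01'   # placeholder: the virtual DC being cloned
$cloneName = 'DC02'   # placeholder: name the clone will take

# 1. Authorization: only members of this well-known group may be cloned.
#    This membership is the control, so review the group's members regularly.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members "$sourceDc$"

# 2. Anything installed on the DC that is not known to be clone-safe is listed
#    here and must be reviewed (removed, or added to CustomDCCloneAllowList.xml)
#    before the clone config file can be generated.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning 'Review these before cloning:'
    $excluded | Format-Table Name, Type -AutoSize
}

# 3. Detailed promotion instructions for the clone. Omit the -Static block to
#    leave networking to DHCP and let the system pick a name instead.
New-ADDCCloneConfigFile -CloneComputerName $cloneName `
    -Static -IPv4Address '10.0.0.22' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.21' `
    -SiteName 'Default-First-Site-Name'

# 4. Confirm the file is where the clone will look for it on first boot.
Get-Item (Join-Path $env:SystemRoot 'NTDS\DCCloneConfig.xml')
```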
Dynamic Access Control (DAC): In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed it. Dynamic Access Control lets you:
- Identify data by using automatic and manual classification of files. For example, you could tag data in file servers across the organization.
- Control access to files by applying safety-net policies that use central access policies. For example, you could define who can access health information within the organization.
- Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.
- Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.
The Dynamic Access Control feature set is based on infrastructure investments that can be used further by partners and line-of-business applications, and the features can provide great value for organizations that use Active Directory. This infrastructure includes:
- A new authorization and audit engine for Windows that can process conditional expressions and central policies.
- Kerberos authentication support for user claims and device claims.
- Improvements to the File Classification Infrastructure (FCI).
- RMS extensibility support so partners can provide solutions that encrypt non-Microsoft files.
Requirements:
- One or more Windows Server 2012 domain controllers
- Windows Server 2012 file server
- The claims policy enabled in the Default Domain Controllers Policy
- Windows Server 2012 Active Directory Administrative Center
- For device claims, compound ID must be enabled on the target service account, either through Group Policy or by editing the object directly
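The infrastructure and requirements above, wired together as an added example (not code from the page): the KDC policy, compound ID, a user claim, a resource property, and a central access rule and policy. Domain, server, claim and rule names are placeholders; the registry value is the one behind the KDC claims policy setting.

```powershell
# Added example (not from the page). Placeholders: FS01, Finance, rule/policy names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Requirement: claims and compound authentication on the KDCs. This registry
# value backs the KDC policy "KDC support for claims, compound authentication
# and Kerberos armoring" in the Default Domain Controllers Policy.
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1

# Requirement for device claims: compound ID on the file server's account.
Set-ADComputer -Identity 'FS01' -CompoundIdentitySupported $true

# Claim type: the user's department attribute, issued inside the Kerberos ticket.
# The explicit ID keeps the conditional ACE below readable.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -Enabled $true

# Classification: enable the built-in Department resource property so files can
# be tagged (by FCI or by hand) with the same values the claim carries.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true

# Central access rule: targets files tagged Finance and grants Read & Execute
# (0x1200a9) to Authenticated Users only when the user's Department claim
# matches the file's tag. OWNER RIGHTS, BA and SY keep full control.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OWNER RIGHTS)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department Any_of @RESOURCE.Department_MS))'
New-ADCentralAccessRule -Name 'Finance Documents Rule' `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Finance"})' `
    -CurrentAcl $acl
# Staging alternative: pass the ACL as -ProposedAcl instead. Access is then
# only audited (would-be denials are logged), not enforced, until promoted.

# Central access policy: the unit Group Policy pushes to the file servers.
New-ADCentralAccessPolicy -Name 'Finance Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Policy' -Members 'Finance Documents Rule'

# Checks: the policy and its rules exist in the directory, and a freshly
# logged-on user on a Windows 8 / 2012 client actually carries the claim.
Get-ADCentralAccessPolicy -Identity 'Finance Policy' -Properties Members
whoami.exe /claims
```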
Offline Domain Joining: The offline domain-join feature that was added to AD DS in Windows Server 2008 R2 effectively allows client computers to be joined to a domain without requiring network connectivity to a domain controller, but the client computer could not also be preconfigured for DirectAccess as part of the domain join.
Windows Server 2012 AD DS provides the following improvements:
- Extends offline domain join by allowing the blob to accommodate DirectAccess prerequisites, such as Group Policies
What does this mean?
- A computer can now be domain-joined over the Internet if the domain is DirectAccess enabled
- Getting the blob to the non-domain-joined machine is an offline process and the responsibility of the administrator
Requirements:
- Windows Server 2012 domain controllers
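The provisioning and consumption sides of the extended blob, as an added example rather than anything from the page. Domain, machine, Group Policy and certificate template names are placeholders.

```powershell
# Added example (not from the page). All names are placeholders.

# --- On a domain-joined admin workstation with rights to create the account.
# /policynames, /rootcacerts and /certtemplate put the DirectAccess
# prerequisites (client GPO, root CA certs, computer certificate template)
# into the blob alongside the machine account.
djoin.exe /provision /domain 'corp.example.com' /machine 'LAPTOP-0042' `
    /savefile 'C:\odj\LAPTOP-0042.txt' `
    /policynames 'DirectAccess Client Settings' `
    /rootcacerts /certtemplate 'DirectAccess Computer'

# The blob embeds the machine account password: it is a credential. Restrict it
# to the administrator transporting it, and delete it after use.
icacls.exe 'C:\odj\LAPTOP-0042.txt' /inheritance:r /grant:r "${env:USERNAME}:(R)"

# --- On the unjoined client, elevated; no connectivity to a DC is needed here.
djoin.exe /requestodj /loadfile 'C:\odj\LAPTOP-0042.txt' `
    /windowspath $env:SystemRoot /localos
Remove-Item 'C:\odj\LAPTOP-0042.txt'
# Restart. With the DirectAccess GPO and certificate already in place, the
# machine completes its first contact with the domain over the Internet.
```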
Windows PowerShell History Viewer: To minimize the learning investment, Windows Server 2012 includes the new Windows PowerShell History Viewer. The benefits include:
- Allows administrators to view the Windows PowerShell commands executed when using the Active Directory Administrative Center. For example:
  - The administrator adds a user to a group
  - The UI displays the equivalent Windows PowerShell for Active Directory command
  - The administrator copies the resulting syntax and integrates it into a script
- Reduces the Windows PowerShell learning curve
- Increases confidence in scripting
- Further enhances Windows PowerShell discoverability
Requirements:
- Windows Server 2012 Active Directory Administrative Center
AD Recycle Bin Interface: The Active Directory Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery. Scenarios that require object recovery by using the Active Directory Recycle Bin are typically high priority, such as recovery from accidental deletions that result in failed logons or work stoppages. But the absence of a rich graphical user interface complicated its usage and slowed recovery.
To address this challenge, Windows Server 2012 AD DS has a user interface for the Active Directory Recycle Bin that provides the following advantages:
- Simplifies object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center (ADAC)
- Deleted objects can now be recovered within the graphical user interface
- Reduces recovery time by providing a discoverable, consistent view of deleted objects
Requirements:
- Recycle Bin requirements must be met:
  - Windows Server 2008 R2 forest functional level
  - Recycle Bin optional feature must be enabled
- Windows Server 2012 Active Directory Administrative Center
- Objects requiring recovery must have been deleted within the Deleted Object Lifetime (DOL)
  - By default, DOL is set to 180 days
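The same recovery done from PowerShell, as an added example (not from the page): check the prerequisites above, read the DOL, list recoverable users, and restore one. The account name is a placeholder.

```powershell
# Added example (not from the page). 'jsmith' is a placeholder.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Prerequisite: the optional feature is enabled at forest scope. It needs the
# Windows Server 2008 R2 forest functional level and cannot be turned off again.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Prerequisite: the deletion happened within the Deleted Object Lifetime. The
# value lives on the Directory Service object; unset means the 180-day default.
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dolAttr = (Get-ADObject $dsPath -Properties msDS-DeletedObjectLifetime).'msDS-DeletedObjectLifetime'
$dol     = if ($dolAttr) { [int]$dolAttr } else { 180 }
$since   = (Get-Date).AddDays(-$dol)

# Recoverable user objects, newest deletion first. A deleted object's name
# carries a "\0ADEL:<guid>" suffix, so match it with a wildcard.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and whenChanged -ge $since } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending
$deleted | Format-Table Name, lastKnownParent, whenChanged -AutoSize

# Restore one account to its original container. If the parent OU was deleted
# as well, restore the OU first or pass -TargetPath to relocate the object.
$victim = $deleted | Where-Object { $_.Name -like 'jsmith*' } | Select-Object -First 1
if ($victim) { Restore-ADObject -Identity $victim.ObjectGUID -PassThru }
```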
Fine-Grained Password Policy User Interface
The Fine-Grained Password Policy (FGPP) introduced with Windows Server 2008 provided more precise management of password policies. To use the feature, administrators had to create password-settings objects (PSOs) by hand. It proved difficult to ensure that the manually defined policy values behaved as desired, which resulted in time-consuming trial-and-error administration.
In Windows Server 2012:
- Creating, editing and assigning PSOs is now managed through the Active Directory Administrative Center
- Greatly simplifies management of password-settings objects
Requirements:
- FGPP requirements must be met:
  - Windows Server 2008 domain functional level
- Windows Server 2012 Active Directory Administrative Center
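Creating and assigning a PSO from PowerShell and then verifying the resultant policy, the check that removes the trial and error described above. This is an added example, not the page's; policy, group and user names are placeholders.

```powershell
# Added example (not from the page). PSO, group and user names are placeholders.
Import-Module ActiveDirectory

# Requirement check: PSOs need the Windows Server 2008 domain functional level.
$mode = [int](Get-ADDomain).DomainMode
if ($mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw 'Domain functional level is below Windows Server 2008; FGPP is unavailable.'
}

$psoName = 'PSO-PrivilegedAccounts'

# Lower precedence wins when several PSOs apply to the same user.
# Durations are TimeSpans written as days.hours:minutes:seconds.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and global security groups only; membership in a
# domain-local or universal group does not pull the policy in.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins', 'Tier0-Admins'

# Ask AD which policy is actually resultant for a user rather than assuming.
# $null means no PSO applies and the Default Domain Policy is in effect.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'admin.jsmith'
if ($null -eq $effective) {
    Write-Warning 'No PSO applies to admin.jsmith; the Default Domain Policy is in effect.'
} elseif ($effective.Name -ne $psoName) {
    Write-Warning "Another PSO won on precedence: $($effective.Name) ($($effective.Precedence))"
} else {
    "$psoName is effective: min length $($effective.MinPasswordLength), max age $($effective.MaxPasswordAge.Days) days"
}
```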
Active Directory Replication and Topology Windows PowerShell cmdlets
Administrators have needed a variety of tools to manage Active Directory's site topology, such as:
- Active Directory Sites and Services
Using multiple tools results in an inconsistent experience that is difficult to automate.
Using Windows Server 2012 AD DS, administrators can:
- Manage replication and site-topology with Windows PowerShell
- Create and manage sites, site-links, site-link bridges, subnets and connections
- Replicate objects between domain controllers
- View replication metadata on object attributes
- View replication failures
- Take advantage of a consistent and easily scriptable experience
- Compatible and interoperable with other Windows PowerShell cmdlets
Requirements:
- Active Directory Web Service (also known as Active Directory Management Gateway for Windows Server 2003 or Windows Server 2008)
- Windows Server 2012 domain controller, or Windows Server 2012 with the Remote Server Administration Tools (RSAT) for AD DS and AD LDS installed
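The topology, replication-failure and metadata cmdlets from the list above in use, as an added example (not from the page). Site, subnet and DC names are placeholders; the metadata query shows the forensic use of replication metadata (which DC originated a change, and when).

```powershell
# Added example (not from the page). Site, subnet and DC names are placeholders.
Import-Module ActiveDirectory

# Topology as code: a branch site, its subnet and the site link back to HQ.
New-ADReplicationSite -Name 'Branch-Oslo'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch-Oslo'
New-ADReplicationSiteLink -Name 'HQ-Oslo' `
    -SitesIncluded 'Default-First-Site-Name', 'Branch-Oslo' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Health: every partner link in the forest that is currently failing.
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Where-Object { $_.FailureCount -gt 0 } |
    Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize

# Forensics: per-attribute metadata records the originating DC and time of the
# last write. For a linked attribute such as group membership, each member
# value has its own entry, so additions to a privileged group can be traced.
$group = Get-ADGroup 'Domain Admins'
Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
    -Server 'DC01' -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' } |
    Sort-Object LastOriginatingChangeTime -Descending |
    Format-Table AttributeValue, LastOriginatingChangeTime, `
        LastOriginatingChangeDirectoryServerIdentity, Version -AutoSize

# Push one object from DC01 to DC02 without waiting for the schedule, e.g. after
# an emergency change to the group.
Sync-ADObject -Object $group.DistinguishedName -Source 'DC01' -Destination 'DC02'
```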
Active Directory-based Activation (AD BA): In Windows Server 2012, Active Directory-based Activation provides the following improvements:
- Uses your existing Active Directory infrastructure to activate your clients
- No additional machines required
- No RPC requirement; uses LDAP exclusively
- Includes RODCs
- Beyond installation and service-specific requirements, no data is written back to the directory
- Activating the initial CSVLK (customer-specific volume license key) requires:
  - One-time contact with Microsoft Activation Services over the Internet (identical to retail activation)
  - The key entered using the volume activation server role or the command line
- Repeat the activation process for additional forests, up to 6 times by default
- Activation object maintained in the configuration partition
  - Represents proof of purchase
- Computers can be members of any domain in the forest
- All Windows 8 computers will automatically activate
- Only Windows 8 computers can leverage AD BA
- KMS and AD BA can coexist
- You still need KMS if you require down-level volume licensing
Requirements:
- Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers
Group Managed Service Accounts (gMSA)
Managed Service Accounts (MSAs) were introduced with Windows Server 2008 R2. Clustered or load-balanced services that needed to share a single security principal were unsupported. As a result, MSAs could not be used in many desirable scenarios.
Windows Server 2012 includes the following changes:
- Introduces a new security principal type known as a gMSA
- Services running on multiple hosts can run under the same gMSA account
- One or more Windows Server 2012 domain controllers required
- gMSAs can authenticate against domain controllers running any version of Windows Server
- Passwords are computed by the Group Key Distribution Service (GKDS) running on all Windows Server 2012 domain controllers
- Windows Server 2012 hosts using gMSAs obtain the password and password updates from GKDS
- Password retrieval is limited to authorized computers
- The password-change interval is defined at gMSA account creation (30 days by default)
- Like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools
Requirements:
- Windows Server 2012 Active Directory schema updated in forests containing gMSAs
- One or more Windows Server 2012 domain controllers to provide password computation and retrieval
- Only services running on Windows Server 2012 can use gMSAs
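Creating a gMSA with the controls listed above (retrieval limited to authorized computers, the change interval fixed at creation), installing it on a host and auditing who can retrieve it, as an added example rather than the page's own code. Account, group, host and SPN names are placeholders.

```powershell
# Added example (not from the page). Names and hosts are placeholders.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key that GKDS derives gMSA passwords from.
# -EffectiveImmediately still means a 10-hour wait in a real forest so that all
# DCs have replicated the key before any gMSA password is computed from it.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group may retrieve the password. Keep it to the hosts
# that run the service, and audit the membership like any privileged group.
New-ADGroup -Name 'svc-web-hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'svc-web-hosts' -Members 'WEB01$', 'WEB02$'
# Hosts must be restarted to pick up the new group in their own token.

# The change interval can only be set here, at creation time.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example.com' `
    -ServicePrincipalNames 'HTTP/app.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'svc-web-hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# On each host (elevated): install the account and confirm the host can fetch
# the password. $false means this host is not authorized or the KDS key is
# not yet usable; fix that before pointing SCM or an IIS app pool at
# CORP\svc-web$ (no password is entered; the host retrieves it).
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'

# Audit: every gMSA in the domain, its interval, and who may read its password.
Get-ADServiceAccount -Filter { objectClass -eq 'msDS-GroupManagedServiceAccount' } `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Select-Object Name, ManagedPasswordIntervalInDays,
        @{ n = 'AllowedRetrievers'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }
```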
What’s new in DHCP in Windows Server 2012 R2
In Windows Server 2012 R2, DHCP offers enhanced support in the following areas.
| Feature/functionality | New or improved | Description |
| --- | --- | --- |
| DNS registration enhancements | New | You can use DHCP policies to configure conditions based on the fully qualified domain name (FQDN) of DHCP clients, and to register workgroup computers using a guest DNS suffix. |
| DNS PTR registration options | New | You can enable DNS registration of address (A) and pointer (PTR) records, or enable registration of A records only. |
DHCP failover
This feature lets two DHCP servers serve IP addresses and option configuration to the same subnet or scope, providing continuous availability of DHCP service to clients. The two DHCP servers replicate lease information between them, allowing one server to assume responsibility for servicing clients for the entire subnet when the other server is unavailable. It is also possible to configure failover in a load-balancing configuration, with client requests distributed between the two servers in a failover relationship.
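The PTR registration option from the table and a load-balanced failover relationship as described above, configured with the DhcpServer module. This is an added example, not from the page; server names and the scope are placeholders.

```powershell
# Added example (not from the page). DHCP01, DHCP02 and the scope are placeholders.
Import-Module DhcpServer

$scope = '10.0.1.0'

# DNS registration for this scope: always update DNS on behalf of clients,
# but register A records only (no PTR), and clean up records on lease expiry.
Set-DhcpServerv4DnsSetting -ComputerName 'DHCP01' -ScopeId $scope `
    -DynamicUpdates Always -DisableDnsPtrRRUpdate $true -DeleteDnsRROnLeaseExpiry $true

# Failover: both servers serve the scope, 50/50 load balance, 1-hour MCLT, and
# automatic transition to partner-down after 60 minutes without contact.
# The shared secret authenticates failover messages; prompt for it rather than
# storing it in the script.
$secure = Read-Host -AsSecureString 'Failover shared secret'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

Add-DhcpServerv4Failover -ComputerName 'DHCP01' -PartnerServer 'DHCP02' `
    -Name 'DHCP01-DHCP02' -ScopeId $scope -LoadBalancePercent 50 `
    -MaxClientLeadTime ([TimeSpan]::FromHours(1)) `
    -AutoStateTransition $true -StateSwitchInterval ([TimeSpan]::FromMinutes(60)) `
    -SharedSecret $secret -Force

# Verify from both sides: the relationship exists and both servers report it.
Get-DhcpServerv4Failover -ComputerName 'DHCP01' -Name 'DHCP01-DHCP02' |
    Select-Object Name, PartnerServer, Mode, State, LoadBalancePercent, MaxClientLeadTime
Get-DhcpServerv4Failover -ComputerName 'DHCP02' |
    Select-Object Name, PartnerServer, State
```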
What’s new in DNS Server?
Enhanced support for DNSSEC includes changes to online signing for file-backed zones, and enhanced signing key management support:
- In Windows Server 2012 R2, the Key Master role is introduced for file-backed multi-master zones.
The Key Master is an authoritative DNS server that generates and manages signing keys for a zone that is protected with DNSSEC. The Key Master role was introduced in Windows Server 2012 for Active Directory-integrated zones.
DNSSEC is enhanced to isolate the key management process from primary DNS servers that are not the Key Master of a zone. The entire process of signing key generation, storage, rollover, retirement and deletion can be initiated only from the Key Master, while the other primary servers continue zone signing by accessing these keys.
DNSSEC key separation is accomplished by enabling generation and storage of keys on a cryptographic next-generation (CNG) compliant offline storage module.
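Key generation on the Key Master, zone signing, and moving the role, with the DnsServer module. This is an added example, not from the page; the zone and server names are placeholders, and the software KSP stands in for the CNG offline module the text mentions.

```powershell
# Added example (not from the page). Zone and server names are placeholders.
Import-Module DnsServer

$zone = 'corp.example.com'
$ksp  = 'Microsoft Software Key Storage Provider'   # replace with the CNG offline module's KSP

# Run on the Key Master: generate a KSK and a ZSK. Only this server may create,
# roll, retire or delete keys; other primaries read them for signing.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 2048 -KeyStorageProvider $ksp `
    -RolloverPeriod ([TimeSpan]::FromDays(755))
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 1024 -KeyStorageProvider $ksp `
    -RolloverPeriod ([TimeSpan]::FromDays(90))

# Sign the zone with the keys just created.
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# Checks: which server holds the Key Master role, and what keys the zone has.
Get-DnsServerDnsSecZoneSetting -ZoneName $zone |
    Select-Object ZoneName, IsKeyMasterServer, KeyMasterServer, KeyMasterStatus
Get-DnsServerSigningKey -ZoneName $zone |
    Format-Table KeyId, KeyType, CryptoAlgorithm, KeyLength, KeyStorageProvider -AutoSize

# Planned transfer of the role to another primary (the current Key Master must
# be reachable); use -SeizeRole only when it is permanently gone.
Reset-DnsServerZoneKeyMasterRole -ZoneName $zone -KeyMasterServer 'DNS02' -Force
```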
Dynamic DNS Forwarders
When you add more than one forwarder in the settings for a DNS server in Windows Server 2012 R2, the DNS service reorders the forwarders based on the response time of each server. The reordering and response-checking operations are enabled by default in Windows Server 2012 R2.
Shared virtual hard disk
Hyper-V in Windows Server 2012 R2 enables clustering virtual machines by using shared virtual hard disk (VHDX) files.
This feature is used to build a high availability infrastructure, and it is especially important for private cloud deployments and cloud-hosted environments that manage large workloads. Shared virtual hard disks enable multiple virtual machines to access the same virtual hard disk (VHDX) file, which provides shared storage for use by Windows Failover Clustering. The shared virtual hard disk files can be hosted on Cluster Shared Volumes (CSV) or on Server Message Block (SMB)-based Scale-Out File Server file shares.
This feature is new in Windows Server 2012 R2. It was not possible to cluster virtual machines by using a shared virtual hard disk in previous releases of Windows Server.
Resize virtual hard disk
Hyper-V storage has been updated to support resizing virtual hard disks while the virtual machine is running.
Resizing virtual hard disks while the virtual machine is running enables an administrator to perform configuration and maintenance operations on the virtual hard disks while the associated virtual machine is online or the virtual hard disk is in use.
Online virtual hard disk resizing is only available for VHDX files that are attached to a SCSI controller. The virtual hard disk size can be increased or decreased through the user interface while the virtual hard disk is in use.
Hyper-V live migration has been updated with the following capabilities.
Hyper-V live migration has been updated to allow the administrator to select the optimal performance options when moving virtual machines to a different server.
In larger scale deployments, such as private cloud deployments or cloud hosting providers, this update can reduce overhead on the network and CPU usage in addition to reducing the amount of time for a live migration. Hyper-V administrators can configure the appropriate live migration performance options based on their environment and requirements.
Cross-version live migrations
Hyper-V live migration has been updated to support migrating Hyper-V virtual machines in Windows Server 2012 to Hyper-V in Windows Server 2012 R2.
Upgrading to a new version of Windows Server no longer requires downtime to the virtual machines.
Hyper-V administrators can move Hyper-V virtual machines in Windows Server 2012 to Hyper-V in Windows Server 2012 R2. Moving a virtual machine to a down-level server running Hyper-V is not supported.
When moving a virtual machine, the specified destination server can now be a computer running Windows Server 2012 R2. This applies to a move that is initiated in Hyper-V Manager or when using the Move-VM Windows PowerShell cmdlet.
Failover Clustering and Hyper-V
Using Windows Failover Clustering with Hyper-V enables virtual network adapter protection and virtual machine storage protection.
Hyper-V has been enhanced to detect physical storage failures on storage devices that are not managed by Windows Failover Clustering (SMB 3.0 file shares). Storage failure detection can detect the failure of a virtual machine boot disk or any additional data disks associated with the virtual machine. If such an event occurs, Windows Failover Clustering ensures that the virtual machine is relocated and restarted on another node in the cluster. This eliminates situations where unmanaged storage failures would not be detected and where virtual machine resources may become unavailable.
Hyper-V and Windows Failover Clustering are enhanced to detect network connectivity issues for virtual machines. If the physical network assigned to the virtual machine suffers a failure (such as a faulty switch port or network adapter, or a disconnected network cable), the Windows Failover Cluster will move the virtual machine to another node in the cluster to restore network connectivity.
Hyper-V Replica adds the following new features in Windows Server 2012 R2:
- You can configure extended replication. In extended replication, your Replica server forwards information about changes that occur on the primary virtual machines to a third server (the extended Replica server). After a planned or unplanned failover from the primary server to the Replica server, the extended Replica server provides further business continuity protection. As with ordinary replication, you configure extended replication by using Hyper-V Manager, Windows PowerShell, or WMI.
- The frequency of replication, which previously was a fixed value, is now configurable. You can also access recovery points for 24 hours. Previous versions had access to recovery points for only 15 hours.
As part of Microsoft's continuing commitment to making Hyper-V the best all-around virtualization platform for hosting providers, there are now more built-in Linux Integration Services for newer distributions, and more Hyper-V features are supported for Linux virtual machines.
Automatic Virtual Machine Activation
Automatic Virtual Machine Activation (AVMA) lets you install virtual machines on a computer where Windows Server 2012 R2 is properly activated without having to manage product keys for each individual virtual machine, even in disconnected environments. AVMA binds the virtual machine activation to the licensed virtualization server and activates the virtual machine when it starts. AVMA also provides real-time reporting on usage, and historical data on the license state of the virtual machine. Reporting and tracking data is available on the virtualization server.
What's new in Group Policy
Windows Server 2012 R2 expands support for IPv6 in Group Policy. This expanded support encompasses printers, item-level targeting, and VPN networks.
In Windows Server 2012 R2, when Group Policy gets the latest version of a policy from the domain controller, it writes that policy to a local store. If Group Policy is running in synchronous mode the next time the computer reboots, it reads the most recently downloaded version of the policy from the local store instead of downloading it from the network. This reduces the time it takes to process the policy, so the boot time is shorter in synchronous mode. This is especially important if you have a high-latency connection to the domain controller, for example with DirectAccess or for computers that are off premises. This behavior is controlled by a new policy called Configure Group Policy Caching.
Remote Group Policy update
In Windows Server 2012, you can refresh Group Policy settings, including security settings that are set on a group of remote computers, by using the functionality that is added to the context menu for an organizational unit (OU) in the Group Policy Management Console (GPMC). This functionality schedules a task on all computers in a selected OU, which refreshes the computer and user Group Policy settings.
What’s new in WDS
ARM architecture support
WDS can now deploy images to ARM clients. ARM is a CPU architecture that is specially engineered for low-cost, low-power devices such as tablets, cell phones, GPS units, portable game consoles, network routers, and media players.
Note: PXE boot is not currently supported by the network drivers on ARM clients.
WDS infrastructure for custom deployments
New features offer the ability to control all aspects of the deployment process.
The improvements include a variety of configuration options that allow administrators to more tightly control the deployment payload (such as images and driver packages) that is sent to client computers. These improvements include the following:
- Install image filters, which are similar to the set of driver group filters.
- Support for boot and install image priority to influence the ordering of these images as they appear in Boot Manager and WDS client image selection menus.
- The Expected Deployment Results Wizard, which allows administrators to view deployment information such as the set of matching driver groups that would be sent to a prestaged device.
- Ability to control which clients are able to boot from the PXE server.
- Control over the boot parameters of PXE clients including boot program, prompt policy, and boot.wim instance.
- Ability to control the WIM and VHD images that are deployed to the client.
- More control over the drivers that are deployed to the client.
- Control over the unattend file(s) that are used to customize the setup experience for the client.
- Lower-level WDSUTIL commands that allow administrators to set custom metadata tags and values on deployment payload and prestaged devices that get matched to directly influence the deployment process.
WDSclient.exe is a new standalone client that can perform Dynamic Driver Provisioning (DDP) queries, direct VHD application, and metadata queries.
Standalone server mode
Standalone server mode removes the dependency on Active Directory.
Starting in Windows Server 2012, Windows Deployment Services can be installed in a Standalone server mode. This removes the dependency on Active Directory. You still require DHCP, DNS and sufficient permissions to install and configure Windows Deployment Services. In this scenario, a local store is used to retain information about pre-staged devices.
Trivial File Transfer Protocol
Trivial File Transfer Protocol (TFTP) enhancements result in improved performance.
You use the Windows Deployment Services Trivial File Transfer Protocol (TFTP) server to download the files that are needed to do a network boot using the Pre-Boot Execution Environment (PXE). PXE technology is a standard created by Intel that establishes a common and consistent set of pre-boot services within the boot firmware. The end goal is to enable a client to do a network boot and receive a network boot program (NBP) from a network boot server.
What’s new in RDS:
In Windows Server 2012 R2, Session Shadowing enables you to remotely monitor or control an active session of another user on a Remote Desktop Session Host (RD Session Host) server. The current version includes integration with Server Manager and Remote Desktop Connection (mstsc.exe).
Quick reconnect for remote desktop clients
In Windows Server 2012 R2, Quick Reconnect improves connection performance, enabling users to reconnect to their existing virtual desktops, RemoteApp programs, and session-based desktops more quickly. The connection process for RemoteApp programs has been redesigned for Windows 8.1 and Windows Server 2012 R2 clients to be more informative and user friendly.
Virtual Desktop Infrastructure (VDI) deployment
Remote Desktop Services introduced a VDI deployment in Windows Server 2008 R2. In Windows Server 2012, Remote Desktop Services includes new ways to efficiently configure and manage your virtual desktops. Some of the enhancements include:
- Unified central experience: Deploy VDI quickly, and then manage your pooled and personal virtual desktop deployments through a new unified central experience.
- Automated and simple single-image management: Take advantage of automated ways to deploy and manage pooled virtual desktops with a virtual desktop template.
- User personalization: Preserve user personalization settings for pooled virtual desktop deployments by using user profile disks.
- Less expensive storage: Use inexpensive local storage with live migration functionality between host computers for pooled virtual desktops. Personal virtual desktops can use the less expensive SMB central storage.
Centralized Resource Publishing
Remote Desktop Services in Windows Server 2012 enables you to publish and manage resources, such as RemoteApp programs, session-based desktops, and virtual desktops, from a centralized console. Using this new publishing feature, you can get a historical view of resources assigned to end users, change published resources for any given collection, and edit properties of published resources.
In addition to the centralized console, you can now configure a RemoteApp and Desktop Connection URL by using Group Policy, and then give users access to the URL automatically through an email address.
What’s new in RAS
Multi-tenant site-to-site VPN Gateway
With Windows Server 2012 R2, hosts can deploy multi-tenant site-to-site (S2S) gateways to provide cross-premises connectivity from networks at the tenant sites to virtual networks that are dedicated per tenant in the host's network. The virtual network of the tenant can be built on top of Hyper-V Network Virtualization or VLANs at the hoster. A single gateway instance is capable of serving multiple tenants with overlapping IP address spaces, maximizing efficiency for the host compared to deploying a separate gateway instance per tenant. The Routing and Remote Access (RRAS) gateway is a software-only solution that can be deployed in multiple instances of multi-tenant RRAS servers to balance the load.
Multi-tenant Remote Access VPN Gateway
With Windows Server 2012, hosts can allow transparent VPN access to virtual machines that are replicated in the cloud even after a failure when the entire site of the tenant goes down. Windows Server 2012 reduces the CAPEX and OPEX for hosts with a single RRAS gateway that can service multiple tenants with overlapping IP address spaces. The RRAS gateway is a software-only solution that can be deployed in multiple instances of multi-tenant RRAS servers to balance the load.
In Windows Server 2012, Border Gateway Protocol (BGP) enables dynamic distribution and learning of routes by using site-to-site (S2S) RRAS interfaces. This feature enables hosts (primarily infrastructure-as-a-service (IaaS) providers) to deploy BGP on a multi-tenant RRAS S2S gateway, so that the gateway can learn which packets need to be routed to the Internet, to tenant premises, or to the tenant virtual network at the host, and then route them accordingly. An RRAS gateway with BGP enabled can also be deployed by enterprises at their premises edge to distribute internal routes to other edge gateways (of the same enterprise in physical or virtual networks) over secure tunnels.
Web Application Proxy is a new Remote Access role service in Windows Server 2012 R2. Web Application Proxy provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network.
SSL VPN plug-in from non-Microsoft vendors
Windows 8.1 for x86 and amd64 (and ARM in Windows RT 8.1) supports the SSL VPN plug-in from the following non-Microsoft VPN vendors:
- Dell SonicWall, Inc.
- Juniper Networks, Inc.
- F5 Networks, Inc.
- Check Point Software Technologies, Ltd.
Site-to-site IKEv2 IPsec tunnel mode VPN
Cross-premises connectivity is a feature in Windows Server 2012 R2 and Windows Server 2012 that provides the network connectivity to enable service hosting providers to migrate their applications and infrastructure to the cloud. This feature includes a site-to-site Internet Key Exchange version 2 (IKEv2) tunnel-mode VPN connectivity solution and management interface. Windows Server 2008 R2 introduced IKEv2 support in RRAS for VPN connections. An IKEv2 VPN provides resilience to the VPN client when the client moves from one network to another or when it switches from a wireless to a wired connection. The use of IKEv2 and IPsec allows support for strong authentication and encryption methods. RRAS in Windows Server 2012 R2 and Windows Server 2012 provides added feature enhancements to enable IKEv2 for site-to-site VPN connections.
Windows PowerShell 5.0
Windows PowerShell 5.0 has hundreds of new cmdlets that help IT administrators perform tasks more quickly.