Dynamic Access Control in Windows 2012, enhances the authorization model introducing features below which were not part of ACEs
Windows Server 2012 AD DS addresses these challenges by introducing:
- A new claims-based authorization platform that enhances, not replaces, the existing model, which includes:
- User-claims and device-claims
- User + device claims (also known as compound identity)
- New central access policies (CAP) model
- Use of file-classification information in authorization decisions
- Easier access-denied remediation experience
- Access policies and audit policies can be defined flexibly and simply:
- IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor
- One or more Windows Server 2012 domain controllers
- Windows Server 2012 file server
- Enable the claims-policy in the Default Domain Controllers Policy
- Windows Server 2012 Active Directory Administrative Center
- For device-claims, compound ID must be switched on at the target service account by using Group Policy or editing the object directly
For more information about Dynamic Access Control see the Dynamic Access Control section of the technical library.
source – https://technet.microsoft.com/library/hh831477.aspx#BKMK_adfs_win8
Improvements and new features are broadly classified into four major categories:
4VDuMP (Mnemonic 2 remember)- Virtualisation, DeploymentUpgradation,Management,addsPlatformchanges
- Virtualization – greater support for the capabilities of public and private clouds through virtualization-safe technologies and the rapid deployment of virtual domain controllers through cloning.
- Simplified deployment and upgrade preparation – dcpromo and adprep have been replaced with a new streamlined domain controller promotion wizard that is integrated with Server Manager and built on Windows PowerShell. It validates prerequisites, automates forest and domain preparation, requires only a single set of logon credentials, and it can remotely install AD DS on a target server.
- Simplified management – Dac,Daodj, adfs, ADBA,gMSA,
- Dynamic Access Control
- DirectAccess Offline Domain Join
- Active Directory Federation Services (AD FS)
- Windows PowerShell History Viewer
- Active Directory Recycle Bin User Interface
- Fine-Grained Password Policy User Interface
- Active Directory Replication and Topology Windows PowerShell cmdlets
- Active Directory Based Activation (AD BA)
- Group Managed Service Accounts (gMSA)
- AD DS Platform Changes –
- AD DS Claims in AD FS
- Relative ID (RID) Improvements
- Deferred Index Creation
- Kerberos Enhancements
Answer – 7
Resources Number of IPs
Private Network,i,e Heart Beat (one per node) 2
Public Network (one per node) 2
MSDTC (if involved) 1
Windows Cluster Name 1
SQL Server Cluster Name (FCI) 2
- Storage (if iSCSI targets are used, Not required with HBA – 1 IP per node
- In case for installing a Multi-instance Failover Cluster, then it should have additional SQL Server Cluster names and IP addresses.
More info @ – https://social.msdn.microsoft.com/Forums/sqlserver/en-US/19c144cb-d1c3-4789-bbe4-da899478384f/how-many-ips-are-required-for-sql-server-2008-r2-cluster-installation-on-windows-cluster-2008r2?forum=sqldisasterrecovery
- Cluster OS Rolling Upgrade: Enables you to upgrade your server clusters from Windows Server 2012 R2 to Windows Server 2016 while continuing to provide service to your users
- Nano Server
- Containers – existed almost entirely in the Linux/UNIX open-source world. They allow you to isolate applications and services in an agile, easy-to-administer way. Windows Server 2016 offers two different types of “containerized” Windows Server instances: Windows Server Container and Hyper-V Containers (Detail in notes)
- Linux Secure Boot – can now deploy Linux VMs under Windows Server 2016 Hyper-V with no trouble without having to disable the otherwise stellar Secure Boot feature
- ReFS – is stable and intended as a high-performance, high-resiliency file system intended for use with Storage Spaces Direct (discussed next in this article) and Hyper-V workloads.
- Storage Spaces Direct – to create redundant and flexible disk storage. allow failover cluster nodes to use their local storage inside this cluster, avoiding the previous necessity of a shared storage fabric.
- ADFS v4 – support for OpenID Connect-based authentication, multi-factor authentication (MFA), and what Microsoft calls “hybrid conditional access
- Nested Virtualization support – capability of a virtual machine to itself host virtual machines
- Hyper-V Hot-Add Virtual Hardware – adjust the allocated RAM, add vNIC
- PowerShell Direct – PS remoting commands now have -VM* parameters that allows us to send PowerShell directly into the Hyper-V host’s VMs!
- Shielded VMs – The new Host Guardian Service server role, which hosts the shielded VM feature allows much deeper, fine-grained control over Hyper-V VM access.
- remotely administered server operating system optimized for private clouds and datacenters
- Similar to Windows Server in Server Core mode, but significantly smaller, has no local logon capability
- only supports 64-bit applications, tools, and agents.
Nano Server is ideal for a number of scenarios:
- As a “compute” host for Hyper-V virtual machines, either in clusters or not
- As a storage host for Scale-Out File Server.
- As a DNS server
- As a web server running Internet Information Services (IIS)
- As a host for applications that are developed using cloud application patterns and run in a container or virtual machine guest operating system
Windows Server Container. This container type is intended for low-trust workloads where you don’t mind that container instances running on the same server may share some common resources
Hyper-V Container. This isn’t a Hyper-V host or VM. Instead, its a “super isolated” containerized Windows Server instance that is completely isolated from other containers and potentially from the host server. Hyper-V containers are appropriate for high-trust workloads
Functional Level – determine the available Active Directory Domain Services (AD DS) domain or forest capabilities.
- determine which Windows Server operating systems you can run on domain controllers in the domain or forest.
- cannot set the domain functional level to a value that is lower than the forest functional level.
- can set the domain functional level to a value that is higher than the forest functional level.
A file system is the overall structure in which files are named, stored, and organized. Windows Server 2003 uses the following types of file systems:
1) FAT is a table that the operating system uses to locate files on a disk. Due to fragmentation, a file may be divided into many sections that are scattered around the disk, and FAT keeps track of these pieces.
2) FAT32 is a derivative of the FAT file system. FAT32 supports smaller cluster sizes and larger volumes than FAT, which results in more efficient space allocation on FAT32 volumes.
3) NTFS is an advanced file system that provides performance, security, reliability, and advanced features that are not found in any version of FAT. If a system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system.
There are more Files Systems as below:
- ReFS – Resilient File System (ReFS), codenamed “Protogon”, is a new file system in Windows Server 2012 initially intended for file servers that improves on NTFS in some respects. Major new features of ReFS include below:
a) Improved reliability for on-disk structures– Metadata and file data are organized into tables similar to a relational database
b) Built-in resilience– allocates new chunks for every update transaction and uses large IO batches. do not need to periodically run error-checking tools such as CHKDSK when using ReFS.
c) Compatibility with existing APIs and technologies– supports many existing Windows and NTFS features such as BitLocker encryption, Access Control Lists, USN Journal, change notifications, symbolic links, junction points, mount points, reparse points, volume snapshots, file IDs, and oplock. ReFS seamlessly integrates with Storage Spaces, a storage virtualization layer that allows data mirroring and striping, as well as sharing storage pools between machines
Virtual Machine File System is VMware, Inc’s cluster file system. It is used by VMware ESX Server and the company’s flagship server virtualization suite, vSphere (and predecessor VMware Infrastructure). It was developed and is used to store virtual machine disk images, including snapshots. Multiple servers can read/write the same filesystem simultaneously, while individual virtual machine files are locked. VMFS volumes can be logically “grown” (non-destructively increased in size) by spanning multiple VMFS volumes together. It is not mandatory to use VMFS with VMware; an alternative is NFS.