Dynamic Access Control
As mentioned before, Dynamic Access Control (DAC) was introduced in Windows Server 2012. Supporting DAC in an enterprise has some requirements. You need at least one Windows Server 2012 Domain Controller, and the Active Directory Forest Functional Level (FFL) must be at least Windows 2003. Also, before you can start using the benefits of DAC, the Kerberos Key Distribution Center (KDC) setting for support of claims, compound authentication and Kerberos armoring must be enabled on all Domain Controllers.
Note
The details of DAC can be found at http://blogs.technet.com/b/windowsserver/archive/2012/05/22/introduction-to-windows-server-2012-dynamic-access-control.aspx.
At a high level, the following steps are required to configure and implement a DAC mechanism in an Active Directory environment:
- Enable KDC support
- Create claim type
- Create resource properties
- Create Central Access Rule (CAR)
- Create Central Access Policy (CAP)
- Deploy Central Access Policy using GPO
- Configure...
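The directory-side steps above (claim type, resource property, Central Access Rule, Central Access Policy) can be scripted with the ActiveDirectory PowerShell module. The following sketch is an added example, not code from the original text. The names BusinessUnit, Finance Documents Rule and Finance Policy, the suggested values, and the choice of the department attribute as the claim source are assumptions made for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example: all object names and values below are hypothetical.

# Enabling KDC support and deploying the policy are Group Policy settings,
# so those two steps are not scripted here.

# Suggested values shared by the user claim and the resource property.
$values = 'Finance', 'HR' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry `
        -ArgumentList $_, $_, "$_ business unit"
}

# Create claim type: issued from the user's 'department' attribute (assumed source).
$claim = New-ADClaimType -DisplayName 'BusinessUnit' -SourceAttribute 'department' `
    -SuggestedValues $values -PassThru

# Create resource property, then publish it so file servers can classify with it.
$prop = New-ADResourceProperty -DisplayName 'BusinessUnit' `
    -ResourcePropertyValueType 'MS-DS-MultivaluedChoice' `
    -SuggestedValues $values -PassThru
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $prop

# Create Central Access Rule. The rule targets resources classified "Finance".
# Owner, Administrators and SYSTEM keep full access; authenticated users get
# read and execute (0x1200a9) only when their claim matches the resource.
$condition = '(@RESOURCE.{0} Contains {{"Finance"}})' -f $prop.Name
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       ('(XA;;0x1200a9;;;AU;(@USER.{0} Any_of @RESOURCE.{1}))' -f $claim.Name, $prop.Name)
New-ADCentralAccessRule -Name 'Finance Documents Rule' `
    -ResourceCondition $condition -CurrentAcl $acl

# Create Central Access Policy and attach the rule to it.
New-ADCentralAccessPolicy -Name 'Finance Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Policy' -Members 'Finance Documents Rule'

# Review what was created before the policy is deployed through a GPO.
Get-ADCentralAccessPolicy -Identity 'Finance Policy' | Select-Object Name, Members
Get-ADCentralAccessRule -Identity 'Finance Documents Rule' |
    Select-Object Name, ResourceCondition, CurrentAcl
```

The generated Name of each object is read back with -PassThru because Active Directory assigns the claim and resource property identifiers at creation time.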