Windows Server 2008 – New Active Directory Features

Windows Server 2008 – New Active Directory FeaturesWindows Server 2008 Active Directory Directory Services

New developments for Active Directory in Windows Server 2008, include a Read-only domain controller (RODC), reducing domain controller reboots, and separating the domain administrator from the local machine administrator accounts. 

Windows Server 2008 Active Directory Topics


The Five Active Directory Roles

While ‘Role’ is normally such an insignificant word, in Windows Server 2008 Microsoft has elevated ‘Role’ to the status of a keyword.  The most important association for the word ‘Role’ is to invoke the correct installation wizard, who then installs all the necessary sub-components associated with that role.

1) AD DS – Active Directory, Directory Services.

This is the main Active Directory database for user and computer objects.  AD DS is a descendant of Active Directory in Windows 2000 –> 2003 –> 2008.  Remember the two sides of AD DS, the physical data store and the logical, forest, domains, OUs and sites.

2) AD CS – The Certificate Services (CS) specializes in managing digital certificates (PKI).  Security is the key, the idea is to protect data in these scenarios: S/Mime for email, SSL for websites, smartcard logon via VPN and for encrypting files (EFS).  Naturally, integrates with the above AD DS.

3) AD RMS – Rights Management Solution.  Can be used to protect documents sent in emails.  Users must first have an AD DS account.  Services using RMS must also be registered in Active Directory.

4) AD FS – Federation Services

Federation manages trust relationships between different organizations.  Also provides single sign on for web based applications, for example, online retailers.

5) AD LDS – Active Directory Lightweight Directory Services

This is like the ADAM (Active Directory Application Mode) service of Windows Server 2003.  Only use AD LDS for applications that cannot use the regular AD DS, for example where there are security worries, or you just need to test LDAP features.  Unlike the other roles, AD LDS is an alternative to the main Active Directory and not an extension.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v12 v12

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

Perhaps the NPM’s best feature is the way it suggests solutions to network problems.  Its second best feature is the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.

Download your free trial of SolarWinds Network Performance Monitor.

How to Install an Active Directory Role

Firstly, with Active Directory you always need to plan.  I am assuming that you haveinstalled a member server.  Now is the time to ask smart questions such as, ‘Is this a brand new forest?’  or, ‘Is this an additional domain controller in an existing domain’.

Secondly, the mechanics are easy.  The new method of installing active directory in Windows Server 2008 is to use ‘Add roles’.  For this feature, call for the Server Manager and then scroll down to ‘Add roles’. 

The Active Directory wizard will guide you through all the options so that you can make smart choices for your situation.  New choices include, specifying a DNS server, setting the server as a Global Catalog, selecting the Read-only Domain Controller option.  At his time you may also want to select a site for your DC, and more importantly, set the Function Levels for the domain, or even the entire forest.

If you are familiar with command line program called dcpromo, then you will be used to the planning tree, new domain / child domain /new forest.  Just go to the command line as you did in Windows Server 2003 and type dcpromo.

Be aware that you can still create answer files for dcpromo.  This is useful if you are creating multiple domain controllers with similar specification.

Read only Domain Controller (RODC)

The goal of a Read-only DC (RODC) is to reduce physical security requirements and simplified local operations.  At first sight this sounds like a return to the BDC.  While this indeed is a read-only copy of the Active Directory database, its rationale is different from the old NT 4 BDC.  The RODC philosophy is don’t install features that a small office does not require.

All the features that Microsoft has put into a read-only DC is to turn their vision of a branch office model into reality.  The model requires that of local domain controller that can service users’ logon requests, but without the need for an administrator out at the branch.  A read-only DC, which can authentication clients from it’s own site, is much less vulnerable to attack from hackers.

One crucial decision is how to control password caching on the RODC.  The benefits of caching are clear, faster second and subsequent logons and the ability to logon if the WAN link to the normal Domain Controllers is down.  However, there is a security liability of caching the password of important accounts, for example the Administrator or your Financial Director.  Your biggest security worry with the RODC is if it was stolen, what could a hacker do with unlimited time to crack cached accounts and passwords in the SAM database.

As usual, Microsoft has thought through the problem and come with the answer in the form of a Password Replication Policy.  In a nutshell this policy determines which accounts can have their password’s cached.

When you setup the RODC, specify which account passwords to allow or deny from being cached on an RODC. This configuration page appears only if you select the ‘Use advanced mode installation’ check box.

Guy Recommends 3 Free Active Directory ToolsDownload Solarwinds Active Directory Administration Tool

SolarWinds have produced three Active Directory add-ons.  These free utilities have been approved by Microsoft, and will help to manage your domain by:

  1. Seeking and zapping unwanted user accounts.
  2. Finding inactive computers.
  3. Bulk-importing new users.  Give this AD utility a try, it’s free!

Download your FREE Active Directory administration tools.

Re-startable AD (Active Directory)

Windows Server 2008’s re-startable AD will continue the trend to reduce domain controller reboots.  This restart facility is particularly welcome after you apply security updates to Domain Controllers.  Re-startable Active Directory is implemented as a normal Windows service that can be stopped and started as required.  Not only will this reduces the need for reboots, but it also it simplifies offline actions such as defragging the AD database.

The secret to restarting Active Directory is to remember that it has a corresponding service, which you can start and stop via the Computer Management snap-in. 

You may wish to check which services depend on AD DS to function.  The best way to check these dependencies is to right-click Active Directory Domain Services, and then click Properties.  Incidentally, all the dependent services stop first.  Then Windows Server 2008 stops the AD DS.

STS (Security Token Service)

Windows Server 2008 will add a new service to Active Directory called a Security Token Service (STS), that integrates authentication and authorization in a manner that simplifies access management. The Security Token Service extends the capabilities introduced with ADFS (Active Directory File System) to include support for smart clients, ‘InfoCards,’ and privacy support, In addition, STS will integrated resource discovery and management. For example, using the STS, customers will be able to automatically find application resources and operations, and provide granular access control for these operations.

DC (Domain Controller) / Domain Admin Separation

In Windows Server 2008 Server there will be a DC (Domain Controller) Admin and a separate Domain Admin. This means the DC Admin will not automatically have all privileges in the domain.  You will see a new user group called DC Admin. The DC Admin will be able to login to the domain controllers but they will not be automatically granted domain administrator privileges.

Other new features of Server 2008 Active Directory

Install a DC as a Server Core: and thus minimize surface area.


Thanks to Leon Serfontein for providing additional material on the STS and re-startable AD.

If you like this page then please share it with your friends


Microsoft Windows Server 2008 Topics:

Server 2008 Home   • Overview   • What’s New?   • Migration Advice   • Install   • SP1 Review

AD DC   • Roles   • Features   • Editions   • Hyper-V   • UAC   • IPv6   • Group Policy   • Free NPM Trial