Sunday, April 5, 2009

What’s new in Windows Server 2008

In Windows Server 2008, directory and identity management is split into several services, of which Active Directory Domain Services (formerly known simply as Active Directory) is one:

Active Directory Domain Services (AD DS)
Active Directory Federation Services (AD FS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Rights Management Services (AD RMS)
Active Directory Certificate Services (AD CS)
Each service is installed as a server role, a concept new in Windows Server 2008.


A lot of new features and functions have been added to Active Directory in Windows Server 2008.

In this article I will focus on Active Directory Domain Services (AD DS), which has gained several enhancements and new features compared to Windows Server 2003.

Here is a short overview of the main changes and new Domain Services functionality that this article covers:

Active Directory Domain Services - Read-Only Domain Controllers
Active Directory Domain Services - Restartable Active Directory Domain Services
Active Directory Domain Services - Fine-Grained Password Policies

Active Directory Domain Services

The Domain Services role has been carried forward and updated in Windows Server 2008. The role is added through Server Manager and the server is promoted with dcpromo, whose wizard now exposes options for the new AD DS features such as Read-Only Domain Controllers (RODCs).

The Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. With an RODC, organizations can deploy a domain controller in locations where physical security cannot be guaranteed.

The RODC's main purpose is to improve security in branch offices. There it is often hard to get the physical security an IT infrastructure needs, especially for domain controllers, which hold sensitive data. Often the DC simply sits under a desk in the office. Anyone with physical access to a writable DC can take the disk, read the database offline and extract every password hash in the domain, or alter the database and let the changes replicate to every other DC. The RODC is designed to limit that damage: it holds no account passwords unless it has explicitly been allowed to cache them, and it cannot originate changes that replicate to other domain controllers.

The essentials of RODC are:

Read-Only Domain Controller
Administrative Role Separation
Credential Caching
Read-Only DNS

Read-Only Domain Controller
An RODC holds a read-only copy of the Active Directory database. It contains every object and attribute of the domain except secrets: by default no user or computer account passwords are stored on it, and attributes placed in the RODC filtered attribute set are never replicated to it. Replication is inbound only. The RODC pulls changes from a writable Windows Server 2008 domain controller, typically in the hub site, and never originates changes itself; writable DCs never pull from an RODC, so a change made on a compromised RODC cannot flow back into the rest of the domain. Note that an RODC cannot act as a replication source for another RODC, so each branch RODC needs a writable Windows Server 2008 DC as its replication partner.

Administrative Role Separation

You can delegate local administrator rights on the RODC to any user or group in Active Directory, either during promotion or afterwards through the Managed By tab of the RODC's computer object (its managedBy attribute). The delegated account can log on to the RODC and carry out server maintenance such as installing drivers or patches, but it holds no AD DS permissions and no administrative rights on any other domain controller. A compromise of that account, or of the RODC itself, therefore does not compromise the domain. Use a dedicated account for this role rather than a member of Domain Admins; otherwise the separation is lost.
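Setting the delegated administrator from PowerShell, as an added example that is not part of the original article. It uses the ADSI interfaces available in the PowerShell that ships with Windows Server 2008 (the ActiveDirectory module only arrived with R2). The RODC name BRANCH-RODC1 and the user name jsmith are placeholders; replace them with your own.

```powershell
# Added example, not code from the original article.
# Assumptions: the RODC's computer account is BRANCH-RODC1 and the
# account to delegate is the domain user jsmith. Both are placeholders.
$rodcName  = "BRANCH-RODC1"
$adminName = "jsmith"

# Bind to the domain naming context of the domain we are logged on to.
$root     = [ADSI]"LDAP://RootDSE"
$domainDN = $root.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDN"

# Locate the RODC computer object. primaryGroupID 521 is the RID of the
# built-in "Read-only Domain Controllers" group, so this filter matches
# only RODC accounts, not writable DCs (RID 516) or ordinary servers.
$searcher.Filter = "(&(objectCategory=computer)(primaryGroupID=521)(cn=$rodcName))"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "No RODC named $rodcName found in $domainDN" }
$rodc = $result.GetDirectoryEntry()

# Resolve the user to delegate and refuse a member of Domain Admins:
# delegating a domain-privileged account defeats the role separation.
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$adminName))"
$user = $searcher.FindOne()
if ($user -eq $null) { throw "User $adminName not found in $domainDN" }
$userDN = $user.Properties["distinguishedname"][0]
$domainAdminsDN = "CN=Domain Admins,CN=Users,$domainDN"
if ($user.Properties["memberof"] -contains $domainAdminsDN) {
    throw "$adminName is a Domain Admin; pick a dedicated, unprivileged account"
}

# Delegation is done by writing the principal's DN into the managedBy
# attribute of the RODC computer object (the same thing the Managed By tab
# does). The RODC grants that principal local administrator rights on
# itself only; no domain-level permissions are granted.
$rodc.Put("managedBy", $userDN)
$rodc.SetInfo()

# Read the attribute back to confirm the write took effect.
$rodc.RefreshCache()
"managedBy on $rodcName is now: " + $rodc.managedBy
```

Run this as an account with write access to the RODC's computer object (a Domain Admin, in practice). The RODC sees the new value once it has replicated in from its writable partner; on the RODC itself you can confirm the delegation with dsmgmt (local roles, then show role administrators).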

Credential Caching