IT Professional's Connection

by: Christian Millar, MCT, Manager Microsoft Infrastructure Training
A deeper look into the new Features of Windows Server 2008 R2 Part 1
In our last newsletter we spoke about having had the opportunity to attend the Tech·Days Canada Calgary event, where IT pros and developers alike were privileged to see several presenters cover a wide range of subjects: everything from the Microsoft Windows 7 platform to the new mail server, Exchange 2010, other newly launched products such as SharePoint Server 2010, and last but not least Windows Server 2008 R2.
In this edition we start examining the new features that 2008 R2 has to offer. As mentioned in last month's article, we will be looking at each new feature separately over the course of the year. This month we examine the latest additions to the Active Directory side of the product.
Active Directory Domain Services - Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects stored within your forest. It surprises me every time I teach a class that most students are unaware of the actual file location used by Active Directory: you can typically find it at %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory, user accounts included. This database can grow to 16 terabytes, which would be large enough for 10 million objects.
Auditing - Previously, in Windows Server 2003, when you changed the value of an object the old value was lost. In Windows Server 2008 you can now capture both the old and the new values of specific attribute types in the Security event log. In previous versions of Windows the auditing subsystem only logged the name of the Active Directory object attribute or registry value that was changed; it did not log the previous and current values of the attribute. This new capability applies to Active Directory Domain Services, Active Directory Lightweight Directory Services, and the Windows registry. By enabling Audit Success or Audit Failure on the "Registry" or "Directory Service Changes" subcategories and setting the associated SACLs, detailed events are raised in the event log for actions on these objects. Changes made to Active Directory objects can be recorded so that you know what was changed on the object, as well as the previous and current values of the changed attributes.
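As an added example (not from the newsletter), here is how the "Directory Service Changes" subcategory is switched on and how the old/new value pairs are read back out of the Security log on a 2008 R2 domain controller. The SACL on the audited OU is still set by hand as described above; event ID 5136, the OpCorrelationID field and the %%14674/%%14675 operation codes are the real values the event uses, and the syntax is kept PowerShell 2.0 compatible.

```powershell
# Run elevated on a domain controller.
# 1. Turn the subcategory on locally (for every DC, set it in the Default Domain Controllers Policy).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. A SACL must exist on the objects you want watched (OU > Properties > Security > Advanced >
#    Auditing, or ADSI Edit); with no SACL the subcategory alone writes nothing.

# 3. Read event 5136 (attribute modified) and pair old and new values.
#    One modification yields two events sharing an OpCorrelationID:
#    OperationType %%14675 = Value Deleted (old value), %%14674 = Value Added (new value).
function Get-ADAttributeChange {
    param([int]$MaxEvents = 200)
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} `
                -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Corr      = $d['OpCorrelationID']
            Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object    = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']
            Op        = $d['OperationType']
            Value     = $d['AttributeValue']
        }
    }
    # Group the two halves of each change back together.
    $rows | Group-Object Corr, Attribute | ForEach-Object {
        $g   = $_.Group
        $old = $g | Where-Object { $_.Op -eq '%%14675' } | Select-Object -First 1
        $new = $g | Where-Object { $_.Op -eq '%%14674' } | Select-Object -First 1
        New-Object PSObject -Property @{
            Time      = $g[0].Time
            Who       = $g[0].Who
            Object    = $g[0].Object
            Attribute = $g[0].Attribute
            OldValue  = $(if ($old) { $old.Value } else { '(none)' })   # attribute was newly set
            NewValue  = $(if ($new) { $new.Value } else { '(none)' })   # attribute was cleared
        }
    }
}

Get-ADAttributeChange | Select-Object Time, Who, Object, Attribute, OldValue, NewValue |
    Format-Table -AutoSize
```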
Fine-Grained Passwords - The problem with password policies in a Windows Server 2003 environment was that if a department within your domain required a separate password policy, you had to create a separate child domain to accommodate it. With Windows Server 2008 we can now use a single domain infrastructure and provide separate password policies that are associated with, and configured for, security groups, or alternatively with a new special group called a Shadow Group that mirrors an OU within the domain. Creating these fine-grained password policies requires two new pieces, the PSC (Password Settings Container) and the PSO (Password Settings Object), which are configured with the ADSI Edit tool. Essentially, fine-grained password policies let you specify multiple password policies within a single domain, and apply different password and account lockout restrictions to different sets of users in that domain.
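The same PSO and shadow-group setup done with the Active Directory module that ships with 2008 R2, as an added example rather than the author's own ADSI Edit walkthrough; the OU, group, user and policy values are constructed for illustration.

```powershell
Import-Module ActiveDirectory   # 2008 R2 AD module; ADSI Edit does the same job by hand

# PSOs apply only to users and global security groups, so an OU gets one through a "shadow
# group" whose membership mirrors the OU. OU, group and user names are constructed examples.
$ouDn  = 'OU=Finance,DC=contoso,DC=com'
$group = 'PSO-Finance-Users'
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDn
}

# Re-sync membership to the OU; schedule this so the shadow group follows moves in and out of the OU.
$inOu     = @(Get-ADUser -Filter * -SearchBase $ouDn | ForEach-Object { $_.DistinguishedName })
$members  = @(Get-ADGroupMember $group | ForEach-Object { $_.DistinguishedName })
$toAdd    = @($inOu    | Where-Object { $members -notcontains $_ })
$toRemove = @($members | Where-Object { $inOu    -notcontains $_ })
if ($toAdd.Count)    { Add-ADGroupMember    $group -Members $toAdd }
if ($toRemove.Count) { Remove-ADGroupMember $group -Members $toRemove -Confirm:$false }

# The PSO itself; the cmdlet stores it in CN=Password Settings Container,CN=System,<domain>.
# If a user lands in several groups with PSOs, the lowest Precedence wins; a PSO linked
# directly to the user beats any group PSO.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-Finance'")) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-Finance' -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Finance' -Subjects $group

# Check which policy actually wins for a member. No output means no PSO applies and the
# domain's Default Domain Policy settings are in force for that user.
Get-ADUserResultantPasswordPolicy -Identity jsmith
```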
Read-Only Domain Controller. A domain controller with a read-only version of the Active Directory database can be deployed in environments where the security of the domain controller cannot be guaranteed, such as branch offices where the physical security of the domain controller is in question, or domain controllers that host additional roles, requiring other users to log on and maintain the server. The use of Read-Only Domain Controllers (RODCs) prevents changes made at branch locations from potentially polluting or corrupting your AD forest via replication. RODCs also eliminate the need to use a staging site for branch office domain controllers, or to send installation media and a domain administrator to the branch location.
Restartable Active Directory Domain Services. Previously, if you wanted to perform an offline defragmentation of the Active Directory database, you had to reboot the domain controller into Directory Services Restore Mode and then run NTDSutil to perform the defragmentation. The problem with this was that when you took Active Directory offline you lost the use of essential Active Directory services like DHCP and DNS. Now, in Windows Server 2008, you can take the Active Directory database offline to defragment NTDS.dit without those essential services being stopped. This ultimately means I can now defragment the Active Directory database without rebooting the domain controller and restarting it in Directory Services Restore Mode.
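An offline defragmentation using the stoppable AD DS service instead of a DSRM reboot, as an added example that is not part of the newsletter. It reads the live database and log paths from the NTDS registry parameters; the work and backup directories are assumed names, and you should check the dependent-services list on your own DC before stopping NTDS.

```powershell
# Run elevated on the domain controller being defragmented.
$p      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $p.'DSA Database file'            # normally C:\Windows\NTDS\ntds.dit
$logDir = $p.'Database log files path'
$work   = 'C:\NTDSCompact'                  # assumed; needs free space >= current ntds.dit size
$backup = 'C:\NTDSBackup'                   # assumed; keeps the pre-compaction copy
New-Item -ItemType Directory -Force -Path $work, $backup | Out-Null

# Stop AD DS in place instead of rebooting into DSRM. -Force is required because other
# services depend on NTDS (Kerberos KDC, Intersite Messaging, DFS Replication, ...).
Stop-Service NTDS -Force

# Each quoted token is one ntdsutil menu command; "compact to" writes a fresh ntds.dit into $work.
ntdsutil "activate instance ntds" files "compact to $work" quit quit
if (-not (Test-Path "$work\ntds.dit")) {
    Start-Service NTDS
    throw "Compaction produced no file; AD DS restarted, live database untouched."
}

# Keep the original, swap in the compacted copy, and delete the old logs as ntdsutil instructs.
Copy-Item $dbFile $backup
Copy-Item "$work\ntds.dit" $dbFile -Force
Remove-Item (Join-Path $logDir '*.log')

# Verify before bringing AD DS back. If the integrity check reports errors, copy the file in
# $backup over $dbFile and start the service again rather than running on a bad database.
ntdsutil "activate instance ntds" files integrity quit quit

# Start AD DS and whatever was stopped along with it.
Start-Service NTDS
(Get-Service NTDS).DependentServices | Where-Object { $_.Status -ne 'Running' } | Start-Service
Get-Service NTDS | Select-Object -ExpandProperty DependentServices |
    Format-Table Name, Status -AutoSize
```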
Database Mounting Tool. An excellent new feature that uses the Volume Shadow Copy Service is the ability to take a snapshot of the Active Directory database that can later be mounted using the Dsamain tool. If you have ever had to do authoritative restores, you know that AD backups aren't pleasant to work with. You have to boot the DC into a special Directory Services Restore Mode (DSRM), which means the DC is no longer offering directory services. Then you have to restore a backup of AD and manually mark the objects you want to restore as authoritative, so they don't get overwritten or deleted as soon as the DC is rebooted and starts replicating again. Imagine not knowing which backup has the right version of an object you want, or being in an audit situation and needing to know what changed on an object. Manually restoring every backup to a DC through DSRM would be very time consuming. Even when you find the right backup, it is very hard to compare the contents of the backup with the live AD object. The snapshot capability now allows a domain administrator to view the objects within the snapshot and determine the restore requirements without going through the older method.
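The snapshot, mount, Dsamain and compare steps from the paragraph above, as an added example that is not part of the newsletter. The snapshot path and LDAP port are constructed (ntdsutil prints the real mount path), and the comparison assumes the AD module's web service on the DC can see the local dsamain instance, which it does for instances on the same host.

```powershell
# Run elevated on a domain controller.
# 1. Take a VSS snapshot of the volume holding ntds.dit.
ntdsutil "activate instance ntds" snapshot create quit quit

# 2. Mount it. "list all" numbers the snapshots; "mount 1" exposes the first under a path such
#    as C:\$SNAP_201002151030_VOLUMEC$\ (printed by ntdsutil). Single quotes: $SNAP is not a variable.
ntdsutil snapshot "list all" "mount 1" quit quit
$snapRoot = 'C:\$SNAP_201002151030_VOLUMEC$'     # constructed; use the path ntdsutil printed
$port     = 10389                                 # any free port; the live DC keeps answering on 389

# 3. Serve the snapshot's ntds.dit read-only over LDAP in its own window
#    (dsamain stays in the foreground until that window is closed).
Start-Process dsamain -ArgumentList "-dbpath `"$snapRoot\Windows\NTDS\ntds.dit`" -ldapport $port"

# 4. Compare an object in the snapshot with the live copy, attribute by attribute, to decide
#    whether a restore is needed and from which snapshot.
Import-Module ActiveDirectory
function Compare-ADUserWithSnapshot {
    param([string]$SamAccountName,
          [string]$SnapshotServer = "localhost:$port",
          [string[]]$Attributes = @('displayName','mail','memberOf','userAccountControl','description'))
    $live = Get-ADUser $SamAccountName -Properties $Attributes
    $snap = Get-ADUser $SamAccountName -Properties $Attributes -Server $SnapshotServer
    foreach ($a in $Attributes) {
        # Multi-valued attributes (memberOf) are sorted and joined so order does not count as a change.
        $l = @($live.$a | Sort-Object) -join ';'
        $s = @($snap.$a | Sort-Object) -join ';'
        if ($l -ne $s) { New-Object PSObject -Property @{ Attribute = $a; Snapshot = $s; Live = $l } }
    }
}
Compare-ADUserWithSnapshot -SamAccountName jsmith | Format-Table Attribute, Snapshot, Live -AutoSize

# 5. Clean up: close the dsamain window, then unmount the snapshot.
ntdsutil snapshot "list all" "unmount 1" quit quit
```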
Check back with us next time when we continue our look at the new features that are being offered and if you would like to contact me regarding anything in this article please feel free to email me at cmillar@neweratechnology.com.
See you next time!