
New Features of Active Directory in Windows Server 2008

As with each previous version of Windows Server, Microsoft has introduced many new components that improve the functionality and manageability of Active Directory and of Windows Server 2008 as a whole. This section briefly summarizes these components, most of which you will learn about later in this book:

  • Server roles and features: Microsoft has organized the capabilities of a computer into various roles and features. Simply put, a role is a specific function that a server can perform on the network, including file services, terminal services, and certificate services. Active Directory Domain Services (AD DS) is the server role that encompasses all domain control functions. A feature is an optional component that adds a specific function, such as the .NET Framework 3.0, BitLocker Drive Encryption, Network Load Balancing, and so on. Certain roles require that specific features be installed, and these features are automatically installed when you add the role. You can add roles and features from the Initial Configuration Tasks window, Server Manager, or the command line. These are discussed later in this chapter.

  • Read-only domain controller: A read-only domain controller (RODC) is a domain controller that contains a read-only copy of the directory database. It can perform all client-based actions such as authenticating users and distributing group policies to clients, but administrators cannot make changes to the database directly from the RODC. It is particularly useful for branch office deployment where security might not be as high as in the central office and no administrative personnel are present for day-to-day operations.

  • Server Core: Server Core is a stripped-down version of Windows Server 2008 that does not contain any GUI, taskbar, or Start menu. After logging on, you are presented with a command prompt window from which you perform all administrative actions. A Server Core computer uses fewer hardware and memory resources than a normal server but is able to perform most (but not all) of the roles that a normal server performs. Furthermore, a Server Core computer is more secure because it presents a smaller attack footprint than a normal server.

  • Restartable Active Directory Domain Services: You can now perform many actions, such as offline defragmentation of the database, simply by stopping Active Directory. This reduces the number of instances in which you must restart the server in Directory Services Restore Mode and thereby reduces the length of time the domain controller is unavailable to serve requests from client computers.

  • Active Directory Certificate Services (AD CS): Certificate Services has been enhanced considerably from Windows Server 2003. For example, you can enroll network devices such as routers for certificates, you can use new certificate templates that support new cryptographic algorithms, you can designate several limited roles for delegating administrative tasks to different individuals, and you can use the online responder service as an alternative to traditional certificate revocation lists.

  • Active Directory Lightweight Directory Services (AD LDS): Microsoft has enhanced and modified the previous Active Directory Application Mode (ADAM) feature first introduced in Windows Server 2003 Release 2 (R2).

  • Active Directory Rights Management Services (AD RMS): Microsoft has added numerous features such as a new interface, delegation of administration, and integration with Active Directory Federation Services (AD FS).

  • Enhancements to Group Policy: Microsoft has added many new policy settings. In particular, these settings enhance the management of Windows Vista client computers. All policy management is now handled by means of the Group Policy Management Console (GPMC), which was an optional feature first added to Windows Server 2003 R2. In addition, Microsoft has added new auditing capabilities to Group Policy and added a searchable database for locating policy settings from within GPMC. In Windows Server 2008 R2, GPMC enables you to use a series of PowerShell cmdlets to automate many of the tasks (such as maintenance and linking of GPOs) that you would otherwise perform in the GUI. In addition, R2 adds new policy settings that enhance the management of Windows 7 computers.

  • Fine-grained password policies: Microsoft has added the capability to apply granular password and account lockout policy settings to different sets of users within the same domain.

  • Security enhancements: Microsoft has hardened Windows Server 2008 to provide the most secure server operating system to date. The most significant security enhancements include the RODC already introduced; Network Access Protection (NAP), which enables you to isolate computers that are noncompliant with security policies; improved clustering features; an improved version of Internet Information Services (IIS); expanded Group Policy settings; and User Account Control (UAC).


  
