Active Directory Improvements
- By Greg Shields
This is the third installment of a five-part series by contributing editor
Greg Shields, which takes a close look at Microsoft's upcoming Windows Server
2008 operating system, commonly referred to as Longhorn. This installment
looks at a number of improvements made to the product that benefit Active
Directory.
Server 2008 isn't just about the server operating system: moving to Microsoft's new
server OS also provides some immediate benefits to your Active Directory. Grouped into
the three areas of administration, stability and security, Server 2008's Active
Directory improvements are a good sell for Microsoft. Because AD Domain Controllers
(DCs) are typically easy upgrades with few installed third-party apps, these new
capabilities will likely compel businesses to start with these servers first.
From the admin side, we get a few features like AD object protection and an improved
DCPROMO process. Object protection isn't exactly new: the underlying permissions
have always been part of AD. What Server 2008 adds is a checkbox, "Protect object
from accidental deletion", on the Object tab in Active Directory Users & Computers
(visible with Advanced Features turned on), and the New Object wizard offers it by
default when you create an OU. Ticking it writes two Deny entries for Everyone on
the object's ACL, Delete and Delete Subtree, so the object cannot be removed until
the box is cleared again. This guards against mistakes, not attackers: anyone with
Modify Permissions on the object can strip the deny entries. By enabling object
protection, an administrator can prevent the accidental deletion of objects within
specified
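The following PowerShell is added here as an example and is not code from the article or from Microsoft. It puts the checkbox to work at scale: it finds every OU that is not protected, protects it, and shows the ACL entries the checkbox writes. It uses the ActiveDirectory module, which arrived with Windows Server 2008 R2 and RSAT rather than with the Server 2008 release discussed here; the dsacls line at the end does the same on a plain Server 2008 DC. The OU and domain names are assumed.

```powershell
# Added example: protect every unprotected OU and verify the resulting ACEs.
# Requires the ActiveDirectory module (Server 2008 R2 / RSAT); run as a domain admin.
Import-Module ActiveDirectory

# ProtectedFromAccidentalDeletion is a computed property: it is $true when the
# object's DACL carries Deny ACEs for Delete and Delete Subtree for Everyone.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }

foreach ($ou in $unprotected) {
    Write-Host "Protecting $($ou.DistinguishedName)"
    Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
}

# Verify on one OU (assumed name): list the Deny entries for Everyone through the AD: drive
$dn = "OU=Branch Offices,DC=corp,DC=example"
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# Without the module (Server 2008 itself): write the same Deny ACEs with dsacls.
# SD = Delete, DT = Delete Subtree. Clear the checkbox in ADUC (or remove the
# ACEs) only when you really mean to delete the OU.
dsacls "$dn" /D "Everyone:SDDT"
```

Because the property simply reports whether both deny ACEs are present, an OU someone protected by hand with dsacls shows as protected in the console too, and an OU whose ACL an attacker has rewritten shows as unprotected: worth a periodic check on the OUs holding your servers and admin accounts.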
The DCPROMO process also gets a much-needed facelift. The wizard is much easier
to use, and provides more options for network-based and media-based (Install From
Media) deployment. If DNS isn't properly configured when a DCPROMO is run -- a huge
problem with previous versions -- the process now checks for the problems itself
and in some cases fixes them, for example by installing the DNS Server role and
creating the delegation. What's particularly useful with the new DCPROMO is its
ability to create answer files for unattended DC installations. Simply run through
the wizard and, on the Summary page, click Export settings before you let the
installation proceed. The exported file omits the passwords, so you add the DSRM
password (and either the domain credentials or an asterisk, which makes DCPROMO
prompt for them) when you run it with dcpromo /unattend:<file>; treat the file as
sensitive and remove it afterwards.
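Here is an added example, not code from the article or from Microsoft, of driving that unattended promotion from PowerShell. The [DCInstall] keys are the ones the Server 2008 wizard exports; the domain name, site name, paths and file location are assumed. Because the DSRM password has to be in the file, the script asks for it at run time, restricts the file to Administrators and SYSTEM, and deletes it as soon as dcpromo has finished.

```powershell
# Added example: promote a Server 2008 member server to a replica DC from an
# answer file, without leaving the DSRM password lying around on disk.
$answerFile = "C:\Temp\dcpromo-replica.txt"      # assumed location

# Ask for the DSRM password instead of storing it in the script
$dsrm  = Read-Host -AsSecureString "Directory Services Restore Mode password"
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$unattend = @"
[DCInstall]
; additional DC in an existing domain; use ReadOnlyReplica for an RODC
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch-Site
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; an asterisk makes dcpromo prompt for the domain credentials instead of storing them
UserDomain=corp.example.com
UserName=*
Password=*
SafeModeAdminPassword=$plain
; reboot by hand after checking the log, so the answer file can be removed first
RebootOnCompletion=No
"@

New-Item -ItemType Directory -Path (Split-Path $answerFile) -Force | Out-Null
Set-Content -Path $answerFile -Value $unattend -Encoding ASCII
# Drop inherited ACEs so only Administrators and SYSTEM can read the file
icacls $answerFile /inheritance:r /grant:r "BUILTIN\Administrators:F" "NT AUTHORITY\SYSTEM:F" | Out-Null

try {
    # dcpromo reads the file once at start and logs to %windir%\debug\dcpromo.log
    & dcpromo.exe "/unattend:$answerFile"
} finally {
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
    $plain = $null
}
Write-Host "Review $env:windir\debug\dcpromo.log, then reboot to finish the promotion."
```

The same file with ReplicaOrNewDomain=ReadOnlyReplica, plus PasswordReplicationAllowed, PasswordReplicationDenied and DelegatedAdmin lines, promotes a Read-Only DC; those keys are the unattended counterparts of the RODC wizard pages.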
For stability, Microsoft has made AD Domain Services a restartable service with
all the associated benefits. If you need to take the directory offline to perform
an offline defragmentation, an authoritative restore or some other administrative
task, you no longer need to reboot the server into Directory Services Restore
Mode: you stop and start the service (net stop ntds) while the rest of the box
keeps running. Logons during that window need another DC; if none is reachable,
the DSRM administrator account still works locally. Additionally, AD's new
snapshot feature lets the administrator take a Volume Shadow Copy of the database
with ntdsutil and mount it on a separate LDAP port with dsamain, to compare objects
against the live directory or read back attribute values without a restore.
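The sequence below is an added example, not code from the article or from Microsoft, of both features: stopping AD DS in place, then creating, mounting and querying a snapshot. The snapshot index, mount path, port and domain are assumed; copy the real index or GUID from the "list all" output. The comparison step uses the ActiveDirectory module (Server 2008 R2 / RSAT); on Server 2008 itself, ldp.exe or ADUC pointed at localhost:51389 gives the same view interactively.

```powershell
# Added example: restartable AD DS, then a snapshot mounted for read-only comparison.

# 1. Stop the directory service. Dependent services (KDC, DNS, SYSVOL replication,
#    Intersite Messaging) stop with it; /y answers the prompts.
net stop ntds /y
# ... offline work here, e.g. "ntdsutil 'activate instance ntds' files compact ..." ...
net start ntds

# 2. Snapshot: ntdsutil drives VSS, so this works with the service running.
#    "list all" prints one line per snapshot set and one per volume in it.
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil snapshot "list all" quit quit

# 3. Mount the volume (index 2 assumed from the listing) and serve the copy on
#    an alternate LDAP port. The mount is a complete NTDS.DIT, password hashes
#    included: treat the mount point and the port like a DC (local Administrators
#    only) and unmount as soon as you are done.
ntdsutil snapshot "list all" "mount 2" quit quit
$snapDit = 'C:\$SNAP_200801011200_VOLUMEC$\Windows\NTDS\ntds.dit'   # assumed mount path
[Diagnostics.Process]::Start('dsamain.exe', "/dbpath `"$snapDit`" /ldapport 51389") | Out-Null
Start-Sleep -Seconds 15

# Which users existed at snapshot time but are gone now?
Import-Module ActiveDirectory
$then = Get-ADUser -Filter * -Server "localhost:51389" | Select-Object -ExpandProperty SamAccountName
$now  = Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
Compare-Object $then $now | Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { "Deleted since snapshot: $($_.InputObject)" }

# 4. Tear down: stop dsamain, unmount the volume, delete the snapshot set (index 1 assumed).
Get-Process dsamain -ErrorAction SilentlyContinue | Stop-Process
ntdsutil snapshot "list all" "unmount 2" quit quit
ntdsutil snapshot "list all" "delete 1" quit quit
```

Snapshots accumulate on the DC's own disk, so anyone who can read that volume, or an attacker who lands on the DC, gets an offline copy of the directory; delete them when the comparison is done rather than keeping them as a makeshift backup.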
In the security department, AD gets three long-demanded features as well. First
is an enhancement to auditing that enables a more granular understanding of
changes to the directory itself. With the new Directory Service Changes subcategory,
a modified attribute is logged with both its old and its new value (as a pair of
event ID 5136 entries in the Security log, one for the value deleted and one for
the value added), which is far better for investigation and regulatory compliance
than the Windows Server 2003 record that merely said an object had been accessed.
Auditing still needs a SACL on the objects you care about, set on the Auditing
tab of the object in ADUC. Now available are four new subcategories to audit policy:
Directory Service Access, Directory Service Changes, Directory Service Replication
and Detailed Directory
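As an added example, not code from the article or from Microsoft, the following PowerShell enables the new subcategory on a DC and then reads the change events back into a table. The event field names (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType and the Subject* fields) are those of the 2008 Directory Service Changes events; Get-WinEvent needs PowerShell 2.0 (Server 2008 R2, or the 2.0 update on 2008). The OU you audit and the time window are assumed.

```powershell
# Added example: enable Directory Service Changes auditing and decode the events.
# Run on a domain controller as an administrator.

# Subcategory names are exactly what "auditpol /get /category:*" prints.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /category:"DS Access"

# Caveat: a Group Policy that defines the legacy "Audit directory service access"
# category setting overwrites this subcategory setting on the next refresh unless
# "Audit: Force audit policy subcategory settings (Windows Vista or later) to
# override audit policy category settings" is enabled in Security Options.

# Caveat: nothing is logged without a SACL. In ADUC (Advanced Features on) open the
# OU's Properties > Security > Advanced > Auditing and audit "Write All Properties"
# for Everyone on this object and all descendant objects.

# Event IDs written by Directory Service Changes:
#   5136 attribute modified   5137 object created   5138 object undeleted
#   5139 object moved         5141 object deleted
# A modification produces two 5136 events: OperationType %%14675 (Value Deleted)
# carries the old value, %%14674 (Value Added) carries the new one.
$ids = 5136, 5137, 5138, 5139, 5141
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-1) } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName   # empty for create/move/delete events
            Operation = $d.OperationType
            Value     = $d.AttributeValue
        }
    } | Sort-Object Time |
    Format-Table Time, Id, Who, Object, Attribute, Operation, Value -AutoSize
```

Pairing the two 5136 events of one change by their OpCorrelationID field gives you the before/after picture for, say, a member attribute on Domain Admins, which is the kind of change worth alerting on rather than merely logging.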
Second is the new ability to create password policies for groups rather than
at the domain level only. In previous versions, wanting a different password
policy for a subset of users meant one thing: create a new domain. With the new
feature called Fine-Grained Password Policies, admins can create multiple Password
Settings Objects (PSOs) and apply them directly to individual users or to global
security groups in the domain (not to OUs). Where several apply, the PSO with the
lowest precedence value wins, and the user's msDS-ResultantPSO attribute shows
which one that is. The domain functional level must be Windows Server 2008.
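The following is an added example, not code from the article or from Microsoft, that creates a stricter PSO for a privileged group and then checks which policy actually wins for a given user. It uses the ActiveDirectory module, which shipped with Server 2008 R2 and RSAT but manages a Server 2008 domain as long as a 2008 R2 DC or the Active Directory Management Gateway Service is available; on Server 2008 alone the same PSO is created in ADSI Edit under CN=Password Settings Container,CN=System. The group and user names are assumed.

```powershell
# Added example: create a Password Settings Object, link it to a group, check the result.
Import-Module ActiveDirectory

# PSOs need the Windows Server 2008 domain functional level
$mode = (Get-ADDomain).DomainMode
if ("$mode" -match '2000|2003') { throw "Domain functional level $mode is too low for FGPP" }

# Lower precedence wins when a user is covered by more than one PSO.
# PSOs apply only to users and global security groups, never to OUs.
New-ADFineGrainedPasswordPolicy -Name "PSO-Tier0-Admins" -Precedence 10 `
    -Description "Stricter policy for privileged accounts" `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Link it to a global security group (assumed name)
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Tier0-Admins" -Subjects "Tier0-Admins"

# Resultant policy: computed per user from every PSO that applies to the user
# directly or through group membership. Nothing returned means the Default
# Domain Policy applies.
function Get-EffectivePolicy {
    param([string]$SamAccountName)
    $u   = Get-ADUser -Identity $SamAccountName
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    if ($pso) {
        "{0}: {1} (precedence {2}, min length {3})" -f $u.SamAccountName, $pso.Name, $pso.Precedence, $pso.MinPasswordLength
    } else {
        "$($u.SamAccountName): default domain policy"
    }
}
Get-EffectivePolicy -SamAccountName "jdoe"   # assumed user
```

A common surprise is that the Default Domain Policy still governs anyone no PSO reaches, and that a weaker PSO with a lower precedence number beats a stricter one with a higher number; check the resultant policy for your admin accounts after every change.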
Last, there are the Read-Only DCs. In previous versions, the need to extend
AD to branch offices always came with a risk. Because the entire AD database,
password hashes included, replicates to each full DC, the theft of any one of them
means the entire forest can potentially be exposed. An RODC still receives a
full, read-only copy of the directory, but no account secrets are replicated to
it except for the accounts its Password Replication Policy explicitly allows it
to cache (the privileged groups are denied by default), and attributes you add to
the RODC filtered attribute set are withheld as well. This reduces the total
exposure should that remote-site DC be compromised or stolen: the attacker gets
the hashes of the cached branch-office accounts, not of the whole forest, and
deleting the RODC's computer account in ADUC offers to reset exactly those
passwords.
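The PowerShell below is an added example, not code from the article or from Microsoft. It reviews an RODC's Password Replication Policy, lists the accounts whose secrets the RODC has actually cached (which is the real exposure if the box is stolen), flags any privileged account among them, and provides the scripted equivalent of the reset that ADUC offers when you delete a stolen RODC. It uses the ActiveDirectory module (Server 2008 R2 / RSAT); on Server 2008 itself the same lists come from "repadmin /prp view RODC01 allow", "... deny" and "... reveal". The RODC name is assumed.

```powershell
# Added example: RODC password replication policy review and post-theft reset.
Import-Module ActiveDirectory
$rodc = "RODC01"   # assumed RODC name

# Allowed: what may be cached. Denied: what never may be, and Denied wins.
# The built-in "Denied RODC Password Replication Group" covers Domain Admins,
# Enterprise Admins, krbtgt and other privileged principals out of the box.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# Exposure: only secrets revealed to the RODC can be recovered from its stolen
# ntds.dit; every other account's hash is simply not there.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
"$($revealed.Count) accounts have secrets cached on $rodc"

# Privileged accounts must never appear in that list; if one does, the Denied
# list or a group membership is wrong.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty SamAccountName -Unique
$revealed | Where-Object { $privileged -contains $_.SamAccountName } |
    ForEach-Object { Write-Warning "Privileged account cached on ${rodc}: $($_.SamAccountName)" }

# After a theft: give every cached account a new random password. Users are made
# to change it at next logon; computers then need their secure channel repaired
# (Test-ComputerSecureChannel -Repair or a rejoin), exactly as after the ADUC
# "reset all passwords" option. Keep this behind an explicit decision.
function Reset-RevealedAccounts {
    param([string]$RodcName)
    $rng = New-Object Security.Cryptography.RNGCryptoServiceProvider
    foreach ($a in Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts) {
        $bytes = New-Object byte[] 24
        $rng.GetBytes($bytes)
        $new = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $a -Reset -NewPassword $new
        if ($a.ObjectClass -eq 'user') { Set-ADUser -Identity $a -ChangePasswordAtLogon $true }
        Write-Host "Reset $($a.ObjectClass) $($a.SamAccountName)"
    }
}
# Reset-RevealedAccounts -RodcName $rodc
```

Note that the Allowed list only says what may be cached; an account's secret reaches the RODC the first time that account authenticates through it, so the revealed list, not the policy, is what tells you what a thief actually got.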
These AD updates come at a time when stability and security are much-desired
traits, especially for widespread environments. As you prepare yourself for
Server 2008's release, consider your DCs as an excellent target for an early
upgrade to take advantage of these features.
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.