Active Directory Improvements

This is the third installment of a five-part series by contributing editor Greg Shields, which takes a close look at Microsoft's upcoming Windows Server 2008 operating system, commonly referred to as Longhorn. This installment looks at a number of improvements made to the product that benefit Active Directory.

Server 2008 isn't just about Server 2008: Moving to Microsoft's new server operating system also provides some immediate benefits to your Active Directory. Aligned in the three areas of administration, stability and security, Server 2008's Active Directory improvements are a good sell for Microsoft. Because AD Domain Controllers (DCs) are typically easy upgrades with few installed third-party apps, these new capabilities will likely compel businesses to start with these servers first.

From the admin side, we get a few features like AD object protection and an improved DCPROMO process. Object protection isn't exactly new. The underlying permissions that are structured to enable object protection have always been a part of AD. With Server 2008, however, admins get a new checkbox right in the Active Directory Users & Computers interface, which lets them invoke those restrictive permissions during object creation or later during administration. By enabling object protection, an administrator can prevent the accidental deletion of objects within specified Organizational Units.

Read the rest of Greg Shields' five-part "The Drive to Longhorn" series:

Part 1: Server Manager Responds to Users' Needs

Part 2: Longhorn's Terminal Services: The Server Manager

Part 3: Active Directory Improvements

Part 4: Getting Manageable

Part 5: Longhorn's File Services Role

The DCPROMO process also gets a much-needed facelift. The wizard is much easier to use, and provides more options for network-based and media-based deployment. If DNS isn't properly configured when a DCPROMO is run -- a huge problem with previous versions -- the DCPROMO process itself will verify and in some cases fix the problems all on its own. What's particularly useful with the new DCPROMO is its new ability to create answer files for unattended DC installations. Simply run the DCPROMO process and export the answer file as the very last step before clicking the Finish button.

For stability, Microsoft has reconfigured AD itself to become a true service with all the associated benefits. This means that if you need to shut down AD to perform a restoration or some other administrative task, you no longer need to shut down the server and restart it in Directory Services Restore Mode. Additionally, AD's new snapshotting feature enables the administrator to create a snapshot of the database to use for object comparison.

In the security department, AD gets three long-demanded features as well. First is an enhancement to auditing that enables a more granular understanding of changes to the directory itself. You can now log settings to the event log both before and after a change for better security and regulatory compliance. Now available are four new subcategories to audit policy: Directory Service Access, Directory Service Changes, Directory Service Replications and Detailed Directory Service Replication.
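Under the Directory Service Changes subcategory, an attribute modification is written to the Security log as separate event 5136 records, one for the removed value and one for the new value, tied together by a correlation ID. The Python below is an added example, not part of the original article: it joins such records into one before/after row per change. The sample records, account names and the example.test domain are constructed, and the dictionary keys are assumed to mirror the EventData field names of event 5136.

```python
from collections import defaultdict

# OperationType codes as they appear in the raw XML of event ID 5136
# ("A directory service object was modified").
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

def ev(op, who, dn, attr, optype, value, event_id=5136):
    """Build one constructed record using the EventData field names of event 5136."""
    return {"EventID": event_id, "OpCorrelationID": op, "SubjectUserName": who,
            "ObjectDN": dn, "AttributeLDAPDisplayName": attr,
            "OperationType": optype, "AttributeValue": value}

# Constructed sample records, not real log data (example.test is a placeholder).
SVC = "CN=svc-backup,OU=Service Accounts,DC=example,DC=test"
GRP = "CN=Helpdesk,OU=Groups,DC=example,DC=test"
SAMPLE_EVENTS = [
    ev("{op-1}", "alice", SVC, "userAccountControl", VALUE_DELETED, "512"),
    ev("{op-2}", "bob", GRP, "member", VALUE_ADDED, "CN=jdoe,OU=Staff,DC=example,DC=test"),
    ev("{op-1}", "alice", SVC, "userAccountControl", VALUE_ADDED, "66048"),
    ev("{op-3}", "bob", "OU=Lab,DC=example,DC=test", "", "", "", event_id=5137),
]

def pair_changes(events):
    """Join the 'before' and 'after' records of each attribute modification."""
    grouped = defaultdict(lambda: {"before": [], "after": []})
    for e in events:
        if e.get("EventID") != 5136:
            continue  # this example handles attribute modifications only
        key = (e["OpCorrelationID"], e["ObjectDN"], e["AttributeLDAPDisplayName"])
        slot = grouped[key]
        slot["who"] = e["SubjectUserName"]
        if e["OperationType"] == VALUE_DELETED:
            slot["before"].append(e["AttributeValue"])   # value prior to the change
        elif e["OperationType"] == VALUE_ADDED:
            slot["after"].append(e["AttributeValue"])    # value after the change
    # Dict order is insertion order, so rows follow each change's first record.
    return [{"op": op, "who": s["who"], "object": dn, "attribute": attr,
             "before": s["before"], "after": s["after"]}
            for (op, dn, attr), s in grouped.items()]

if __name__ == "__main__":
    for row in pair_changes(SAMPLE_EVENTS):
        print(f'{row["who"]} changed {row["attribute"]} on {row["object"]}: '
              f'{row["before"]} -> {row["after"]}')
```

A row with an empty `before` list, such as the group membership addition in the sample, means a value was added where none was replaced.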

Second is the new ability to create password policies for groups rather than at the domain level only. In previous versions, a separate password policy for a subgroup of users meant creating a new domain. With the new feature called Fine-Grained Password Policies, admins can now create multiple policies and apply them directly to individuals or Global Groups in the domain.

Last, there are the Read-Only DCs. In previous versions, the need to extend AD to branch offices always came with a risk. Because the entire AD database replicates to each full DC, the theft of any one of them means the entire forest can potentially be exposed. With Read-Only DCs, only a subset of the total directory can be pushed down to a branch office. This has the effect of reducing the total exposure should that remote-site DC be compromised or stolen.

These AD updates come at a time when stability and security are much-desired traits, especially for widespread environments. As you prepare yourself for Server 2008's release, consider your DCs as an excellent target for an early upgrade to take advantage of these features.

About the Author

Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.