Thursday, April 23, 2009

Windows Server 2008 - New Active Directory Features

New developments for Active Directory in Windows Server 2008 include a Read-only Domain Controller (RODC), fewer domain controller reboots, and separation of the domain administrator from the local machine administrator accounts.

Windows Server 2008 Active Directory Topics
The Five Active Directory Roles
How to Install an Active Directory Role
Read-only Domain Controller (RODC)
Re-startable AD
STS (Security Token Service)
DC (Domain Controller) / Domain Admin Separation

The Five Active Directory Roles
While 'Role' is normally such an insignificant word, in Windows Server 2008 Microsoft have elevated 'Role' to the status of a keyword. The most important association of the word 'Role' is that it invokes the correct installation wizard, which then installs all the sub-components that the role needs.

1) AD DS - Active Directory Domain Services.
This is the main Active Directory database for user and computer objects. AD DS is the descendant of Active Directory in Windows 2000 --> 2003 --> 2008. Remember the two sides of AD DS: the physical data store, and the logical structure of forest, domains, OUs and sites.

2) AD CS - Certificate Services (CS) specializes in managing digital certificates (PKI). Security is the key; the idea is to protect data in scenarios such as S/MIME for email, SSL for websites, smart card logon via VPN, and file encryption (EFS). Naturally, it integrates with AD DS above.

3) AD RMS - Rights Management Solution. Can be used to protect documents sent in emails. Users must first have an AD DS account, and services using RMS must also be registered in Active Directory.

4) AD FS - Federation Services
Federation manages trust relationships between different organizations. It also provides single sign-on for web-based applications, for example at online retailers.

5) AD LDS - Active Directory Lightweight Directory Services
This is like the ADAM (Active Directory Application Mode) service of Windows Server 2003. Only use AD LDS for applications that cannot use the regular AD DS, for example where there are security concerns, or where you just need to test LDAP features. Unlike the other roles, AD LDS is an alternative to the main Active Directory, not an extension of it.

How to Install an Active Directory Role
Firstly, with Active Directory you always need to plan. I am assuming that you have installed a member server. Now is the time to ask smart questions such as 'Is this a brand new forest?' or 'Is this an additional domain controller in an existing domain?'
Secondly, the mechanics are easy. The new method of installing Active Directory in Windows Server 2008 is to use 'Add Roles'. For this feature, open Server Manager and then scroll down to 'Add Roles'.
The Active Directory wizard will guide you through all the options so that you can make smart choices for your situation. New choices include specifying a DNS server, setting the server as a Global Catalog, and selecting the Read-only Domain Controller option. At this time you may also want to select a site for your DC and, more importantly, set the functional levels for the domain, or even the entire forest.
If you are familiar with the command line program dcpromo, then you will be used to the planning tree: new domain / child domain / new forest. Just go to the command line as you did in Windows Server 2003 and type dcpromo.
Be aware that you can still create answer files for dcpromo. This is useful if you are creating multiple domain controllers with similar specifications.
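The unattended route mentioned above, as an added example that is not part of the original post: a PowerShell script that writes a dcpromo answer file for an additional domain controller in an existing domain, locks the file down while it holds passwords, runs dcpromo against it, and deletes it afterwards. The domain name corp.example.com, the site Branch-01, the promotion account svc-dcpromo and the path C:\Deploy\dc-replica.txt are assumed values to replace for your environment; the script assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): unattended promotion of a member server
# to an additional DC in an existing domain via a dcpromo answer file.
# Assumed values: domain corp.example.com, site Branch-01, account svc-dcpromo,
# answer file C:\Deploy\dc-replica.txt. Requires PowerShell 2.0 or later.
$AnswerPath = 'C:\Deploy\dc-replica.txt'

# Prompt for the two secrets rather than hard-coding them in the script.
$promoCred  = Get-Credential -Credential 'svc-dcpromo'
$dsrmSecure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# The answer file needs clear-text passwords, so convert each SecureString only when writing.
function ConvertFrom-SecureToPlain([Security.SecureString]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# [DCInstall] keys follow the dcpromo unattend format; Replica = extra DC in an existing domain.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch-01
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=corp.example.com
UserName=$($promoCred.UserName)
Password=$(ConvertFrom-SecureToPlain $promoCred.Password)
SafeModeAdminPassword=$(ConvertFrom-SecureToPlain $dsrmSecure)
RebootOnCompletion=No
"@

try {
    New-Item -ItemType Directory -Path (Split-Path $AnswerPath) -Force | Out-Null
    Set-Content -Path $AnswerPath -Value $answer -Encoding ASCII
    # The file now holds clear-text passwords: strip inherited ACEs and allow only admins and SYSTEM.
    & icacls $AnswerPath /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' | Out-Null
    & dcpromo /unattend:$AnswerPath
}
finally {
    # Remove the answer file whether or not the promotion succeeded; do not rely on dcpromo to scrub it.
    Remove-Item -Path $AnswerPath -Force -ErrorAction SilentlyContinue
}

# RebootOnCompletion is set to No so the clean-up above always runs; reboot explicitly afterwards.
& shutdown /r /t 30 /c 'Rebooting to complete domain controller promotion'
```

For a read-only domain controller the same file would carry ReadOnlyReplica=Yes plus the password replication entries; for a new forest the ReplicaOrNewDomain value changes and the domain name keys differ. Keeping one template per DC type is what makes the answer-file approach pay off when several similar DCs are built.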

Read-only Domain Controller (RODC)
The goal of a Read-only DC (RODC) is to reduce physical security requirements and simplify local operations. At first sight this sounds like a return to the BDC. While this is indeed a read-only copy of the Active Directory database, its rationale is different from the old NT 4 BDC. The RODC philosophy is: don't install features that a small office does not require.

All the features that Microsoft have put into a read-only DC serve to turn their vision of a branch office model into reality. The model requires a local domain controller that can service users' logon requests, but without the need for an administrator out at the branch. A read-only DC, which can authenticate clients from its own site, is much less vulnerable to attack from hackers.
One crucial decision is how to control password caching on the RODC. The benefits of caching are clear: faster second and subsequent logons, and the ability to log on if the WAN link to the normal Domain Controllers is down. However, there is a security liability in caching the passwords of important accounts, for example the Administrator or your Financial Director. Your biggest security worry with the RODC is theft: what could a hacker do with unlimited time to crack the cached accounts and passwords in the SAM database?
As usual, Microsoft have thought through the problem and come up with the answer in the form of a Password Replication Policy. In a nutshell, this policy determines which accounts can have their passwords cached.
When you set up the RODC, specify which account passwords to allow or deny from being cached on it. This configuration page appears only if you select the 'Use advanced mode installation' check box.
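Because the policy decided at setup is the control that limits what a stolen RODC gives away, it is worth checking it afterwards. Here is an added example, not part of the original post, that reads an RODC's Password Replication Policy from a writable DC with repadmin /prp (shipped with Windows Server 2008) and warns when a privileged account is allowed to cache, is already cached, or is not covered by the deny list. The RODC name BRANCH-RODC01 and the $NeverCache list are assumptions to adjust for your domain; PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original post): audit an RODC's Password Replication Policy
# from a writable DC. Assumed values: RODC BRANCH-RODC01 and the $NeverCache names.
$Rodc       = 'BRANCH-RODC01'
$NeverCache = @('Administrator', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Returns the distinguished names repadmin prints for one PRP list:
#   allow / deny  - the policy itself
#   auth2         - accounts that have authenticated through this RODC
#   reveal        - accounts whose password secrets are actually stored on this RODC
function Get-RodcPrpList {
    param([string]$Rodc, [string]$List)
    & repadmin /prp view $Rodc $List 2>&1 |
        ForEach-Object { if ("$_" -match 'CN=.*') { $Matches[0].Trim() } }
}

# Expands each policy entry one level: the entry itself and, for a group, its direct members.
# One level is enough for the default policy, where Domain Admins and friends sit directly
# inside 'Denied RODC Password Replication Group'.
function Expand-DnList([string[]]$Dns) {
    foreach ($dn in $Dns) {
        $dn
        try {
            $obj = [ADSI]"LDAP://$dn"
            if ($obj.objectClass -contains 'group') { @($obj.member) | ForEach-Object { "$_" } }
        } catch { Write-Warning "Could not expand $dn : $_" }
    }
}

$allowed  = @(Expand-DnList (Get-RodcPrpList $Rodc 'allow'))
$denied   = @(Expand-DnList (Get-RodcPrpList $Rodc 'deny'))
$revealed = @(Get-RodcPrpList $Rodc 'reveal')

"Allowed to cache on ${Rodc} (expanded):"; $allowed
"Denied from caching on ${Rodc} (expanded):"; $denied
"Secrets currently held on ${Rodc}: $($revealed.Count) account(s)"

# Flag privileged principals the policy allows, that are already cached, or that the deny list misses.
foreach ($name in $NeverCache) {
    $pattern  = '^CN=' + [regex]::Escape($name) + ','
    $inAllow  = @($allowed  | Where-Object { $_ -match $pattern })
    $inDeny   = @($denied   | Where-Object { $_ -match $pattern })
    $inReveal = @($revealed | Where-Object { $_ -match $pattern })

    if ($inAllow.Count)  { Write-Warning "$name is allowed to cache on $Rodc" }
    if (-not $inDeny.Count) { Write-Warning "$name is not denied on $Rodc, directly or through a group" }
    if ($inReveal.Count) {
        # Secrets already on the RODC: remove the entry, then reset the account's password so the
        # copy on the RODC is worthless. Documented syntax, not run here:
        #   repadmin /prp delete <RODC> reveal <account DN>
        Write-Warning "$name already has its secrets stored on $Rodc"
    }
}
```

Deny wins over allow when a principal appears in both lists, so the usual fix for a finding is to add the account or group to the Denied RODC Password Replication Group rather than to edit the allow list. The reveal list is the one to check after a branch box goes missing: it is the set of accounts whose passwords must be reset.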

Re-startable AD (Active Directory)
Windows Server 2008's restartable AD continues the trend of reducing domain controller reboots. This restart facility is particularly welcome after you apply security updates to Domain Controllers. Restartable Active Directory is implemented as a normal Windows service that can be stopped and started as required. Not only does this reduce the need for reboots, it also simplifies offline actions such as defragmenting the AD database.
The secret to restarting Active Directory is to remember that it has a corresponding service, which you can start and stop via the Computer Management snap-in.
You may wish to check which services depend on AD DS to function. The best way to check these dependencies is to right-click Active Directory Domain Services and then click Properties. Incidentally, all the dependent services stop first; then Windows Server 2008 stops AD DS.
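The stop, offline-defragment, start cycle the section describes, scripted as an added example that is not part of the original post. It lists the services that depend on NTDS (the service name behind Active Directory Domain Services), stops them along with NTDS, compacts the database with ntdsutil, keeps a copy of the original files, swaps in the compacted file, checks its integrity and brings the directory back. The paths C:\Windows\NTDS, C:\NTDS-Compact and C:\NTDS-Backup are assumptions, as is PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): offline defragmentation of the AD database
# using the restartable AD DS service. Assumed paths: database in C:\Windows\NTDS,
# compacted copy in C:\NTDS-Compact, pre-defrag copy in C:\NTDS-Backup. PowerShell 2.0+.
$NtdsPath   = 'C:\Windows\NTDS'
$CompactDir = 'C:\NTDS-Compact'
$BackupDir  = 'C:\NTDS-Backup'

# Services such as DNS Server, Kerberos KDC and DFS Replication depend on NTDS and stop before it.
Get-Service -Name NTDS -DependentServices | Select-Object Name, Status

# -Force stops the dependents first, which is what the Services snap-in does interactively.
Stop-Service -Name NTDS -Force
(Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

try {
    New-Item -ItemType Directory -Path $CompactDir, $BackupDir -Force | Out-Null

    # Offline defragmentation writes a new, compacted ntds.dit into $CompactDir.
    & ntdsutil 'activate instance ntds' files "compact to $CompactDir" quit quit
    if (-not (Test-Path (Join-Path $CompactDir 'ntds.dit'))) { throw 'ntdsutil did not produce a compacted ntds.dit' }

    # Keep the original database and transaction logs so the swap can be undone.
    Copy-Item -Path (Join-Path $NtdsPath 'ntds.dit') -Destination $BackupDir -Force
    Copy-Item -Path (Join-Path $NtdsPath '*.log')    -Destination $BackupDir -Force

    # Replace the live database with the compacted one and discard the old logs, as ntdsutil instructs.
    Copy-Item -Path (Join-Path $CompactDir 'ntds.dit') -Destination $NtdsPath -Force
    Remove-Item -Path (Join-Path $NtdsPath '*.log') -Force

    # Verify the new file before the directory goes back online; restore from $BackupDir if this fails.
    $check = & ntdsutil 'activate instance ntds' files integrity quit quit 2>&1
    if (-not ($check -match 'Integrity check successful')) {
        throw "Integrity check failed; restore ntds.dit and the logs from $BackupDir before starting NTDS"
    }
}
finally {
    Start-Service -Name NTDS
    # Starting NTDS does not restart the services that were stopped with it; bring them back explicitly.
    Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -ne 'Running' } | Start-Service
}
```

Run this in a maintenance window on one DC at a time: while NTDS is stopped the server answers no logons, and its DNS zones are unavailable if it is also the DNS server. Take a system state backup beforehand, since the file copy above protects only against a bad compaction, not against everything else.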

STS (Security Token Service)
Windows Server 2008 will add a new service to Active Directory called a Security Token Service (STS), which integrates authentication and authorization in a manner that simplifies access management. The Security Token Service extends the capabilities introduced with AD FS (Active Directory Federation Services) to include support for smart clients, 'InfoCards', and privacy. In addition, STS will integrate resource discovery and management. For example, using the STS, customers will be able to automatically find application resources and operations, and provide granular access control for these operations.

DC (Domain Controller) / Domain Admin Separation
In Windows Server 2008 there will be a DC (Domain Controller) Admin and a separate Domain Admin. This means the DC Admin will not automatically have all privileges in the domain. You will see a new user group called DC Admin. DC Admins will be able to log in to the domain controllers, but they will not automatically be granted domain administrator privileges.

Other new features of Server 2008 Active Directory
Install a DC on Server Core, and thus minimize the attack surface.

1 comment:

Manoj said...

Hi, Manoj here.
Please let me know if you have any idea about Hyper-V in Server 2008, and also self-healing NTFS.