Tuesday, May 6, 2014

AD Features in Windows Server 2008 and Windows Server 2008 R2

AD DS includes many new features that are not available in previous versions of Windows Server Active Directory. These new features make it possible for organizations to deploy AD DS more simply and securely and to administer it more efficiently.

New AD Features in Windows Server 2008

  • ADDS Auditing: Ensures that critical resources in the network, such as the domain controllers, are audited, monitored and reported on, with full information on changes to AD objects (users, groups, GPOs, computers, OUs, DNS, the AD schema and configuration), delivered through 150+ detailed, event-specific GUI reports and e-mail alerts.
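
As an added example (not part of the original post), the following PowerShell shows the native side of AD DS auditing in Windows Server 2008: turning on the "Directory Service Changes" audit subcategory, placing a SACL on an OU so that writes to its objects are recorded, and reading back the resulting Security-log events. The OU name is constructed for this example; in production the audit policy would normally be set by Group Policy on the Domain Controllers OU rather than with auditpol on a single DC.

```powershell
Import-Module ActiveDirectory

# 1. Enable the subcategory on this DC (Group Policy is the usual way to do it for all DCs).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Add a SACL to a sensitive OU (constructed name) so that successful writes to objects
#    below it generate events. Without a SACL, enabling the subcategory logs nothing.
$ouDN = "OU=Privileged,DC=corp,DC=example"
$everyone = New-Object System.Security.Principal.SecurityIdentifier "S-1-1-0"   # Everyone
$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$auditRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
    -ArgumentList $everyone,
                  $rights,
                  [System.Security.AccessControl.AuditFlags]::Success,
                  [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$acl = Get-Acl -Path "AD:\$ouDN" -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Read the change events the DC now writes to its Security log:
#    5136 = attribute modified, 5137 = object created, 5139 = object moved, 5141 = object deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } -MaxEvents 50 |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

The 5136 events carry the old and new attribute values, which is what makes the Windows Server 2008 auditing more useful than the single "object modified" event of earlier versions; the reports and alerts the bullet describes are built on top of these events.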
  • ADDS Fine-Grained Password Policies: You can use fine-grained password policies to specify multiple password policies within a single domain, applying different password and account lockout restrictions to different sets of users.
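
As an added example (not from the original post), this PowerShell creates a password settings object (PSO) that is stricter than the domain default and applies it to one group, then checks which policy a given account actually receives. It uses the Active Directory module for Windows PowerShell that ships with Windows Server 2008 R2; the policy name, group and user are constructed for this example.

```powershell
Import-Module ActiveDirectory

# Create a PSO for privileged accounts. Lower Precedence wins when a user is covered by more
# than one PSO, so give the strictest policy the lowest number.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedUsers" `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# PSOs apply to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedUsers" -Subjects "Domain Admins"

# Show the policy as created and who it applies to.
Get-ADFineGrainedPasswordPolicy -Identity "PSO-PrivilegedUsers" -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

# Verify the resultant policy for one account (constructed user name). If this returns nothing,
# the account falls back to the Default Domain Policy settings.
Get-ADUserResultantPasswordPolicy -Identity jdoe
```

Checking the resultant policy is the step worth keeping in a change procedure: a PSO applied to the wrong group, or shadowed by another PSO with a lower precedence number, silently leaves accounts on the domain default.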

  • ADDS Read-Only Domain Controllers: A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (ADDS) database. 
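
The security property of an RODC is decided by its Password Replication Policy (PRP): only the accounts it lists as allowed ever have their secrets cached on the branch server. As an added example (not from the original post), the following PowerShell sets a minimal PRP and reviews what is actually cached. The RODC and group names are constructed.

```powershell
Import-Module ActiveDirectory
$rodc = "RODC-BRANCH01"   # constructed RODC name

# Allow caching only for the principals that really work at that site.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList "Branch01-Users", "Branch01-Computers"

# Deny wins over Allow: keep privileged accounts out even if they end up in an allowed group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList "Domain Admins", "Tier0-Admins"

# Review the effective lists.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# Which secrets are on the RODC right now: this is the exposure if the box is lost or compromised.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# Which accounts have authenticated through the RODC: candidates for the allowed list, or
# evidence that someone privileged is logging on at a site where they should not.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

If an RODC is stolen, the revealed-accounts list is the set of passwords to reset; the Active Directory Users and Computers "Delete" dialog for an RODC offers to do exactly that.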

  • ADDS Restartable Active Directory Domain Services: Restartable ADDS is a feature in Windows Server 2008 that you can use to perform routine maintenance tasks on a domain controller, such as applying updates or performing offline defragmentation, without restarting the server. 
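
As an added example (not from the original post), here is the offline defragmentation the bullet mentions, done with restartable AD DS so that only the directory service stops while the server keeps running. Paths are constructed; read the real database location from the NTDS service parameters on your DC before running anything like this.

```powershell
# Run locally on the DC, elevated. Constructed paths; confirm $ntdsDir against the
# "DSA Database file" value under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
$ntdsDir    = "C:\Windows\NTDS"
$compactDir = "D:\NTDS-Compact"
$backupDir  = "D:\NTDS-Backup-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $compactDir, $backupDir -Force | Out-Null

# 1. Stop AD DS only. -Force also stops dependents such as the KDC and DC-integrated DNS;
#    the operating system stays up and you remain logged on.
Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw "AD DS did not stop" }

# 2. Offline defragmentation: ntdsutil writes a compacted copy into $compactDir and leaves
#    the original file untouched.
& ntdsutil.exe "activate instance ntds" "files" "compact to $compactDir" "quit" "quit"

# 3. Keep the old database and logs, then swap in the compacted copy and remove stale logs.
Copy-Item "$ntdsDir\ntds.dit" "$backupDir\" -Force
Copy-Item "$ntdsDir\*.log"   "$backupDir\" -Force
Copy-Item "$compactDir\ntds.dit" "$ntdsDir\ntds.dit" -Force
Remove-Item "$ntdsDir\*.log"

# 4. Verify the database before the directory comes back online.
& ntdsutil.exe "activate instance ntds" "files" "integrity" "quit" "quit"

# 5. Start AD DS and bring back any dependent service that is still stopped.
Start-Service -Name NTDS
Get-Service -Name NTDS -DependentServices |
    Where-Object { $_.Status -ne 'Running' } |
    Start-Service
Get-Service -Name NTDS -DependentServices | Select-Object Name, Status
```

While AD DS is stopped the DC answers no authentication requests, so do this on a DC that is not the only one for its domain, or be prepared to log on with the Directory Services Restore Mode password if step 5 fails.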

  • ADDS Database Mounting Tool: The Active Directory® database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots or backups that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.
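
As an added example (not from the original post), this is the snapshot-and-compare workflow the bullet describes: take a VSS snapshot of the directory, mount it, serve it read-only on a side LDAP port with Dsamain.exe, and diff one object's attributes against the live directory. The snapshot GUID and mount path are placeholders that ntdsutil prints for you; the user name and port are constructed.

```powershell
# Run on the DC as a member of Domain Admins. Placeholders: {SNAPSHOT-GUID}, the $SNAP_ path.

# 1. Create a snapshot of the AD DS database (AD DS keeps running).
& ntdsutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"

# 2. List the snapshots and mount the one to inspect; ntdsutil prints the mount point.
& ntdsutil.exe "activate instance ntds" "snapshot" "list all" "quit" "quit"
& ntdsutil.exe "activate instance ntds" "snapshot" "mount {SNAPSHOT-GUID}" "quit" "quit"

# 3. Expose the mounted copy over LDAP on a port that nothing else uses.
$snapshotDit = 'C:\$SNAP_<timestamp>_VOLUMEC$\Windows\NTDS\ntds.dit'   # from step 2 output
$dsamain = Start-Process -FilePath dsamain.exe -PassThru `
    -ArgumentList "-dbpath `"$snapshotDit`" -ldapport 10389"

# 4. Compare the same object in the live directory and in the snapshot.
Import-Module ActiveDirectory
$props = 'memberOf', 'userAccountControl', 'description', 'servicePrincipalName'
$live = Get-ADUser -Identity jdoe -Server localhost       -Properties $props
$old  = Get-ADUser -Identity jdoe -Server localhost:10389 -Properties $props
foreach ($p in $props) {
    $now  = (@($live.$p) | Sort-Object) -join ';'
    $then = (@($old.$p)  | Sort-Object) -join ';'
    if ($now -ne $then) { "{0} changed`n  snapshot: {1}`n  live:     {2}" -f $p, $then, $now }
}

# 5. Clean up: stop Dsamain and unmount the snapshot so the copy is not left exposed.
Stop-Process -Id $dsamain.Id
& ntdsutil.exe "activate instance ntds" "snapshot" "unmount {SNAPSHOT-GUID}" "quit" "quit"
```

A mounted snapshot is a full copy of the directory, password hashes included, served by a process that answers LDAP with the same ACLs as the live data; treat the snapshot files and the side port as you would the DC itself and unmount as soon as the comparison is done.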
  • ADDS User Interface Improvements: To improve the installation and management of Active Directory® Domain Services (ADDS), the Windows Server® 2008 operating system includes an updated Active Directory Domain Services Installation Wizard. Windows Server 2008 also includes changes to the Microsoft Management Console (MMC) snap-in functions that manage ADDS. ADDS user interface (UI) improvements provide new installation options for domain controllers. Furthermore, the updated Active Directory Domain Services Installation Wizard streamlines and simplifies ADDS installation. 
  • ADDS Owner Rights: Owner Rights is a well-known security principal that you can add to the DACL of an object to specify the permissions that are assigned to owners of objects in the directory service. This added security feature overrides the default behavior of owners of objects in the system. Because owners of objects (as specified in the security descriptor of the object) have WRITE_DAC permission, they can give rights to themselves and to other security principals as they see fit.
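
The point of the Owner Rights principal is to take away the implicit WRITE_DAC an object owner would otherwise have. As an added example (not from the original post), the following PowerShell puts an Owner Rights ACE granting only read access on an OU, so that whoever creates (and therefore owns) objects under it cannot later rewrite their permissions. The OU name is constructed; the SID S-1-3-4 is the well-known SID for OWNER RIGHTS.

```powershell
Import-Module ActiveDirectory
$ouDN = "OU=Workstations,DC=corp,DC=example"   # constructed OU

# Well-known SID for the OWNER RIGHTS principal.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier "S-1-3-4"

# When an Owner Rights ACE is present, it replaces the owner's implicit READ_CONTROL/WRITE_DAC,
# so granting only GenericRead means owners can read but no longer edit the DACL.
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $ownerRights,
                  [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
                  [System.Security.AccessControl.AccessControlType]::Allow,
                  [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: the ACE shows up under the name "OWNER RIGHTS" and is inherited by child objects.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*OWNER RIGHTS*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

This matters most for objects created by delegated administrators or by computer accounts joining themselves to the domain: without an Owner Rights ACE, the creator keeps the ability to grant any principal full control over what they created.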

New AD Features in Windows Server 2008 R2

  • Active Directory Recycle Bin: Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (ADDS), or rebooting domain controllers. 
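
As an added example (not from the original post), this PowerShell enables the Recycle Bin, lists what is in it, and restores a deleted user and then a deleted OU with its former contents. Domain, user and OU names are constructed.

```powershell
Import-Module ActiveDirectory

# 1. Enable the feature once per forest. Requires forest functional level Windows Server 2008 R2
#    and cannot be undone. Forest name is constructed.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example' -Confirm:$false

# 2. What is in the bin, newest deletions first (the container itself is also flagged isDeleted).
Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 3. Restore one user by its original logon name; SID, group membership and password survive.
Get-ADObject -Filter { sAMAccountName -eq "jdoe" } -IncludeDeletedObjects | Restore-ADObject

# 4. Restore an OU and everything that used to live under it. The parent must exist again
#    before its children can be restored, so restore it first and then filter children
#    on lastKnownParent = the OU's live DN.
$deletedOu = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq "organizationalUnit" } `
    -IncludeDeletedObjects -Properties msDS-LastKnownRDN |
    Where-Object { $_.'msDS-LastKnownRDN' -eq 'Finance' }
Restore-ADObject -Identity $deletedOu.ObjectGUID
$parentDN = (Get-ADObject -Identity $deletedOu.ObjectGUID).DistinguishedName
Get-ADObject -Filter { lastKnownParent -eq $parentDN } -IncludeDeletedObjects | Restore-ADObject
```

Deleted objects stay restorable for the deleted-object lifetime (msDS-DeletedObjectLifetime, 180 days by default on a 2008 R2 forest) and are then recycled, after which only an authoritative restore from backup brings them back.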

  • Active Directory Cmdlets in Windows PowerShell: Windows PowerShell™ is a task-based command-line shell and scripting language designed especially for system administration. The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows PowerShell module (named Active Directory) that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
  • Active Directory Administrative Center: You can use Active Directory Administrative Center to perform the following Active Directory administrative tasks:
      ◦ Create new user accounts or manage existing user accounts
      ◦ Create new groups or manage existing groups
      ◦ Create new computer accounts or manage existing computer accounts
      ◦ Create new organizational units (OUs) and containers or manage existing OUs
      ◦ Filter Active Directory data by using query-building search

  • ADDS Active Directory Web Services: Active Directory Web Services (ADWS) in Windows Server 2008 R2 is a new Windows service that provides a Web service interface to the Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) instances, and Active Directory Database Mounting Tool instances running on the same Windows Server 2008 R2 server as ADWS. If the ADWS service on that server is stopped or disabled, client applications such as the Active Directory module for Windows PowerShell or the Active Directory Administrative Center cannot access or manage any directory service instance running on it. ADWS is installed automatically when you add the AD DS or AD LDS server role to a Windows Server 2008 R2 server, and it is configured to run once you make that server a domain controller by running Dcpromo.exe or create an AD LDS instance on it.
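
Because the PowerShell module and the Administrative Center fail when ADWS is unavailable, the first thing to check when they stop working is the service and its port. As an added example (not from the original post), the following PowerShell does that from a client; the DC name is constructed, and TCP 9389 is the port ADWS listens on.

```powershell
$dc = "DC01.corp.example"   # constructed DC name

# Service state through the Service Control Manager (RPC), which does not depend on ADWS.
Get-Service -Name ADWS -ComputerName $dc | Select-Object MachineName, Name, Status

# Is the ADWS port reachable from here? A firewall between client and DC that allows LDAP
# but not 9389 produces exactly the "cannot contact the server" errors the module reports.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($dc, 9389); "TCP 9389 open on ${dc}" }
catch   { "TCP 9389 unreachable on ${dc}: $($_.Exception.Message)" }
finally { $tcp.Close() }

# Let the DC locator find a DC that advertises ADWS. -Discover uses DsGetDcName rather than
# ADWS itself, so it still works when the DC you were targeting is the broken one.
Import-Module ActiveDirectory
$adwsDc = Get-ADDomainController -Discover -Service ADWS
"Point AD cmdlets at -Server $($adwsDc.HostName)"
```

Only Windows Server 2008 R2 domain controllers (or older ones with the Active Directory Management Gateway Service installed) advertise ADWS, which is why a mixed domain can have working LDAP on every DC and working cmdlets against only some of them.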

  • Offline Domain Join: Offline domain join is a new process that computers that run Windows® 7 or Windows Server® 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network.
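
As an added example (not from the original post), this PowerShell walks through an offline domain join with djoin.exe: provisioning the computer account from a connected host, protecting the provisioning blob, consuming it on the disconnected machine, and verifying the result. Domain, OU, machine name and paths are constructed.

```powershell
# Step 1: on a domain-joined admin host, create the computer account and write the blob.
#         Names are constructed for this example.
djoin.exe /provision /domain corp.example /machine WS-0042 `
    /machineou "OU=Branch-Workstations,DC=corp,DC=example" `
    /savefile C:\odj\WS-0042.txt

# Step 2: the blob contains the new machine account's password. Restrict it on disk,
#         move it to the target only over a channel you trust, and delete it after use.
icacls.exe C:\odj\WS-0042.txt /inheritance:r /grant:r "$env:USERDOMAIN\${env:USERNAME}:(R)"

# Step 3: on WS-0042 (Windows 7 / Windows Server 2008 R2, as local Administrator, no DC reachable):
#         inject the blob into the running OS and reboot. The machine completes the join the
#         first time it can reach a DC.
djoin.exe /requestODJ /loadfile C:\odj\WS-0042.txt /windowspath $env:SystemRoot /localos
Remove-Item C:\odj\WS-0042.txt
Restart-Computer

# Step 4: back on the admin host, confirm the account exists now and, once the machine has
#         had connectivity, that it has actually used it.
Import-Module ActiveDirectory
Get-ADComputer -Identity WS-0042 -Properties whenCreated, lastLogonDate, DistinguishedName |
    Select-Object Name, whenCreated, lastLogonDate, DistinguishedName
```

Provisioning creates the account in AD immediately, so an unused blob is a live credential for a computer object in your domain: track issued blobs and disable or delete accounts whose join never completes.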

  • Managed Service Accounts: The managed service account is designed to provide applications such as SQL Server or Exchange with automatic password management, which can better isolate these services from other services on the computer.
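
As an added example (not from the original post), this PowerShell creates a managed service account, binds it to the one computer allowed to use it (in Windows Server 2008 R2 an MSA is tied to a single host), installs it there and checks that the host can use it. Account, host and SPN names are constructed.

```powershell
Import-Module ActiveDirectory

# On an admin host: create the MSA (name at most 15 characters in Windows Server 2008 R2)
# and bind it to the single computer that will run the service. Names are constructed.
New-ADServiceAccount -Name "svc-report" -Enabled $true -Description "Report service on APP01"
Add-ADComputerServiceAccount -Identity "APP01" -ServiceAccount "svc-report"

# Register the SPN the service presents so Kerberos works without a manual setspn step.
Set-ADServiceAccount -Identity "svc-report" -ServicePrincipalNames @{ Add = "HTTP/app01.corp.example" }

# Review what was created: the account is a computer-like object with its own SID and
# a password nobody knows, which is the isolation the feature provides.
Get-ADServiceAccount -Identity "svc-report" -Properties HostComputers, ServicePrincipalNames |
    Select-Object Name, Enabled, HostComputers, ServicePrincipalNames

# On APP01 (local Administrator, AD module installed): install the account so that this host
# can retrieve and rotate its password, then confirm it is usable here.
Install-ADServiceAccount -Identity "svc-report"
if (-not (Test-ADServiceAccount -Identity "svc-report")) {
    throw "APP01 cannot use svc-report: check Add-ADComputerServiceAccount and replication"
}

# Last step is done in the Services console (or sc.exe config): set the service logon account
# to CORP\svc-report$ and leave the password blank. Windows fetches the password itself and
# changes it every 30 days, so no credential is stored with the application.
```

Unlike a shared "service" user account, an MSA cannot be used for interactive logon and its password is never handed to an administrator, so a leaked configuration file or a reused password no longer gives an attacker a path from one service to the next.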