Introducing the New Active Directory Domain Services in Windows Server 2008 R2

Windows Server 2008 introduced the most significant changes to Active Directory Domain Services (AD DS) since its inaugural release in Windows 2000 Server. Microsoft has continued along this path with Windows Server 2008 R2, making it the most noteworthy interim release of Windows Server.

AD DS in Windows Server 2008 R2 includes a number of important new features, including:
•Active Directory Recycle Bin
•Active Directory Module for Windows PowerShell
•Active Directory Administrative Center
•Active Directory Best Practices Analyzer
•Active Directory Web Services
•Authentication Mechanism Assurance
•Offline Domain Join
•Managed Service Accounts

Let’s take a closer look at each of these new features.

Active Directory Recycle Bin

Windows Server 2008 R2 includes a new Recycle Bin feature for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). The Active Directory Recycle Bin makes it possible to undo the accidental deletion of objects, so accidental deletions can be reversed without restoring data from backups, restarting the AD DS service, or rebooting domain controllers in Directory Services Restore Mode.

There are important considerations for the Active Directory Recycle Bin that you must be aware of:

•The Active Directory Recycle Bin feature requires a forest functional level of Windows Server 2008 R2
•The Active Directory Recycle Bin feature is a forest-wide feature, which applies to every domain in the forest
•The Active Directory Recycle Bin feature is disabled by default
•The Active Directory Recycle Bin feature cannot be disabled after it has been enabled
•When the Recycle Bin feature is enabled, you cannot roll back / lower functional levels – see: Roll Back / Lower Active Directory Functional Levels in Windows Server 2008 R2
•Objects that were deleted before the Active Directory Recycle Bin feature was enabled cannot be recovered by using the Recycle Bin.

The Active Directory Recycle Bin is not integrated into the Active Directory Users and Computers console or the new Active Directory Administrative Center. This means that objects cannot be recovered by using these tools. Instead, deleted objects can be displayed and recovered either by using the Ldp.exe program or by using Windows PowerShell cmdlets, which are included with the new Active Directory Module for Windows PowerShell.
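The procedure described above, as an added example that is not part of the original post: it verifies the forest functional level and the feature state, enables the Recycle Bin (an irreversible step), reads the recovery window, and restores a deleted user with the Active Directory Module cmdlets. The forest name contoso.com and the deleted user jsmith are constructed values.

```powershell
# Added example, not code from the original post.
# Assumptions (constructed): forest contoso.com, a user "jsmith" that was deleted
# after the Recycle Bin was enabled. Run on a Windows Server 2008 R2 DC or a
# workstation with the Active Directory Module for Windows PowerShell.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. The feature requires forest functional level Windows Server 2008 R2.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest is required."
}

# 2. The feature is off by default; EnabledScopes is empty until it is enabled.
$feature = Get-ADOptionalFeature -Filter { Name -like 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -eq 0) {
    Write-Host 'Recycle Bin is disabled. Enabling it cannot be undone and blocks lowering functional levels.'
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
} else {
    Write-Host "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
}

# 3. The recovery window is msDS-DeletedObjectLifetime (falls back to tombstoneLifetime,
#    and to 60 days if neither is set). Deleted objects older than this are not recoverable.
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsConfig = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
    -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
$window = $dsConfig.'msDS-DeletedObjectLifetime'
if (-not $window) { $window = $dsConfig.tombstoneLifetime }
if (-not $window) { $window = 60 }
Write-Host "Deleted objects can be restored for $window days."

# 4. Find the deleted object. -IncludeDeletedObjects is required; the filter excludes
#    the Deleted Objects container itself. lastKnownParent tells you where it will return to.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -ne 'Deleted Objects' -and sAMAccountName -eq 'jsmith' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

if (-not $deleted) {
    Write-Warning 'No deleted object named jsmith found (deleted before the feature was enabled, or outside the window).'
} else {
    # 5. Restore by GUID. If the parent OU was deleted too, restore the parent first
    #    (Restore-ADObject fails when lastKnownParent no longer exists).
    $parent = Get-ADObject -Filter { distinguishedName -eq $deleted.lastKnownParent } -IncludeDeletedObjects
    if ($parent -and $parent.Deleted) {
        Restore-ADObject -Identity $parent.ObjectGUID
    }
    Restore-ADObject -Identity $deleted.ObjectGUID -PassThru |
        Select-Object Name, DistinguishedName, ObjectGUID
}
```

Restoring by ObjectGUID rather than by name avoids ambiguity when several objects with the same name were deleted at different times; compare the whenChanged values before choosing which one to restore.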

Active Directory Module for Windows PowerShell

Windows Server 2008 R2 includes a new Active Directory Module for Windows PowerShell. This Active Directory module provides the ability to administer AD DS through 76 new cmdlets.

The Active Directory Module for Windows PowerShell is automatically installed when AD DS or AD LDS server roles are installed on a server that has the Standard, Enterprise, and Data Center editions of Windows Server 2008 R2. The Active Directory Module for Windows PowerShell can be manually installed on these same editions of Windows Server 2008 R2. In addition, the Active Directory Module for Windows PowerShell can be installed on a computer that has Windows 7 installed.

The cmdlets in the Active Directory Module for Windows PowerShell have self-explanatory names. For example, the Get-ADDomain cmdlet can be used to retrieve information about a domain; the Set-ADDomain cmdlet can be used to configure a domain. Additionally, the cmdlets share a common set of parameters.
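The Get-*/Set-* naming and the shared parameter set described above, shown in an added example that is not part of the original post: an audit of a privileged group that uses -Identity, -Server, -Credential, -Properties and -WhatIf in the same way across cmdlets. The domain controller name dc01.contoso.com and the group are constructed values.

```powershell
# Added example, not code from the original post.
# Assumptions (constructed): a DC named dc01.contoso.com and a delegated account
# CONTOSO\auditor that can read group membership and user attributes.
Import-Module ActiveDirectory

# Common parameters: -Server pins every call to one DC (useful for consistency during
# an audit) and -Credential avoids running the whole session as a privileged user.
$server = 'dc01.contoso.com'
$cred   = Get-Credential 'CONTOSO\auditor'

# Get-ADDomain retrieves; Set-ADDomain (not used here) would configure the same object.
$domain = Get-ADDomain -Server $server -Credential $cred
Write-Host "Auditing $($domain.DNSRoot) (domain mode: $($domain.DomainMode))"

# -Recursive expands nested groups; only user principals are of interest here.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive -Server $server -Credential $cred |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    # Extended attributes are not returned unless asked for with -Properties.
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled `
        -Server $server -Credential $cred

    New-Object PSObject -Property @{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordAgeDays      = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        LastLogonDate        = $u.LastLogonDate
    }

    # Set-ADUser is the counterpart of Get-ADUser and accepts the same -Identity value.
    # -WhatIf reports the change that would be made without applying it.
    if ($u.PasswordNeverExpires) {
        Set-ADUser -Identity $u -PasswordNeverExpires $false -Server $server -Credential $cred -WhatIf
    }
}

$report | Sort-Object PasswordAgeDays -Descending |
    Format-Table SamAccountName, Enabled, PasswordNeverExpires, PasswordAgeDays, LastLogonDate -AutoSize
```

Because every cmdlet in the module accepts -Server and -Credential, the same two variables carry through the whole script; drop -WhatIf on the Set-ADUser line only after the report has been reviewed.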

Active Directory Administrative Center

Windows Server 2008 R2 includes a new data management tool for AD DS, called Active Directory Administrative Center. The Active Directory Administrative Center is built on Windows PowerShell and provides the ability to manage AD DS data through data-driven and task-driven navigation. It is important to note that the Active Directory Administrative Center does not fully replace the Active Directory Users and Computers console. Microsoft has included the Active Directory Administrative Center in addition to the Active Directory Users and Computers console in Windows Server 2008 R2.

The Active Directory Administrative Center is automatically installed when the AD DS server role is installed on a server that has Windows Server 2008 R2 installed. The Active Directory Administrative Center can be manually installed on a member server that has Windows Server 2008 R2, but it cannot be installed on any domain controllers or member computers that have a version of Windows Server previous to Windows Server 2008 R2. The Active Directory Administrative Center can be manually installed on Windows 7 as part of Remote Server Administration Tools (RSAT).

Active Directory Best Practices Analyzer

Windows Server 2008 R2 includes a built-in best practice analyzer for AD DS. The Active Directory Best Practices Analyzer provides the ability to scan one or more servers against a set of predefined best practices. The Active Directory Best Practices Analyzer will report back whether each server is compliant or noncompliant with each best practice.

The Active Directory Best Practices Analyzer is installed automatically when the AD DS server role is installed on a server that has Windows Server 2008 R2 installed. The Active Directory Best Practices Analyzer can be used to scan Windows Server 2008 R2 domain controllers; it cannot be used to scan domain controllers that have a previous version of Windows Server installed.

The Best Practice Analyzer is integrated into Server Manager in Windows Server 2008 R2. An Active Directory Best Practice Analyzer scan can be performed by using the Best Practice Analyzer GUI in Server Manager. In addition, an Active Directory Best Practice Analyzer scan can be performed by using Windows PowerShell cmdlets.

The Active Directory Best Practice Analyzer includes over 40 checks, or best practices, in the Release Candidate of Windows Server 2008 R2. The number of checks that are run when a given domain controller is scanned depends on a number of factors, such as Operations Master roles, whether or not the domain controller is a global catalog server, etc. The Active Directory Best Practice Analyzer checks fall into the following categories in Windows Server 2008 R2:

•Site-specific SRV records
•Global SRV records
•Number of DCs in domain
•Operations Master role holder connectivity
•Operations Master role holder grouping
•DNS client
•Lingering objects
•Time service
•Backup
•Replication
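Running the Active Directory Best Practices Analyzer from Windows PowerShell, as an added example that is not part of the original post. It invokes the AD DS model, keeps only non-compliant results, groups them by the categories listed above, and writes a CSV for tracking. The domain controller names used for the remote run are constructed; the BestPractices module and the model ID Microsoft/Windows/DirectoryServices are the ones shipped with Windows Server 2008 R2.

```powershell
# Added example, not code from the original post.
# Run on a Windows Server 2008 R2 domain controller (the BPA cannot scan earlier versions).
Import-Module BestPractices

$modelId = 'Microsoft/Windows/DirectoryServices'   # the AD DS BPA model
$outFile = 'C:\bpa\adds-findings.csv'               # constructed output path

# Run the scan. Which rules execute depends on the DC's roles (Operations Master, GC, ...).
Invoke-BPAModel $modelId | Out-Null

# Retrieve the results and keep only Error/Warning findings; Information rows are compliant.
$findings = Get-BPAResult $modelId | Where-Object { $_.Severity -ne 'Information' }

# Summarise by category so noisy areas (DNS, replication, backup) stand out.
$findings | Group-Object Category | Sort-Object Count -Descending |
    Select-Object @{Name='Category'; Expression={$_.Name}}, Count |
    Format-Table -AutoSize

# Detail view with the remediation text the BPA supplies for each rule.
$findings | Sort-Object Severity, Category |
    Select-Object Severity, Category, Title, Problem, Resolution |
    Format-List

New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
$findings | Select-Object Severity, Category, Title, Problem, Impact, Resolution |
    Export-Csv -Path $outFile -NoTypeInformation

# To scan several DCs, run the same steps on each one through PowerShell remoting
# (assumes WinRM is enabled on the DCs; dc01/dc02 are constructed names).
$dcs = 'dc01.contoso.com', 'dc02.contoso.com'
$remote = Invoke-Command -ComputerName $dcs -ScriptBlock {
    Import-Module BestPractices
    Invoke-BPAModel 'Microsoft/Windows/DirectoryServices' | Out-Null
    Get-BPAResult 'Microsoft/Windows/DirectoryServices' |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object @{Name='Server'; Expression={$env:COMPUTERNAME}}, Severity, Category, Title
}
$remote | Sort-Object Server, Severity | Format-Table -AutoSize
```

Rerunning the scan after each fix and diffing the CSV is the simplest way to confirm that a finding is actually resolved rather than merely excluded with Set-BPAResult.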

Active Directory Web Services

Windows Server 2008 R2 includes a new Active Directory Web Services (ADWS) Windows service. ADWS provides a Web service interface to AD DS domains, AD LDS instances, and Active Directory Database Mounting Tool instances.

Active Directory Web Services is installed automatically when the AD DS or AD LDS server role is installed on a server that has Windows Server 2008 R2 installed. Active Directory Web Services requires TCP port 9389 to be open on the domain controller where the ADWS service is running.

Active Directory Web Services supports Windows Integrated authentication and simple authentication. Active Directory Web Services requires a server authentication certificate from a trusted certification authority.

Lastly, the Active Directory Web Services Windows service can be stopped and started, just as any other Windows service. However, the Active Directory Module for Windows PowerShell and the new Active Directory Administrative Center require the Active Directory Web Services for client connectivity.
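A connectivity check for the dependency described above, as an added example that is not part of the original post. It locates a domain controller advertising ADWS through the DC locator (which does not itself need ADWS), confirms the ADWS service is running, and tests TCP port 9389 with a timeout, so a failing Active Directory Module or Administrative Center session can be traced to a stopped service or a firewall rule. The domain name contoso.com is a constructed value.

```powershell
# Added example, not code from the original post.
# Assumptions (constructed): domain contoso.com; the caller can query service status
# remotely on the DCs. Only .NET classes available on PowerShell 2.0 are used.
Import-Module ActiveDirectory

function Test-TcpPort {
    # Returns $true if a TCP connection to $Server:$Port completes within $TimeoutMs.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-AdwsDomainController {
    # Checks the service state and the ADWS port on one DC.
    param([string]$HostName)
    $svc = Get-Service -Name ADWS -ComputerName $HostName -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        DomainController = $HostName
        ServiceState     = if ($svc) { $svc.Status } else { 'not installed / unreachable' }
        Port9389Open     = Test-TcpPort -Server $HostName -Port 9389
    }
}

# -Discover uses the DC locator, so it works even when no ADWS endpoint is reachable yet;
# -Service ADWS restricts the answer to DCs that advertise the Web service.
$adwsDc = Get-ADDomainController -Discover -Service ADWS -DomainName 'contoso.com'
Write-Host "DC locator returned $($adwsDc.HostName) as an ADWS-capable DC."

# The first result is then used as -Server for the module call that enumerates all DCs.
$allDcs = Get-ADDomainController -Filter * -Server $adwsDc.HostName | Select-Object -ExpandProperty HostName

$allDcs | ForEach-Object { Test-AdwsDomainController -HostName $_ } |
    Format-Table DomainController, ServiceState, Port9389Open -AutoSize
```

A DC whose ADWS service is stopped still answers LDAP and Kerberos, so users will not notice; only the PowerShell module and the Administrative Center fail, which is why this check is worth adding to routine DC monitoring.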

Authentication Mechanism Assurance

Windows Server 2008 R2 includes a new feature called authentication mechanism assurance, which is intended for companies that use certificate-based authentication methods, such as smart cards or token-based authentication systems. Authentication mechanism assurance provides the ability for applications to control resource access based on authentication strength and method.

Authentication mechanism assurance requires a domain functional level of Windows Server 2008 R2. This is another optional Active Directory feature, which must be manually enabled by using a cmdlet which is included with the Active Directory Module for Windows PowerShell.

Offline Domain Join

Windows Server 2008 R2 provides the ability to preprovision computer accounts in the domain to prepare operating system images for mass deployment. The new offline domain join can be used to join computers to an AD DS domain without network connectivity.

The Djoin.exe command-line tool is used to perform an offline domain join. Computers that are preprovisioned through an offline domain join actually join the domain, and contact a domain controller, when they first start up after the operating system installation. Additionally, computers do not require a restart at this point, which reduces the time and effort required for mass computer deployments.

Offline domain join can be used to preprovision computers running Windows 7 or Windows Server 2008 R2. It cannot be used to preprovision lower-level operating systems. The Djoin.exe command-line tool must be run on a computer that has Windows 7 or Windows Server 2008 R2 installed. The Djoin.exe command-line tool will automatically target a domain controller that has Windows Server 2008 R2 installed. However, this command-line tool does have a parameter that can be used to target domain controllers that have previous versions of Windows Server installed, if required.
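The two halves of an offline domain join, as an added example that is not part of the original post: a PowerShell wrapper that provisions a batch of computer accounts with djoin.exe (the executable name of the offline domain join tool) and saves one blob per machine, followed by the commands that consume a blob inside an image or on an installed system. The domain, OU, machine names and paths are constructed values. The blob files carry the machine account password, so the example keeps them in a restricted folder and removes them once consumed.

```powershell
# Added example, not code from the original post.
# Assumptions (constructed): domain contoso.com, target OU for workstations,
# a provisioning account with "Create computer objects" rights on that OU.
# Part 1 runs on a Windows 7 / Windows Server 2008 R2 admin workstation with network access.
$domain   = 'contoso.com'
$ouDn     = 'OU=Workstations,DC=contoso,DC=com'
$blobDir  = 'C:\odj'                      # restrict NTFS permissions on this folder
$machines = 'WS-0001', 'WS-0002', 'WS-0003'
$useDownlevelDc = $false                  # set $true only if no 2008 R2 DC is available

New-Item -ItemType Directory -Path $blobDir -Force | Out-Null

foreach ($name in $machines) {
    $blob = Join-Path $blobDir "$name.txt"
    $args = @('/provision', '/domain', $domain, '/machine', $name, '/machineou', $ouDn, '/savefile', $blob)
    # /downlevel is the parameter that lets djoin target a DC running an earlier Windows Server version.
    if ($useDownlevelDc) { $args += '/downlevel' }

    & djoin.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Provisioning $name failed (djoin exit code $LASTEXITCODE)"
        continue
    }
    Write-Host "Provisioned $name; blob saved to $blob"
}

# Optional verification from the same workstation: the accounts now exist in the OU,
# disabled-looking to nobody but not yet used by any machine.
Import-Module ActiveDirectory
Get-ADComputer -Filter * -SearchBase $ouDn | Select-Object Name, Enabled, DistinguishedName

# Part 2 runs with no domain connectivity, once per machine.
# (a) Into an offline image mounted at D:\mount (constructed), before sysprep/capture:
#     djoin.exe /requestodj /loadfile C:\odj\WS-0001.txt /windowspath D:\mount\Windows
# (b) On an already installed, running computer; the join completes at next boot:
#     djoin.exe /requestodj /loadfile C:\odj\WS-0001.txt /windowspath %SystemRoot% /localos
#
# After the blob has been consumed, delete it: anyone holding the file can join a
# machine to the domain under that computer identity until the account password rotates.
# Remove-Item (Join-Path $blobDir 'WS-0001.txt')
```

Because each blob is a credential for one computer account, treat the output folder the way you would treat a folder of service account passwords: restrict it, avoid copying it to shared deployment media, and delete blobs as soon as the corresponding image or machine has taken them.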

Managed Service Accounts

Windows Server 2008 R2 includes a new type of account called managed service accounts. Managed service accounts provide automatic password management and simplified Service Principal Name (SPN) management.

Managed service accounts can be used for applications that run on computers that have Windows 7 or Windows Server 2008 R2 installed. The functionality of managed service accounts is dependent on the domain functional level, the preparation of AD DS for Windows Server 2008 R2, and the operating system installed on domain controllers.

The domain functional level of Windows Server 2008 R2 provides native support for managed service accounts.

If the domain functional level is lower than Windows Server 2008 R2, you can still leverage managed service accounts, as long as the forest and domain have been prepared for Windows Server 2008 R2. The degree to which you can leverage managed service accounts varies based on the operating system that is installed on the domain controllers. If all domain controllers in the domain have Windows Server 2008 R2 installed, you can leverage managed service accounts for automatic password management and simplified SPN management. However, if the domain controllers have Windows Server 2008 or Windows Server 2003 installed, you can leverage automatic password management, but not SPN management; SPNs will need to be managed manually in this case.
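The managed service account lifecycle described in this section, as an added example that is not part of the original post: create the account, bind it to the host, install it on that host, point a Windows service at it, and verify that passwords are being rotated. It also shows the manual SPN step needed when the domain controllers are not all running Windows Server 2008 R2. The account name svc_webapp, the host APP01, the service name and the SPN are constructed values.

```powershell
# Added example, not code from the original post.
# Assumptions (constructed): domain CONTOSO (contoso.com), a Windows Server 2008 R2
# member server APP01 running a service named MyWebService, MSA name svc_webapp.
# Steps 1, 2 and 5 run from any machine with the Active Directory Module;
# steps 3 and 4 must run on APP01 itself as a local administrator.
Import-Module ActiveDirectory

$msaName  = 'svc_webapp'
$hostName = 'APP01'
$svcName  = 'MyWebService'
$spn      = 'HTTP/app01.contoso.com'

# 1. Create the managed service account. It is created in the domain's
#    "Managed Service Accounts" container; the SAM name is svc_webapp$.
New-ADServiceAccount -Name $msaName -Enabled $true

# 2. Authorise exactly one host to retrieve the account's password (MSAs in 2008 R2
#    are tied to a single computer; binding it elsewhere later requires re-binding).
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. On APP01: install the account locally so the LSA can use and rotate its password.
#    (Run this line on the host, not on a domain controller.)
Install-ADServiceAccount -Identity $msaName

# 4. On APP01: run the service as the MSA. The password is supplied by the OS, so it is
#    left empty here and never stored in the service configuration.
& sc.exe config $svcName obj= "CONTOSO\$msaName`$" password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
Restart-Service -Name $svcName

# SPN handling: with all DCs on Windows Server 2008 R2 the SPN can be managed through
# the account itself; with 2003/2008 DCs the SPN must be set and maintained manually.
$dcsBelowR2 = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
if ($dcsBelowR2) {
    Write-Host "Domain has $($dcsBelowR2.Count) DC(s) below 2008 R2: managing SPN manually."
}
Set-ADServiceAccount -Identity $msaName -ServicePrincipalNames @{ Add = $spn }

# 5. Verify: PasswordLastSet should advance automatically (the default rotation interval
#    is the domain's machine account password age, 30 days); HostComputers shows the binding.
Get-ADServiceAccount -Identity $msaName -Properties PasswordLastSet, HostComputers, ServicePrincipalNames |
    Select-Object Name, Enabled, PasswordLastSet, HostComputers, ServicePrincipalNames
```

The trailing `$` in `CONTOSO\svc_webapp$` is part of the account name; omitting it is the most common reason the service fails to start after step 4.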

Wrapping Up

As you can see, Windows Server 2008 R2 includes a number of new features specific to Active Directory Domain Services, which expand on the features that Microsoft introduced in Windows Server 2008. Some of these new features can be leveraged with a single domain controller that has Windows Server 2008 R2 installed, some require a domain functional level of Windows Server 2008 R2, and some require a forest functional level of Windows Server 2008 R2.
