Active Directory has undergone a number of changes in Server 2008, but none of them are earth-shattering. Microsoft has, however, addressed a number of pain points, which should make installing and maintaining AD easier. Enhancements include:
*DCpromo is smarter
– Rewritten to provide more advanced options to specify whether the server is a GC, set site membership, replication targets, and whether it should be a read-only DC.
*Read-Only DCs
-By default does not store passwords, as password replication is now selective
-Kerberos key separation – Each RODC has its own Kerberos accounts
-Limited rights to write to AD: RODCs are just workstation computer accounts and not a member of the usual domain controller groups.
-Unidirectional replication of AD and SYSVOL
-Password replication based on membership
-Great for branch offices or locations with questionable physical security
-Can reset passwords for all users with cached credentials upon decommission of the RODC
-Useful in domain isolation scenarios
-Local administrators on the server do NOT need domain admin rights, but will not have any AD rights. Great for patching/maintaining remote DCs.
*Re-startable AD
-AD is now a service you can start/stop/pause without rebooting.
*Admin role Separation
-Allows separation of local server administrators and domain administrators
-On full read/write DCs you must stop the AD service to allow local non-domain admins to log in.
*Granular Password Policy
-Allows the setting of password policies on users or groups (NOT OUs)
-Requires ADSI to edit, and cannot be set via GPOs.
-No longer need multiple domains to support a variety of password policies.
-Great for enforcing lengthy passwords on service accounts and administrators
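As an added illustration (not from the original notes), this is what a granular password policy looks like when created through LDAP rather than Group Policy: an LDIF file defining a Password Settings Object that enforces 20-character passwords on a service-account group, imported with ldifde. The domain name, PSO name and group DN are placeholders; the msDS-* attribute names and the time encoding (negative 100-nanosecond intervals) are the real schema.

```ldif
# Constructed example. Import with:  ldifde -i -f svc-pso.ldf
# PSOs live in the Password Settings Container and apply to users/groups, never OUs.
dn: CN=SvcAccountPSO,CN=Password Settings Container,CN=System,DC=example,DC=com
changetype: add
objectClass: msDS-PasswordSettings
# Lower precedence value wins when a user is covered by several PSOs.
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 20
# Ages/durations are negative 100ns ticks: 1 day = -864000000000
msDS-MinimumPasswordAge: -864000000000
# 60 days
msDS-MaximumPasswordAge: -51840000000000
msDS-LockoutThreshold: 10
# 30 minutes; lockout duration must be >= observation window
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
# Link the PSO to a group (placeholder DN); membership, not OU placement, decides who gets it.
msDS-PSOAppliesTo: CN=Service Accounts,OU=Groups,DC=example,DC=com
```

To confirm which PSO actually applies to a given account, read that user's msDS-ResultantPSO attribute in ADSI Edit.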
*Bitlocker compatible
-Full hard drive encryption is supported, so should a DC be stolen, an attacker cannot read the drive.
*Change Auditing
-Major overhaul to the auditing system, as seen first in Vista
-Allows a change history of AD object modifications, down to the property level
-Major improvement for tracking who changed what value, and what the old/new value is.
-More granular auditing options, with subcategories.
–Additions appear as additions
–Deletions appear as deletions
–Modifications appear as delete + add (separate audit entries)
–Logs who, when, where, before/after values