S 4.414 Overview of new functions for Active Directory under Windows Server 2008 and higher
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Basic information
The Active Directory introduced with Windows 2000 Server remains the fundamental basis for user and object administration under Windows Server 2008 and Windows 7. Although a domain controller under Windows Server 2008 offers some significant changes, the main requirements for planning and configuring the Active Directory are unchanged (see S 2.230 Planning of Active Directory administration and S 2.231 Planning of group policy under Windows). Because of the new options to separate the various Active Directory roles and to use Read-Only Domain Controllers (RODCs), the planning phase for Windows Server 2008 and its Active Directory is of particular importance.
New features under Windows Server 2008 and higher
Besides the central Active Directory service, the Active Directory Domain Services (AD DS), four further Active Directory services can be installed as a role:
- Active Directory Certificate Services (AD CS). In this use scenario, the Active Directory is used to publish certificates within a public key infrastructure (PKI). The certificate services were already present in earlier Windows Server versions, but without the Active Directory name prefix.
- Active Directory Federation Services (AD FS). This service was introduced with Windows Server 2008 R2. It authenticates users who are not members of the Active Directory; authenticating users of web applications is a common use.
- Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM). This service provides an LDAP server as a data repository for directory-enabled applications. The administrative overhead for domains and forests required in other scenarios does not apply here. A separate schema is maintained for each AD LDS installation.
- Active Directory Rights Management Services (AD RMS). The AD RMS service protects data and files by means of centrally controlled encryption.
These services can be selected as an individual role and can be installed on a dedicated system.
Further basic new features
One of the most important new features of Windows Server 2008 is the introduction of the Read-Only Domain Controller (RODC). This is a domain controller that only grants read access to the directory service. The RODC is suitable for locations where physical access by large groups of users cannot be prevented, e.g. because the system cannot be installed in a protected data centre environment. Differences from normal domain controllers are:
- Changes made on an exposed RODC are not replicated back to the domain (unidirectional replication); this includes, for example:
  - changes to the AD schema
  - changes to the DNS database
- Administration of the server can be separated from domain administration rights.
However, operating an RODC has potential disadvantages that must be taken into account:
- There is a high dependency on a full (writable) domain controller, since only this can create new objects in the Active Directory.
- Compatibility problems may occur when integrating third-party products with the AD of an RODC, which increases testing effort.
- A sound strategy for the local caching of user passwords must be defined, since all cached passwords can be read if the system is lost. For the accounts of domain administrators in particular, it should be considered whether caching is prevented; in that case, members of this group can log on to an RODC only if a connection to a full domain controller is available.
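The following PowerShell script is an added example (not part of this safeguard or of Microsoft's documentation) that audits the password caching strategy described above: for every RODC it checks that the privileged groups are covered by the denied list of the Password Replication Policy and reports which accounts already have cached secrets. It assumes the ActiveDirectory module (RSAT) is installed and the session runs with domain administration rights; the group names are the Windows defaults.

```powershell
# Added example (not from S 4.414): audit RODC password replication policies.
# Assumes RSAT ActiveDirectory module and a connection to a writable DC.
Import-Module ActiveDirectory

# Groups whose secrets should never be cached on an exposed RODC (assumption: adapt to local policy)
$sensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
    Write-Host "=== RODC $($rodc.HostName) ==="

    # Entries of the denied list; groups are expanded one level so that a group
    # nested in "Denied RODC Password Replication Group" is recognised as denied.
    $denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Denied
    $deniedNames = @()
    foreach ($entry in $denied) {
        $deniedNames += $entry.Name
        if ($entry.ObjectClass -eq 'group') {
            $deniedNames += (Get-ADGroupMember -Identity $entry | Select-Object -ExpandProperty Name)
        }
    }

    foreach ($group in $sensitiveGroups) {
        if ($deniedNames -notcontains $group) {
            Write-Warning "$group is NOT denied for password caching on $($rodc.HostName)"
            # Remediation (commented out so the audit stays read-only):
            # Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -DeniedList $group
        }
    }

    # Secrets already revealed to this RODC: if the system is lost, exactly these
    # passwords must be treated as compromised and reset.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts
    Write-Host "Accounts with passwords currently cached on this RODC: $(@($revealed).Count)"
    $revealed | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
}
```

The list of revealed accounts is the input for the incident procedure after a lost or stolen RODC; keeping it short is the practical goal of the caching strategy.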
Managed service accounts are a new feature introduced with Windows Server 2008 R2. They can be used for central administration of service accounts via the Active Directory (see S 4.284 Handling of services under Windows Server 2003 and higher).
Fine-grained password and account lockout policies now allow different levels of password policy to be used within a single domain (see S 4.48 Password protection under Windows systems).
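As an added example (not part of this safeguard), the following PowerShell script applies a stricter password and lockout policy to administrative accounts by means of a fine-grained password policy object (PSO) and then checks which policy is actually effective for such an account. The PSO name and the numeric values are assumptions for illustration and must be aligned with the organisation's password rules.

```powershell
# Added example (not from S 4.414): stricter PSO for administrative accounts.
# Assumes RSAT ActiveDirectory module and domain administration rights.
Import-Module ActiveDirectory

$psoName = 'PSO-Admins-Strict'   # assumed name

if (-not (Get-ADFineGrainedPasswordPolicy -Filter { Name -eq $psoName })) {
    $pso = @{
        Name                        = $psoName
        Precedence                  = 10                          # lower value wins if several PSOs apply
        MinPasswordLength           = 20                          # assumed values from here on
        ComplexityEnabled           = $true
        PasswordHistoryCount        = 24
        MinPasswordAge              = (New-TimeSpan -Days 1)
        MaxPasswordAge              = (New-TimeSpan -Days 90)
        LockoutThreshold            = 5
        LockoutDuration             = (New-TimeSpan -Minutes 30)
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
        ReversibleEncryptionEnabled = $false                      # never store reversible passwords
    }
    New-ADFineGrainedPasswordPolicy @pso
}

# Apply the PSO to the privileged groups; members inherit it via group membership.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins', 'Enterprise Admins'

# Verification: the resultant policy for each domain administrator must be the strict PSO,
# otherwise a PSO with a lower precedence value or a direct user assignment overrides it.
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [PSCustomObject]@{
            Account         = $_.SamAccountName
            EffectivePolicy = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
            MinLength       = if ($effective) { $effective.MinPasswordLength } else { $null }
        }
    } | Format-Table -AutoSize
```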
Further new basic features of the Active Directory under Windows Server 2008 R2 and higher include:
- Active Directory Recycle Bin: Accidentally deleted objects within the Active Directory can be restored by using the recycle bin function.
- Active Directory Administrative Center: Central management tool based on PowerShell, with advanced options for Active Directory administration. Note that the Active Directory Administrative Center is not a full replacement for the Active Directory Users and Computers management tool, because in some cases the two implement different functions.
- Active Directory Best Practice Analyzer: Tool for analysing the Active Directory settings. The results of the Best Practice Analyzer can be used as a basis for troubleshooting.
- Active Directory Web Services: This newly introduced service is a web service interface to Active Directory domains. It is typically used by applications that access the Active Directory via HTTP(S).
- Offline Domain Join: Systems can be joined to the domain in advance without a connection to the domain. The corresponding computers are added to the domain at first start.
- Active Directory Management Pack: Used for status monitoring of the central Active Directory Domain Services (AD DS).