Windows Server 2008 R2 Unleashed (37 page)

Outlining AD DS Changes in Windows Server 2008 R2

143

4

FIGURE 4.15

Enabling AD DS object auditing.

ptg

Reviewing Additional Active Directory Services

Five separate technologies in Windows Server 2008 R2 now contain the Active Directory

moniker in their title. Some of the technologies previously existed as separate products,

but they have all come under the global AD umbrella. These technologies are as follows:

.
Active Directory Lightweight Directory Services (AD LDS)—
AD LDS, previously

referred to as Active Directory in Application Mode (ADAM), is a smaller-scale direc-

tory service that can be used by applications that require a separate directory. It can

be used in situations when a separate directory is needed, but the overhead and cost

of setting up a separate AD DS forest is not warranted. Detailed information on AD

LDS can be found in Chapter 8.

.
Active Directory Federation Services (AD FS)—
AD FS in Windows Server 2008

R2 is an improvement to the older standalone versions of the ADFS product previ-

ously offered by Microsoft. AD FS provides for Single Sign-On technology to allow

for a user logon to be passed to multiple web applications within a single session.

Information on AD FS can also be found in Chapter 8.

.
Active Directory Certificate Services (AD CS)—
AD CS refers to the latest version

of Windows Certificate Services. AD CS provides for the ability to create a Public Key

Infrastructure (PKI) environment and assign PKI certificates to AD users and

machines. These certificates can be used for encryption of traffic, content, or logon

credentials. More information on deploying AD CS can be found in Chapter 14,

“Transport-Level Security.”

144

CHAPTER 4

Active Directory Domain Services Primer

.
Active Directory Rights Management Services (AD RMS)—
AD RMS is the evolu-

tion of the older Windows Rights Management Server technology. AD RMS is a ser-

vice that protects confidential information from data leakage by controlling what

can be done to that data. For example, restrictions can be placed on documents, dis-

allowing them from being printed or programmatically accessed (such as by cut-

ting/pasting of content). Chapter 13 covers this Active Directory technology in more

detail.

Examining Additional Windows Server 2008 R2 AD DS Improvements

In addition to the changes listed in the preceding sections, AD DS in Windows Server

2008 R2 supports the following features:

.
Read-Only Domain Controller (RODC) support—
Windows Server 2008 R2

includes the ability to deploy domain controllers with read-only copies of the

domain. This is useful for remote branch office scenarios where security might not

be tight. This scenario is covered in detail in Chapter 7.

.
Group Policy central store—
Administrative templates for group policies are stored

in the SYSVOL on the PDC emulator in Windows Server 2008 R2, resulting in

reduced replication and reduced SYSVOL size.

ptg

.
DFS-R Replication of the SYSVOL—
A Windows Server 2008 RTM/R2 functional

domain uses the improved Distributed File System Replication (DFS-R) technology

rather than the older, problematic File Replication Service (FRS) to replicate the

SYSVOL.

.
Active Directory database mounting tool (DSAMain)—
The Active Directory

database mounting tool (DSAMain.exe) allows administrators to view snapshots of

data within an AD DS or AD LDS database. This can be used to compare data within

databases, which can be useful when performing AD DS data restores. More informa-

tion on using this tool can be found in Chapter 7.

.
GlobalNames DNS zone—
Windows Server 2008 R2 DNS allows for creation of the

concept of the GlobalNames DNS zone. This type of DNS zone allows for a global

namespace to be spread across multiple subdomains. For example, a client in the

asia.companyabc.com subdomain would resolve the DNS name portal.asia.compa-

nyabc.com to the same IP address as a client in a different subdomain resolving por-

tal.europe.companyabc.com. This can improve DNS resolution in multizone

environments. More information on this technology can be found in Chapter 10.

Reviewing Legacy Windows Server 2003 Active Directory

Improvements

It is important to understand that AD DS is a product in constant development since its

release with Windows 2000. From humble beginnings, Active Directory as a product has

developed and improved over the years. The first major set of improvements to AD was

released with the Windows Server 2003 product. Many of the improvements made with

Windows Server 2003 AD still exist today in Windows Server 2008 R2 AD DS. It is subse-

Outlining AD DS Changes in Windows Server 2008 R2

145

quently important to understand what functionality in AD was born from Windows

Server 2003. The following key improvements were made in this time frame:

.
Windows Server 2003 Active Directory Domain Rename Tool—
Windows

Server 2003 originally introduced the concept of Domain Rename, which has

continued to be supported in Windows Server 2008 R2. This gives administrators the

ability to prune, splice, and rename AD DS domains. Given the nature of corpora-

tions, with restructuring, acquisitions, and name changes occurring constantly, the

ability of AD DS to be flexible in naming and structure is of utmost importance. The

Active Directory Domain Rename Tool was devised to address this very need.

Before AD DS domains can be renamed, several key prerequisites must be in place

before the domain structure can be modified. First, and probably the most impor-

tant, all domain controllers in the entire forest must be upgraded to Windows Server

2003 or 2008 in advance. In addition, the domains and the forest must be upgraded

4

to at least Windows Server 2003 functional level. Finally, comprehensive backups of

the environment should be performed before undertaking the rename.

The domain rename process is complex and should never be considered as routine.

After the process, each domain controller must be rebooted and each member

computer across the entire forest must also be rebooted (twice). For a greater under-

ptg

standing of the Domain Rename Tool and process, see Chapter 5, “Designing a

Windows Server 2008 R2 Active Directory.”

.
Cross-forest transitive trust capabilities—
Windows Server 2003 Active Directory

introduced the capability to establish cross-forest transitive trusts between two

disparate AD DS forests. This capability allows two companies to share resources

more easily, without actually merging the forests. Note that both forests must be

running at least at Windows Server 2003 functional levels for the transitive portion

of this trust to function properly.

.
AD DS replication compression disable support—
Another feature introduced in

Windows Server 2003 AD was the ability to turn off replication compression to

increase domain controller performance. This would normally be an option only for

organizations with very fast connections between all their domain controllers.

.
Schema attribute deactivation—
Developers who write applications for AD DS

continue to have the ability, introduced in Windows Server 2003, to deactivate

schema attributes, allowing custom-built applications to utilize custom attributes

without fear of conflict. In addition, attributes can be deactivated to reduce replica-

tion traffic.

.
Incremental universal group membership replication—
Before Windows Server

2003, Windows 2000 Active Directory had a major drawback in the use of universal

groups. Membership in those groups was stored in a single, multivalued attribute in

AD DS. Essentially, what this meant was that any changes to membership in a

universal group required a complete re-replication of all membership. In other

words, if you had a universal group with 5,000 users, adding number 5,001 would

require a major replication effort because all 5,001 users would be re-replicated

146

CHAPTER 4

Active Directory Domain Services Primer

across the forest. Windows Server 2003 and 2008 simplify this process and allow for

incremental replication of universal group membership. In essence, only the 5,001st

member is replicated in Windows Server 2003/2008.

.
AD–integrated DNS zones in application partitions—
Windows Server 2003

improved DNS replication by storing DNS zones in the application partition. This

basically meant that fewer objects needed to be stored in AD, reducing replication

concerns with DNS.

.
AD lingering objects removal—
Another major improvement originally introduced

with Windows Server 2003 and still supported in 2008 is the ability to remove lin-

gering objects from the directory that no longer exist.

Summary

Microsoft has worked to continue development of Active Directory Domain Services,

which has become a common framework to tie in the various applications and frame-

works. The success of Windows 2000 and 2003 Active Directory supplied Microsoft with

the medium into that common framework. Along with the addition of new capabilities

such as the AD Recycle Bin, fine-grained password policy support, RODCs, object auditing,

ptg

and other enhancements, the newest version of Active Directory builds on its “road

worthiness” and the real-world experience it gained with Windows 2000, Windows Server

2003, and Windows Server 2008 to bring a robust, secure environment for networking

services and functionality.

Best Practices

The following are best practices from this chapter:

. Design domains sparingly: Don’t necessarily set up multiple domains for different

remote offices or sites.

. Turn on the Active Directory Recycle Bin after upgrading to Windows Server 2008 R2

forest functional level to take advantage of the ability to do a full-fidelity restore of

domain objects that have been deleted.

. Purchase any internal or external domain namespaces that theoretically could be

bought and used on the Internet.

. Use RODCs in remote sites where security is not as strong.

. Strongly consider using Dynamic DNS in an AD DS domain environment.

. Turn on global AD DS auditing to gain a better understanding of what changes are

made to Active Directory objects.

Best Practices

147

. Consider using cross-forest transitive trusts between two disparate AD DS forests

when merging the forests is not an option.

. Place the infrastructure master role on a domain controller that isn’t also a global

catalog unless all domain controllers in the domain are global catalog servers or you

are in a single domain environment.

. Properly plan fine-grained password policies to avoid conflicting policies being

applied to users. Leave enough numerical space between the precedence numbers of

individual PSOs so as to allow for new PSOs to be placed above and below the PSO

in order of priority.

. Switch to Windows Server 2008 R2 Functional mode as early as possible, to be able

to take advantage of the numerous improvements, including AD Recycle Bin

support, fine-grained password policies, Kerberos improvements, last interactive

logon information, and the use of DFS-R for the SYSVOL replication.

4

. Use the ntdsutil command-line utility to transfer or seize OM roles in disaster recov-

ery situations.

. Use global groups to contain users in the domain in which they exist but also to

grant access to resources in other trusted domains.

ptg

. Use universal groups to contain users from any domain in the forest and to grant

access to any resource in the forest.

This page intentionally left blank

ptg

CHAPTER 5

IN THIS CHAPTER

Designing a Windows
. Understanding AD DS Domain

Design

Server 2008 R2 Active
. Choosing a Domain Namespace

. Examining Domain Design

Directory

Features

. Choosing a Domain Structure

. Understanding the Single

Proper design of a Windows Server 2008 R2 Active

Domain Model

Directory Domain Services (AD DS) structure is a critical

. Understanding the Multiple

component in the successful deployment of the technology.

Domain Model

Mistakes made in the design portion of AD DS can prove to

be costly and difficult to correct. Many assumptions about

. Understanding the Multiple

Trees in a Single Forest Model

basic AD DS domain and functional structure have been

made, and many of them have been incorrect or based on

. Understanding the Federated

erroneous information. Solid understanding of these

Forests Design Model

components is vital, however, and anyone looking at

ptg

. Understanding the Empty-Root

Windows Server 2008 R2 should keep this point in mind.

Domain Model

AD DS was specifically designed to be scalable. This means

Other books

For Love of a Cowboy by Yvonne Lindsay - For Love of a Cowboy
Skeleton Dance by Aaron Elkins
Juliana Garnett by The Quest
Unknown by Unknown
Half Moon Hill by Toni Blake
Blow Fly by Patricia Cornwell