
Active Directory

Active Directory provides the means to manage the identities and relationships that
make up your organization’s network. Integrated with Windows Server 2008, the next
generation of Active Directory gives you out-of-the-box functionality needed to
centrally configure and administer system, user, and application settings. With Active
Directory, you can simplify user and computer management, enable single sign-on
(SSO) access to your network resources, and help enhance the privacy and security of
stored information and communications.

Active Directory has proven itself as a robust directory service in Windows Server
2003 R2. Windows Server 2008 builds on the prior success of Active Directory with
several new and improved features:

Active Directory Domain Services

Active Directory Domain Services (AD DS), formerly known as Active Directory
Directory Services, is the central location for configuration information,
authentication requests, and information about all of the objects that are stored within
your forest. Using Active Directory, you can efficiently manage users, computers,
groups, printers, applications, and other directory-enabled objects from one secure,
centralized location. Enhancements to AD DS in Windows Server 2008 include:

• Auditing. Changes made to Active Directory objects can be recorded so that
you know what was changed on the object, as well as the previous and current
values for the changed attributes.
• Fine-Grained Passwords. Password policies can be configured for distinct
groups within the domain. No longer does every account have to use the same
password policy within the domain.
• Read-Only Domain Controller. A domain controller with a read-only
version of the Active Directory database can be deployed in environments
where the security of the domain controller cannot be guaranteed, such as
branch offices where the physical security of the domain controller is in
question, or domain controllers that host additional roles, requiring other users
to log on and maintain the server. The use of Read-Only Domain Controllers
(RODCs) prevents changes made at branch locations from potentially
polluting or corrupting your AD forest via replication. RODCs also eliminate
the need to use a staging site for branch office domain controllers, or to send
installation media and a domain administrator to the branch location.
• Restartable Active Directory Domain Services. Active Directory Domain
Services can be stopped and maintained. Rebooting the domain controller and
restarting it in Directory Services Restore Mode is not required for most
maintenance functions. Other services on the domain controller can continue
functioning while the directory service is offline.
• Database Mounting Tool. A snapshot of the Active Directory database can
be mounted using this tool. This allows a domain administrator to view the
objects within the snapshot to determine the restore requirements when
necessary.
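As an added example (not code from the source document), the fine-grained password policy described above, expressed with the ActiveDirectory PowerShell module, which assumes a Windows Server 2008 R2 or later management host and a domain at the Windows Server 2008 functional level; the group and policy names are hypothetical.

```powershell
# Added example, not from the source document. Assumes the ActiveDirectory
# module (Windows Server 2008 R2 and later, or RSAT) and a domain at the
# Windows Server 2008 functional level, which password settings objects
# (PSOs) require. "Tier0-Admins" and "PSO-Tier0-Admins" are hypothetical.
Import-Module ActiveDirectory

$group   = 'Tier0-Admins'
$psoName = 'PSO-Tier0-Admins'

# Create a stricter policy for the privileged group. A lower Precedence value
# wins when a user is a member of several groups that each carry a PSO.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs apply to users and to global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify the effective policy for one member: the resultant PSO is the
# lowest-precedence PSO that applies, or the domain policy if none applies.
$member = Get-ADGroupMember -Identity $group | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Review: list every PSO and who it applies to, to catch a weaker policy
# that has been attached to accounts it should not cover.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    ForEach-Object {
        [pscustomobject]@{
            PSO        = $_.Name
            Precedence = $_.Precedence
            MinLength  = $_.MinPasswordLength
            AppliesTo  = ($_.AppliesTo | ForEach-Object {
                            (Get-ADObject $_ -Properties sAMAccountName).sAMAccountName
                         }) -join ', '
        }
    } | Format-Table -AutoSize
```

A PSO linked directly to a user overrides any PSO inherited through group membership, so the review at the end is the quickest way to spot an exception someone linked to a single account.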

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS), formerly known as
Active Directory Application Mode, can be used to provide directory services for
directory-enabled applications. Instead of using your organization’s AD DS database
to store the directory-enabled application data, AD LDS can be used to store the data.
AD LDS can be used in conjunction with AD DS so that you can have a central
location for security accounts (AD DS) and another location to support the
application configuration and directory data (AD LDS). Using AD LDS, you can
reduce the overhead associated with Active Directory replication, you do not have to
extend the Active Directory schema to support the application, and you can partition
the directory structure so that the AD LDS service is only deployed to the servers that
need to support the directory-enabled application. Enhancements to AD LDS in
Windows Server 2008 include:

• Install from Media Generation. The ability to create installation media for
AD LDS by using Ntdsutil.exe or Dsdbutil.exe.
• Auditing. Auditing of changed values within the directory service.
• Database Mounting Tool. Gives you the ability to view data within
snapshots of the database files.
• Active Directory Sites and Services Support. Gives you the ability to use
Active Directory Sites and Services to manage the replication of the AD LDS
data changes.
• Dynamic List of LDIF files. With this feature, you can associate custom
LDIF files with the existing default LDIF files used for setup of AD LDS on a
server.
• Recursive Linked-Attribute Queries. LDAP queries can follow nested
attribute links to determine additional attribute properties, such as group
memberships.
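The auditing enhancement listed under AD DS above and the AD LDS auditing item in this list both record value changes through the "Directory Service Changes" audit subcategory. As an added example (not code from the source document), this script enables that subcategory on a domain controller and reconstructs the previous and current attribute values from the resulting Security log events; it assumes the affected objects carry a SACL that audits successful writes, and the detection hint at the end is the editor's, not the document's.

```powershell
# Added example, not from the source document. Run on a domain controller.
# Assumes the objects' SACLs audit successful writes (check with the object's
# Advanced Security Settings) so that 5136 events are actually generated.

# 1. Enable the "Directory Service Changes" subcategory (success only).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Pull the change events. 5136 = attribute modified, 5137 = object created,
#    5138 = object undeleted, 5139 = object moved, 5141 = object deleted.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 500

# 3. Flatten the event XML into one row per value change. Each 5136 event
#    carries a single attribute value and an OperationType of %%14674
#    ("Value Added") or %%14675 ("Value Deleted"); one modification shows up
#    as a Deleted/Added pair that shares the same OpCorrelationID.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Correlation = $d['OpCorrelationID']
        Actor       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object      = $d['ObjectDN']
        Attribute   = $d['AttributeLDAPDisplayName']
        Operation   = if ($d['OperationType'] -eq '%%14674') { 'Added' } else { 'Deleted' }
        Value       = $d['AttributeValue']
    }
}

# 4. Group by correlation ID so the previous value (Deleted) and the new
#    value (Added) of one modification appear on the same line.
$rows | Group-Object Correlation | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.Group[0].Time
        Actor     = $_.Group[0].Actor
        Object    = $_.Group[0].Object
        Attribute = $_.Group[0].Attribute
        Previous  = ($_.Group | Where-Object Operation -eq 'Deleted').Value -join '; '
        Current   = ($_.Group | Where-Object Operation -eq 'Added').Value -join '; '
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# Detection hint (editor's): alert on 'member' changes to privileged groups
# and on 'userAccountControl' or 'servicePrincipalName' changes to any account.
```

On a domain controller the local auditpol setting is overwritten at the next Group Policy refresh, so put the same subcategory in the Default Domain Controllers Policy under Advanced Audit Policy Configuration to make it stick.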

Active Directory Certificate Services

Most organizations use certificates to prove the identity of users or computers, as well
as to encrypt data during transmission across unsecured network connections. Active
Directory Certificate Services (AD CS) enhances security by binding the identity of a
person, device, or service to their own private key. Storing the certificate and private
key within Active Directory helps securely protect the identity, and Active Directory
becomes the centralized location for retrieving the appropriate information when an
application places a request. Enhancements to AD CS in Windows Server 2008
include:

• Enrollment Agent Templates. Delegated enrollment agents can be assigned
on a per-template basis.
• Integrated Simple Certificate Enrollment Protocol (SCEP). Certificates
can be issued to network devices, such as routers.
• Online Responder. Certificate Revocation List (CRL) entries can be returned
to the requestor as a single certificate response instead of the entire CRL. This
reduces the total amount of network traffic consumed when clients validate
certificates.
• Enterprise PKI (PKI View). A new management tool for AD CS, this tool
allows a Certificate Services administrator to manage Certification Authority
(CA) hierarchies to determine the overall health of the CAs and to easily
troubleshoot errors.

Active Directory Federation Services

Active Directory Federation Services is a highly secure, highly extensible, and
Internet-scalable identity access solution that allows organizations to authenticate
users from partner organizations. Using AD FS in Windows Server 2008, you can
simply and very securely grant external users access to your organization’s domain
resources. AD FS can also simplify integration between untrusted resources and
domain resources within your own organization. Enhancements to AD FS in
Windows Server 2008 include:

• Availability As an Integrated Server Role. AD FS is a server role within
Windows Server 2008 that can be easily deployed and managed using Server
Manager, instead of being handled as an added feature, as in Windows Server
2003 R2.
• Integration with Microsoft Office SharePoint Server 2007. AD FS can be
used to facilitate a single sign-on solution for Office SharePoint Server 2007.
• Integration with Active Directory Rights Management Services (AD
RMS). AD FS can integrate with AD RMS to support the sharing of rights-
protected content between organizations without requiring AD RMS to be
deployed in both organizations.
• Improved Administration. Importing and exporting trust information has
been enhanced so that each organization can quickly export or import XML
files to facilitate the configuration of trust information.

Active Directory Rights Management Services

Your organization’s intellectual property needs to be safe and highly secure. Active
Directory Rights Management Services, a component of Windows Server 2008, is
available to help make sure that only those individuals who need to view a file can do
so. AD RMS can protect a file by identifying the rights that a user has to the file.
Rights can be configured to allow a user to open, modify, print, forward, or take other
actions with the rights-managed information. With AD RMS, you can now safeguard
data when it is distributed outside of your network. Enhancements of AD RMS in
Windows Server 2008 include:

• Application Support. Support for AD RMS is already included within
Windows Vista. Internet Explorer 7 and the 2007 Microsoft Office system
already have support for AD RMS. The AD RMS client can also be installed
on other Windows operating systems.
• Persistent Protection. Your content can be protected on the go. You specify
who can open, modify, print, or manage the content, and the rights stay with
the content—even after it has been transferred outside of your organization.
• Usage Policy Templates. If you have a common set of rights that you use to
control access to information, a Usage Policy Template can be created and
applied to content. This alleviates the need to recreate the usage rights settings
for every file you want to protect.
• AD RMS Software Development Kit. The AD RMS Software Development
Kit (SDK) can be used by independent software vendors (ISVs) to rights-
enable their applications, meaning the application investments you’ve already
made may be (or will become) compatible with AD RMS.

Additional Active Directory Improvements

The Active Directory Installation Wizard includes several improvements over earlier
versions. These improvements make it easier for an administrator to control the
installation of domain controllers within the domain. Enhancements include:

• Better Management with Server Manager. Server Manager, the new Windows
Server 2008 server management tool, allows an administrator to pre-stage
domain controllers. When the domain controller role is added from the Server
Manager console, the files that are needed to perform the installation of the
directory service are copied to the server. When an administrator starts the
Installation Wizard, dcpromo.exe, the files are already cached and available.
o Install DNS.
o Create a Global Catalog server.
o Create a Read-Only Domain Controller.
o Select the domain for the domain controller (including selecting the
domain from a tree list).
o Select the domain controller’s Active Directory site.
o Set the domain’s functional level.
o Delegate the Read-Only Domain Controller installation and
administration user.
o Configure the Read-Only Domain Controller password replication
policy.
• Answer File Creation. If several domain controllers use the same settings
when they are installed, the Summary page allows you to export the settings
from the current installation into an answer file. The password used for your
Directory Services Restore Mode administrator account is not exported with
the answer file, and you can specify that the user who is installing the domain
controller is always prompted for the administrator password. This way,
passwords are not accessible to users who have access to the location where
the answer files are stored.
• Read-Only Domain Controller Installation. The new Read-Only Domain
Controller role can be installed using the Installation Wizard. When installing
a Read-Only Domain Controller, you can define who is allowed to install and
manage the domain controller. In the first phase of the installation, a domain
administrator can define the account that can install the Read-Only Domain
Controller. Once defined, the user that is associated with the Read-Only
Domain Controller will have the rights to install the directory service.
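The Read-Only Domain Controller password replication policy and the delegated RODC administrator described above, configured after the fact with the ActiveDirectory PowerShell module, as an added example that is not part of the source document; it assumes an existing RODC, and the computer and group names are hypothetical.

```powershell
# Added example, not from the source document. Assumes the ActiveDirectory
# module (Windows Server 2008 R2 and later, or RSAT) and an existing RODC.
# "BRANCH01-RODC", "Branch01-Users", "Branch01-Admins" and "Tier0-Admins"
# are hypothetical names.
Import-Module ActiveDirectory

$rodc = 'BRANCH01-RODC'

# Allow only the branch users' secrets to be cached on this RODC. The default
# policy already denies the built-in administrative groups through the
# "Denied RODC Password Replication Group"; the explicit deny below covers a
# custom privileged group that the default list does not know about.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch01-Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  'Tier0-Admins'

# Delegate local administration of the RODC (its ManagedBy attribute)
# without granting the delegate any domain-wide rights.
Set-ADComputer -Identity $rodc -ManagedBy 'Branch01-Admins'

# Review: which accounts' secrets have actually been cached on the RODC?
# If the branch server is lost, these are the credentials to reset first.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Check: a privileged account cached on the RODC means the policy has a gap.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$leak = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }
if ($leak) {
    Write-Warning "Privileged secrets cached on ${rodc}: $($leak.Name -join ', ')"
}
```

The allowed list only permits caching; a secret is cached when the account actually authenticates through the RODC, which is why the revealed-accounts query, not the policy itself, tells you what is exposed on the box.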
