Sunday, February 22, 2009

Windows Server 2008: Discover the New Active Directory Domain Services

There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft's commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

Auditing

Windows Server 2008 introduces significant changes to Active Directory Domain Services auditing. Active Directory Domain Services auditing in Windows Server 2008 is more granular than previous versions and provides you with more control over what is audited.

Active Directory Domain Services auditing is now divided into the following four subcategories:

* Directory Service Access
* Directory Service Changes
* Directory Service Replication
* Detailed Directory Service Replication

You can disable or enable Active Directory Services auditing at the subcategory level. For each subcategory, you can also configure whether to log successful events, failed events, both successful and failed events, or no auditing.

In Windows Server 2008, the new Directory Service Changes subcategory allows you to log the old value and new value of a changed attribute, in addition to the attribute name.

Windows Server 2008 also provides the ability to exclude the logging of changes to specific attributes by modifying the attribute properties.

The Active Directory Domain Services auditing subcategories are viewed and configured by using the Auditpol.exe command-line tool.

Fine-Grained Password Policies

Windows Server 2008 introduces the ability to create multiple password policies in a single domain, which is another first for Active Directory Domain Services. The introduction of fine-grained password policies in Windows Server 2008 allows organizations to create and manage multiple password policies and account lockout policies to meet diverse security requirements.

You can configure the same password policy and account lockout settings in a fine-grained password policy as you can at the domain level. Fine-grained password policies can be linked to users and to global groups. Because a user can inherit multiple fine-grained password policies, a precedence setting has been included to give you more granular control over which policy takes effect.

Fine-grained password policies are configured by using the ADSI Edit snap-in.

Read-Only Domain Controllers

Another first for Active Directory Domain Services is the introduction of a new type of domain controller in Windows Server 2008, the read-only domain controller (RODC). RODCs are intended to assist you in situations in which domain controllers must be deployed in locations where physical security cannot be guaranteed, such as branch offices.

Microsoft has implemented a number of mitigating measures to ensure a compromised RODC does not impact the rest of your Active Directory Domain Services environment. These measures include the following:

* Read-only database
* Unidirectional replication
* Credential caching
* Administrator role separation
* Read-only Domain Name System (DNS)

Restartable Active Directory Domain Services

Windows Server 2008 now runs Active Directory Domain Services as a true Windows service, which allows you to stop, start, and restart Active Directory Domain Services without having to restart the operating system.

In Windows 2000 Server and Windows Server 2003, the operating system on a domain controller had to be restarted in Directory Services Restore Mode for most maintenance and recovery. However, Windows Server 2008 now provides the ability to start, stop, and restart the Domain Controller service.

The domain controller service can be manipulated by using the Services snap-in or the Computer Management snap-in.

Database Mounting Tool

Windows Server 2008 includes a new ability to take snapshots of an Active Directory Domain Services database and mount these snapshots into a new database mounting tool.

The database mounting tool allows you to view an Active Directory Domain Services object's previous state. You can then use this to compare the object's previous state to the object in production. This is particularly useful if you know that an object's attributes were changed, but do not know what the previous value of the attributes were.

User Interface Improvements

A number of user interface improvements have been made in Windows Server 2008. The following is a list of some of the most noteworthy interface changes in Windows Server 2008:

* New installation options for domain controllers.
* A more streamlined and simplified installation process.
* Improvements to the Active Directory Users and Computers console.
* A built-in Attribute Editor, which is accessible on the properties page of each object in the Active Directory Domain Services management tools.

Owner Rights

Windows Server 2008 now provides the ability to limit the default permissions that the owner of an object is given. In previous versions of Windows, the owner of an object was given the ability to read and change permissions on the object, which was more than they required in most cases. This new functionality in Windows Server 2008 also applies to Active Directory Domain Services objects.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3796561

Monday, February 16, 2009

Active Directory Domain Services Fine-Grained Password and Account Lockout Policies

Since the release of Windows NT 3.1, Microsoft's first Network Operating System, password policies were limited to the domain level. This held true for Windows 2000 Server and Windows Server 2003 versions of Active Directory. However, Microsoft has introduced the ability to define multiple password and account lockout policies in Windows Server 2008.

This article takes a deeper look at the new Active Directory Domain Services fine-grained password and account lockout policies in Windows Server 2008.

Password Settings Container and Password Settings Objects

Active Directory Domain Services in Windows Server 2008 includes two new object classes for fine-grained password and account lockout policies: Password Settings Container and Password Settings objects. Fine-grained password and account lockout policies require a domain functional level of Windows Server 2008, so these two objects will not be used for domains with a lower domain functional level.

The Password Settings Container (PSC) is created in the System container of each domain that has a domain functional level of Windows Server 2008. The Password Settings Container stores the Password Settings objects for the domain. Once created by the system, the Password Settings Container cannot be moved, deleted, or renamed. You can view the Password Settings Container by enabling Advanced Features in the Active Directory Users and Computers console, or by using ADSI Edit or LDP.exe.

Password Settings objects (PSOs) are the objects that you create to define fine-grained password and account lockout policies. Password Settings objects are stored in the Password Settings Container for the domain. Multiple Password Settings objects can be stored. Password Settings objects can be created by using ADSI Edit and LDIFDE.

Password Settings Object Attributes

Password Settings objects include the nine attributes for the same Password Policy and Account Lockout settings as the Default Domain Policy. These nine attributes are mandatory and must be defined on every Password Settings object. These attributes are shown in the table below.

LDAP Display Name                          Description
msDS-PasswordHistoryLength                 Enforce password history
msDS-MaximumPasswordAge                    Maximum password age
msDS-MinimumPasswordAge                    Minimum password age
msDS-MinimumPasswordLength                 Minimum password length
msDS-PasswordComplexityEnabled             Passwords must meet complexity requirements
msDS-PasswordReversibleEncryptionEnabled   Store passwords using reversible encryption
msDS-LockoutDuration                       Account lockout duration
msDS-LockoutThreshold                      Account lockout threshold
msDS-LockoutObservationWindow              Reset account lockout after

Microsoft did not include the ability to create fine-grained password and account lockout policies in the Active Directory Users and Computers console in Windows Server 2008. As a result, the graphical interface to create Password Settings objects is the ADSI Edit console. The ADSI Edit console allows you to create Password Settings objects, and enter values for the attributes that are contained in Password Settings objects, in raw format. To set a Maximum Password Age of 42 days on a Password Settings object, you would enter a value of 42:00:00:00.

Controlling the Scope of Password and Account Lockout Policies

In addition to the above nine attributes, Password Settings objects also include two new attributes which are used to control the scope. These two attributes are shown in the table below:

LDAP Display Name                          Description
msDS-PSOAppliesTo                          PSO link
msDS-PasswordSettingsPrecedence            Precedence

The msDS-PSOAppliesTo attribute links a Password Settings object to users and/or global groups. It is a multivalued attribute, so a single Password Settings object can be linked to multiple users and/or global groups; the attribute holds a forward link to the user or group objects. The msDS-PasswordSettingsPrecedence attribute is mandatory and is used to resolve conflicts when more than one Password Settings object applies to a user or group.
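As an added example (not from the article), the following Python script puts the two preceding points together: it generates an LDIFDE add record for a Password Settings object carrying the nine mandatory attributes and the two scope attributes, converting the d:hh:mm:ss durations that ADSI Edit accepts (such as 42:00:00:00) into the negative 100-nanosecond interval values the attributes actually store, and it resolves which PSO wins for a user when several are linked via msDS-PSOAppliesTo. The domain DN, PSO names and account DNs are made up.

```python
from __future__ import annotations
from datetime import timedelta

TICKS_PER_SECOND = 10_000_000  # PSO durations are stored in 100-nanosecond units

def parse_adsi_duration(text: str) -> timedelta:
    """Parse the d:hh:mm:ss form ADSI Edit accepts (e.g. 42:00:00:00 = 42 days)."""
    days, hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def to_pso_interval(delta: timedelta) -> int:
    """Stored form: a negative count of 100-ns intervals (42 days -> -36288000000000)."""
    return -int(delta.total_seconds()) * TICKS_PER_SECOND

def pso_ldif(name, domain_dn, precedence, applies_to, max_age="42:00:00:00",
             min_age="1:00:00:00", lockout="0:00:30:00", history=24,
             min_length=7, threshold=0) -> str:
    """Emit an LDIFDE add record: nine mandatory settings plus the two scope attributes."""
    lines = [
        f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        f"msDS-PasswordHistoryLength: {history}",
        f"msDS-MaximumPasswordAge: {to_pso_interval(parse_adsi_duration(max_age))}",
        f"msDS-MinimumPasswordAge: {to_pso_interval(parse_adsi_duration(min_age))}",
        f"msDS-MinimumPasswordLength: {min_length}",
        "msDS-PasswordComplexityEnabled: TRUE",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-LockoutThreshold: {threshold}",
        f"msDS-LockoutDuration: {to_pso_interval(parse_adsi_duration(lockout))}",
        f"msDS-LockoutObservationWindow: {to_pso_interval(parse_adsi_duration(lockout))}",
    ]
    # msDS-PSOAppliesTo is multivalued: one line per linked user or global group DN
    lines += [f"msDS-PSOAppliesTo: {dn}" for dn in applies_to]
    return "\n".join(lines) + "\n"

def resultant_pso(user_dn: str, group_dns: set, psos: list) -> str | None:
    """Pick the PSO that applies: a PSO linked directly to the user beats any linked
    only through the user's global groups; within a tier the lowest precedence wins."""
    direct = [p for p in psos if user_dn in p["applies_to"]]
    via_group = [p for p in psos if group_dns & set(p["applies_to"])]
    candidates = direct or via_group
    if not candidates:
        return None  # no PSO linked: the Default Domain Policy settings apply
    return min(candidates, key=lambda p: p["precedence"])["name"]
```

Write the returned text to a file and import it with LDIFDE to create the PSO; the precedence resolver mirrors the conflict rule the article describes, so a PSO linked directly to a user wins even when a group-linked PSO has a lower precedence value.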

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3800436

Monday, February 9, 2009

Integrating Mac OS X with Active Directory

Active Directory within Mac OS X enables Mac clients and servers to integrate smoothly into existing AD environments, and provides the option of deploying a single directory services infrastructure that can support both Windows and Mac clients.

A key component of any modern computing environment, directory services allow organizations to centralize information about users, groups, and computing resources. A network-based repository consolidates resources, simplifies system management, and reduces support and administration costs. At the same time, it benefits users by enabling them to access enterprise resources from anywhere on the network. Thus, a directory services infrastructure offers advantages for both administrators and end users.

Of course, the full benefits of Active Directory services can only be realized when all of your desktop, laptop, and server systems are integrated into the same directory services infrastructure. This goal has been difficult to achieve in the past due to the proliferation of proprietary directory services solutions.

With the introduction of the Active Directory (AD) plug-in in Mac OS X v10.3 (Tiger), Apple made a concerted effort to enable IT administrators to integrate Mac OS X clients and servers easily into existing Active Directory infrastructures. While every Active Directory installation is different (especially in the enterprise space), Mac OS X integrates well with the vast majority of them, and with minimum effort.

Whatever combination of Mac, Windows, and Linux systems your organization uses, you no longer need to maintain a separate directory or separate user records to support your OS X systems. Users can move effortlessly between different computers while still adhering to enterprise policies for strong authentication and password-protected access to network resources.

Apple's support for Active Directory within Mac OS X enables Mac clients and servers to integrate smoothly into existing AD environments, and provides the option of deploying a single directory services infrastructure that can support both Windows and Mac clients.

Source: http://www.ciol.com/Developer/Operating-System/Tech-Papers/Integrating-Mac-OS-X-with-Active-Directory/4209115565/0/

Monday, February 2, 2009

Microsoft Active Directory Topology Diagrammer

The Microsoft Active Directory Topology Diagrammer is a really useful tool when documenting Active Directory domains of any size.

With the Active Directory Topology Diagrammer tool, you can read your Active Directory structure through Microsoft ActiveX Data Objects (ADO). The Active Directory Topology Diagrammer tool automates Microsoft Visio to draw a diagram of the Active Directory Domain topology, your Active Directory Site topology, your OU structure or your current Exchange 200X Server Organization.

With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, such as only one domain or one site. The objects are linked together and arranged in a reasonable layout, so that you can later work with the objects interactively in Microsoft Visio.


The Diagrammer is very flexible and allows the user to include and exclude granular information such as the following:
  • Domain(s) (child domains etc.)
  • Site(s)
  • OUs
  • Administrative Groups
  • Exchange connectors (Routing, SMTP, X.400, Notes etc.)
  • Users in the domain(s)
  • Trusts
  • User Count
  • Global Catalog servers
  • IP and SMTP Site links
  • Subnets
  • Inter/Intra Site Replication Connections
  • Number of Mailboxes
  • Application Partitions
  • Servers and OS version information (with color coding)

Source: http://thebackroomtech.com/2008/01/30/microsoft-active-directory-topology-diagrammer/