Changes to Active Directory

Microsoft has made many changes and improvements to Active Directory since its first incarnation for Windows 2000 Server. It is important for IT managers and administrators to understand the differences in Active Directory in regards to which version of Windows they are using.

Active Directory in Windows Server 2008 R2

Microsoft built on Windows Server 2008 with the release of R2, which featured two notable Active Directory changes. First, the company unveiled the new Active Directory Administrative Center (ADAC) for managing directory service objects, somewhat replacing the usual AD Users and Computers snap-in from past releases. One caveat of the ADAC is that it can only be used on machines running Windows Server 2008 R2; all previous versions of Windows still require AD Users and Computers. It can, however, be used to manage Windows 2003 and 2008 domains. It should also be noted that the old Users and Computers snap-in is still available with R2, so admins can continue to use it while learning the ins and outs of ADAC.

The second most notable update to Windows Server 2008 R2 Active Directory is the addition of the AD Recycle Bin. The tool is designed to work similar to the familiar Windows Recycle Bin to make it easier for admins to recover accidentally deleted objects. Though initially met with enthusiasm from IT pros, some were initially disappointed with the Active Directory Recycle Bin, citing that while it was a step in the right direction, the utility still lacked functionality found in more mature, third-party recovery tools.

Other Active Directory changes with Windows 2008 R2 include a Best Practices Analyzer, a flurry of new PowerShell cmdlets and added offline domain join functionality. Microsoft also introduced a new managed service accounts feature designed to improve security for application management. The company has announced plans to improve the feature with the first service pack for R2 for app servers and services running in perimeter networks. Windows Server 2008 R2 SP1 will also feature enhancements for domain controller scalability.

Changes to Active Directory for Windows Server 2008

Once again, many changes to Active Directory were made with Windows Server 2008. Microsoft has incorporated two very significant features with Windows Server 2008 that will probably relate to most Active Directory deployments: the read-only domain controller (RODC) and server roles.

The read-only domain controller is perhaps the marquee feature for Active Directory in Windows Server 2008. The RODC hosts a read-only copy of the Active Directory database. That is, you can't make any changes to the Active Directory database from a read-only domain controller. You can connect to an RODC to read any information you like (with a few exceptions, which we'll get to in a moment), but you will not be able to perform any write operations without connecting to or being referred to a writeable domain controller.

Also with RODC, the administrator can determine which accounts will be replicated to the domain controller, and replication is unidirectional. RODC does not perform any outbound replication. This is a fundamental change from the typical multi-master replication model that many have become familiar with in Active Directory. In Windows 2000 Server and Windows Server 2003, an administrator can connect to any domain controller to make a change, and that change will be replicated out to the rest of Active Directory via outbound replication from the DC that the change originated from.

This is not so with the RODC. The read-only domain controller will receive inbound replication from other writeable Windows Server 2008 DCs, but it will not replicate any information whatsoever out to other DCs. This solves a lot of security issues at remote sites since it will minimize accounts exposed at the site (presumably not any admin accounts), and anything compromised at the site will not make it out of the site. Combined with the new BitLocker technology, RODC will allow deployment of DCs at smaller sites where it was not feasible before.

Server Core was also developed for Windows Server 2008 as a response to customer requests to provide a lean server operating system that would permit specific server functions to run without all the overhead of the GUI. It has been referred to by Microsoft as a bare bones installation of Windows Server 2008.

With Server Core, after logon, a user will be presented with a desktop with no start menu, taskbar or icons, and two command windows. Installation of roles such as Dynamic Host Configuration Protocol (DHCP), DNS, file services and print server will be done completely from the command line. However, this environment will still allow users to open applications such as Event Viewer, notepad and others. In addition to making the server better defined for administrative purposes and reducing the hardware resources required, Server Core also permits better security at remote sites, allowing a smaller footprint of exposure.

Other changes include the Restartable Active Directory, which allows AD to be restarted without rebooting the server. You can accomplish this via the command line and MMC Snap-ins. It is designed to save admins time on offline operations (like an offline defrag of Active Directory) without taking the server offline and shutting down other services and applications.

Active Directory improvements with Windows Server 2003 SP1

Several changes in Windows Server 2003 Service Pack 1 have to do with the way Active Directory handles "tombstoned" objects. Just like in Windows 2000, when you delete an Active Directory object, it is not immediately deleted; instead, it's marked as a tombstoned object. This allows the deletion to be replicated properly to other domain controllers. Once an object has been in this tombstoned state for a certain amount of time, it is finally deleted outright.

In Windows 2000, the default tombstone lifetime was 60 days. However, in Windows Server 2003, Microsoft changed it to 180 days, effectively tripling the amount of time that a deletion had to be communicated to all of the domain controllers in an environment. However, if you have already installed Active Directory using either Windows 2000 or the original Windows Server 2003 media, the default tombstone lifetime will not automatically change when you upgrade to Windows Server 2003 SP1. You will only receive the 180-day tombstone lifetime value automatically by building a pristine 2003 SP1 Active Directory forest.

In addition to modifying the tombstone lifetime for new Active Directory installations, 2003 Service Pack 1 added the SID History attribute to the list of attributes that are retained when an object is tombstoned. When an Active Directory object is tombstoned, it is stripped of most of its attributes, so the tombstoned object only takes up a fraction of the size of the original object within the Active Directory database. Each user, group and computer object within Active Directory is assigned a numeric security identifier, or SID. SIDs are unique within the domain and do not change, even if the security principal is renamed or moved to another container within the same domain.

Prior to Windows Server 2003 SP1, one of the attributes that was stripped when an object was tombstoned was this SID History attribute, which meant that if you restored an object, any previous SIDs that were recorded in its SID History were lost. Fortunately, Windows Server 2003 SP1 includes SID History among the attributes retained when an object is deleted.

Service Pack 1 also made changes in the types of Active Directory information that are logged in the Event Viewer on a domain controller, thus allowing for more proactive monitoring and easier troubleshooting. One such update is Event ID 2089, which is recorded in the Directory Service event log if any directory partition has not been backed up for a significant length of time (half of the tombstone lifetime or more). The event is logged whether the partition is the Schema, Configuration, or domain partitions -- or any application partitions or ADAM partitions that are hosted on the DC in question.

Ever since SP1, administrators can also now run domain controllers using virtualization technology such as Microsoft Virtual Server 2005. That allows you to run multiple domains or forests on a single machine or to use virtualization to reduce the attack footprint of a physical server by separating its roles onto multiple virtual machines.

Differences in Active Directory for Windows 2000 and Windows 2003

For the new features and improvements that were built into Windows Server 2003's Active Directory, Microsoft focused on five areas:

        * Integration and productivity
        * Performance and scalability
        * Administration and configuration management
        * Group Policy
        * Security

Some changes in the areas of integration and productivity include the abilities to edit multiple Active Directory objects simultaneously, as well as improved interoperability via inetOrgPerson for Novell and Netscape solutions. Replication monitoring was also improved for Windows Server 2003. In particular, a replication enhancement called linked-value replication for objects such as Active Directory group objects was significant, especially for large environments. Linked-value replication solved problems such as inconsistent replication and delays by replicating multi-valued attributes separately.

As far as performance and scalability goes, Microsoft eliminated the need to contact a global catalog (GC) server each time a user logs in. For Windows Server 2003, the GC information is cached at the local domain controller. Other enhancements include support for clustered virtual servers, DC overload prevention and GC replication tuning controls.

For better configuration management, Microsoft added automated DNS zone creation, improved inter-site replication and the ability to rename domains. Better migration and command-line tools were also created for Windows Server 2003 Active Directory. Some of the new command-line tools include:

        * dsadd -- Allows you to create objects from the command line
        * dsmove -- Moves an object from one OU or container to another within the same domain
        * dsrm -- Will delete an object from Active Directory
        * dsquery -- Will return an object or list of objects that matches criteria that you specify
        * dsget -- Will return one or more attributes of a particular Active Directory object

As for Group Policy, Windows Server 2003 greatly improved the Group Policy management interface, which is able to interact with both 2003 and 2000 GPOs. Other improvements included GPO results reports, over 150 new GPO controls and improved client management features. New security features included forest trusts, trusted namespaces, cross-forest authentication and authorization, and a credential manager.

Other changes to Active Directory for Windows Server 2003 include the "Install from Media" option for promoting new domain controllers into a domain, and the Users and Computers MMC snap-in which allows admins to move an object from one location in the directory tree to another more easily.