
Active Directory Improvements in Windows Server 2008

http://www.trainsignal.com/blog/windows-server-2008-active-directory
By Jason Ensinger, July 2, 2008
In the Beginning
When Active Directory was first introduced with Windows 2000 Server it quickly became the most widely deployed
network resource management system in use.
By providing a single logon from the Windows logon prompt that grants authenticated access to resources both on the
local machine and across the network, together with a single point of administration, it delivered results that are hard
to argue with.
The first version of Active Directory used access control lists (ACLs) on directory objects to provide an object-based
method of managing access to network resources.
Still, not every business need was met by the initial release of Active Directory.
Certificate Services, the Windows certification authority that issues the certificates used to secure web-based resources
such as e-mail, and Microsoft Metadirectory Services (MMS), the Windows method for synchronizing identities across multiple
network directories, were both separate components from Active Directory.
Here and Now
When Microsoft released Windows Server 2003, Active Directory's prominence was secured by responding to customer demands
for better integration with other network security components.
Microsoft improved the way Active Directory and Certificate Services worked together, and MMS was replaced with Microsoft
Identity Integration Server (MIIS), which provided even better integration with other directory types.
Additional features were added in the Windows Server 2003 timeframe, such as the Authorization Manager and Windows
Rights Management Services (RMS).
The Authorization Manager introduced role-based access control (RBAC), which lets administrators group permissions by
job role and associate a single user with multiple job roles.
RMS gives the administrator the ability to attach usage policies to documents and e-mail so that the requirements of the
newer information protection laws follow the content wherever it goes. RMS works together with Certificate Services and IIS
to enforce its policies on the local network and on the World Wide Web.
With Windows Server 2003 R2, Active Directory Federation Services (ADFS) was introduced and Active Directory Application
Mode (ADAM), previously a separate download, shipped with the operating system.
ADFS extends the convenience of Active Directory's single sign-on authentication to the web by creating a single user
session that can be used across multiple web applications, including applications hosted by partner organizations.
ADAM was introduced so directory-enabled applications could take advantage of Active Directory's directory and access
control model without requiring an actual domain or domain controller.
Windows Server 2008
In Windows Server 2008 Active Directory has continued down its path of integration with its latest family of components.
Active Directory components are now available as server roles, which I have listed below:
Active Directory Domain Services (AD DS)
Active Directory Certificate Services (AD CS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Federation Services (AD FS)
Active Directory Rights Management Services (AD RMS)
As you have probably noticed, the server roles listed above all contain Active Directory in the name. The new Active
Directory roles provide the same functionality as the many identity and access components from previous Windows Server
versions, but under new names.
Active Directory Domain Services (AD DS)
Active Directory Domain Services is the new name for what was previously just called Active Directory, and it remains the
core Active Directory component. Aside from improvements to the user interface, there are four major improvements to AD DS,
which I will go over below.
Read-only domain controllers (RODC) provide a safer option for physically insecure environments, such as branch offices,
by hosting a read-only replica of the directory pulled from a writable domain controller.

Changes cannot be made on an RODC, and by default it stores no account passwords at all: only the credentials of accounts
that its Password Replication Policy explicitly allows, and that have actually authenticated through it, are cached on
the server. If an RODC is stolen or breached, only those cached credentials need to be reset; the whole directory does
not have to be rebuilt.
Auditing enhancements: the single Directory Service Access audit category is now split into four subcategories: Directory
Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication.

Directory Service Changes in particular records the old and new values of a modified attribute, which allows for more
precise event searching and logging policy management.
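The practical value of the Directory Service Changes subcategory is that each modification carries the attribute's old and new values, so changes can be correlated and alerted on. The following added example (written for this article, not Microsoft's code) parses a handful of such events and flags three things a defender cares about: a member added to a privileged group, "password never expires" being switched on, and an object deletion. The event IDs (5136 modified, 5137 created, 5141 deleted) and the field names mirror the real events, but the log lines are a constructed one-line flattening of the event data rather than real Windows output, and the operation type is written as plain text instead of the resource string the real event uses.

```python
"""Triage of Windows Server 2008 "Directory Service Changes" audit events.

Added example for this article, not Microsoft's code. Event IDs are the real
ones (5136 modified, 5137 created, 5141 deleted) and field names mirror the
XML data names of those events, but the sample lines are a constructed
one-line flattening of the event data, not real log output.
"""

# Constructed sample events. Modifying a single-valued attribute produces two
# 5136 events sharing one OpCorrelationID: "Value Deleted" (old value) then
# "Value Added" (new value). Adding to a multi-valued attribute such as
# member is a lone "Value Added".
SAMPLE_LOG = """\
EventID=5137; OpCorrelationID=c1; SubjectUserName=jdoe; ObjectDN=CN=svc-deploy,OU=Service,DC=corp,DC=example; ObjectClass=user
EventID=5136; OpCorrelationID=c2; SubjectUserName=jdoe; ObjectDN=CN=svc-deploy,OU=Service,DC=corp,DC=example; ObjectClass=user; AttributeLDAPDisplayName=description; OperationType=Value Deleted; AttributeValue=temp
EventID=5136; OpCorrelationID=c2; SubjectUserName=jdoe; ObjectDN=CN=svc-deploy,OU=Service,DC=corp,DC=example; ObjectClass=user; AttributeLDAPDisplayName=description; OperationType=Value Added; AttributeValue=Deployment service account
EventID=5136; OpCorrelationID=c3; SubjectUserName=jdoe; ObjectDN=CN=Domain Admins,CN=Users,DC=corp,DC=example; ObjectClass=group; AttributeLDAPDisplayName=member; OperationType=Value Added; AttributeValue=CN=svc-deploy,OU=Service,DC=corp,DC=example
EventID=5136; OpCorrelationID=c4; SubjectUserName=helpdesk1; ObjectDN=CN=alice,OU=Staff,DC=corp,DC=example; ObjectClass=user; AttributeLDAPDisplayName=userAccountControl; OperationType=Value Deleted; AttributeValue=512
EventID=5136; OpCorrelationID=c4; SubjectUserName=helpdesk1; ObjectDN=CN=alice,OU=Staff,DC=corp,DC=example; ObjectClass=user; AttributeLDAPDisplayName=userAccountControl; OperationType=Value Added; AttributeValue=66048
EventID=5141; OpCorrelationID=c5; SubjectUserName=jdoe; ObjectDN=CN=Audit-Readers,OU=Groups,DC=corp,DC=example; ObjectClass=group
"""

PRIVILEGED_GROUPS = {  # constructed watch-list; extend for your own forest
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=example",
}
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag


def parse_event(line):
    """One 'key=value; ...' line -> dict. Distinguished names contain commas
    and '=' signs, so split on '; ' and on the first '=' only."""
    return dict(part.split("=", 1) for part in line.strip().split("; "))


def correlate(events):
    """Group the events of one operation by OpCorrelationID, collecting the
    deleted values as 'old' and the added values as 'new' so a modification
    reads as before -> after."""
    ops = {}
    for ev in events:
        op = ops.setdefault(ev["OpCorrelationID"], {
            "event": ev["EventID"], "actor": ev["SubjectUserName"],
            "object": ev["ObjectDN"], "attr": ev.get("AttributeLDAPDisplayName"),
            "old": [], "new": []})
        if ev.get("OperationType") == "Value Deleted":
            op["old"].append(ev["AttributeValue"])
        elif ev.get("OperationType") == "Value Added":
            op["new"].append(ev["AttributeValue"])
    return list(ops.values())


def alerts(log_text):
    """Run three detections over the correlated operations; returns alert strings."""
    found = []
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    for op in correlate(events):
        if op["event"] == "5136" and op["attr"] == "member" and op["object"] in PRIVILEGED_GROUPS:
            for member in op["new"]:
                found.append(f"privileged-group-add: {op['actor']} added {member} to {op['object']}")
        elif op["event"] == "5136" and op["attr"] == "userAccountControl":
            old = int(op["old"][0]) if op["old"] else 0
            new = int(op["new"][0]) if op["new"] else 0
            if new & DONT_EXPIRE_PASSWORD and not old & DONT_EXPIRE_PASSWORD:
                found.append(f"password-never-expires-set: {op['actor']} on {op['object']}")
        elif op["event"] == "5141":
            found.append(f"object-deleted: {op['actor']} deleted {op['object']}")
    return found


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

The userAccountControl rule only fires because the old value is available: 512 is a plain enabled account and 66048 is the same account with the 0x10000 bit set, so comparing before and after distinguishes "switched on by this change" from "was already set".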
Granular password and account lockout policies: domains are no longer limited to a single password or lockout policy.
Multiple Password Settings Objects (PSOs) can now be created in a domain and applied to global security groups or
individual users, with a precedence value deciding which one wins when more than one applies to a user.
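Because several PSOs can apply to one user, the resultant policy is decided by precedence rules that are easy to get wrong. The following added example (written for this article, not Microsoft's code) models those rules: a PSO linked directly to the user beats any group-linked PSO, the lowest msDS-PasswordSettingsPrecedence value wins among candidates at the same level, an exact tie goes to the PSO with the lowest objectGUID, and with no PSO at all the default domain policy applies. The PSOs, users and groups are constructed; group nesting is assumed to be flattened in advance, and the GUIDs are short constructed hex strings compared lexically in place of the binary comparison AD performs.

```python
"""Resultant fine-grained password policy (msDS-ResultantPSO), modelled.

Added example for this article, not Microsoft's code. Reproduces the rules
Windows Server 2008 applies when several Password Settings Objects (PSOs)
could apply to one user:
  1. a PSO linked directly to the user beats any PSO linked to a group;
  2. among candidates at the same level, the lowest precedence value wins;
  3. on a tie, the PSO with the lowest objectGUID wins;
  4. with no PSO at all, the domain's default password policy applies.
PSOs, users and groups below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    lockout_threshold: int  # 0 means the account is never locked out


@dataclass(frozen=True)
class PSO:
    policy: PasswordPolicy
    precedence: int         # msDS-PasswordSettingsPrecedence, lower wins
    guid: str               # objectGUID; constructed hex, compared lexically here
    applies_to: frozenset   # msDS-PSOAppliesTo: user names and global security group names


DEFAULT_DOMAIN_POLICY = PasswordPolicy("Default Domain Policy", min_length=7, lockout_threshold=0)


def _winner(candidates):
    """Lowest precedence first; the GUID breaks exact ties deterministically."""
    return min(candidates, key=lambda p: (p.precedence, p.guid)) if candidates else None


def resultant_policy(user, user_groups, psos):
    """user_groups: the global security groups the user belongs to, nesting
    already flattened (AD ignores PSOs linked to other group types)."""
    direct = [p for p in psos if user in p.applies_to]
    via_group = [p for p in psos if p.applies_to & user_groups]
    chosen = _winner(direct) or _winner(via_group)
    return chosen.policy if chosen else DEFAULT_DOMAIN_POLICY


SAMPLE_PSOS = [  # constructed
    PSO(PasswordPolicy("PSO-Admins", 15, 3), precedence=10, guid="0a7e",
        applies_to=frozenset({"Domain Admins"})),
    PSO(PasswordPolicy("PSO-ServiceAccounts", 20, 0), precedence=20, guid="1b32",
        applies_to=frozenset({"Service Accounts"})),
    PSO(PasswordPolicy("PSO-Contractors", 10, 5), precedence=20, guid="0c91",
        applies_to=frozenset({"Contractors"})),
    PSO(PasswordPolicy("PSO-Exception-Bob", 8, 10), precedence=99, guid="ff01",
        applies_to=frozenset({"bob"})),
]

SAMPLE_USERS = {  # constructed: user -> flattened global security groups
    "alice": frozenset({"Domain Admins", "Service Accounts"}),
    "bob": frozenset({"Domain Admins"}),
    "dave": frozenset({"Service Accounts", "Contractors"}),
    "erin": frozenset({"Domain Users"}),
}


def resolve_all(users=SAMPLE_USERS, psos=SAMPLE_PSOS):
    return {u: resultant_policy(u, g, psos).name for u, g in users.items()}


if __name__ == "__main__":
    for user, policy in resolve_all().items():
        print(f"{user}: {policy}")
```

The cases worth noticing: bob gets his directly linked exception PSO even though its precedence value (99) is the worst of all, because a user link always beats a group link; dave is in two groups whose PSOs tie at precedence 20, so the lower GUID decides and he gets the contractor policy rather than the service-account one. An operator who assumed "lowest number always wins" would have predicted bob's policy wrong.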
Restartable AD DS: you can now perform maintenance on AD DS by simply stopping the Active Directory Domain Services
service, while the other services on the machine keep running.

Before, you had to reboot the machine into Directory Services Restore Mode to perform such maintenance, which led to
more downtime.
Active Directory Certificate Services (AD CS)
Certificate Services is named Active Directory Certificate Services in Server 2008. There are several notable
improvements to AD CS. I have listed the major changes below.
Certificate Web enrollment improvements: the ActiveX control for Web enrollment, XEnroll.dll, has been replaced with
the COM control CertEnroll.dll. The new control is more secure and manageable.
Network device enrollment support: AD CS now provides built-in support, through the Network Device Enrollment Service,
for issuing certificates to routers, switches and other network devices that have no domain account, so that the
applications using those devices can authenticate to other network entities.
Online Certificate Status Protocol (OCSP) support: Server 2008 includes an OCSP responder (the Online Responder) as an
optional role service.

An OCSP responder answers a client's query about the revocation status of a single certificate, so clients no longer
have to download the entire certificate revocation list (CRL), which improves network performance.
Enterprise PKI (PKIView): PKI Health has a new name and is now available as an MMC snap-in. This tool is used for
troubleshooting and monitoring the health of certificates and certification authorities.
CAPI2 Diagnostics: a new PKI troubleshooting feature that performs highly detailed logging of certificate chain building
and validation.
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Lightweight Directory Services (AD LDS) is the new name for Active Directory Application Mode (ADAM).
AD LDS is essentially the same as ADAM, except that it is now available as an in-box role in Server 2008, whereas in
Server 2003 it had to be downloaded from the Microsoft Download Center.
As mentioned previously in reference to ADAM, AD LDS is a stripped-down version of AD DS designed to be used by
applications. Many CRM and HR applications use a directory for storing their data. AD LDS can be used instead of AD DS,
making it possible to run these applications without a domain, a domain controller or changes to the domain schema.

Active Directory Federation Services (AD FS)
The name for Active Directory Federation Services (AD FS) remains the same, save the addition of a space in the
acronym.
AD FS allows businesses to set up federation trusts with other organizations' directories, enabling those directories'
users to use their own credentials across the trust. While there is little change to the name, a couple of notable
improvements have been made, which I will go over below.
Federation trust import/export support: before, configuring a federation trust was a long manual process. The manual
process is still long; however, once a trust is set up, its settings can be exported and then imported on other AD FS
servers.
AD FS deployment limiting: a Group Policy setting can be applied to block deployment of AD FS servers on Windows
Server 2008.
Active Directory Rights Management Services (AD RMS)
The follow-up to Windows RMS is Active Directory Rights Management Services (AD RMS).
The purpose of AD RMS remains the same as its predecessor's. It is now integrated with Office 2007 and Internet Explorer
7 for protecting sensitive information hosted on the server; for example, rights can be applied to e-mail messages to
prevent recipients from forwarding them.
AD RMS is available as a role in Server 2008 and now includes an MMC snap-in for administration as opposed to a Web-
based interface.
Still More to Come
The preceding components are the five Active Directory roles released in Windows Server 2008. This year MIIS has been
updated for Server 2003 under the title Identity Lifecycle Manager, and an updated release for Server 2008, code-named
Identity Lifecycle Manager 2, is currently in beta.
Notable new features in this release include administration from a GUI and from SharePoint Services, as well as an
approval request process for content from Office 2007 applications. You can find out more about Identity Lifecycle
Manager 2 here.
While it would have been nice to have Identity Lifecycle Manager included with Server 2008, it goes to show that Microsoft
knows its work is never finished and will keep improvements to Active Directory coming.
