Tuesday, August 24, 2010

Windows Server 2008 - Active Directory Domain Services Role

Active Directory Domain Services Role (AD DS)
The following topics describe changes in AD DS functionality available in this release:
AD DS: Auditing
AD DS: Fine-Grained Password Policies
AD DS: Read-Only Domain Controllers
AD DS: Restartable Active Directory Domain Services
AD DS: Data Mining Tool
AD DS: User Interface Improvements

AD DS: Auditing
New values are logged when changes are made to AD DS objects and their attributes.
The global audit policy Audit directory service access controls whether auditing for directory service events is enabled or disabled. This security setting determines whether events are logged in the Security log when certain operations are carried out on objects in the directory. You can control which operations to audit by modifying the system access control list (SACL) on an object. In Windows Server 2008, this policy is enabled by default.
Auditing AD DS access
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service events was enabled or disabled.
In Windows Server 2008, this policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
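The Directory Service Changes subcategory records attribute values in Event ID 5136 entries; the script below, an added example that is not part of the original post, pairs the old-value and new-value halves of one modification and flags additions to privileged groups. The sample events, the domain DC=corp,DC=example and the user names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: Directory Service Changes events (Event ID 5136) in the XML
# shape "wevtutil qe Security /f:xml" emits. Windows logs one attribute modification as
# two events with the same OpCorrelationID: Value Deleted (old value, message code
# %%14675) followed by Value Added (new value, code %%14674).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OP_VALUE_ADDED, OP_VALUE_DELETED = "%%14674", "%%14675"

def make_event(corr_id, dn, attr, value, op):
    # Constructed 5136 event carrying only the fields the parser needs.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID></System><EventData>'
            f'<Data Name="OpCorrelationID">{corr_id}</Data><Data Name="SubjectUserName">jsmith</Data>'
            f'<Data Name="ObjectDN">{dn}</Data><Data Name="AttributeLDAPDisplayName">{attr}</Data>'
            f'<Data Name="AttributeValue">{value}</Data><Data Name="OperationType">{op}</Data>'
            f'</EventData></Event>')

OU_DN = "OU=Branch,DC=corp,DC=example"
ADMINS_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
SAMPLE_EVENTS = [
    # an OU description edited: the old value is removed, then the new one added
    make_event("{A1}", OU_DN, "description", "Branch office", OP_VALUE_DELETED),
    make_event("{A1}", OU_DN, "description", "Branch office (RODC site)", OP_VALUE_ADDED),
    # a user added to a privileged group: only a Value Added half exists
    make_event("{B2}", ADMINS_DN, "member", "CN=Bob,OU=Branch,DC=corp,DC=example", OP_VALUE_ADDED),
]

def reconstruct_changes(xml_events):
    """Pair 5136 events by (OpCorrelationID, object DN, attribute) into old -> new records."""
    changes = {}
    for text in xml_events:
        root = ET.fromstring(text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
            continue  # other Directory Service Changes events (create/delete/move) are skipped
        data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
        key = (data["OpCorrelationID"], data["ObjectDN"], data["AttributeLDAPDisplayName"])
        rec = changes.setdefault(key, {"who": data["SubjectUserName"], "old": None, "new": None})
        if data["OperationType"] == OP_VALUE_ADDED:
            rec["new"] = data["AttributeValue"]
        elif data["OperationType"] == OP_VALUE_DELETED:
            rec["old"] = data["AttributeValue"]
    return changes

def privileged_group_additions(changes, watched_groups):
    """Detection rule: (actor, new member) for every member added to a watched group."""
    return [(rec["who"], rec["new"]) for (_, dn, attr), rec in changes.items()
            if attr == "member" and dn in watched_groups and rec["new"] is not None]
```

Only objects whose SACL requests auditing of the relevant write operations produce these events, so the rule is only as complete as the SACLs on the monitored containers.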

AD DS: Fine-Grained Password Policies
The Windows Server® 2008 operating system provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. In Microsoft® Windows® 2000 and Windows Server® 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain. These policies were specified in the Default Domain Policy for the domain. As a result, organizations that wanted different password and account lockout settings for different sets of users had to either create a password filter or deploy multiple domains. Both options are costly, for different reasons.
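A fine-grained policy is an msDS-PasswordSettings object (a PSO) linked to a group; the generator below is an added example, not code from the original post, that writes the LDIF for one such object. The domain DC=corp,DC=example, the group and the policy values are assumptions.

```python
# Constructed example: generates the LDIF that creates a fine-grained password policy
# (an msDS-PasswordSettings object, "PSO") under the domain's Password Settings Container
# and links it to a group through msDS-PSOAppliesTo. Domain and group names are made up.
# PSO time attributes are stored as negative counts of 100-nanosecond intervals
# (Windows I8 format); to_i8_interval does that conversion.
HUNDRED_NS_PER_SECOND = 10_000_000

def to_i8_interval(days=0, hours=0, minutes=0, seconds=0):
    """Duration -> negative 100-ns count, e.g. 42 days -> -36288000000000."""
    total_seconds = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -total_seconds * HUNDRED_NS_PER_SECOND

def build_pso_ldif(name, domain_dn, applies_to_dn, precedence, min_length,
                   max_age_days, lockout_threshold, lockout_minutes):
    """Return LDIF for 'ldifde -i -f pso.ldf' (needs Windows Server 2008 domain functional level)."""
    dn = f"CN={name},CN=Password Settings Container,CN=System,{domain_dn}"
    attrs = [
        ("objectClass", "msDS-PasswordSettings"),
        ("cn", name),
        ("msDS-PasswordSettingsPrecedence", precedence),   # lowest value wins if several PSOs apply
        ("msDS-PasswordReversibleEncryptionEnabled", "FALSE"),
        ("msDS-PasswordHistoryLength", 24),
        ("msDS-PasswordComplexityEnabled", "TRUE"),
        ("msDS-MinimumPasswordLength", min_length),
        ("msDS-MinimumPasswordAge", to_i8_interval(days=1)),
        ("msDS-MaximumPasswordAge", to_i8_interval(days=max_age_days)),
        ("msDS-LockoutThreshold", lockout_threshold),
        ("msDS-LockoutObservationWindow", to_i8_interval(minutes=lockout_minutes)),
        ("msDS-LockoutDuration", to_i8_interval(minutes=lockout_minutes)),
        ("msDS-PSOAppliesTo", applies_to_dn),             # group (or user) the PSO applies to
    ]
    lines = [f"dn: {dn}", "changetype: add"] + [f"{k}: {v}" for k, v in attrs]
    return "\n".join(lines) + "\n"

# Example: a stricter policy for the domain admins group than the Default Domain Policy
ADMIN_PSO = build_pso_ldif("PSO-Admins", "DC=corp,DC=example",
                           "CN=Domain Admins,CN=Users,DC=corp,DC=example",
                           precedence=10, min_length=15, max_age_days=42,
                           lockout_threshold=5, lockout_minutes=30)
```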

AD DS: Read-Only Domain Controllers
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems.

As a result, users in this situation receive the following benefits:
Improved security
Faster logon times
More efficient access to resources on the network
Who will be interested in this feature? Organizations with branch offices that have:
Relatively few users
Poor physical security
Relatively poor network bandwidth to a hub site
Little knowledge of information technology (IT)
This feature provides:
Read-only AD DS database
Unidirectional replication
Credential caching
Administrator role separation
Read-only Domain Name System (DNS)
Read-only AD DS database
Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds.
RODC filtered attribute set
You can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set. Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest.
Administrator role separation
You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers.
Read-only DNS
You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC, clients can query it for name resolution as they query any other DNS server.

AD DS: Restartable Active Directory Domain Services
Restartable AD DS reduces the time that is required to perform certain operations. AD DS can be stopped so that updates can be applied to a domain controller; also, administrators can stop AD DS to perform tasks such as offline defragmentation of the Active Directory database, without restarting the domain controller. Other services that are running on the server and that do not depend on AD DS to function, such as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while AD DS is stopped.
AD DS: Data Mining Tool
The data mining tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots or backups that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.
Using the data mining tool, you can examine any changes that are made to data that is stored in Active Directory Domain Services (AD DS). For example, if an object is accidentally modified, you can use the data mining tool to examine the changes and help you better decide how to correct them if necessary.
AD DS: User Interface Improvements
To improve the installation and management of Active Directory® Domain Services (AD DS), Windows Server® 2008 includes an updated Active Directory Domain Services Installation Wizard. Windows Server 2008 also includes changes to the Microsoft Management Console (MMC) snap-in functions that manage AD DS.
New wizard pages (page - description):

Additional Domain Controller Options - Specifies that during the domain controller installation, the domain controller will also be configured to be a DNS server, global catalog server, or RODC. An RODC can also be a DNS server and a global catalog server.

Select a Domain - Specifies the name of the domain where you are installing an additional domain controller.

Select a Site - Specifies the site in which the domain controller should be installed.

Set Functional Levels - Sets the domain and forest functional level during the installation of a new domain or forest.

Delegation of RODC Installation and Administration - Specifies the name of the user or group who will install and administer the RODC in a branch office.

Password Replication Policy - Specifies which account passwords to allow or deny from being cached on an RODC. This page appears only if the Use advanced mode installation check box is selected.

DNS delegation creation - Provides a default option to create a DNS delegation based on the type of domain controller installation (as specified on the Choose a Deployment Configuration page) and the DNS environment.


Related topics (outline):
Active Directory (AD DS) installation
AD Users and Computers tool - new in 2008
Read-only DCs
GPMC - new in 2008 - GPO search and filter
Stop AD DS in Windows Server 2008 without restarting the DC
Windows Server 2008 AD DS auditing
