Tuesday, 24 April 2007 3:26 PM
kens
New in Longhorn Server - Active Directory Changes Part 1
Longhorn Server brings a number of changes to the way Active Directory operates: new features, new naming, and new administrative tools. I'll try to cover most of the major changes over two posts.
Firstly, Active Directory is changing name-wise. The Active Directory that most of us are familiar with will be called Active Directory Domain Services, and Active Directory Application Mode (ADAM) will be known as Active Directory Lightweight Services.
Active Directory setup will change in a few ways. Firstly, to support the new Server Core SKU, which has no GUI management options, the dcpromo process can now be fully automated. Secondly, a few additional options are exposed in the dcpromo setup process (e.g. being able to associate a DC with an AD Site).
Active Directory will now have an "Offline" mode, where the server is still running but the Active Directory services have been stopped. This will allow administrators to perform tasks like an offline defrag, or patching Active Directory, without having to reboot the server or boot it into Directory Services Restore Mode (DSRM). Whilst the DC is in "AD Offline" mode, clients will no longer be able to use directory services (such as authentication), much as when Netlogon is stopped today. However, "AD Offline" mode has the benefit of allowing admins to carry out administrative actions while the server stays up.
Possibly one of the biggest new features will be a new type of Active Directory DC called a "Read Only DC" (RODC). The RODC will hold a non-writable copy of most of the directory. Clients can use the RODC to perform read operations, but cannot write changes to it. Applications that need to write changes will be given a referral to a DC that holds a writable copy of the directory.
The RODC will not, by default, hold user credentials. This means that users or computers attempting to authenticate will have their authentication handled by an upstream, regular DC. Depending on the password caching policy in effect for the RODCs, user credentials can be cached by an RODC, allowing the RODC to authenticate the user in future (until the user changes their password).
The RODC is aimed at scenarios where the physical security of a DC is poor, e.g. small or remote branch offices. An attacker who steals or otherwise gains access to such a DC will not be able to compromise the directory further by writing potentially inimical changes back to the regular, writable Domain Controllers.
Lastly, a new delegation wizard (in ADU&C) will allow a Domain Administrator to delegate permissions to a regular user to administer the RODC, without having to give that user any additional domain permissions. This allows IT support staff in a remote branch office to perform administrative tasks on that RODC without being given permissions on any other Domain Controllers in the domain.
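To show how the scripted dcpromo mentioned earlier and the RODC fit together, here is an unattended answer file for promoting a branch-office server as a Read Only DC pinned to a named site. This is an added, constructed example and not from the original post; the domain name, site name, account name and paths are assumptions.

```ini
; Constructed example: unattended RODC promotion on Longhorn Server (Windows Server 2008).
; Run on the target server (Server Core or full) as:  dcpromo /unattend:C:\rodc-unattend.txt
; The domain, site, account and paths below are placeholders, not values from the original post.
[DCInstall]
; Promote as a read-only replica of an existing domain rather than a writable DC
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
; Associate the new DC with the branch-office AD Site at promotion time
SiteName=Branch-Office-Site
InstallDNS=Yes
ConfirmGc=Yes
; Account used to perform the promotion; "*" prompts for the password instead of storing it in the file
UserDomain=corp.example.com
UserName=corp\dc-promotion-admin
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; DSRM password: supply it at promotion time rather than leaving a secret in a file on the server
SafeModeAdminPassword=<set-at-promotion-time>
RebootOnCompletion=Yes
```

Because the file can carry credentials, delete it from the server once the promotion has completed.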
In the next part, we'll look at additional changes to Active Directory, such as Auditing changes, password policy changes, and new Group Policy functionality!