Active Directory Domain Services (formerly known as Active Directory) and Identity Management in Windows Server 2008 now cover several different services:
- Active Directory Domain Services (AD DS)
- Active Directory Federation Services (AD FS)
- Active Directory Lightweight Directory Services (AD LDS)
- Active Directory Rights Management Services (AD RMS).
- Active Directory Certificate Services (AD CS)
Each service represents a Server Role, a new concept in Windows Server 2008.
What’s new in Windows Server 2008
There have been a lot of new features and functions added to the Active Directory in Windows Server 2008.
In this article I will focus on the Active Directory Domain Services (AD DS) in Windows Server 2008, which includes several enhancements and new features compared to Windows Server 2003.
Here is a short overview of the main changes and new Domain Services functionality, which I will focus on in this article:
- Active Directory Domain Services – Read-Only Domain Controllers
- Active Directory Domain Services – Restartable Active Directory Domain Services
- Active Directory Domain Services – Fine-Grained Password Policies
Active Directory Domain Services
The Domain Services functionality has been carried forward and updated in Windows Server 2008, along with an improved setup wizard (Server Manager). This also provides new management options for AD DS features such as Read-Only Domain Controllers (RODCs).
The Active Directory Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed.
The RODC’s main purpose is to improve security in branch offices. In branch offices it is often hard to get the physical security needed for an IT infrastructure, especially for Domain Controllers that contain sensitive data. Often a DC can be found under a desk in the office. If someone gets physical access to the DC, it is not hard to manipulate the system and get access to the data. The RODC solves these issues.
The essentials of RODC are:
- Read-Only Domain Controller
- Administrative Role Separation
- Credential Caching
- Read-Only DNS
Read-Only Domain Controller
RODC holds a non-writable and read-only copy of the Active Directory database with all objects and attributes. RODC only supports uni-directional replication of Active Directory changes, which means that the RODC always replicates directly with the Domain Controllers in the HUB site.
Figure A: Replication to RODC
The RODC will perform normal inbound replication from the HUB site for Active Directory and DFS changes. The RODC will receive everything from Active Directory but sensitive information, by default accounts such as Domain Admins, Enterprise Admins and Schema Admins are excluded from the replication to RODC.
If an application needs write access to Active Directory, the RODC sends an LDAP referral response which automatically redirects the application to a writable Domain Controller, located in the main HUB site. The RODC is also capable of running the Global Catalog Role for faster logon if needed.
This is a big advantage for branch offices, because if someone gains physical access to the server or even steals it, the person might be able to crack the passwords on the user accounts in AD, but not any of the sensitive accounts – since they are not located on the RODC.
This also means that those sensitive admin accounts are not able to log onto the RODC if the WAN link to the main HUB site is unavailable.
To implement RODC in your environment, you need your domain and forest at Windows Server 2003 mode and the DC running the PDC emulator needs to be running Windows Server 2008.
Administrative Role Separation
You can delegate local administrator permissions for the RODC server to any user in Active Directory. The delegated user account will now be able to log onto the server and do server maintenance tasks, without having any AD DS permissions and the user does not have access to other Domain Controllers in Active Directory, this way security is not compromised for the domain.
By default the RODC doesn’t store any user or computer credentials, except the computer account of the RODC itself and a special “krbtgt” account that each RODC has.
The RODC can however be configured to cache passwords, this is handled by the Password Replication Policy. The Password Replication Policy determines if replication from the writeable DC to the RODC is allowed for the user or computer credentials. If a certain user is allowed, the user’s credentials are cached on the RODC at login.
When an account is successfully authenticated against the RODC, the RODC attempts to contact a writable Domain Controller at the HUB site. If a password is not cached, the RODC will forward the authentication request to a writeable DC. The DC receiving the request recognizes that the request is coming from an RODC and checks with the Password Replication Policy.
The benefit of Credential Caching is that is helps with password protection at branch offices and minimizes exposure of credentials, in case the RODC is compromised. When using Credential Caching and if an RODC is stolen, the user account and computer account can have their passwords reset, based on the RODC they belong to.
Credential Caching can be left disabled and this will limit the eventual exposure, but it will also increase WAN traffic, since all authentication requests will be forwarded to the writeable DCs in the main HUB site.
In addition to the RODC, it’s also possible to install a DNS service. A DNS server running on an RODC doesn’t support dynamic updates. But clients are able to use the DNS server to query for name resolution.
Since the DNS is Read-Only, clients cannot update records on it. But if a client wants to update its own DNS record, the RODC will send a referral forward to a writeable DNS. The single updated record will afterwards be replicated from the writable DNS server to the DNS server on the RODC. This is a special single object (DNS record) replication, to keep the RODC DNS servers up-to-date and give the clients in the branch office faster name resolution.
Restartable Active Directory Domain Services
With Windows Server 2008, Active Directory Domain Services (AD DS) are now stoppable and restartable. This means that you can stop the AD DS to perform tasks and maintenance, which in prior versions of Windows Server required a reboot into Directory Services Restore Mode (DSRM). This is an excellent feature for scripting and automating those tasks.
The possible states for AD DS are:
- AD DS – started
- AD DS – stopped
- AD DS Restore Mode (DSRM)
It’s a benefit that tasks that used to require a reboot to take the AD DS offline are now available directly from the console. This gives administrators some flexibility towards maintaining and performing offline AD DS operations more quickly.
Fine-Grained Password Policies
Prior to Windows Server 2008, you could have only one password and account lockout policy per domain, which applied to all users in the domain. As something new in Windows Server 2008 AD DS, it is now possible with Fine-Grained Password Policies to define different sets of password or lockout policies to different set of users in the same domain.
With Fine-Grained Password Policies the following settings are available:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Passwords must meet complexity requirements
- Store passwords using reversible encryption
- Account lockout duration
- Account lockout threshold
- Reset account lockout after
Fine-Grained Password Policies can be applied to user objects and global security groups. It’s not possible to apply them to OUs.
To use Fine-Grained Password Policies the domain functional level must be at Windows Server 2008.
Windows Server 2008 Active Directory Domain Services (AD DS) has some great new features and functions, which can optimize a lot of domain management. To summarize;
For branch office scenarios The Read-Only Domain Controller (RODC) is by far the greatest new feature of Windows Server 2008, it is a great enhancement of security for organizations running Domain Controllers at remote locations.
Fine-Grained Password Policies is a great new feature that gives additional flexibility in any domain with the ability of having multiple password and lockout policies.
Together the new features, increase security and flexibility in Active Directory.
Additional resources about Windows Server 2008
Microsoft’s Windows Server 2008 website