What s New in Active Directory for Windows Server 2008 . . . . . . . . . . . .

3
What s New in Active Directory Domain Services
Read-Only Domain Controllers (RODC)
- Security stand point its better to place RODC at branch site
- RODC can be managed by deligating a domain user or security group so just make
sure the user isnt part of domain admin groups
- RODC stores read only copy of AD and is unidirectional .replication dont need
to pull changes from RODC
This provides protection on branch site
- Replication also applies to DFS replication .. RODC accepts inbound replicatio
n
- Read request is served whereas writeable LDAP queries gets a referral to writa
ble domain controller in hub site
# Not every data .. only few attributes are replicated to RODC
This can be configured via RODC filtered attribute set
#Credential caching
by default it doesnt store users or computer credentials
Only exception .. Computer account of RODC itself and krbtgt account that each r
odc has
This caching is enabled by password replication policy
This helps users to login even during WAN link failure
WAN link is important for first log on attempt till its cached
# you can assign any branch user with administrative privledge to do server main
tainance
# Read only DNS
Just like rodc .. doesnt update itself .. gets replication from other server
Active Directory Domain Services Auditing
Previously there was only single audit policy - Audit directory services access
Now there are 4
- DS Access
- DS service changes
- DS replication
- Details DS replication
this global audit policy is enabled by default
# Fine-Grained Password Policies
both password and account lockout policy was controlled by default domain policy
We can create seprate password policies with FGPP
But now fine grained password policies can be assigned to a user or security gro
up
It cannot be assigned to an OU
To apply PP to OU you need to apply it to security group that maps to OU .. shad
ow group

FGPP store
- Schema - Password setting container and password settings object's
- its created by default in system container
- PSO has all the attributes of PP as in Default domain policy .. exception kerb
eros settings
-

enforce password history

min max password age
min password length
meet complexity requirement
store it using reversible encryption

- Account lockout duration

- lockout threshold
- reset account lockout after
PSOs has two value pso link and precendence ( integer value)
Note : resultant set of policy
# Restartable Active Directory Domain Services
start stop dsrm
Database Mounting Tool
DSAMain.exe enables you to view snapshot of AD data to determine the content for
restoration
this is not to restore .. just to view
User Interface Improvements