
What is New in Windows Server 2008 R2 Active Directory?

  • Active Directory Recycle Bin
  • Active Directory module for Windows PowerShell
  • Active Directory Administrative Center
  • Active Directory Best Practices Analyzer
  • Active Directory Web Services
  • Authentication mechanism assurance: Authentication mechanism assurance makes it possible for applications to control resource access based on authentication strength and method.
  • Offline domain join
  • Managed Service Accounts
  • Active Directory Management Pack: The Active Directory Management Pack enables proactive monitoring of availability and performance of AD DS with System Center Operations Manager 2007.
  • Bridgehead Server Selection: The bridgehead server selection process enables domain controllers to load balance incoming connections. The new logic for bridgehead server selection allows for even distribution of workload among bridgehead servers.


What is New in Windows Server 2008 Active Directory?

AD DS includes many new features that are not available in previous versions of Windows Server Active Directory. These new features make it possible for organizations to deploy AD DS more simply and securely and to administer it more efficiently.

  • AD DS: Auditing
  • AD DS: Fine-Grained Password Policies
  • AD DS: Read-Only Domain Controllers
  • AD DS: Restartable Active Directory Domain Services
  • AD DS: Database Mounting Tool (Snapshot Viewer or Snapshot Browser)
  • AD DS: User Interface Improvements
  • AD DS: Owner Rights

How do you change the Directory Services Restore Mode (DSRM) password?

From Windows Server 2003 onwards, the Directory Services Restore Mode password can be changed with the Ntdsutil utility. The steps are as follows:

  1. Click Start, click Run, type ntdsutil, and then click OK.
  2. At the Ntdsutil command prompt, type set dsrm password.
  3. At the DSRM command prompt, type one of the following lines:

    To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

    -or-

    To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.

  4. At the DSRM command prompt, type q.
  5. At the Ntdsutil command prompt, type q to exit.
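
The same procedure as a single command line, followed by a check that the reset was recorded in each domain controller's Security log. This is an added example, not part of the original post; it assumes Windows Server 2008 R2 or later with the Active Directory module installed, that the "User Account Management" audit subcategory is enabled, and a 30-day review window chosen here for illustration.

```powershell
# Added example (not from the original post).
# Run in an elevated PowerShell session on a domain controller.

# Steps 1-5 in one line: each quoted string is one ntdsutil command.
# ntdsutil still prompts interactively for the new password, so the
# password never appears on the command line or in command history.
ntdsutil "set dsrm password" "reset password on server null" q q

# Verification: event ID 4794 is written to the Security log when an
# attempt is made to set the DSRM administrator password.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-30)   # assumed review window

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4794
            StartTime = $since
        } | Select-Object @{ n = 'DomainController'; e = { $dc.HostName } },
                          TimeCreated, Id
    }
    catch {
        # Get-WinEvent raises an error both when no event matches and when
        # the domain controller cannot be reached; report which one it was.
        Write-Warning ("{0}: no 4794 events returned ({1})" -f $dc.HostName, $_.Exception.Message)
    }
}
```

A 4794 event on a domain controller where nobody ran this procedure is worth investigating, because the DSRM account is a local administrator on that server.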

Why do we need Netlogon?

It maintains a secure channel between the computer and the domain controller for authenticating users and services. If this service is stopped the computer may not authenticate users and services, and the domain controller can’t register DNS records.


What are the default Active Directory built-in groups?

Groups in the Builtin container

- Account Operators
- Administrators
- Backup Operators
- Guests
- Incoming Forest Trust Builders
- Network Configuration Operators
- Performance Monitor Users
- Performance Log Users
- Pre-Windows 2000 Compatible Access
- Print Operators
- Remote Desktop Users
- Replicator
- Server Operators
- Users

Groups in the Users container

- Cert Publishers
- DnsAdmins (If installed with DNS)
- DnsUpdateProxy (If installed with DNS)
- Domain Admins
- Domain Computers
- Domain Controllers
- Domain Guests
- Domain Users
- Enterprise Admins (only appears in the forest root domain)
- Group Policy Creator Owners
- IIS_WPG (installed with IIS)
- RAS and IAS Servers
- Schema Admins (only appears in the forest root domain)


What is AD DS Best Practices Analyzer?

Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations.

You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.
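
The PowerShell route described above, shown as an added example that is not part of the original post: it runs the AD DS scan, filters the report down to noncompliant results, and excludes one category from later reports. The parameter names are those of the Windows Server 2008 R2 BestPractices module, and the excluded category is an arbitrary choice made for illustration.

```powershell
# Added example (not from the original post).
# Run in an elevated PowerShell session on a Windows Server 2008 R2
# domain controller.
Import-Module ServerManager
Import-Module BestPractices

$model = 'Microsoft/Windows/DirectoryServices'   # model ID of the AD DS BPA

# Run the scan against the AD DS role on this server.
Invoke-BpaModel -BestPracticesModelId $model | Out-Null

# Filter: keep only the results that report a best practice violation.
$findings = Get-BpaResult -BestPracticesModelId $model |
    Where-Object { $_.Severity -eq 'Error' -or $_.Severity -eq 'Warning' }

$findings |
    Sort-Object Severity, Category |
    Format-Table Severity, Category, Title -AutoSize -Wrap

# Exclude: hide results that have been reviewed and accepted so they stop
# appearing in later reports. The category below is an assumed example;
# review each result before excluding it.
$acceptedCategory = 'Performance'
Get-BpaResult -BestPracticesModelId $model |
    Where-Object { $_.Category -eq $acceptedCategory } |
    Set-BpaResult -BestPracticesModelId $model -Exclude $true

# Excluded results are flagged rather than deleted; list them for the record.
Get-BpaResult -BestPracticesModelId $model |
    Where-Object { $_.Excluded } |
    Format-Table Severity, Category, Title -AutoSize -Wrap
```

Passing `-Exclude $false` to the same `Set-BpaResult` pipeline brings the results back into the report.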


What is AD Administrative Center?

Active Directory Administrative Center provides administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks (such as user, computer, group, and organizational unit management) through both data-driven and task-oriented navigation.

Administrators can use the enhanced Active Directory Administrative Center GUI to customize Active Directory Administrative Center to suit their particular directory service administration requirements.


What is the Active Directory Management Gateway Service?

Windows Server 2008 R2 introduces a web service interface for application accessibility to Active Directory (AD), and the Windows Server 2008 R2 AD PowerShell cmdlets use this service.

The Active Directory Management Gateway Service (ADMGS) provides this web service interface for Windows Server 2003 SP2 and Windows Server 2008 domain controllers (DCs). The service lets Server 2008 R2 AD PowerShell cmdlets and other applications work against the DCs with ADMGS installed.


What is Active Directory Federation Services?

Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security. AD FS supports Web single-sign-on (SSO) technologies that help information technology (IT) organizations collaborate across organizational boundaries.

AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.


What is AD Certificate Services?

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.