There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft's commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

Auditing

Active Directory Domain Services auditing is now divided into the following four subcategories:
You can disable or enable Active Directory Domain Services auditing at the subcategory level. For each subcategory, you can also configure whether to log successful events, failed events, both successful and failed events, or no auditing. In Windows Server 2008, the new Directory Service Changes subcategory allows you to log the old value and new value of a changed attribute, in addition to the attribute name. Windows Server 2008 also provides the ability to exclude the logging of changes to specific attributes by modifying the attribute properties. The Active Directory Domain Services auditing subcategories are viewed and configured by using the Auditpol.exe command-line tool.

Fine-Grained Password Policies

You can configure the same password policy and account lockout settings in a fine-grained password policy as you can at the domain level. Fine-grained password policies can be linked to users and to global groups. Because users can inherit multiple fine-grained password policies, a precedence setting has been included to allow you more granular control. Fine-grained password policies are configured by using the ADSI Edit snap-in.

Read-Only Domain Controllers

Microsoft has implemented a number of mitigating measures to ensure a compromised RODC does not impact the rest of your Active Directory Domain Services environment. These measures include the following:
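The subcategory switch, the attribute exclusion and the fine-grained password policy described above, as an added PowerShell example (it is not code from the article or from Microsoft). It assumes a Windows Server 2008 R2 domain controller with the ActiveDirectory module, which stands in for the ADSI Edit steps the article mentions, and every OU, attribute, group and user name in it is a constructed placeholder.

```powershell
# Added example, not from the article. Assumes a Windows Server 2008 R2 domain
# controller with the ActiveDirectory PowerShell module (RSAT) and auditpol.exe,
# run from an elevated session as a Domain Admin. OU, attribute, group and user
# names below are constructed placeholders.
Import-Module ActiveDirectory

# ---- Auditing: enable only the Directory Service Changes subcategory ----
# Auditpol.exe works at the subcategory level. The change events (5136 modify,
# 5137 create, 5139 move, 5141 delete) are all "success" events, so enabling
# failure auditing in this subcategory only adds noise.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:disable
auditpol /get /category:"DS Access"   # confirm the setting of all four subcategories

# The subcategory alone logs nothing: the objects also need an audit ACE (SACL).
# This adds "Success: Write all properties" for Everyone to an OU and its
# children, which is what makes old/new attribute values appear in event 5136.
function Enable-ObjectChangeAudit {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}
Enable-ObjectChangeAudit -DistinguishedName 'OU=Privileged,DC=corp,DC=example'   # constructed OU

# Excluding an attribute from value logging means setting bit 0x100
# (NEVER_AUDIT_VALUE) in searchFlags on its attributeSchema object, i.e. the
# "attribute properties" the article refers to. List what is already excluded,
# then exclude one more.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName, searchFlags `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=256))' |
    Select-Object lDAPDisplayName, searchFlags

function Disable-AttributeValueAudit {
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $schemaNC -Properties searchFlags `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "attribute $LdapDisplayName not found in schema" }
    # Schema write: needs Schema Admins and the schema master, and replicates
    # forest-wide, so reserve it for attributes whose values must not hit the log.
    Set-ADObject -Identity $attr -Replace @{ searchFlags = ([int]$attr.searchFlags -bor 0x100) }
}
Disable-AttributeValueAudit -LdapDisplayName 'extensionAttribute1'   # placeholder attribute

# ---- Fine-grained password policy, without ADSI Edit ----
# A PSO carries the same settings as the domain-level policy. -Precedence decides
# which PSO wins when a user inherits several: the lowest number applies.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Verify which policy actually applies to a given user (the precedence winner),
# rather than assuming the link did what you expect. 'jdoe' is a constructed user.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Two points worth checking after running this: `auditpol /get` only proves the subcategory is on, so generate a test change on the audited OU and confirm a 5136 event with both the old and the new value appears in the Security log; and `Get-ADUserResultantPasswordPolicy` returns nothing for a user covered by no PSO, which means the domain policy applies.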
Restartable Active Directory Domain Services

In Windows 2000 Server and Windows Server 2003, the operating system on a domain controller had to be restarted in Directory Services Restore Mode for most maintenance and recovery. However, Windows Server 2008 now provides the ability to start, stop, and restart the Domain Controller service. The domain controller service can be manipulated by using the Services snap-in or the Computer Management snap-in.

Database Mounting Tool

The database mounting tool allows you to view an Active Directory Domain Services object's previous state. You can then use this to compare the object's previous state to the object in production. This is particularly useful if you know that an object's attributes were changed, but do not know what the previous values of the attributes were.

User Interface Improvements
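The comparison workflow the Database Mounting Tool section describes, as an added example that is not from the article. The tool is dsamain.exe, which serves a snapshot copy of ntds.dit over LDAP on a side port; the snapshot is taken and mounted with ntdsutil. The script assumes a Windows Server 2008 R2 domain controller with the ActiveDirectory module and an elevated Domain Admin session; the snapshot GUID, mount path and the object's distinguished name are placeholders.

```powershell
# Added example, not from the article. Assumes a Windows Server 2008 R2 DC with
# the ActiveDirectory module, run elevated as a Domain Admin; ntdsutil.exe and
# dsamain.exe ship with AD DS. Values in <...> and the DN are placeholders.
Import-Module ActiveDirectory

# 1. Snapshot the volume holding ntds.dit (VSS; seconds, no service interruption).
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil snapshot "list all" quit quit                 # shows each set as {GUID}
$SnapshotGuid = '{<GUID printed by list all>}'         # placeholder
ntdsutil snapshot "mount $SnapshotGuid" quit quit      # mounts under C:\$SNAP_<stamp>_VOLUMEC$\

# 2. Expose the snapshot copy of the database over LDAP on a side port. dsamain
#    reads the file as-is; nothing is written back to the live directory.
$MountPath = 'C:\$SNAP_<yyyymmddhhmm>_VOLUMEC$'        # placeholder from the mount output
$DitPath   = Join-Path $MountPath 'Windows\NTDS\ntds.dit'
$LdapPort  = 51389
Start-Process -FilePath dsamain.exe -NoNewWindow `
    -ArgumentList "/dbpath `"$DitPath`" /ldapport $LdapPort"
Start-Sleep -Seconds 15                                # let the LDAP listener come up

# 3. Pull the same object from both directories and report attribute-level
#    differences: the "previous value" the article says you otherwise cannot see.
function Compare-ADObjectWithSnapshot {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        [string]$SnapshotServer = "localhost:$LdapPort"
    )
    $then = Get-ADObject -Identity $DistinguishedName -Properties * -Server $SnapshotServer
    $now  = Get-ADObject -Identity $DistinguishedName -Properties *
    $names = @($then.PropertyNames) + @($now.PropertyNames) | Sort-Object -Unique
    foreach ($name in $names) {
        # Multi-valued attributes are joined so each side compares as one string.
        $old = @($then.$name | ForEach-Object { "$_" }) -join ';'
        $new = @($now.$name  | ForEach-Object { "$_" }) -join ';'
        if ($old -ne $new) {
            New-Object PSObject -Property @{ Attribute = $name; Snapshot = $old; Production = $new }
        }
    }
}
Compare-ADObjectWithSnapshot -DistinguishedName 'CN=jdoe,OU=Staff,DC=corp,DC=example' |
    Format-Table Attribute, Snapshot, Production -AutoSize

# 4. Clean up: stop dsamain, then unmount and delete the snapshot. It holds a
#    full copy of the directory, password hashes included, so do not leave it
#    mounted or lying on disk longer than the comparison needs.
Stop-Process -Name dsamain
ntdsutil snapshot "unmount $SnapshotGuid" quit quit
ntdsutil snapshot "delete $SnapshotGuid" quit quit
```

Expect whenChanged, uSNChanged and similar bookkeeping attributes to show up in every comparison; the interesting rows are the others. Note that none of this needs the directory taken offline: the restartable-service capability described above (`Stop-Service NTDS` / `Start-Service NTDS` from PowerShell, or the Services snap-in) is for maintenance such as offline defragmentation, not for looking at historical values.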
Owner Rights

* This article originally appeared at http://www.enterpriseitplanet.com/networking/features/article.php/3796561.

John Policelli (Microsoft MVP for Directory Services, MCTS, MCSA, ITSM, iNet+, Network+, and A+) is a solutions-focused IT consultant with over a decade of combined success in architecture, security, strategic planning, and disaster recovery planning. John has spent the past 9 years focused on Identity and Access Management and providing thought leadership for some of the largest installations of Active Directory in Canada. John maintains a blog at http://policelli.com/blog.