SearchWinIT.com: Which existing Active Directory features are getting a makeover in Windows Server 2008?
Brian Desmond: Historically, password policy [in AD] defines how passwords have to be -- for example, eight characters long and [they] expire every 90 days. You've only been able to have one [password policy] per AD domain and Microsoft changed it so you can now have multiple ones and define them on a per-user basis.
How does that help AD admins?
Desmond: Maybe you want to protect what the folks in the legal department are doing by giving them a stronger password policy. Historically you'd have to set up a separate AD domain, which has a hard cost that can be from a little bit to a lot. With [Windows Server] 2008 you can now have different policies under one domain and have multiple policies for different groups of people.
Can you talk about standout Active Directory features in the new server?
Desmond: One of the really exciting new ones is the concept of the read-only domain controller. Before with AD, as compared with NT 4.0 in particular, every domain controller has a writable copy of your directory. You can make a change anywhere and it will propagate throughout the environment. At the same time, all of [the domain controllers] have secrets like your password. Right now with [Windows Server] 2003, if that server is out in the field and gets stolen and it's not secure, then you have a huge security issue in that all the passwords for that domain are in the DCs. So the only approach you can take is to make everyone change their password. That's a big deal if you have 100,000 people on that domain.
With the new read-only domain controller feature, [change] is two-fold. First you can now define which passwords are stored locally. Now if the server gets stolen, you only have to have 100 people change their passwords versus 100,000.
Any administration role changes?
Desmond: There is admin role separation. The problem now is if you put a DC out in your field office, so on a server running AD on [Windows Server] 2000 or 2003, you need to buy another server to run your file and print, for example. The other option is to put file and print on your DC, but then you either have to give a ton of access to the local IT admin so he can administer [file and print], or you're bringing that responsibility back into your central group, which is generally not their core focus. With 2008, they've made it so you can define people who can log into these read-only DCs but they won't have any access to AD. They'll only have access to whatever is theirs locally, like file and print.
That's important because even if they make some sort of change to that server, it will never replicate in your environment.
How does Server Core work with Active Directory?
Desmond: In Windows 2000 Server or 2003, you put the server in and it includes everything Microsoft ships. You've got Internet Explorer and so on. These Server Core boxes have the bare minimum to run whatever feature you want to run, like AD. There's no IE so no one will be tempted to surf the Web under an admin ID, which is a huge security risk.
Now when you log in, instead of [admins] getting the start button on the desktop, all you get is the command prompt and you better know how to do things without the GUI.
Why would Windows shops want to run a Server Core AD?
Desmond: It reduces the attack surface dramatically. The big one folks like to play on is IE. You can't have a guy logged into the box under a highly privileged ID decide he's going to go surf the Web. The next thing you know, he's at some site which is of dubious value perhaps and now he's compromised the whole company's Directory Service. And, if you can look at it from where AD sits in a large enterprise, it's really very close to the center.
If you have issues with AD, you often have issues with things across the entire organization. It's about removing all the pieces that don't serve a purpose toward an AD server.
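The two scenarios Desmond walks through above, a stricter password policy for one department without a second domain, and limiting which passwords a branch read-only domain controller caches so that a theft means resetting 100 accounts rather than 100,000, can be scripted as follows. This is an added example, not part of the interview and not Microsoft's documentation. It assumes the ActiveDirectory PowerShell module (shipped with RSAT and Windows Server 2008 R2 and later; on Windows Server 2008 RTM the same password settings objects are created through ADSI Edit or ldifde), and the names PSO-Legal, Legal, Branch-Users, BRANCH-RODC1 and the Get-EffectivePolicy / Set-BranchRodcPolicy / Reset-RevealedAccounts function names are hypothetical.

```powershell
# Added example: fine-grained password policy and RODC password-cache handling.
# Assumes the ActiveDirectory module; group, PSO and RODC names below are hypothetical.
Import-Module ActiveDirectory

# 1. A stronger password policy for the legal department, in the same domain.
function New-LegalPasswordPolicy {
    param(
        [string]$Name  = 'PSO-Legal',   # hypothetical PSO name
        [string]$Group = 'Legal'        # hypothetical global security group
    )
    New-ADFineGrainedPasswordPolicy -Name $Name `
        -Precedence 10 `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
    # PSOs apply to users or global groups; link to the group rather than to individuals.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
}

# Check which policy actually wins for a user: when several PSOs apply, the lowest
# Precedence value wins, and a PSO linked directly to the user beats one linked via a group.
function Get-EffectivePolicy {
    param([string]$User)
    Get-ADUserResultantPasswordPolicy -Identity $User
}

# 2. Password Replication Policy: decide whose secrets the branch RODC may cache.
function Set-BranchRodcPolicy {
    param(
        [string]$Rodc        = 'BRANCH-RODC1',   # hypothetical RODC name
        [string]$BranchGroup = 'Branch-Users'    # hypothetical group of branch staff
    )
    # Allow caching only for the branch users who actually log on there...
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup
    # ...and deny it explicitly for anything privileged or sensitive (deny beats allow).
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
        -DeniedList 'Domain Admins', 'Enterprise Admins', 'Legal'
}

# 3. The RODC was stolen: the reset list is the set of accounts whose passwords were
#    actually cached on it, not the whole domain.
function Reset-RevealedAccounts {
    param([string]$Rodc = 'BRANCH-RODC1', [switch]$WhatIf)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    foreach ($acct in $revealed) {
        if ($acct.ObjectClass -eq 'user') {
            # Force a change at next logon; with -WhatIf nothing is modified.
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true -WhatIf:$WhatIf
        } elseif ($acct.ObjectClass -eq 'computer') {
            # Machine accounts need a machine-password reset or a domain rejoin on the host itself.
            Write-Warning "Computer account revealed on ${Rodc}: $($acct.Name)"
        }
    }
    # After this, delete the stolen RODC's computer object so its own secrets are retired too.
    return $revealed
}
```

Run Set-BranchRodcPolicy before the RODC is deployed and review the -RevealedAccounts list periodically; if privileged accounts ever show up in it, the deny list is incomplete. Keep groups such as Legal in the denied list so a stolen branch server never carries the very passwords the stricter PSO was meant to protect.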