
Expert offers prep tips for Active Directory in Windows Server 2008

Microsoft MVP Brian Desmond gives administrators some tips for working with the next generation of Windows Server and Active Directory. Check out his insights on a new format for automating installs and more.

IT administrators will find new Active Directory (AD) features in Windows Server 2008. In part one of a two-part interview, Brian Desmond dissects Server Core and read-only domain controllers.

In part 2, Desmond looks at a tool that helps Windows shops manage new AD password policies, a new format for automating installs and improvements to Dcpromo. Desmond manages the AD operations of enterprise corporations as a member of the Active Directory team of a major technology outsourcing company. Desmond has been working with AD since the release of Windows 2000 Server.

Are IT administrators going to see any install or Dcpromo improvements?

Brian Desmond: They've made some improvements especially around the read-only domain controllers. You can now do what's called delegating the install of these read-only DCs.

You can actually ship the box out into the field and have whoever the local site guy is promote it to a DC without [giving him] full admin rights and access to the entire forest or the entire domain.

Also there are some improvements around the whole install from media, which is another big branch office feature. Say your domain database is 5 gigs. If you're going to put that out in your branch office, that's usually a slow link between your hub and spoke. So there's this install from media [feature]. It's been there since 2003, but it's been improved so you can take a backup of an existing DC and burn it to a CD or DVD and ship it to the site. Then when you do a Dcpromo, it takes that as its starting copy and only replicates the changes since that copy was made.

What are some new tools for managing Active Directory?

Desmond: With the new [AD] password policies [in Windows Server 2008], there's a free tool already out on the Internet for managing them because Microsoft is not going to ship one. The tool's called PSOMgr. The tool manages the new fine-grained password policies. You can get it from

Right now if you want to use the new password policies, these are raw numbers and dates stored in a special computer language format that you wouldn't normally know or even think of. This command-line tool specifies everything in days or minutes, converts it all to the right number formats and creates the actual objects in AD. You can tell it that you want your [password] policy to be for 32 days and it will do everything behind the scenes. It also supports reporting on who is affected by each policy.
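As an added illustration of the conversion Desmond describes (this is example code written for this page, not PSOMgr and not anything from the interview), the following Python 3 script takes a policy expressed in days and minutes, encodes it the way a Password Settings Object (objectClass msDS-PasswordSettings) stores it, and emits LDIF that can be imported with ldifde. The attribute names are the PSO schema attributes; the policy name, group DN and domain DN are constructed sample values. Durations are I8 values: a count of 100-nanosecond intervals stored as a negative number, with 0x8000000000000000 meaning "never" (a password that never expires, or a lockout that lasts until an administrator unlocks the account).

```python
"""
Added example: encode a fine-grained password policy (PSO) the way AD stores it.

A Password Settings Object keeps every duration as an I8 value: a count of
100-nanosecond intervals, stored negative.  This converts days and minutes into
that form, validates the combination the directory will accept, and emits LDIF
for ldifde.  Sample names and DNs below are constructed, not from a real domain.
"""
from dataclasses import dataclass, field
from typing import Dict, List

TICKS_PER_SECOND = 10_000_000   # one I8 tick is 100 ns
NEVER = -(2 ** 63)              # 0x8000000000000000: "never" sentinel


def duration_to_i8(seconds: float) -> int:
    """Seconds -> negative tick count, the form PSO duration attributes use."""
    if seconds < 0:
        raise ValueError("duration cannot be negative")
    return -int(round(seconds * TICKS_PER_SECOND))


def days_to_i8(days: float) -> int:
    return duration_to_i8(days * 86_400)


def minutes_to_i8(minutes: float) -> int:
    return duration_to_i8(minutes * 60)


def _tf(flag: bool) -> str:
    return "TRUE" if flag else "FALSE"


@dataclass
class PasswordPolicy:
    """Human-readable policy; the defaults are constructed sample values."""
    name: str
    precedence: int                        # lower value wins if several PSOs apply
    applies_to: List[str] = field(default_factory=list)   # group or user DNs
    max_age_days: float = 32               # 0 means passwords never expire
    min_age_days: float = 1
    history_length: int = 24
    min_length: int = 8
    complexity: bool = True
    reversible_encryption: bool = False
    lockout_threshold: int = 5             # 0 disables lockout
    lockout_observation_minutes: float = 30
    lockout_duration_minutes: float = 30   # 0 means locked until an admin unlocks

    def validate(self) -> None:
        """Reject combinations the directory would refuse or that make no sense."""
        if self.precedence < 1:
            raise ValueError("precedence must be >= 1")
        if not 0 <= self.history_length <= 1024:
            raise ValueError("history length must be 0..1024")
        if not 0 <= self.min_length <= 255:
            raise ValueError("minimum length must be 0..255")
        if self.max_age_days and self.min_age_days >= self.max_age_days:
            raise ValueError("minimum age must be less than maximum age")
        if (self.lockout_duration_minutes
                and self.lockout_observation_minutes > self.lockout_duration_minutes):
            raise ValueError("observation window must not exceed lockout duration")

    def to_attributes(self) -> Dict[str, str]:
        """Return the raw attribute values AD stores for this PSO."""
        self.validate()
        max_age = NEVER if self.max_age_days == 0 else days_to_i8(self.max_age_days)
        lockout = (NEVER if self.lockout_duration_minutes == 0
                   else minutes_to_i8(self.lockout_duration_minutes))
        return {
            "msDS-PasswordSettingsPrecedence": str(self.precedence),
            "msDS-PasswordReversibleEncryptionEnabled": _tf(self.reversible_encryption),
            "msDS-PasswordHistoryLength": str(self.history_length),
            "msDS-PasswordComplexityEnabled": _tf(self.complexity),
            "msDS-MinimumPasswordLength": str(self.min_length),
            "msDS-MinimumPasswordAge": str(days_to_i8(self.min_age_days)),
            "msDS-MaximumPasswordAge": str(max_age),
            "msDS-LockoutThreshold": str(self.lockout_threshold),
            "msDS-LockoutObservationWindow": str(minutes_to_i8(self.lockout_observation_minutes)),
            "msDS-LockoutDuration": str(lockout),
        }

    def to_ldif(self, domain_dn: str) -> str:
        """LDIF for `ldifde -i -f pso.ldf`; PSOs live under CN=System."""
        dn = f"CN={self.name},CN=Password Settings Container,CN=System,{domain_dn}"
        lines = [f"dn: {dn}", "changetype: add",
                 "objectClass: msDS-PasswordSettings", f"cn: {self.name}"]
        lines += [f"{attr}: {value}" for attr, value in self.to_attributes().items()]
        lines += [f"msDS-PSOAppliesTo: {target}" for target in self.applies_to]
        return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a 32-day policy applied to a contractors group.
    policy = PasswordPolicy(
        name="PSO-Contractors",
        precedence=10,
        applies_to=["CN=Contractors,OU=Groups,DC=example,DC=com"],
    )
    print(policy.to_ldif("DC=example,DC=com"))
```

A 32-day maximum age comes out as -27648000000000 (32 × 86,400 s × 10,000,000 ticks), which is the kind of value Desmond means by "raw numbers". Running the script and importing the output with ldifde on a Windows Server 2008 DC (the domain functional level must already be Windows Server 2008) creates the PSO; note that msDS-PSOAppliesTo must reference global security groups or users, not OUs.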

Any other tools admins should start taking advantage of to work with in Active Directory?

Desmond: You should continue to use whatever scripting language you are comfortable using, or pick one and learn it.


You're going to be much more efficient if you can figure out how to automate things as opposed to point and click. Point and click doesn't scale, especially if you get into tens or hundreds of thousands of objects that you need to point and click on.

How can Windows shops start preparing for an AD/Windows Server 2008 installation?

Desmond: Most of the new features will work without switching all of your domain controllers to Windows Server 2008. So it's a cool value add. At the Windows Server 2003 level, they can start adding Server 2008 domain controllers and getting the new features on those without switching all the domain controllers, because it takes a long time to do a refresh of those company-wide. I have customers still coming off Windows 2000, and now we're talking about 2008.

The new [AD/Windows Server 2008] password policies are the only new features, discussed in this series, that you have to have all of your domain controllers on [Windows Server] 2008 in order to use.

There is a new format in [Windows Server] 2008 as far as automating the installs. So folks are going to do a bit of relearning. I ship 100 boxes to 100 sites. I also ship out a CD or DVD and the local guy pops it in the drive and it takes it from bare metal all the way up to being a domain controller for that site. The only way to guarantee consistency is to make sure the same mechanism does it every single time. If I give 100 guys a printed out Word document with pictures, I guarantee they'll do it one hundred different ways.

What direction is Microsoft heading with Active Directory and Windows servers?

Desmond: The performance improvements [with 64-bit servers] are huge from an AD standpoint. You can generally achieve some substantial server consolidation goals by moving to 64-bit.

The barrier many folks have run into is that third parties all have to update their stuff to work on 64-bit and some have been moving at a snail's pace. But we're starting to see that road block being moved out of the way.
