Active Directory in R2: Features to care about, others to ignore

From the ADAC to managed service accounts, Active Directory in Windows 2008 R2 has several new capabilities. See the ones worth checking out -- and those that probably aren't.

While for the most part Microsoft's previous R2 release -- Windows Server 2003 R2 -- only targeted very specific needs, Windows Server 2008 R2 includes improvements that directly impact Active Directory (AD) administrators.

The new capabilities for Active Directory in Windows Server 2008 R2 may encourage enterprises to upgrade their domain controllers (DCs). Since these servers rarely carry complex software integrations or many third-party applications, upgrading the DCs may be a smart first step for those considering an R2 rollout. And, in order to get the nine Active Directory enhancements Microsoft advertises, domain and/or forest functional levels need to be upgraded to R2.

Here are the new notable features and enhancements for Active Directory in Windows Server 2008 R2 -- as well as some that can be ignored.

Active Directory module for Windows PowerShell and PowerShell cmdlets

The biggest change to AD in Windows Server 2008 R2 is Microsoft's complete embrace of Windows PowerShell for every core management function.

In this release, Microsoft fully migrated Active Directory to its new philosophy of "PowerShell at the core, with GUI management tools riding on top." R2's Active Directory module for PowerShell adds more than 75 different cmdlets, which encompass almost all AD tasks.
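As an added example (not code from the article or from Microsoft), the script below uses the R2 Active Directory module to answer the two questions the upgrade discussion above raises: what functional levels the forest and domains are at today, and which DCs still run an older OS and therefore block raising them. The forest and domain names are read from the environment, so nothing here is assumed except that the module is installed and a DC running AD Web Services is reachable.

```powershell
# Added example: pre-upgrade inventory with the Active Directory module (RSAT or a 2008 R2 DC).
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest {0}: forest mode = {1}" -f $forest.Name, $forest.ForestMode

# Enumerate every DC in every domain of the forest, with the facts that matter for an upgrade.
$dcs = foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    "Domain {0}: domain mode = {1}" -f $dom.DNSRoot, $dom.DomainMode
    Get-ADDomainController -Filter * -Server $d |
        Select-Object Domain, HostName, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly
}
$dcs | Format-Table -AutoSize

# A functional level can only be raised once every DC it covers runs the new OS,
# so list the stragglers per domain before touching Set-ADDomainMode / Set-ADForestMode.
$notR2 = $dcs | Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
if ($notR2) {
    "DCs that still block the Windows Server 2008 R2 functional levels:"
    $notR2 | Format-Table Domain, HostName, OperatingSystem -AutoSize
}
else {
    # Preview only; remove -WhatIf after a system-state backup of a DC in each domain.
    foreach ($d in $forest.Domains) {
        Set-ADDomainMode -Identity $d -DomainMode Windows2008R2Domain -WhatIf
    }
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -WhatIf
}
```

Raising a functional level is one-way, which is why the script keeps `-WhatIf` until the inventory is clean; the same `Get-ADDomainController` output also makes a handy record of which DCs are RODCs and global catalogs before the change window.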

Active Directory Administrative Center

In Windows Server 2008 R2, the Active Directory Administrative Center (ADAC), which has a new console with a very different look, adds an additional graphical user interface for managing users, groups and other objects. In addition, ADAC's task-based pages and all-up views on object properties centralize the configuration of AD objects into a single-pane view.

A single ADAC console can manage multiple domains at once, and a single console can also be launched under alternate credentials for managing other trusted domains. Furthermore, a breadcrumb bar and rich query building capabilities make it easy to locate objects and track where you've been.

The introduction of the ADAC doesn't eliminate the old-school Active Directory Users and Computers interface. As a result, the old console can be used while you learn ADAC's capabilities.

Active Directory Recycle Bin

The Active Directory Recycle Bin is a new feature in R2 that's received a lot of attention. The tool makes it easier to retrieve accidentally deleted objects by introducing a few new steps to AD's internal deletion processes.

Previously, restoring deleted Active Directory objects required rebooting a domain controller into Directory Services Restore Mode, locating the object, restoring it, and quickly learning that many of its attributes and back-links were still lost in the process.

Once the Active Directory Recycle Bin is enabled -- a process that requires raising the forest functional level and then manually installing an additional set of schema upgrades -- deleted objects are put into a special logically deleted state. While in this state, the object's attributes are preserved, and it remains logically deleted for a configurable period of time before being recycled. Recycled objects are not yet physically deleted, but many of their attributes are stripped -- similar to the process in earlier versions. To recover a deleted object, a tool like LDP is needed.

Even with the challenge, having this capability for the few times you'll need it will save your neck during those Friday afternoon accidental-deletions when you're ready for the weekend.
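The following is an added example, not code from the article, showing the enable-and-recover cycle described above with the Active Directory module rather than LDP: the module's `Enable-ADOptionalFeature` turns the feature on, `Get-ADObject -IncludeDeletedObjects` lists objects in the logically deleted state with their attributes intact, and `Restore-ADObject` puts one back under its last known parent. The forest name and the user name being searched for are constructed values.

```powershell
# Added example: enable the AD Recycle Bin, then find and restore a deleted user.
Import-Module ActiveDirectory
$forestName = 'corp.example'   # assumed forest name; replace with your own

# Enabling the optional feature is irreversible and requires the 2008 R2 forest level.
if ((Get-ADForest).ForestMode -ne 'Windows2008R2Forest') {
    throw 'Raise the forest functional level to Windows2008R2Forest first.'
}
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forestName -Confirm:$false

# --- some time later, on a Friday afternoon ---

# Deleted objects sit under CN=Deleted Objects; the container itself is flagged isDeleted too.
$container = (Get-ADDomain).DeletedObjectsContainer
$deleted = Get-ADObject -SearchBase $container -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
    -Properties lastKnownParent, whenChanged

# Attributes such as lastKnownParent survive only while the object is logically deleted,
# not once it has been recycled, so this list is also the window in which restore is possible.
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# Restore one user by GUID; deleted names look like "jdoe\0ADEL:<guid>", hence the wildcard.
$victim = $deleted |
    Where-Object { $_.ObjectClass -eq 'user' -and $_.Name -like 'jdoe*' } |   # assumed sAMAccountName
    Select-Object -First 1
if ($victim) {
    Restore-ADObject -Identity $victim.ObjectGUID
    Get-ADUser -Identity $victim.ObjectGUID -Properties MemberOf | Select-Object Name, DistinguishedName, MemberOf
}
```

Restoring by `ObjectGUID` rather than by name avoids picking up a second, newer object that reuses the same name, and reading `MemberOf` afterwards is the quick confirmation that back-links came back with the object.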

AD Best Practices Analyzer

While the Active Directory Best Practices Analyzer may not be used on a regular basis, this new feature still comes in handy.

Simply put, the AD Best Practices Analyzer analyzes Active Directory, DNS, time services, etc., and ensures their configurations meet best practices. Like all the new features, the AD Best Practices Analyzer runs as part of a PowerShell script, though GUI exposure is available through Server Manager.

To run this tool in Server Manager, navigate to the Active Directory Domain Services role and scroll down to the Best Practices Analyzer. Click Scan this Role, and you'll see how well-designed -- or not -- your Active Directory is.
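Because the analyzer is a PowerShell feature underneath, the scan above can also be scripted and its output kept, which is what this added example (not the article's code) does on a 2008 R2 DC with the BestPractices module: it runs the AD DS model, filters out informational and excluded results, and writes the rest to a CSV so scans can be compared over time. The model ID `Microsoft/Windows/DirectoryServices` is the AD DS model; the output path is a constructed value.

```powershell
# Added example: run the AD DS Best Practices Analyzer from PowerShell and keep the findings.
Import-Module BestPractices

# Models are discoverable; confirm the AD DS model is present before scanning.
Get-BPAModel | Select-Object Id, LastScanTime

$model = 'Microsoft/Windows/DirectoryServices'
$null  = Invoke-BPAModel -ModelId $model   # the scan itself; can take a minute on a busy DC

# Warnings and errors that nobody has explicitly excluded are the actionable set.
$findings = Get-BPAResult -ModelId $model |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
    Sort-Object Severity, Category

$findings | Select-Object Severity, Category, Title, Problem, Resolution | Format-List

# Keep a dated record so regressions between scans stand out.
$out = Join-Path $env:TEMP ("bpa-adds-{0:yyyyMMdd}.csv" -f (Get-Date))   # assumed location
$findings | Select-Object Severity, Category, Title, Problem, Impact, Resolution |
    Export-Csv -Path $out -NoTypeInformation
"Wrote $($findings.Count) findings to $out"
```

Exclusions made in the Server Manager GUI are stored in the same result set (`Set-BPAResult -Exclude` does the same from the shell), so the filter above honours whatever the team has already reviewed and waved through.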

Offline domain join

Environments planning a major Windows 7 or Server 2008 R2 rollout -- particularly those looking into hosted virtual desktops -- will benefit from offline domain join.

With this tool -- which only works with the latest OSes -- administrators can join computers to an Active Directory domain without being connected to a network. As a result, new computers can automatically join the domain when they first start, eliminating at least one reboot and speeding up the process of spinning up new OS instances.

Offline domain join uses the command line tool djoin.exe to accomplish its work. It's worth considering if you're looking into automating the distribution of new OS instances.
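As an added example, not taken from the article, here is the two-step djoin.exe workflow wrapped in PowerShell: the provisioning step runs on a joined machine with rights to create the computer object and writes a blob file, and the request step is applied on the new machine (or into its offline image) before it ever sees the network. The domain, machine name and OU are constructed. One point the article does not spell out: the blob carries the machine account's initial credentials, so it is handled here like a secret rather than a plain text file.

```powershell
# Added example: provision an offline domain join blob, then apply it on the target.
$domain  = 'corp.example'                            # assumed
$machine = 'WKS-0042'                                # assumed
$ou      = 'OU=Workstations,DC=corp,DC=example'      # assumed
$blob    = Join-Path $env:TEMP "$machine.odj"

# Step 1 -- on a domain-joined admin workstation. /provision creates the computer object
# in AD now and serialises what the client needs to join later.
djoin.exe /provision /domain $domain /machine $machine /machineou $ou /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob is effectively the new machine's password: strip inherited ACLs, leave read
# access only to the provisioning identity, and remove the file once it has been consumed.
$me = "$env:USERDOMAIN\$env:USERNAME"
icacls.exe $blob /inheritance:r /grant:r "${me}:(R)" | Out-Null
Get-Acl $blob | Format-List Owner, AccessToString

# Step 2 -- on the new Windows 7 / 2008 R2 machine, with the blob copied to C:\odj (assumed):
#   djoin.exe /requestODJ /loadfile C:\odj\WKS-0042.odj /windowspath C:\Windows /localos
# /localos targets the running OS; to inject the join into an offline image instead, omit
# /localos and point /windowspath at the mounted image's Windows directory. The machine
# completes the join on its next boot with no extra reboot in between.

# Cleanup on the provisioning side once the target has been built.
# Remove-Item $blob -Force
```

The `/machineou` switch lands the object where your workstation Group Policy already applies, so the new machine picks up the right policy on that first domain boot instead of waiting to be moved out of the default Computers container.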

Managed service accounts

Service accounts have always been a pain in the neck for IT professionals. Performing password changes and other administration with these accounts is never easy -- with a domain's password and account policies often causing major problems at the worst times.

In Windows Server 2008 R2, service accounts get their own special compensation in the form of managed service accounts and virtual accounts. With managed service accounts, a local account password on an individual server (the "virtual account") can be automatically changed when its linked password is changed in AD. Managed service accounts are only supported in Windows 7 and Windows Server 2008 R2, and are completely administered through PowerShell.
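An added example of the PowerShell-only administration just described (not code from the article): creating a managed service account, binding it to the one server that will run the service, and installing it there. Account, host and service names are constructed. Two caveats a practitioner will hit: in 2008 R2 an MSA is tied to a single host, and pointing a service at the account with sc.exe does not by itself grant the "Log on as a service" right, which still has to come from local or Group Policy.

```powershell
# Added example: managed service account lifecycle in Windows Server 2008 R2.
Import-Module ActiveDirectory
$msaName  = 'svc-reporting'    # assumed; stored in AD as svc-reporting$
$hostName = 'APP01'            # assumed; the server that runs the service
$service  = 'ReportingSvc'     # assumed; Windows service name on APP01
$netbios  = (Get-ADDomain).NetBIOSName

# 1. Create the account in AD. Its password is generated and rotated by AD, never typed by a human.
New-ADServiceAccount -Name $msaName -Enabled $true

# 2. Authorise exactly one computer to retrieve that password (one host per MSA in 2008 R2).
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# Verify the binding from the AD side before touching the server.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers |
    Select-Object Name, Enabled, HostComputers

# 3. On APP01 itself (needs the AD module installed there):
#      Import-Module ActiveDirectory
#      Install-ADServiceAccount -Identity 'svc-reporting'
#      Test-ADServiceAccount  -Identity 'svc-reporting'   # returns True once usable
#    Then point the service at the account; the password is left blank because the
#    host fetches it from AD. "Log on as a service" must be granted separately.
#      sc.exe config ReportingSvc obj= "CORP\svc-reporting$" password= ""
#      sc.exe start ReportingSvc

# Decommissioning: unbind the host first, then remove the account.
# Remove-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName
# Remove-ADServiceAccount -Identity $msaName
```

Because the MSA's password never exists outside AD and the bound host, the domain password policy that used to break services at 3 a.m. on expiry day simply no longer applies to it; the account's own password change is handled by the host against AD.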

AD Web Services

While you probably won't directly interact with Active Directory Web Services, this feature extends the interaction with Active Directory Domain Services (ADDS) to any external web services application. The extension of the traditionally closed ADDS to a Web services framework enables third-party solutions to easily link into domain management.

AD Web Services works with traditional ADDS as well as AD Lightweight Directory Services (LDS) for environments making use of AD LDS' authentication capabilities.

Windows integrated authentication and simple plaintext usernames and passwords are supported, although simple authentication will require certificates for access.

By default, AD Web Services only provides for interaction with ADDS atop Windows Server 2008 R2 DCs. For down-level servers, Microsoft has provided the AD Management Gateway Service, which brings Web service capabilities to older domain controllers. Note that AD Web Services is installed on any promoted R2 domain controller, while the AD Management Gateway is a separate installation.
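Since the PowerShell module and the ADAC both ride on this Web service, the practical question is which DCs actually expose it. This added example (not from the article) discovers the DC the module is talking to, then checks every DC in the domain for the ADWS service and its listener. It assumes, from Microsoft's documentation rather than this page, that ADWS listens on TCP 9389 and that the Management Gateway installs under the same service name; a closed port on a down-level DC is the expected result until the gateway is installed.

```powershell
# Added example: verify which domain controllers offer AD Web Services.
Import-Module ActiveDirectory
$port = 9389   # ADWS listener (assumed from Microsoft documentation)

# The DC locator can be asked specifically for a DC advertising ADWS.
$adwsDc = Get-ADDomainController -Discover -Service ADWS
"Module traffic currently goes to: $($adwsDc.HostName)"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect([string]$dc.HostName, $port); $portState = 'open' }
    catch { $portState = 'closed' }
    finally { $client.Close() }

    # Service status via SCM; -ErrorAction hides DCs where no ADWS/gateway service exists.
    $svc = Get-Service -Name ADWS -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        HostName  = $dc.HostName
        OS        = $dc.OperatingSystem
        AdwsPort  = $portState
        Service   = if ($svc) { $svc.Status } else { 'not installed' }
    }
}
$report | Sort-Object HostName | Format-Table HostName, OS, AdwsPort, Service -AutoSize

# Pin a query to a specific DC that passed; useful when one site's DC is the only R2 box.
$good = $report | Where-Object { $_.AdwsPort -eq 'open' } | Select-Object -First 1
if ($good) { Get-ADDomain -Server $good.HostName | Select-Object DNSRoot, PDCEmulator }
```

From a firewall standpoint the split matters: blocking 9389 between admin workstations and DCs breaks the module and ADAC but leaves LDAP-based tools such as Users and Computers working, so a segmentation change can look like "PowerShell is broken" when it is really the Web service path that was cut.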

Authentication mechanism assurance

Have you ever wished you could provide a different set of resources to users when they log in using smart cards instead of just passwords? Now you can with authentication mechanism assurance. This feature creates a new Universal Group in a domain that is automatically populated with the names of all the users who have logged in with a certificate (which is typically via a smart card login).

With authentication mechanism assurance, the user base can be separated into two groups -- those who have logged in using a certificate and those who haven't -- and these groups can be given different access to resources. As a result, new access control measures can be created for users that have logged in via a strong authentication mechanism.
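The link between "logged in with a certificate" and "member of that universal group" is configured in the directory, and this added example (not the article's code) shows where: the issuance policy that your smart card template carries is an object under the OID container in the Configuration partition, and its `msDS-OIDToGroupLink` attribute names the group that a certificate logon with that policy adds to the user's token. The policy display name and group name are constructed; the group has to be a universal security group with no static members, which the script checks before linking.

```powershell
# Added example: map a certificate issuance policy to a universal group for
# authentication mechanism assurance (domain functional level 2008 R2 required).
Import-Module ActiveDirectory
$policyName = 'Smart Card Assurance'      # assumed issuance policy display name
$groupName  = 'SmartCard-Authenticated'   # assumed universal security group

# Issuance policies are msPKI-Enterprise-Oid objects under CN=OID in the Configuration NC.
$cfgNc   = (Get-ADRootDSE).configurationNamingContext
$oidBase = "CN=OID,CN=Public Key Services,CN=Services,$cfgNc"
$policy  = Get-ADObject -SearchBase $oidBase -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$policyName))"
if (-not $policy) { throw "Issuance policy '$policyName' not found under $oidBase" }

# The target group must be universal, security-enabled and empty: membership is
# granted at logon from the certificate, never stored as a static member list.
$group = Get-ADGroup -Identity $groupName -Properties member
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a universal security group"
}
if ($group.member.Count -gt 0) {
    throw "$groupName must have no static members before it is linked"
}

# Create the link, then read it back with the policy OID for the change record.
Set-ADObject -Identity $policy.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
Get-ADObject -Identity $policy.DistinguishedName -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink |
    Select-Object Name, msPKI-Cert-Template-OID, msDS-OIDToGroupLink

# Verification on a client after a smart card logon (run as the user):
#   whoami.exe /groups | findstr /i "SmartCard-Authenticated"
# The group appears only in tokens from certificate logons; a password logon of the
# same user will not list it, which is the behaviour access control lists can key on.
```

Because the link lives in the Configuration partition, it is forest-wide and changes to it are worth auditing like any other change to `CN=Public Key Services`; whoever can edit that OID object can decide which group a smart card logon confers.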

Active Directory Management Pack

System Center Operations Manager (OpsMgr) shops will quickly add this new management pack to their infrastructure. Others can safely ignore this new feature -- though they should consider having an OpsMgr server installed. There's no better server than OpsMgr for finding problems -- and ultimately saving the day -- in an environment.

Overall, domain controllers are easy upgrades, and the new features and capabilities that come with that upgrade are worth the effort. Some features require an upgrade to the domain functional level -- a process that requires every DC to be at the new OS -- while others require an update to the forest functional level, which requires every DC in a forest to be updated. As a result, the update process may take some time in large environments.

But, rest assured -- you'll enjoy the results. The more time I spend with Windows Server 2008 R2, the more I appreciate its new features. And that's a poignant statement when you compare this R2 release with that of Windows Server 2003.

Greg Shields, MVP, is a co-founder and IT guru with Concentrated Technology with nearly 15 years of IT architecture and enterprise administration experience. He is an IT trainer and speaker on such IT topics as Microsoft administration, systems management and monitoring, and virtualization. His recent book Windows Server 2008: What's New/What's Changed is available from SAPIEN Press.