Interest in Microsoft Windows Server 2008, code-named Longhorn, the newest member of the Windows Server family, took a dramatic turn two weeks ago when Microsoft released beta 3 to the public. It certainly is big news within the Active Directory community, as a multitude of new features and changes have been included. Although there is certainly plenty to talk about, now seems like a good time to review a few of the major points regarding Windows Longhorn and Active Directory.
While I could write hundreds of pages on all the new features in Windows Server 2008, I have singled out two very significant features that will probably relate to most Active Directory deployments: the read-only domain controller (RODC) and server roles.
Note: Server roles incorporate a lot of the new features in Longhorn, so this is a pretty good list of those features.
Read-only domain controller
This is perhaps the marquee feature for Active Directory in Windows Server 2008. In Microsoft's continuing effort to improve the branch office scenario, this will be a giant step forward.
The RODC hosts a read-only copy of the Active Directory database. In addition, the administrator can determine which accounts will be replicated to the DC, and replication is unidirectional. This solves a lot of security issues at remote sites since it will minimize accounts exposed at the site (presumably not any admin accounts), and anything compromised at the site will not make it out of the site. Combined with the new BitLocker technology, RODC will allow deployment of DCs at smaller sites where it was not feasible before.
Microsoft said at TechEd 2006 that Server Core was developed as a response to customer requests to provide a lean server operating system that would permit specific server functions to run without all the overhead of the GUI. That's right -- a Windows OS without a GUI! Well … almost. After logon, you will be presented with a desktop with no start menu, taskbar or icons, and two command windows. Installation of roles such as Dynamic Host Configuration Protocol (DHCP), DNS, file services and print server will be done completely from the command line.
So why don't we just boot into a command environment and do away with the whole GUI thing? Because this environment will still allow you to open applications such as Event Viewer, notepad and others.
In addition to making the server better defined for administrative purposes and reducing the hardware resources required, Server Core also permits better security at remote sites, allowing a smaller footprint of exposure.
The core roles available include:
- Active Directory Domain Services
* Auditing -- Allows auditing of "Directory Service Changes" to better track changes to Active Directory objects and attributes.
* Fine-Grained Password Policies (FGPP) -- Allows a more granular password policy to be applied to specific sets of users that will trump the policy set in the domain level Group Policy. FGPP is defined as an attribute in the AD and not implemented through Group Policy. (Should be a lot of fun to troubleshoot!)
* Read-only domain controller
* Restartable Active Directory Domain Services -- How cool will it be to simply turn off the AD, perform tasks like offline database defragmenting, then turn it back on without a reboot?
* Snapshot Viewer -- Think of this as a staged object recovery. It allows you to view a deleted object in multiple disk snapshots and determine which one to restore.
- Active Directory Certificate Services (AD CS) -- There are many new features added in AD CS from Windows Server 2003.
- Active Directory Lightweight Domain Services (AD LDS) -- This is the new version of the Active Directory Application Mode (ADAM) product.
- Active Directory Rights Management Service -- The old Windows Rights management product gets new features such as delegation of administration, a new MMC interface, integration with AD Federated Services and, of course, it can be installed as a server role.
- DHCP server
- DNS server
- File Services -- This role includes Services for Network File System (NFS), some new NTFS features and the new Windows Server Backup, replacing the old NT Backup. Note that this new backup program does not support tape devices. However, the tape drivers are still available and can be used by third-party tape devices, including Microsoft's Data Protection Manager.
- Network Policy and Access Services -- This role includes network services such as VPN, RADIUS and dial up servers as well as routers and 802.11 wireless access. Network Access Protection (NAP) deployment is also included in this role.
- Print Server
- Streaming Media Services -- This role can be used to deploy streaming digital media content and manage Windows Media servers.
- Application Server -- This role provides an environment that allows applications to run. Features include IIS, .NET Framework v 3.0 and 2.0, ASP.NET, COM+, Message Queuing and Windows Communication Foundation (WCF).
As you can see, that is quite a list, but it still doesn't cover everything. There are a lot of other features and improvements, such as the new Terminal Services Gateway and BitLocker drive encryption. These are some interesting features that you owe it to yourself and your company to explore.
I'd also like to point out that according to Microsoft's upgrade roadmap, Longhorn will include all of the features in the Windows Server 2003 R2 release. This includes the important Distributed File System (DFS) improvements with the new DFS replication engine, plus the incorporation of Windows Services for Unix features such as NFS. Note that although R2 is not a required upgrade for Windows Server 2003 or Longhorn Server, it does allow the uses of new components that will be incorporated in Longhorn.
You can download the Longhorn Beta 3 bits from Microsoft. If you don't have a lot of spare hardware hanging around that will support Windows Server 2008, use Microsoft's free Virtual Server, VMware Server or Workstation. All these virtualization products allow you to build a Longhorn environment or a mixed mode Longhorn-Windows 2003 environment without risking hardware. Then again, I don't need to tell you all the virtues of virtualization.
So with that, I encourage you to get the downloads, start exploring and watch for future articles in this space.
ABOUT THE AUTHOR
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.