AD Changes in Windows Server 2008
Sep. 3, 2007
Every major release of Windows Server includes updates to the Active Directory (AD) service, which maintains information about the organization's users, computers, and applications, and Windows Server 2008 is no exception. It collects many formerly separate identity and access management services and feature packs under the AD banner. Although few organizations are likely to benefit from all the new features, most will find at least one improvement valuable.

New Names for Services and Feature Packs

In Windows Server 2008, Microsoft has renamed several services to use the AD label: directory, federation, certificate, and rights management. The services themselves aren't new; they are present in Windows Server 2003 R2 or available as feature packs. All of them ship with Windows Server 2008.

AD itself, the Windows directory service introduced in Windows 2000 that runs on Windows domain controllers, is now called Active Directory Domain Services (Microsoft abbreviation: AD DS). AD Application Mode (ADAM), which enables developers to create application-specific directories that support the Lightweight Directory Access Protocol (LDAP), is now called Active Directory Lightweight Directory Services (AD LDS). AD Federation Services (AD FS), which enables one AD organization to share its internal resources with authorized users from other AD organizations, retains its name. Certificate Services, the Windows certificate authority that issues and revokes the certificates identifying users, computers, and applications, is now Active Directory Certificate Services (AD CS). Windows Rights Management Services, which lets users place restrictions on documents and messages that are then enforced across multiple computers and domains, is now Active Directory Rights Management Services (AD RMS).
(For an illustration of the services that fall under AD in Windows Server 2008, see "AD Roadmap".) The renamed AD services form a key piece of the infrastructure for Microsoft's identity and access management systems, which maintain user identity data, such as group memberships and addresses, across the applications and OS services that use it, and which control what users can do with resources such as applications, files, and printers. Additional tools for managing identity data, in particular for synchronizing directory entries, are available in the separate Identity Integration Feature Pack and in a separate product, Identity Lifecycle Manager, which combines advanced directory synchronization with management of the certificate life cycle.

Active Directory Domain Services

AD DS, the Windows directory service, manages users and resources such as computers, printers, and applications. It gains minor but useful changes in Windows Server 2008: a read-only domain controller (RODC) configuration, restarts of the directory service without restarting the OS, more granular auditing, multiple password policies per domain, and the ability to run on Windows Server 2008 Server Core installations.

Read-Only Domain Controller

An RODC holds a read-only replica of the same directory data that a writable domain controller holds, except for account passwords and other secrets. Administrators cannot make changes on the RODC; changes are made on a writable domain controller and then replicated to the RODC. Sensitive data that the organization does not want on an RODC (passwords, encryption keys, or application-specific attributes) can be configured not to replicate there. The RODC is designed for branch or remote offices that are managed from a central hub site, where it reduces WAN traffic.
IT managers are often reluctant to place domain controllers in such locations because poor physical security could enable attacks (an attacker might steal the domain controller and crack its database offline), and because branch offices often have no trained personnel to administer domain controllers. Without a local domain controller, however, branch office users must authenticate and perform DNS lookups over a WAN link to a domain controller in the central office, and poor bandwidth at the branch can bog down log-on and access to centralized resources.

RODCs speed log-ons by credential caching. A user's first authentication is forwarded to a writable domain controller, which recognizes that the request came through an RODC and, if the RODC's password replication policy allows it for that account, replicates the user's credentials to the RODC, which caches them. The RODC can then process the user's next log-on locally. If the RODC is stolen or compromised, only the cached credentials can potentially be cracked; because the directory records which accounts have been revealed to each RODC, those accounts can be identified and their passwords reset. Similarly, an RODC speeds name resolution by running a local read-only instance of the domain name service (DNS).

An organization can delegate local administrative permissions for an RODC to any domain user without granting that user any rights in the domain or on any other domain controller. A local branch user can thus log on to the RODC and perform maintenance such as upgrading a driver without affecting the domain.

An RODC has some prerequisites. It must be able to forward authentication requests to a writable domain controller running Windows Server 2008, so the domain must contain at least one writable Windows Server 2008 domain controller. Likewise, the forest functional level must be Windows Server 2003 or higher so that linked-value replication, which provides better replication consistency, is available.
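The caching and theft scenario described above, worked through with the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later RSAT). This is an added example, not code from the original article; the RODC name BRANCH-RODC01 and the groups "Branch Users" and "Branch Admins" are assumed, and the session must hold domain administrator rights.

```powershell
# Added example (not from the original article): manage the Password Replication Policy (PRP)
# of a hypothetical RODC named BRANCH-RODC01 and respond to its theft.
# Requires the ActiveDirectory module; BRANCH-RODC01, "Branch Users" and "Branch Admins" are assumed.
Import-Module ActiveDirectory

$Rodc         = 'BRANCH-RODC01'
$BranchUsers  = 'Branch Users'    # assumed group whose secrets may be cached on the RODC
$BranchAdmins = 'Branch Admins'   # assumed group allowed to administer the RODC locally

# 1. Allow only branch users' secrets to be cached. Domain Admins, Enterprise Admins,
#    Account Operators and the other privileged groups stay in the default denied list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchUsers

# 2. Administrator role separation: the principal in ManagedBy gets local administrator
#    rights on the RODC (drivers, patching) without any rights in the domain.
Set-ADComputer -Identity $Rodc -ManagedBy $BranchAdmins

# 3. Exposure review. "Revealed" accounts have secrets actually cached on the RODC and are
#    the offline-cracking exposure if it is stolen; "authenticated" accounts merely logged on
#    through it and are candidates to pre-populate or to deny.
function Get-RodcExposure {
    param([string]$RodcName)
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts)
    $authed   = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -AuthenticatedAccounts)
    $privDNs  = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                  Select-Object -ExpandProperty DistinguishedName)
    $leaked   = @($revealed | Where-Object { $privDNs -contains $_.DistinguishedName })
    if ($leaked.Count -gt 0) {
        $names = ($leaked | Select-Object -ExpandProperty SamAccountName) -join ', '
        Write-Warning ("Privileged secrets cached on {0}: {1}" -f $RodcName, $names)
    }
    New-Object PSObject -Property @{
        Rodc           = $RodcName
        Revealed       = $revealed.Count
        Authenticated  = $authed.Count
        PrivilegedLeak = $leaked.Count
    }
}

# Cryptographically random throwaway password; 64-symbol alphabet, so no modulo bias.
function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# 4. Incident response for a stolen RODC: treat every revealed user secret as crackable.
#    Reset those passwords and force a change at next logon; revealed computer accounts are
#    listed for re-joining, since their secret must be replaced on the machine itself.
function Invoke-RodcTheftResponse {
    param([string]$RodcName)
    $exposed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts)
    foreach ($acct in $exposed) {
        switch ($acct.ObjectClass) {
            'user' {
                $new = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
                Set-ADAccountPassword -Identity $acct -Reset -NewPassword $new
                Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
                Write-Output ("Reset user {0}" -f $acct.SamAccountName)
            }
            'computer' {
                Write-Output ("Computer {0} was cached on the stolen RODC: re-join it to the domain" -f $acct.SamAccountName)
            }
        }
    }
}

Get-RodcExposure -RodcName $Rodc | Format-List
# Invoke-RodcTheftResponse -RodcName $Rodc    # run once the RODC is confirmed lost
```

After the resets, remove the stolen RODC from the domain (delete its computer account in Active Directory Users and Computers, or run ntdsutil metadata cleanup) so the box can no longer replicate. The point of the exposure review is that the PRP bounds what a thief gets: with privileged groups denied and only branch accounts allowed, the revealed list is the complete set of credentials that need resetting.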
Restarts and Other Improvements

Other improvements to AD DS include the following.

Domain Services restarts without reboots. Windows Server 2008 administrators can stop and restart AD DS using either the Services Microsoft Management Console (MMC) snap-in or the command line, without restarting the server's OS. This reduces the time required for directory maintenance tasks such as offline defragmentation, and other services running on the server, such as the Dynamic Host Configuration Protocol (DHCP), remain available to clients. While AD DS is stopped, the domain controller behaves as if it had been rebooted into Directory Services Restore Mode, which in earlier Windows versions was the only way to perform such maintenance and required a reboot. Note that services that depend on the directory, such as the Kerberos Key Distribution Center and the DNS Server service, stop along with it.

More granular auditing. Windows Server 2003 provided a single audit policy, audit directory service access, that turned auditing of directory service events on or off. Windows Server 2008 splits it into four subcategories: Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication. With Directory Service Changes enabled, a modified attribute is logged with both its previous and new values; if an object is created, the values of its attributes are logged; if it is moved, the previous and new locations are logged; deletions continue to be logged under Directory Service Access. An entry is produced only for objects whose system access control list (SACL) requests auditing, which helps manage the volume of audit data and in turn simplifies analysis by administrators.

Multiple password complexity and lockout policies. Windows Server 2008 allows an organization to specify multiple password and account lockout policies within a single domain (fine-grained password policies, which require the Windows Server 2008 domain functional level). For example, an organization can apply stricter settings to privileged accounts, such as administrators, and less strict settings to other users, protecting important accounts while reducing the frequency of password resets for everyone else. In Windows Server 2003 AD domains, only one password policy and one account lockout policy could be applied to all users in the domain.
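The auditing and password-policy improvements above, applied with the ActiveDirectory PowerShell module and auditpol. This is an added example, not code from the original article; it assumes an elevated session on a Windows Server 2008 R2 or later domain controller, and the policy name "PSO-PrivilegedAccounts" and the administrator account "jdoe.adm" are assumed names.

```powershell
# Added example (not from the original article): enable Windows Server 2008 directory change
# auditing and create a stricter fine-grained password policy for privileged accounts.
# Assumes an elevated session with the ActiveDirectory module on a domain controller;
# "PSO-PrivilegedAccounts" and the admin user "jdoe.adm" are assumed names.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# --- More granular auditing -----------------------------------------------------------
# The single 2003-era category is now four subcategories. Only "Directory Service Changes"
# records old and new attribute values (events 5136 modify, 5137 create, 5138 undelete,
# 5139 move). Enabling the subcategory is step one...
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable
auditpol.exe /get /subcategory:"Directory Service Changes"

# ...step two is a SACL on the objects to watch; without one nothing is logged. Here every
# successful write by anyone to anything under the domain root is audited.
function Add-DirectoryWriteAudit {
    param([string]$DistinguishedName)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, WriteDacl, WriteOwner',
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}
Add-DirectoryWriteAudit -DistinguishedName $domain.DistinguishedName

# Pull change events: who changed which attribute on which object, and the value involved.
function Get-DirectoryChanges {
    param([datetime]$Since = (Get-Date).Date)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = $d['SubjectUserName']
                Object    = if ($d['ObjectDN']) { $d['ObjectDN'] } else { $d['NewObjectDN'] }   # 5139 uses Old/NewObjectDN
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']
                Operation = $d['OperationType']   # %%14674 = value added, %%14675 = value deleted
            }
        }
}

# --- Multiple password policies -------------------------------------------------------
# Fine-grained password policies need the Windows Server 2008 domain functional level.
if ([int]$domain.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $($domain.DomainMode); Windows Server 2008 or higher is required."
}

# Stricter settings for privileged accounts. When several PSOs apply, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Domain Admins', 'Enterprise Admins', 'Account Operators'

# Verify what a given administrator actually gets (the PSO overrides the Default Domain Policy).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe.adm' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge

# The PSO creation itself should now appear as 5137/5136 events attributed to this session.
Get-DirectoryChanges | Sort-Object Time | Format-Table -AutoSize
```

Two practical caveats. A Group Policy that still sets the legacy Audit directory service access category overwrites the subcategory setting at the next refresh unless the policy "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled. And a PSO applies only to users and global security groups; linking it to an organizational unit does nothing, which is why the example targets the privileged groups directly and then checks the resultant policy on an actual account.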
Other AD Service Improvements

Windows Server 2008 also improves the other AD-branded services.

Active Directory Federation Services

AD FS, which first shipped with Windows Server 2003 R2, makes it easier for an organization to share its internal resources with authorized internal users as well as with users from other organizations, such as customers and partners. In a federated identity system, each organization authenticates its own users and maintains their accounts. When a user wants to access resources at a partner organization, the user's home organization issues a signed security token containing assertions (claims) about the user, and the partner grants access based on the claims in the token and on whether it trusts the home organization, rather than authenticating the user itself.

In Windows Server 2008, AD FS becomes a server role, making installation and configuration easier through Server Manager. It also gains tighter integration with Office SharePoint Server 2007 and with AD RMS. This version includes AD FS membership and role providers that SharePoint Server 2007 can use for single sign-on, so an organization can configure SharePoint Server 2007 as a claims-aware application in AD FS and administer its SharePoint sites using membership and role-based access control. Creating a federated trust between two organizations also becomes easier because of enhancements to the Add Partner Wizard; for example, an administrator can specify a different account partner verification certificate and map claims according to the partner's claim definitions.
Active Directory Certificate Services

AD CS, a long-time component of Windows Server, manages the issuing and revocation of certificates, which identify users, computers, and applications and may be issued by Windows Server CAs or by other certificate authorities. In Windows Server 2008, AD CS improves Web enrollment, device enrollment, revocation checking, and management.

Certificate Web Enrollment lets a user on a Windows computer that is not joined to the domain, or on a system running a non-Windows OS such as Linux, request a new certificate or renew an existing one through a Web page hosted on Internet Information Services (IIS), extending self-service enrollment to more users.

Network Device Enrollment Service (NDES) lets network devices such as routers and switches, which have no domain accounts, enroll for certificates from a Windows Server CA (for example, to authenticate IPsec tunnels) using the Simple Certificate Enrollment Protocol (SCEP), which defines the exchange between a device and a registration authority.

Online Certificate Status Protocol (OCSP) support adds an Online Responder that answers queries about whether a particular certificate has been revoked, so clients no longer need to download the entire certificate revocation list (CRL). Clients use the responder only if the CA puts its URL in the Authority Information Access extension of the certificates it issues; otherwise they fall back to the CRL.

PKIView, a health tool for monitoring the public key infrastructure (PKI) and its CAs, moves from the Windows Server Resource Kit into the Windows Server product.

Active Directory Rights Management Services

AD RMS, originally introduced as a feature pack for Windows Server 2003, enables users to place restrictions (such as "do not print") on documents and messages and ensures that those restrictions are enforced across multiple computers and domains.
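The enrollment and revocation-checking path described above, driven from PowerShell with the certreq and certutil tools that ship with Windows. This is an added example, not code from the original article; the CA configuration string "CA01.corp.example\Corp Issuing CA", the template name WebServer, and the subject web01.corp.example are assumed, and the session must be elevated because the key is created in the machine store.

```powershell
# Added example (not from the original article): enroll a machine certificate from an
# enterprise CA with certreq, then confirm that revocation checking can use the Online Responder.
# Assumed names: CA01.corp.example\Corp Issuing CA, template WebServer, subject web01.corp.example.
$CaConfig = 'CA01.corp.example\Corp Issuing CA'
$Subject  = 'CN=web01.corp.example'
$Work     = Join-Path $env:TEMP 'enroll'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request: 2048-bit RSA key in the machine store, non-exportable, PKCS#10 format,
#    key usage digitalSignature + keyEncipherment (0xA0).
$inf = @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@
$infPath = Join-Path $Work 'request.inf'
$csrPath = Join-Path $Work 'request.csr'
$cerPath = Join-Path $Work 'issued.cer'
Set-Content -Path $infPath -Value $inf

certreq.exe -new $infPath $csrPath                     # generate key pair and CSR
certreq.exe -submit -config $CaConfig $csrPath $cerPath  # submit to the CA; pends if the template needs approval
certreq.exe -accept $cerPath                           # bind the issued cert to its private key in LocalMachine\My

# 2. Revocation endpoints: the certificate must name the responder in its Authority Information
#    Access (AIA) extension (access method OID 1.3.6.1.5.5.7.48.1), or clients fall back to the CRL
#    named in the CRL Distribution Points (CDP) extension.
function Get-RevocationEndpoints {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aiaText = if ($aia) { $aia.Format($true) } else { '' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '' }
    New-Object PSObject -Property @{
        Subject = $cert.Subject
        HasOcsp = [bool]($aiaText -match '1\.3\.6\.1\.5\.5\.7\.48\.1')
        Aia     = $aiaText
        Cdp     = $cdpText
    }
}
$endpoints = Get-RevocationEndpoints -CertPath $cerPath
$endpoints | Format-List
if (-not $endpoints.HasOcsp) {
    Write-Warning 'No OCSP URL in AIA: clients will download the full CRL for this certificate.'
}

# 3. Live check: certutil follows the AIA and CDP URLs, reports each fetch, and ends with the
#    chain's revocation verdict. Filtered here to the lines a reviewer cares about.
$report = certutil.exe -verify -urlfetch $cerPath
$report | Where-Object { $_ -match 'OCSP|CRL|revocation|Verified|Failed' }
```

The check in step 2 is the one worth automating across a CA's issued certificates: an Online Responder that is installed but not referenced from AIA protects nothing, and the symptom (clients silently downloading a large CRL over the WAN) looks like a network problem rather than a PKI misconfiguration.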
Rights management is useful in organizations that are subject to formal confidentiality regulations or that hold trade secrets and other intellectual property, as well as in departments of any organization where confidentiality is essential, such as legal and human resources. In Windows Server 2008, AD RMS is integrated with the server product as a manageable, configurable server role. AD RMS and AD FS are integrated so that organizations can use existing federated trust relationships to collaborate with external partners and share rights-protected content; for example, an organization that has deployed AD RMS can use AD FS to federate with an external organization and share rights-protected content without requiring the partner to deploy AD RMS. In addition, a new MMC snap-in replaces the former Web-based administration console.

Active Directory Lightweight Directory Services

AD LDS is not significantly different in Windows Server 2008, except that it is now included with the OS rather than shipped as a separate feature pack. Both AD DS and AD LDS can run on Windows Server 2008 Server Core, and both are available as server roles in Server Manager.

Availability and Resources

AD services are included in beta 3 of Windows Server 2008. The server is expected to release to manufacturing in late 2007, with general availability in 2008. Microsoft's identity and access management tools are described in "Identity and Access Integration Under Way" on page 8 of the Aug. 2007 Update. More information on AD services is available at technet2.microsoft.com/windowsserver2008/en/library/cdd7ea3d-187b-4237-b0d9-414bfad492081033.mspx?mfr=true, and Windows Server 2008 information at www.microsoft.com/windowsserver2008/default.mspx.