R2 Improves Active Directory Administration

With Windows Server 2008 R2, Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) gain significant administration improvements, including the ability to completely restore mistakenly deleted directory objects, a new console, and an enhanced PowerShell scripting platform to automate operations. While the updated AD can interoperate with older versions of Windows Server, taking full advantage of all of the changes will require an organization to upgrade all its AD servers to Windows Server 2008 R2.

AD DS, formerly known as just AD, is Windows Server’s distributed database of objects such as users, groups, computers, and policies, used to control authentication and access to resources. AD LDS (formerly AD Application Mode, or ADAM) is a Lightweight Directory Access Protocol (LDAP) directory service that provides data storage and retrieval for directory-enabled software, such as a human resources application.

The Recycle Bin

The most important new feature is the Recycle Bin, which allows an administrator to restore a deleted AD DS or AD LDS object, such as a user account, with all of the object’s group memberships and access rights. The restoration, which works both within and across domains, is possible because when the object is deleted Windows Server 2008 R2 preserves the object and the object’s attributes, such as group membership (the object’s member and memberOf properties), so that the object and its attributes are both restored to their consistent logical state prior to deletion. This is a major improvement over existing methods, which made recovery of the object relatively simple but reconstruction of its attributes more troublesome and complex.