Active Directory Server 2008 R2 Features


7/30/2019 Active Directory Server 2008 R2 Features

Active Directory Domain Services

Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.

Auditing. Changes made to Active Directory objects can be recorded so that you know what was changed on the object, as well as the previous and current values for the changed attributes.
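The old/new value recording described above comes from the "Directory Service Changes" audit subcategory. The following is an added example (not part of the original document) that enables it on a Windows Server 2008 R2 domain controller and folds the paired 5136 events back into one row per attribute change; it assumes an elevated session on a DC and an existing success-audit SACL on the objects of interest, since the subcategory only logs what each object's SACL asks for.

```powershell
# Added example, not from the original document: enable "Directory Service Changes"
# auditing on a Windows Server 2008 R2 domain controller and reconstruct the
# previous/current attribute values from the Security log. Assumes an elevated
# PowerShell session on a DC and an existing success-audit SACL on the objects
# of interest (the subcategory only logs what each object's SACL asks for).

# 1. Enable the subcategory that records attribute-level changes (event ID 5136).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Read recent 5136 (object modified) events. A modified attribute yields two
#    events sharing one OpCorrelationID: OperationType %%14675 carries the old
#    value (Value Deleted), %%14674 the new value (Value Added).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Corr      = $data['OpCorrelationID']
        Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object    = $data['ObjectDN']
        Attribute = $data['AttributeLDAPDisplayName']
        Value     = $data['AttributeValue']
        IsNew     = ($data['OperationType'] -eq '%%14674')
    }
}

# 3. Fold each old/new pair into one row: who changed what, from which value to which.
$rows | Group-Object -Property Corr, Object, Attribute | ForEach-Object {
    $first = $_.Group[0]
    New-Object PSObject -Property @{
        Time      = $first.Time
        Who       = $first.Who
        Object    = $first.Object
        Attribute = $first.Attribute
        Previous  = (($_.Group | Where-Object { -not $_.IsNew }) | ForEach-Object { $_.Value }) -join ';'
        Current   = (($_.Group | Where-Object { $_.IsNew }) | ForEach-Object { $_.Value }) -join ';'
    }
} | Sort-Object Time -Descending |
    Format-Table Time, Who, Object, Attribute, Previous, Current -AutoSize
```

Object creations, deletions and moves arrive as their own event IDs (5137, 5141, 5139) and can be pulled with the same filter by changing the Id value.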

Fine-Grained Passwords. Password policies can be configured for distinct groups within the domain. No longer does every account have to use the same password policy within the domain.
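As an added example (not from the original document), the following creates a stricter fine-grained password policy for a privileged group and then checks which policy a member actually receives, using the Active Directory PowerShell cmdlets shipped with Windows Server 2008 R2; it assumes a domain at Windows Server 2008 or later functional level, and the group name "Tier0-Admins" and account "jdoe" are constructed placeholders.

```powershell
# Added example, not from the original document: fine-grained password policy
# (PSO) for privileged accounts. Assumes Windows Server 2008 (or later) domain
# functional level, the ActiveDirectory module, and an existing global security
# group named 'Tier0-Admins' (constructed placeholder).
Import-Module ActiveDirectory

# Create the PSO. When several PSOs apply to one user, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -Description 'Stricter password policy for privileged accounts'

# Link the PSO to the group. PSOs can only be applied to users and global security
# groups, not to OUs, so membership of this group is what scopes the policy.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# Verify the resultant policy for a member. $null means the user still gets the
# domain default policy (for example, because the group is not a global group).
$account = 'jdoe'   # constructed placeholder
$pso = Get-ADUserResultantPasswordPolicy -Identity $account
if ($pso) {
    "$account is governed by PSO '$($pso.Name)' (precedence $($pso.Precedence), min length $($pso.MinPasswordLength))"
} else {
    "$account falls back to the domain default password policy"
}
```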

Read-Only Domain Controller. A domain controller with a read-only version of the Active Directory database can be deployed in environments where the security of the domain controller cannot be guaranteed, such as branch offices where the physical security of the domain controller is in question, or domain controllers that host additional roles, requiring other users to log on and maintain the server. The use of Read-Only Domain Controllers (RODCs) prevents changes made at branch locations from potentially polluting or corrupting your AD forest via replication. RODCs also eliminate the need to use a staging site for branch office domain controllers, or to send installation media and a domain administrator to the branch location.

Restartable Active Directory Domain Services. Active Directory Domain Services can be stopped and maintained. Rebooting the domain controller and restarting it in Directory Services Restore Mode is not required for most maintenance functions. Other services on the domain controller can continue functioning while the directory service is offline.

Database Mounting Tool. A snapshot of the Active Directory database can be mounted using this tool. This allows a domain administrator to view the objects within the snapshot to determine the restore requirements when necessary.

Active Directory Rights Management Services

Your organization's intellectual property needs to be safe and highly secure. Active Directory Rights Management Services, a component of Windows Server 2008, is available to help make sure that only those individuals who need to view a file can do so. AD RMS can protect a file by identifying the rights that a user has to the file. Rights can be configured to allow a user to open, modify, print, forward, or take other actions with the rights-managed information. With AD RMS, you can now safeguard data when it is distributed outside of your network.

Application Support. Support for AD RMS is already included within Windows Vista. Internet Explorer 7 and the 2007 Microsoft Office system already have support for AD RMS. The AD RMS client can also be installed on other Windows operating systems.


Persistent Protection. Your content can be protected on the go. You specify who can open, modify, print, or manage the content, and the rights stay with the content even after it has been transferred outside of your organization.

Usage Policy Templates. If you have a common set of rights that you use to control access to information, a Usage Policy Template can be created and applied to content. This alleviates the need to recreate the usage rights settings for every file you want to protect.

AD RMS Software Development Kit. The AD RMS Software Development Kit (SDK) can be used by independent software vendors (ISVs) to rights-enable their applications, meaning the application investments you've already made may be (or will become) compatible with AD RMS.

Active Directory Federation Services

Active Directory Federation Services is a highly secure, highly extensible, and Internet-scalable identity access solution that allows organizations to authenticate users from partner organizations. Using AD FS in Windows Server 2008, you can simply and very securely grant external users access to your organization's domain resources. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.

Availability As an Integrated Server Role. AD FS is a server role within Windows Server 2008 that can be easily deployed and managed using Server Manager, instead of being handled as an added feature, as in Windows Server 2003 R2.

Integration with Microsoft Office SharePoint Server 2007. AD FS can be used to facilitate a single sign-on solution for Office SharePoint Server 2007.

Integration with Active Directory Rights Management Services (AD RMS). AD FS can integrate with AD RMS to support the sharing of rights-protected content between organizations without requiring AD RMS to be deployed in both organizations.

Improved Administration. Importing and exporting trust information has been enhanced so that each organization can quickly export or import XML files to facilitate the configuration of trust information.

Active Directory Certificate Services

Most organizations use certificates to prove the identity of users or computers, as well as to encrypt data during transmission across unsecured network connections. Active Directory Certificate Services (AD CS) enhances security by binding the identity of a person, device, or service to their own private key. Storing the certificate and private key within Active Directory helps securely protect the identity, and Active Directory becomes the centralized location for retrieving the appropriate information when an application places a request.

Enrollment Agent Templates. Delegated enrollment agents can be assigned on a per-template basis.


Integrated Simple Certificate Enrollment Protocol (SCEP). Certificates can be issued to network devices, such as routers.

Online Responder. Certificate Revocation List (CRL) entries can be returned to the requestor as a single certificate response instead of the entire CRL. This reduces the total amount of network traffic consumed when clients validate certificates.

Enterprise PKI (PKI View). A new management tool for AD CS, this tool allows a Certificate Services administrator to manage Certification Authority (CA) hierarchies to determine the overall health of the CAs and to easily troubleshoot errors.

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode, can be used to provide directory services for directory-enabled applications. Instead of using your organization's AD DS database to store the directory-enabled application data, AD LDS can be used to store the data. AD LDS can be used in conjunction with AD DS so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). Using AD LDS, you can reduce the overhead associated with Active Directory replication, you do not have to extend the Active Directory schema to support the application, and you can partition the directory structure so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application.

Install from Media Generation. The ability to create installation media for AD LDS by using Ntdsutil.exe or Dsdbutil.exe.

Auditing. Auditing of changed values within the directory service.

Database Mounting Tool. Gives you the ability to view data within snapshots of the database files.

Active Directory Sites and Services Support. Gives you the ability to use Active Directory Sites and Services to manage the replication of the AD LDS data changes.

Dynamic List of LDIF Files. With this feature, you can associate custom LDIF files with the existing default LDIF files used for setup of AD LDS on a server.

Recursive Linked-Attribute Queries. LDAP queries can follow nested attribute links to determine additional attribute properties, such as group memberships.

Additional Active Directory Improvements

The Active Directory Installation Wizard includes several improvements over earlier versions. These improvements make it easier for an administrator to control the installation of domain controllers within the domain. Enhancements include:


New Forest Functional Level. Windows Server 2008 R2 includes a new Active Directory forest functional level. Many of the new features in the Active Directory server roles require the Active Directory forest to be configured with this new functional level.

Enhanced Command Line and Automated Management. Windows PowerShell cmdlets provide the ability to fully manage Active Directory server roles.

Improved Automated Monitoring and Notification. An updated System Center Manager 2007 Management Pack helps improve the monitoring and management of Active Directory server roles.

Better Management with Server Manager. Server Manager, the Windows Server 2008 R2 server management tool, allows an administrator to pre-stage domain controllers. When the domain controller role is added from the Server Manager console, the files that are needed to perform the installation of the directory service are copied to the server. When an administrator starts the Installation Wizard, dcpromo.exe, the files are already cached and available.

Improved Compliance with Established Standards and Best Practices. Windows Server 2008 R2 includes an integrated Best Practices Analyzer for each of the server roles. The Best Practices Analyzer creates a checklist within Server Manager for the role, which you can use to help perform all the configuration tasks.

Answer File Creation. If several domain controllers use the same settings when they are installed, the Summary page allows you to export the settings from the current installation into an answer file. The password used for your Directory Services Restore Mode administrator account is not exported with the answer file, and you can specify that the user who is installing the domain controller is always prompted for the administrator password. This way, passwords are not accessible to users who have access to the location where the answer files are stored.

Read-Only Domain Controller Installation. The Read-Only Domain Controller role can be installed using the Installation Wizard. When installing a Read-Only Domain Controller, you can define who is allowed to install and manage the domain controller. In the first phase of the installation, a domain administrator can define the account that can install the Read-Only Domain Controller. Once defined, the user that is associated with the Read-Only Domain Controller will have the rights to install the directory service.