Windows Server 2008 R2 and Windows 7 include new features in Active Directory, that were announced and explained at Microsoft’s Tech∙Ed Europe Middle East & Africa (EMEA) conference for IT Professionals in Barcelona (Spain) from November 3rd, 2008 to November 7th, 2008.

Note:
This post represents the plans and progress made for Windows Server 2008 R2 and Windows 7 during the Milestone 3 timeframe, builds 6801 through 6937.

Active Directory Administrative Center

Windows Server 2008 R2 comes with new administrative tools. These tools offer a new Management experience. Biggest change is the management Console, called the Active Directory Administrative Center. This is a Microsoft Management Console (MMC) version 4 console and is task oriented. The Administrative Center replaces the current Active Directory Users and Computers (ADUC) MMC Snap-in (dsa.msc).

The new Management Console is a graphical shell for Powershell. After clicking together your commands, the administrative center shows the corresponding Powershell command on the screen and then execute it. This is the same way the Exchange 2007 Management Tools and Virtual Machine Manager 2008 work.

A feature called “Progressive Disclosure” is there to limit the information the tool returns to the administrator. This is useful for beginner administrators, but might also prove useful in delegation scenarios.

Best Practices Analyzer

Accompanying the Active Directory Administrative Center is the Active Directory Best Practices Analyzer (ADBPA), which will help Active Directory administrators to correct Active Directory problems proactively and compare Active Directory performance with previously made baselines.

Administrators, managing Exchange Servers will immediately recognize this tool as the Active Directory flavor of the Exchange Server Best Practices Analyzer (ExBPA), which provides them with help to correct the causes of unexpected behavior. The Active Directory Best Practices Analyzer (ADBPA) is a tool that goes beyond the Exchange Server Best Practices Analyzer (ExBPA), and integrates with the Server Manager, which in turn in Windows Server 2008 R2 receives a tremendous overhaul. (many roles will receive the ‘BPA’ treatment)

The version of the Active Directory Best Practices Analyzer (ADBPA) included in Windows Server 2008 R2 (version 1.0) focuses mainly on DNS problems, because they cause the most problems for Active Directory environments. Updates to the Active Directory Best Practices Analyzer (ADBPA) can be made available using Windows Update to address problems that might arise during the lifecycles of your Domain Controllers.

Powershell Cmdlets

Powershell CMDlets are the basis of the new streamlined management experience. The team said there were approximately 85 Active Directory Services and Active Directory Lightweight Services related CMDlets available, most of them starting with Get-AD and Set-AD. These new Powershell CMDlets replace the current Active Directory command line tools. (dsget.exe, dsmod.exe, dsadd.exe, dsmove.exe, dsquery.exe and others)

The power of Powershell is not to be dismissed in Windows Server 2008 R2. For all you command line avoiders out there: there’s Graphical Powershell. This tool provides a Graphical User Interface (GUI), that allows you to interactively create and debug Powershell scripts within an integrated development environment similar to Visual Studio:

The Powershell CMDlets (and thus the Administrative Center) will use AD Web Services and the Windows Communication Foundation (WCF) instead of the common RPC and LDAP interfaces we use nowadays. According to the team this is the first step for leaving the RPC model and embracing a web services approach. The Active Directory team has plans to release a download of AD Web Services for previous versions of Windows Server. (Windows Server 2003 and Windows Server 2008)

Since the new AD Web Services require .Net, however, the new AD Web Service will not be compatible with Windows Server 2008 Server Core domain controllers (non-R2), since it lacks .Net framework. The new Active Directory Administrative Center and the Active Directory Powershell CMDlets cannot be used with Windows Server 2008 Server Core domain controllers.

Recycle Bin for Active Directory

Restoring deleted objects from Active Directory Directory Services and Active Directory Lightweight Directory Services in current versions of Windows Server, using the Directory Services Restore Mode, is not for the faint of heart. In this time of economic turmoil proposing an expensive 3rd party application for this purpose to the CFO isn’t for the faint of heart either…

Windows Server 2008 therefore comes with a Recycle Bin for Active Directory, that can be enabled. This features enables administrators to quickly undo an accidental deletion from Active Directory. It works like the Recycle Bin on a Windows client and allows an administrator to fully undelete a deleted object, because an object will not get tombstoned (immediately) but made inactive, while all the attributes and values are kept intact for a period of 180 days. After this period it will get recycled for 180 days, which effectively has the same function as the tombstone period.

To make the recycle bin possible a new forest level is introduced.

Managed Service Accounts

The Active Directory team created a new Active Directory object type, called a Managed Service Account. This object type, based on the workstation account allows for easier management of service accounts in Active Directory.

Since the new object type is based upon the computer account it is not hindered by account policies, like the password policy and the account lockout policy. Additionally it doesn’t offer interactive logons, which is an added layer of security. (but can also be a layer of trouble when a service needs to logon interactively)

Managed Service Accounts are related to Computer Accounts. You can add multiple Managed Service Accounts to one Computer Accounts, but you can’t, however, assign a Managed Service Account to multiple Computer Accounts.

The Managed Service Accounts feature requires the Windows Server 2008 R2 Domain level.

Offline Domain Join

One of the new features of Windows 7 and Windows Server 2008 R2 is their ability to join an Active Directory domain, without a direct communication path between the client wanting to become a member of the domain and a Domain Controller.

This is achieved through restructuring the way a client joins the domain in Windows 7 and Windows Server 2008 R2. You can use this feature with your existing Windows Server 2003 and Windows Server 2008 Domain Controllers.

A tool is made available named djoin.exe. It can be used to pre-provision a client at the Domain Controller and create the blob of data required to join a computer to the domain. On Windows 7 and Windows Server 2008 R2 clients the same tool can be used to load the blob in a way that it can be used to join the computer to the domain when it is rebooted.

Authentication Assurance

Active Directory Federated Services in Windows Server 2008 R2 includes a new feature known as Authentication Assurance. This feature allows administrators to establish authentication policies for accounts that are authenticated in federated domains. This enables a variety of advanced authentication scenarios, such as smart cards, for example.

In a Windows Server 2008 R2 level domain Administrators can map various properties, including authentication type and authentication strength to an identity and based on information during authentication, these identities are added to Kerberos tickets (such as use of smartcard for logon or the certificate used 2048 bit encryption) to provide access to federated resources. This way authentication methods (and thus identification) get assured.

Authentication Assurance requires the Windows Server 2008 R2 Domain Level.

Health model and Management Packs

Monitoring Active Directory with System Center Operations Manager (SCOM) has not been easy, with the absence of a specific Management Pack and Health Model. In System Center Operations Manager (SCOM) a Management Pack describes what to monitor and are made of XML files, containing classes, discoveries and monitors. The monitors are part of the Health model, which describes how to monitor.

The Active Directory team is working on completing the Management Pack and Health model to proactively monitor the availability and performance of Active Directory, so problems can be identified faster and resolved more accurately. The Health model is reused in the Best Practices Analyzer. One of the big advantages will be the ability for administrators to drill down in System Center Operations Manager to identify an underlying problem with Active Directory.

Concluding

A lot of advancements are being made to Active Directory management. In Windows Server 2008 R2 not only do we have more reliable authentication and service accounts, but also we can undelete objects in an easier way, join machines to the domains in an easier way and resolve problems more easily and without expensive 3rd party programs.

Further reading

[Video] Windows Server 2008 R2 AD: What's Coming Up? (Robert DeLuca and Alain Lissoir)
[DOC] Windows Server 2008 R2 Reviewers Guide
Windows Server 2008 R2 Features | TechHead.co.uk
Just a few of the new features to expect in Windows Server 2008 R2
Windows Server 2008 R2 Overview
Some Windows 7 and Server 2008 R2 Information
Windows Server 2008's Enterprise Ambitions
Preview: Windows Server 2008 R2
Introduction to PowerShell/AD/PowerGUI
Server 2008 R2 Active Directory
Tech-Ed EMEA 2008: Windows Server 2008 R2 Overview
Windows Server 2008 R2 Features
Day 3: Windows Server 2008 R2 Overview
Windows Server 2008 R2 and Active Directory
Announcing Windows Server 2008 R2
Windows Server 2008 R2 (or should it be called Windows Server 2009?)
574 Reasons Why We Are So Proud and Optimistic About W7 and WS08R2

Disclaimer Beta Software

The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.