In the last four parts of this series we talked about the new roles and
features in Windows Longhorn. From this part onwards, we shall focus on Active
Directory and its added features. We shall also see how to deploy Active
Directory in Windows Server 2008. Let's look at the new features first:
Read-only Domain Controller: A Read-only Domain Controller, or RODC, is a
great concept for branch offices and other places with lower physical security.
Let's assume that you have a head office whose data center has full physical
security and hosts your main domain controller (DC). Apart from this, you have
five branch offices across the globe, and you have deployed a local domain
controller at each branch. All the branch domain controllers connect over VPN to
the global domain controller sitting in the data center and replicate data
amongst themselves.
Now, let's assume that your branch offices don't have the same level of
physical security as your data center, and somebody manages to get into the
server room of one of them. Being physically present at the server, he can
easily install malicious tools on it and obtain the admin password. With that he
can enter the global DC through this system, modify any settings and breach your
network security. In such cases an RODC comes in handy. It is essentially a DC
that is completely read-only, which implies that it keeps no local copy of the
passwords. For instance, even if someone gets admin rights on the RODC, he
cannot modify the schema at all. Users on the network can connect to an RODC and
get authenticated by it, but any modification, even a password change, has to go
to a writable domain controller.
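The property the paragraph above relies on, that an RODC holds no local copy of passwords, is something an administrator should verify rather than assume, because an RODC can be allowed to cache the secrets of selected accounts. The following PowerShell script is an added example, not part of the original article: it lists the accounts whose passwords have actually been revealed to (cached on) an RODC and warns if any of them is a Domain Admin. It assumes an RODC named RODC-BRANCH1 (a placeholder), the Windows Server 2008 AD DS command-line tools (repadmin, dsquery, dsget) on the machine where it runs, and that repadmin prints each cached account's distinguished name on its own line beginning with CN= (an assumption about its output layout).

```powershell
# Added example, not from the article. Audit which account secrets an RODC has cached.
# Assumptions: RODC name is a placeholder; repadmin/dsquery/dsget are available.
$Rodc = 'RODC-BRANCH1'   # placeholder name of the branch RODC

function Get-RodcRevealedAccounts([string]$RodcName) {
    # 'reveal' lists the accounts whose passwords have been cached on the RODC.
    # Assumption: each distinguished name is printed on its own line starting with CN=.
    repadmin.exe /prp view $RodcName reveal |
        Where-Object { $_ -match '^\s*CN=' } |
        ForEach-Object { $_.Trim() }
}

function Get-DomainAdminDns {
    # Expand Domain Admins membership to distinguished names (dsget quotes each DN).
    dsquery.exe group -samid 'Domain Admins' |
        dsget.exe group -members -expand |
        ForEach-Object { $_.Trim().Trim('"') }
}

$revealed = @(Get-RodcRevealedAccounts $Rodc)
$admins   = @(Get-DomainAdminDns)
$exposed  = @($revealed | Where-Object { $admins -contains $_ })

"$($revealed.Count) account(s) have passwords cached on $Rodc"
if ($exposed.Count -gt 0) {
    "WARNING: privileged accounts are cached on $Rodc; they belong in the"
    "'Denied RODC Password Replication Group', not on a branch box:"
    $exposed
}

# Review the caching policy itself: who is allowed and who is denied caching.
repadmin.exe /prp view $Rodc allow
repadmin.exe /prp view $Rodc deny
```

An empty reveal list confirms the read-only property the article describes; a non-empty list is expected only for the branch users you deliberately allowed, and never for administrative accounts.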
AD Lightweight Directory Service: ADLDS is a new concept in MS Windows
Server 2008. It is essentially a dedicated directory service for specific
applications, ideal for cases where an application needs a directory service
but does not need a complete Active Directory to be installed. With ADLDS, one
can have multiple instances of the directory service, each dedicated to a
different application, running simultaneously on a single machine.
Active Directory Rights Management Service: By installing the Active
Directory Rights Management Service role on a server and the ADRMS client on
workstations, one can enable rights management features in applications such as
word processors, email clients, etc. One can define which documents or emails
are accessible to whom, and in what manner. For instance, you can define a
policy for a document or email saying that it can only be read by Mr X, whereas
Mr Y can read and print it, Mr Z can forward it and even print it, and so on.
Users can even create pre-defined policy templates such as 'Non-printable
Documents' or 'Confidential — ReadOnly,' etc, and apply them directly to
documents when required.
Installing Active Directory
Installing Active Directory in its basic form is not very different from
older versions of Windows Server, but there are some changes, so we will go
through the ADS installation steps briefly.
To start the installation process, the first thing you have to do is install
the Active Directory role, and new roles are installed from the Server Manager
interface. So, start Server Manager from Administrative Tools. Now click on the
Roles option in the left pane of the window. On the right side of the window,
click on the 'Add Roles' option. A new window will open with the complete list
of all available server roles. Select 'Active Directory Domain Services' and
click 'Install'. A wizard will open. There is not much to do in the wizard, so
keep pressing Next till Active Directory Domain Services is fully installed on
your machine.
Figure: Some useful new server roles have been added, such as Rights Management, which enables rights management for desktop apps like word processors, spreadsheets, etc.
But this only installs the service on your machine and does not make it a
Domain Controller. So you have to run the good old dcpromo command to make your
Windows Server 2008 box a domain controller. While running dcpromo you will feel
pretty much at home, as the wizard is quite similar to the older version. If you
are new to it, run the dcpromo.exe command from either the command prompt or the
Run dialog.
Running the command opens a wizard window, which asks whether you want to
create a domain in a new forest or add a domain to an existing one. Select the
'new domain in a new forest' option and proceed. In the next step you will be
asked to provide an FQDN for the domain and the server. Give your domain a full
name. If the domain is mapped against a website on the Internet, or you have a
VPN with an Internet domain name and have that domain name registered, then
provide that name here; this could be somedomain.com, etc. Otherwise give a
suitable name with ".local" as the top-level domain. This ensures that your DNS
system doesn't always go out to the Internet while searching for a local
machine.
Figure: Select the last option if and only if all your domain controllers are going to be on Windows Server 2008.
At the next step the wizard asks you to select the forest functional
level. If you have just one domain controller, or many but all running Windows
Server 2008, then select the Windows Server 2008 functional level. Otherwise
select the level according to the other domain controllers in the forest.
Choosing a level lower than Windows Server 2008 disables some of the newest
Windows Server 2008 functionality. But as this is a test setup and you probably
have just one domain controller, we recommend the Windows Server 2008 functional
level.
In the next screen the wizard asks whether to install a DNS server on the
machine. If you already have a DNS server, leave the check box clear; otherwise
select it and proceed. Now your Windows Server 2008 Active Directory is more or
less up and running. All you need to do is click Next twice and then provide the
password for the domain when asked. Once you click Next on the password screen,
the installation process starts and takes around ten to twenty minutes depending
on the speed of your machine. Once it's done, you will be asked to reboot, and
your ADS is ready. Next month, we will see how to deploy a read-only ADS on a
Windows Server 2008 machine using the dcpromo command.
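The wizard steps just described (install the role, run dcpromo, choose a new forest, give the FQDN, pick the Windows Server 2008 functional level, install DNS, set the password) can also be driven unattended, which is how you would build the same lab forest repeatably. The script below is an added example and not part of the article: it installs the role with ServerManagerCmd, writes a dcpromo answer file holding the same choices the wizard asks for, and promotes the server. The domain name lab.local and NetBIOS name LAB are assumed placeholders, the password prompted for is the one the wizard asks for on its password screen, and the answer file is deleted afterwards because it contains that password.

```powershell
# Added example, not from the article. Unattended equivalent of the wizard steps above
# for a single lab domain controller on Windows Server 2008. Run from an elevated prompt.
$DomainFqdn  = 'lab.local'   # assumed lab name, following the ".local" advice in the article
$NetbiosName = 'LAB'         # assumed NetBIOS name
$AnswerFile  = Join-Path $env:TEMP 'dcpromo-answer.txt'

# Step 1: install the AD DS role (what 'Add Roles' in Server Manager does).
ServerManagerCmd.exe -install AD-Domain-Services

# Step 2: the password the wizard asks for on its password screen; prompted, not hard-coded.
$DsrmPassword = Read-Host 'Password for the domain (restore mode administrator)'

# Step 3: the answer file carries the wizard choices in the same order the article walks through:
#   new domain in a new forest, FQDN, functional level (3 = Windows Server 2008), install DNS.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainFqdn
DomainNetbiosName=$NetbiosName
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
CreateDNSDelegation=No
ConfirmGc=Yes
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@
Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII

# Step 4: promote the server, then remove the file so the password does not stay on disk,
# and reboot as the wizard would.
dcpromo.exe "/unattend:$AnswerFile"
Remove-Item -Path $AnswerFile -Force
shutdown.exe /r /t 10
```

ForestLevel and DomainLevel 3 correspond to the Windows Server 2008 functional level the article recommends; if other domain controllers in the forest run older versions, lower these values (2 for Windows Server 2003, 0 for Windows 2000) just as you would pick a lower level in the wizard. Leave InstallDNS as No if a DNS server already exists, mirroring the check box in the wizard.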