ADS in Windows Server 2008

A read-only domain controller for branch offices, a lightweight version of the directory service and better rights management are just a few of the new additions to the latest MS Active Directory Service (ADS)

Anindya Roy

Thursday, January 03, 2008

In the last four parts of this series we talked about the new roles and features in Windows Longhorn. From this part onwards, we shall focus on Active Directory and its added features. We shall also see how to deploy Active Directory on Windows Server 2008. Let's look at the new features first:

Read-only Domain Controller: The Read-only Domain Controller, or RODC, is a great concept for branch offices and other places with lower physical security. Let's assume that you have a head office where the datacenter is deployed with full physical security. Apart from this, you have five different branch offices across the globe, and you have deployed local domain controllers at all of them. All domain controllers connect over VPN to the global domain controller sitting at the datacenter and replicate data amongst themselves.

Direct Hit!

Applies To: CIOs
USP: Key features in the new ADS and how its installation differs
Primary Link: www.shortenurl.com/6ufja
Google Keywords: Windows 2008 ADS

Now, let's assume that your branch offices don't have the same level of physical security that you have in your datacenter, and somebody manages to get into the server room of one of the branch offices. Being physically present at the server, he can easily install malicious tools on it and get the admin password. From that system he can then enter and modify any settings in the global DC and breach your network security. In such cases an RODC comes in handy. It's essentially a domain controller that is completely read-only, which implies that it holds no local copy of the passwords. Even if someone gets admin rights on the RODC, he cannot modify the schema at all. Users on the network can connect to an RODC and get authenticated by it, but any modification, even a password change, has to go to a writable domain controller.

AD Lightweight Directory Service: ADLDS is a new concept in MS Windows Server 2008. It is essentially a dedicated directory service for specific applications, ideal for cases where an application requires directory services but does not require a complete Active Directory to be installed. With ADLDS, one can have multiple instances of Directory Services, each dedicated to a different application, running simultaneously on a single machine.

Active Directory Rights Management Service: By installing the Active Directory Rights Management Service role on a server and the ADRMS client on workstations, one can enable rights management features in applications such as word processors, email clients, etc. One can even define which document or email will be accessible to whom, and in what manner. For instance, you can define a policy for your document/email saying that it can only be read by Mr X, whereas Mr Y can read and print the document, Mr Z can forward the document and even print it, and so on. Users can even create pre-defined policy templates such as 'Non-printable Documents' or 'Confidential – ReadOnly', etc, and directly apply those on documents when required.

Installing Active Directory
Installing Active Directory in its basic form is not very different from older versions of Windows Server, but there are some changes. So, we will go through the ADS installation steps briefly.

To start the installation process, the first thing you have to do is install the Active Directory role. To install a new role, go to the Server Manager interface: start the Server Manager window from Administrative Tools and click on the Roles option in the left-hand pane. On the right side of the window, click on the 'Add Role' option. A new window will open showing the complete list of all available server roles. Select 'Active Directory Domain Service' and click on 'Install'. A wizard will open. There's not much to do in the wizard, so keep pressing Next till Active Directory Domain Service is fully installed on your machine.

Figure caption: Some useful new server roles have been added, such as Rights Management, which enables rights management for desktop apps like word processors, spreadsheets, etc.

But this only installs the service on your machine; it does not make it a domain controller. So you have to run the good old dcpromo command to make your Windows Server 2008 box a domain controller. While running dcpromo you will feel pretty much at home, as the wizard is quite similar to the older version. If you are new to it, run the dcpromo.exe command from either the command prompt or the Run dialog.

Running the command opens a wizard window. Here the wizard asks whether you want to create a domain in a new forest or add a domain to an existing one. Select the 'New domain in a New Forest' option and proceed.

In the next step you will be asked to provide an FQDN for the domain and the server. Here, give a full name to your domain. If the domain is mapped against a website on the Internet, or you have a VPN with an Internet domain name and have a domain name booked for it, then provide that name here. This could be somedomain.com, etc. Else give a suitable name with ".local" as the top-level domain. This ensures that your DNS system doesn't go out to the Internet every time it looks up a local machine.

Figure caption: Select the last option if and only if you are going to have all data centers on Windows Server 2008

At the next step the wizard will ask you to select the Forest Functional level. If you have just one domain controller, or many but all running Windows Server 2008, then set the functional level to Windows Server 2008. Otherwise select the functional level according to the other domain controllers in the forest. Choosing a functional level lower than Windows Server 2008 will leave some of the latest Windows Server 2008 functionality unavailable. But as this is a test setup and you will have just one domain controller, we recommend going for the Windows Server 2008 functional level.

In the next screen the wizard will ask whether to install a DNS server on the machine. If you already have a DNS server then don't select the check box, else select it and proceed. Now your Windows Server 2008 Active Directory is more or less up and running. All you need to do is click Next twice and then provide the password for the domain when asked. Once you click Next on the password screen, the installation process starts and takes around ten to twenty minutes depending on the speed of your machine. Once it's done you will be asked to reboot, and your ADS is ready. Next month, we will see how to deploy a read-only ADS on a Windows Server 2008 machine using the dcpromo command.
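The same choices the wizard walks through above (new forest, FQDN, functional level, DNS, password) can be handed to dcpromo as an unattended answer file, which is handy when the same build has to be repeated for several test boxes. This is an added example, not from the article; the domain name, paths and password value are placeholders you must replace.

```ini
; Added example: dcpromo answer file for the single-DC test forest described above.
; Not from the original article; domain name, paths and password are placeholders.
[DCInstall]
; First wizard page: create a new domain in a new forest
ReplicaOrNewDomain=Domain
NewDomain=Forest
; FQDN of the new domain; ".local" keeps lookups for local machines off the Internet
; (constructed name, replace with your own)
NewDomainDNSName=pcqlab.local
DomainNetbiosName=PCQLAB
; Functional levels: 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008
; Use 3 only if every domain controller in the forest will run Windows Server 2008
ForestLevel=3
DomainLevel=3
; Install the DNS server role on this box; set to No if a DNS server already exists
InstallDNS=Yes
; Default locations for the AD database, transaction logs and SYSVOL
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; The password the wizard asks for on its password screen (Directory Services
; Restore Mode password). It sits here in clear text, so delete this file
; as soon as the promotion has finished.
SafeModeAdminPassword=REPLACE_WITH_STRONG_PASSWORD
; Reboot automatically when dcpromo completes
RebootOnCompletion=Yes
```

Run it with `dcpromo /unattend:C:\dcinstall.txt` from an elevated command prompt; dcpromo reads the [DCInstall] section and performs the same promotion the wizard would.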
