The decision to upgrade Active Directory to a newer version is more than just making sure Active Directory is up to date; the organization should keep in mind some of the benefits it receives when migrating to a newer version of AD. If one or more of the improvements to Active Directory Domain Services justifies an upgrade, it validates the decision to migrate to AD 2008 or AD 2008 R2. Improvements were introduced in Windows Server 2003 and yet more improvements in Windows 2008 and Windows 2008 R2.

Benefits of Active Directory 2003

Active Directory 2000 was the first version of AD to ship from Microsoft and was the base configuration of the directory. Microsoft made a number of major updates to Active Directory 2003, extending the basic AD to include a number of needed features and functions. The following list details some of the many changes made to Active Directory in Windows Server 2003 that improved on the original Windows 2000 Active Directory:

Domain rename capability— Windows Server 2003 Active Directory supported the renaming of either the NetBIOS name or the LDAP/DNS name of an Active Directory domain. The Active Directory domain rename tool can be used for this purpose, but only in domains that have completely upgraded to Windows Server 2003 or later domain controllers.

Cross-forest transitive trusts— Windows Server 2003 supports the implementation of transitive trusts that can be established between separate Active Directory forests. Windows 2000 supported only explicit cross-forest trusts, and the trust structure did not allow for permissions to flow between separate domains in a forest. This limitation has been lifted in Windows Server 2003 or later.

Universal group caching— One of the main structural limitations of Active Directory was the need to establish very “chatty” global catalog servers in every site established in a replication topology, or run the risk of extremely slow client logon times and directory queries. Windows Server 2003 or later enables remote domain controllers to cache universal group memberships for users so that each logon request does not require the use of a local global catalog server.

Intersite topology generator (ISTG) improvements— The ISTG in Windows Server 2003 was improved to support configurations with extremely large numbers of sites. In addition, the time required to determine site topology has been noticeably improved through the use of a more efficient ISTG algorithm.

Multivalued attribute replication improvements— In Windows 2000, if a universal group changed its membership from 5,000 users to 5,001 users, the entire group membership had to be re-replicated across the entire forest. Windows Server 2003 addressed this problem and allowed incremental membership changes to be replicated.

Lingering objects (zombies) detection— Domain controllers that have been out of service for a longer period of time than the Time to Live (TTL) of a deleted object could theoretically “resurrect” those objects, forcing them to come back to life as zombies, or lingering objects. Windows Server 2003 properly identified these zombies and prevented them from being replicated to other domain controllers.

AD-integrated DNS zones in application partitions— Replication of DNS zones was improved and made more flexible in Windows Server 2003 by storing AD-integrated zones in the application partition of a forest, thus limiting their need to be replicated to all domain controllers and reducing network traffic. Conversely, the DNS zones could be configured to replicate to the entire forest if that was appropriate.

Benefits of Active Directory 2008

Five years after AD 2003 was released, Microsoft made a number of additional improvements to Active Directory with the release of AD 2008. Windows 2008 Active Directory retained all the updated features of Windows Server 2003 Active Directory and added several key new features. The updated AD 2008 features are as follows:

Fine-grained password policies— Password policies can be customized to different users within the same Active Directory domain.

Read-Only Domain Controllers— These domain controllers are designed for branch offices and for extranet scenarios, in that they allow directory information to be accessed but not changed. This adds an element of security to scenarios that require directory services but are not as secure as the corporate data center.

Granular auditing— Active Directory auditing is much more granular and allows tracking of some objects but not others. This reduces the volume of security logs; however, it provides less information for the auditor or analyst to review during an audit or information acquisition process.

Distributed File System Replication (DFSR)— DFSR is now used for SYSVOL replication, replacing the File Replication Service (FRS) that is used to replicate SYSVOL in Windows 2000 Server and Windows Server 2003. This feature provides more robust and detailed replication of SYSVOL contents and is available when the domain functional level is raised to Windows Server 2008.
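An added example (not from the book) of putting the fine-grained password policy feature above to use with the Active Directory PowerShell module that ships with Windows Server 2008 R2: a stricter policy for a privileged group, bound to the group rather than to an OU, followed by the checks a reviewer would run. The domain contoso.com, the group Tier0-Admins, the policy name PSO-Tier0 and the user jdoe are assumptions; the domain functional level must already be Windows Server 2008 or higher.

```powershell
# Added example, not part of the book. Assumed names: PSO-Tier0, Tier0-Admins, jdoe.
Import-Module ActiveDirectory

# Create the password settings object (PSO). Precedence decides which PSO wins
# when a user is covered by several: the LOWEST number applies. Ages and
# lockout windows are TimeSpans written as d.hh:mm:ss.
New-ADFineGrainedPasswordPolicy -Name "PSO-Tier0" -Precedence 10 `
    -DisplayName "Tier 0 administrators" `
    -MinPasswordLength 15 -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "60.00:00:00" `
    -LockoutThreshold 5 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false

# A PSO applies only to user objects and global security groups, never to an
# OU, so membership in Tier0-Admins is what brings a user under this policy.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Tier0" -Subjects "Tier0-Admins"

# Check 1: the resultant policy for one account (domain default if no PSO
# reaches the user through any group).
Get-ADUserResultantPasswordPolicy -Identity "jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Check 2: inventory every PSO in the domain and what it is bound to, which is
# the list to review when auditing who is exempt from the default policy.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo
```

Because the lowest precedence value wins, give the most restrictive policies the lowest numbers and leave gaps for later insertions.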

Benefits of Active Directory 2008 R2

Almost a decade after Active Directory was first released, Microsoft has once again updated the capabilities of Active Directory running on Windows 2008 R2. The Windows 2008 R2 Active Directory retained all the new features of Active Directory 2003 and Active Directory 2008, and added several key new features. The new AD 2008 R2 features are as follows:

Recovery of deleted objects— Active Directory 2008 R2 has a recycle bin that allows an administrator to recover a deleted object and all of its corresponding and related objects.

Managed service accounts— The maintenance of passwords for service accounts in Active Directory has always been a challenge for network administrators. As passwords expire, all applications utilizing service accounts had to be updated, usually resulting in service account passwords NOT being changed, which created a security issue for the organization. Active Directory 2008 R2 now supports managed service accounts, where a password change to a service account invokes a feature that automatically updates the password for all services that use the service account.

Offline domain join— With Active Directory 2008 R2, an administrator can take a workstation or server and join it to Active Directory without that system being connected to the network. An XML file is created that has all of the information for the target computer and generates a key that allows the target system to be added to the domain without even being connected to the network. During a system imaging or refresh process, the target system can be imaged and joined entirely offline, so that the first time a user logs on to the network is the first time the system is physically connected to the network.
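An added example (not from the book) of the managed service account feature described above, using the 2008 R2 Active Directory PowerShell cmdlets: the account is created in the directory, tied to one host, installed there, and verified before any service is pointed at it. The account name svc-app01, the host APP01 and the domain CONTOSO are assumptions; the host needs the AD module (RSAT) installed, and in 2008 R2 a managed service account can be installed on exactly one computer.

```powershell
# Added example, not part of the book. Assumed names: svc-app01, APP01, CONTOSO.
Import-Module ActiveDirectory

# 1. On a DC or admin workstation: create the managed service account object.
#    AD generates the password itself and rotates it automatically (every
#    30 days by default), so no administrator ever knows or reuses it.
New-ADServiceAccount -Name "svc-app01" -Description "APP01 application service" -Enabled $true

# 2. Authorize the computer account APP01 to retrieve this account's password
#    (this populates msDS-HostServiceAccount on the computer object).
Add-ADComputerServiceAccount -Identity "APP01" -ServiceAccount "svc-app01"

# 3. On APP01 itself: install the account locally so the host caches the
#    credential and can log the service on as CONTOSO\svc-app01$.
Install-ADServiceAccount -Identity "svc-app01"

# 4. Verify before use: True means APP01 can authenticate as the account;
#    False means step 2 or 3 did not take effect on this host.
Test-ADServiceAccount -Identity "svc-app01"

# 5. Point the Windows service at the account. In the Services console the
#    logon name is CONTOSO\svc-app01$ and the password fields are left blank;
#    the same via sc.exe (the trailing $ is part of the account name):
sc.exe config "App01Service" obj= "CONTOSO\svc-app01$" password= ""

# Review check: list every computer permitted to use this account.
Get-ADServiceAccount -Identity "svc-app01" -Properties HostComputers |
    Select-Object Name, HostComputers
```

Because the password is never typed by a person, the expiry-then-outage cycle the paragraph describes disappears, and the account cannot be used interactively.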
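The offline domain join procedure above, as an added example that is not part of the book, using djoin.exe as shipped with Windows Server 2008 R2 and Windows 7. The domain contoso.com, the machine name WS-0042, the OU Workstations, the blob path C:\odj and the mounted image drive D: are assumptions.

```powershell
# Added example, not part of the book. Assumed: contoso.com, WS-0042, D:\Windows.

# 1. Provisioning, run on a domain-joined admin host by an account allowed to
#    create computer objects in the target OU. This creates the computer
#    account in AD and writes the provisioning blob (the "key" the text
#    refers to) to a file. Use /reuse if the computer object already exists.
djoin.exe /provision /domain "contoso.com" /machine "WS-0042" `
    /machineou "OU=Workstations,DC=contoso,DC=com" `
    /savefile "C:\odj\WS-0042.txt"

# 2. Injection into the offline image (the image is mounted at D:, the target
#    has never been on the network). Omit /localos when targeting an image;
#    add /localos and /windowspath $env:SystemRoot to target the running OS,
#    in which case the join completes at the next reboot.
djoin.exe /requestODJ /loadfile "C:\odj\WS-0042.txt" /windowspath "D:\Windows"

# 3. The blob holds the machine account's initial credential material, so it
#    is handled like a password: moved over a protected channel and removed
#    once consumed.
Remove-Item "C:\odj\WS-0042.txt" -Force

# Verification on the provisioning host: the pre-created account exists and
# is enabled; after the machine's first network contact its password age
# resets, which is the sign the secure channel was established.
Get-ADComputer -Identity "WS-0042" -Properties Enabled, PasswordLastSet, DistinguishedName |
    Select-Object Name, Enabled, PasswordLastSet, DistinguishedName
```

For fully unattended builds the same blob can be placed in the Microsoft-Windows-UnattendedJoin component of unattend.xml instead of calling /requestODJ by hand.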