Active Directory Domain Services Overview

Applies To: Windows Server 2008

By using the Active Directory® Domain Services (AD DS) server role in the Windows Server® 2008 operating system, you can create a scalable, secure, and manageable infrastructure for user and resource management, and you can provide support for directory-enabled applications, such as Microsoft® Exchange Server.

In the following sections, learn more about AD DS, features in AD DS, and software and hardware considerations. For more information about planning, deploying, and operating the AD DS server role, and for a technical reference that explains how AD DS works and the various tools and settings that it uses, see Active Directory Domain Services (https://go.microsoft.com/fwlink/?LinkID=48547).

What is the AD DS server role?

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.

Organizing network elements into a hierarchical containment structure provides the following benefits:

  • The forest acts as a security boundary for an organization and defines the scope of authority for administrators. By default, a forest contains a single domain, which is known as the forest root domain.

  • Additional domains can be created in the forest to provide partitioning of AD DS data, which enables organizations to replicate data only where it is needed. This makes it possible for AD DS to scale globally over a network that has limited available bandwidth. An Active Directory domain also supports a number of other core functions that are related to administration, including network-wide user identity, authentication, and trust relationships.

  • OUs simplify the delegation of authority to facilitate the management of large numbers of objects. Through delegation, owners can transfer full or limited authority over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects to a number of people who are trusted to perform management tasks.

Features in AD DS

Security is integrated with AD DS through logon authentication and access control to resources in the directory. With a single network logon, administrators can manage directory data and organization throughout their network. Authorized network users can also use a single network logon to access resources anywhere in the network. Policy-based administration eases the management of even the most complex network.

Additional AD DS features include the following:

  • A set of rules, the schema, that defines the classes of objects and attributes that are contained in the directory, the constraints and limits on instances of these objects, and the format of their names.

  • A global catalog that contains information about every object in the directory. Users and administrators can use the global catalog to find directory information, regardless of which domain in the directory actually contains the data.

  • A query and index mechanism, so that objects and their properties can be published and found by network users or applications.

  • A replication service that distributes directory data across a network. All writable domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.

  • Operations master roles (also known as flexible single master operations or FSMO). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and eliminate conflicting entries in the directory.

Identity Management for UNIX

Identity Management for UNIX is a role service of AD DS that can be installed only on domain controllers. Two Identity Management for UNIX technologies, Server for NIS and Password Synchronization, make it easier to integrate computers running Windows® into your existing UNIX enterprise. AD DS administrators can use Server for NIS to manage Network Information Service (NIS) domains. Password Synchronization automatically synchronizes passwords between Windows and UNIX operating systems.

New features in Windows Server 2008 AD DS

Windows Server 2008 includes the new AD DS features in the following table.

Feature Description

Read-only domain controller (RODC)

An RODC is a new type of domain controller that hosts read-only partitions of the Active Directory database. An RODC is particularly useful in cases in which:

  • The physical security of a domain controller cannot be ensured or its location does not include administrators with the domain-wide authority that is required to administer a writable domain controller.

  • Branch office users can benefit from a more efficient logon process that is provided by a local domain controller in the branch office.

Staged installation of an RODC

This feature provides RODC installation in two stages. During the first stage, a member of the Domain Admins group creates an account for the RODC. During the second stage, a delegated user attaches a server to the RODC account.

RODC filtered attribute set

A set of secret-like attributes that is not replicated to an RODC. This prevents the attribute values from being revealed if an RODC is stolen. The RODC filtered attribute set can be configured dynamically for an application.

Administrator role separation

This feature allows domain administrators to delegate the installation and administration of an RODC to nonadministrative users.

Improved installation wizard

The Active Directory Domain Services Installation Wizard (dcpromo.exe) has improved support for unattended installations, site selection, staged installation for RODCs, and other advanced options.

Generate secure installation media

With this feature, you can use Ntdsutil.exe in Windows Server 2008 to create secure installation media for subsequent AD DS and Active Directory Lightweight Directory Services (AD LDS) installations.

In earlier versions of Windows Server, administrators were encouraged to use Ntbackup.exe to create domain controller installation media. In Windows Server 2008, administrators are encouraged to use Ntdsutil.exe to create installation media.

You can create media that does not contain cached secrets (such as passwords) to use it for an RODC installation. When you remove cached secrets from the installation media, a malicious user who gains access to the installation media cannot extract any secrets from it.

Restartable AD DS

You can use this feature to stop and restart AD DS without restarting the domain controller itself. Offline operations, such as offline defragmentation, can be completed more quickly because the domain controller does not have to be restarted in Directory Services Restore Mode.

Auditing AD DS changes

This feature sets up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.

Fine-grained password policy

This feature makes it possible for password and account lockout policies to be specified for certain users and global security groups in a domain. It uses new password-setting objects and precedence rules to remove the restriction of a single policy for each domain.

Dynamic MAPI ID Support

This feature makes it possible for Messaging API (MAPI) identifiers (IDs) to be assigned dynamically (that is, generated randomly from a reserved pool of MAPI IDs), in addition to being assigned statically. With dynamic MAPI IDs, you can extend your Active Directory schema and add custom attributes for Exchange Server.

Data mining tool

With this feature you can view AD DS and AD LDS data that is stored in snapshots or backups online. Although this feature does not enable you to restore deleted objects and containers, you can use it to compare data in snapshots or backups that are taken at different points in time to better decide which data to restore, without having to restart the domain controller or the AD LDS server.

Hardware and software considerations

You can use performance counters, testing in the lab, data from existing hardware in a production environment, and pilot roll-outs to determine the capacity needs for your server. Servers running Windows Server 2008 need at least 512 megabytes (MB) of RAM and 20 gigabytes (GB) of hard disk space.

Important

In addition to the minimum hard disk space requirements, upgrades of domain controllers that run Microsoft Windows Server 2003 to Windows Server 2008 also require twice as much space as is currently allocated for the Active Directory database, log files, and SYSVOL on their respective volumes. These requirements are necessary for rollback of an upgrade. The space is automatically reclaimed at the completion of the upgrade process.

The AD DS server role requires Domain Name System (DNS) services to locate computers, domain controllers, member servers, and network services by name. The DNS Server role provides DNS name resolution services for TCP/IP-based networks by mapping names to IP addresses, which makes it possible for computers to locate network resources in an AD DS environment.

In addition, AD DS must be installed on the network to implement other important Windows Server technologies, such Group Policy and Active Directory Certificate Services (AD CS).

Installing the AD DS server role

After you finish installing the operating system, you can use Initial Configuration Tasks or Server Manager to install server roles. To install the AD DS server role, click Add roles to start the Add Roles Wizard, and then click Active Directory Domain Services. Step through the Add Roles Wizard to install the files for the AD DS server role. After you complete the Add Roles Wizard, click the link to start the Active Directory Domain Services Installation Wizard.

Step through the Active Directory Domain Services Installation Wizard to complete the installation and configuration of your domain controller. Most wizard pages have a Help link for more information about the settings that you can configure.

To automate domain controller installations, you can use an answer file or you can specify unattended installation parameters at the command line. For more information about installing AD DS, see the AD DS Installation and Removal Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=110897).

Managing the AD DS server role

You can manage server roles with Microsoft Management Console (MMC) snap-ins. To manage a domain controller (that is, a server that is running AD DS), click Start, click Control Panel, click Administrative Tools, and then double-click the appropriate snap-in:

  • To manage user and computer accounts, click Active Directory Users and Computers.

  • To manage Active Directory trusts, functional levels, and forest-wide operations master roles, click Active Directory Domains and Trusts.

  • To manage Active Directory sites and site links, click Active Directory Sites and Services.

As an alternative, you can double-click the appropriate snap-in on the Active Directory Domain Services page in Server Manager.

Experienced programmers and system administrators can manage the Active Directory schema, but the Active Directory Schema snap-in is not installed by default. In addition, the schmmgmt.dll file must be registered before the snap-in can be installed.

To install the Active Directory Schema snap-in

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. Type the following command, and then press ENTER:

    regsvr32 schmmgmt.dll

  4. Click OK to close the dialog box that confirms that the operation succeeded.

  5. Click Start, click Run, type mmc, and then click OK.

  6. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  7. On the File menu, click Add/Remove Snap-in.

  8. Under Available snap-ins, click Active Directory Schema, click Add, and then click OK.

  9. To save this console, on the File menu, click Save.

  10. In the Save As dialog box, do one of the following:

    • To place the snap-in on the Administrative Tools menu, in File name, type a name for the snap-in, and then click Save.

    • To save the snap-in to a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.

Warning

Modifying the schema is an advanced operation that is best performed by experienced programmers and system administrators. For detailed information about modifying the schema, see Active Directory Schema (https://go.microsoft.com/fwlink/?LinkId=8273).

For more information

To learn more about the AD DS server role, you can view the Help on your server. To do this, open one of the snap-ins that are described in the previous section and then press F1, or search for and then double-click the appropriate Help file:

  • For information about the Active Directory Users and Computers snap-in, see domadmin.chm.

  • For information about the Active Directory Domains and Trusts snap-in, see dsadmin.chm.

  • For information about the Active Directory Sites and Services snap-in, see dssite.chm.

  • For information about the Active Directory Schema snap-in, see schmmgmt.chm.

For more information about the AD DS server role, see topics for Windows Server 2008 on the Web: