What's New in AD DS in Windows Server 2008
Updated: May 21, 2008
Applies To: Windows Server 2008
In Windows Server® 2008, organizations can use Active Directory® Domain Services (AD DS) to manage users and resources, such as computers, printers, or applications, on a network. AD DS includes many new features that are not available in previous versions of Windows Server Active Directory. These new features make it possible for organizations to deploy AD DS more simply and securely and to administer it more efficiently. This topic provides an overview of the improvements in AD DS. For details about the improvements, see the following topics that describe the new features in Windows Server 2008 AD DS:
AD DS: Auditing
AD DS: Fine-Grained Password Policies
AD DS: Read-Only Domain Controllers
AD DS: Restartable Active Directory Domain Services
AD DS: Database Mounting Tool (Snapshot Viewer or Snapshot Browser)
AD DS: User Interface Improvements
AD DS: Owner Rights
AD DS in Windows Server 2008 includes improvements to help you deploy AD DS more simply and securely. For example, AD DS includes a new type of domain controller called a read-only domain controller (RODC). An RODC hosts read-only partitions of the Active Directory database. RODCs provide a way for you to deploy domain controllers in scenarios in which physical security cannot be guaranteed, such as branch office locations, or scenarios in which local storage of all domain passwords is considered a primary threat, such as in extranets or in an application-facing role. Because you can delegate RODC administration to a domain user or security group, RODCs are well suited for sites that should not have a user who is a member of the Domain Admins group.
AD DS in Windows Server 2008 also includes an updated Active Directory Domain Services Installation Wizard and changes to the Microsoft Management Console (MMC) snap-in functions that manage AD DS so that you can manage users and resources more efficiently.
AD DS includes fine-grained password policies that make it possible for you to apply different password and account lockout policies to users and global security groups in the same domain. This can reduce the number of domains that you might need to manage.
You can use restartable AD DS to stop AD DS so that you can perform offline operations such as offline defragmentation of Active Directory objects. This decreases the time necessary to perform such operations because the domain controller no longer has to be restarted in Directory Services Restore Mode as it does in Windows Server 2003.
With the database mounting tool, you can view online the Active Directory data that is stored in snapshots. Although you cannot use this feature to restore deleted objects and containers, you can use it to compare data in snapshots that are taken at different points in time to decide which data to restore, without having to restart the domain controller.