
Module 1: Introduction to Active Directory Technology in Windows Server 2008

Table of Contents
Module Overview 1-1
Lesson 1: Active Directory Improvements 1-2
Lab: Introduction to Active Directory Technology in Windows Server 2008 1-16
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any
real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft
makes no representations and warranties, either expressed, implied, or statutory, regarding these
manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or
product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to
third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the
contents of any linked site or any link contained in a linked site, or any changes or updates to such sites.
Microsoft is not responsible for webcasting or any other form of transmission received from any linked site.
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Active Directory, ActiveSync, ActiveX, BitLocker, BizTalk, ForeFront, Internet
Explorer, MSDN, Outlook, PowerPoint, SharePoint, SQL Server, Visual Studio, Windows, Windows Media,
Windows Mobile, Windows NT, Windows PowerShell, Windows Server, Windows Vista, and WinFX are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Version 1.1
Module 1: Introduction to Active Directory Technology in Windows Server 2008 1-1

Module Overview

Microsoft® Windows Server® 2008 incorporates several changes that affect Active
Directory® management. The server installation process creates a minimally configured
platform. After the initial configuration tasks are complete, several Active Directory roles
can be added to a server. Roles are added using the Server Manager tool. Several new
Active Directory components, including Active Directory Lightweight Directory Services
(AD LDS) and the Read Only Domain Controller role, enhance Active Directory
functionality.

Objectives
After completing this module, you will have the information to:
• List improvements in Active Directory roles
• Describe how to configure roles on Windows Server 2008

Lesson 1: Active Directory Improvements

After the Windows Server 2008 installation process and initial configuration tasks are
complete, server roles can be added. There are several Active Directory roles that can be
added, depending upon the intended server function. The Server Manager console is used
to add these roles.

Objectives
After completing this module, you will have the information to:
• List improvements in Active Directory roles
• Describe how to configure roles on Windows Server 2008

Active Directory Service Server Roles

Windows Server 2008 uses roles to define discrete components of server functionality.
Several server roles provide functionality related to Active Directory Services.
Server Role / Functionality

Active Directory Certificate Services (AD CS)
  Active Directory Certificate Services (AD CS) enables creation and management of
  digital certificates for users, computers, and organizations as part of a public key
  infrastructure.

Active Directory Domain Services (AD DS)
  Windows Server 2003 Active Directory Domain Services functionality has been carried
  forward into Windows Server 2008, along with an improved setup wizard.

Active Directory Federation Services (AD FS)
  Active Directory Federation Services (AD FS) provides simplified, encrypted identity
  federation and Web single sign-on (SSO).

Active Directory Lightweight Directory Services (AD LDS)
  The Active Directory® Lightweight Directory Services (AD LDS) server role is a
  Lightweight Directory Access Protocol (LDAP) directory service. It provides data
  storage and retrieval for directory-enabled applications, without the dependencies
  that are required for Active Directory Domain Services (AD DS).

Active Directory Rights Management Services (AD RMS)
  Active Directory Rights Management Services is information protection technology
  that works with Active Directory Rights Management Services applications to help
  safeguard digital information from unauthorized use.

Supporting Server Role / Functionality

Domain Name System (DNS)
  DNS is required to provide name resolution services for Active Directory.

Windows Internet Name Service (WINS)
  WINS may be used in some environments to provide name resolution services for
  older clients or where a simple, flat namespace is adequate.
  Note: The new GlobalNames zone type of Windows Server 2008 DNS may allow some
  organizations to retire WINS.

Dynamic Host Configuration Protocol (DHCP)
  DHCP is used in many environments to provide IP address assignment.

Demonstration: Server Features

In this demonstration, you will see how to add Server Features using Server Manager.
• Show how Server Manager can be used to manage server features
• Show how Server Manager automates dependency-checking when adding features

Key Points
The key points of this demonstration are…
• The Server Manager interface is used to add and remove features
• Server Manager helps automate the process by checking dependencies

Windows Server 2008 Installation Results

The following table shows some default settings that are configured by the Windows
Server 2008 installation process. Commands available in the Initial Configuration Tasks
window allow you to modify these defaults.
Setting / Default Configuration

Administrator password
  The Administrator account password is blank by default.

Computer name
  The computer name is randomly assigned during installation. You can modify the
  computer name by using commands in the Initial Configuration Tasks window.

Domain membership
  The computer is not joined to a domain by default; it is joined to a workgroup
  named WORKGROUP.

Windows Update
  Windows Update is turned off by default.

Network connections
  All network connections are set to obtain IP addresses automatically by using DHCP.

Windows Firewall
  Windows Firewall is turned on by default.

Roles installed
  File Server is installed by default.

Server Manager Console

The new Server Manager console simplifies the task of managing and securing server
roles with Windows Server 2008. The Server Manager in Windows Server 2008 provides
tools for:
• Managing a server’s identity
• Displaying current server status
• Identifying problems with server role configurations
• Managing all roles designated for the server

In short, the Server Manager provides a single point for managing a server.
The Server Manager console uses integrated wizards to step the user through adding or
removing server roles. You can use Server Manager to add several roles at once, even if
they are unrelated. For example, a server being provisioned for a branch office could
have the DNS Server, DHCP Server, and Print Server roles added at once. The Server
Manager wizards perform all the necessary dependency checks and conflict resolution
so the server is stable, reliable, and secure.

The Server Manager can also be used as a portal for regular ongoing server management.
The Server Manager console reports on server status, exposes key management tasks, and
guides administrators to advanced management tools. A key component of the Server
Manager is the server role home pages. These pages provide an integrated view of server
roles including their current status and current configurations. Some of these consoles
include a filtered event viewer that displays recent events related specifically to that role.
Server role home pages offer controls where you can diagnose problems by selectively
stopping and starting role services. These role-specific summaries highlight potential
problems and offer relevant troubleshooting tools.

New Active Directory Features

Domain Name System (DNS)


DNS provides the name resolution services required by Active Directory. The DNS
server in Windows Server 2008 complies with the set of Requests for Comments (RFCs)
that define and standardize the DNS protocol. Because the DNS Server service is RFC-
compliant and it can use standard DNS data file and resource record formats, it can work
successfully with most other DNS server implementations, such as DNS implementations
that use the Berkeley Internet Name Domain (BIND) software.
The DNS Server service in Windows Server 2008 includes many new and enhanced
features, compared with the DNS Server service that was available in the Microsoft
Windows NT® Server, Windows® 2000 Server, and Windows Server® 2003 operating
systems.
New DNS Feature / Description

Background Zone Loading
  A DNS server running Windows Server 2008 now loads zone data from AD DS in the
  background while it restarts, so that it can respond to requests for data from other
  zones. Because the task of loading zones is performed by separate threads, the DNS
  server is able to respond to queries while zone loading is in progress.

Support for IPv6 Addresses
  DNS servers running Windows Server 2008 now support IPv6 addresses as fully as they
  support IPv4 addresses. For example, in the DNS snap-in, wherever an IP address is
  typed or displayed, the address can display as an IPv4 address or an IPv6 address.
  The dnscmd command-line tool also accepts addresses in either format. DNS servers
  can now send recursive queries to IPv6-only servers, and the server forwarder list
  can contain both IPv4 and IPv6 addresses. DHCP clients can also register IPv6
  addresses in addition to IPv4 addresses. Finally, DNS servers now support the
  ip6.arpa domain namespace for reverse mapping.

Read Only Domain Controller Support
  Windows Server 2008 introduces a new type of domain controller, the read-only
  domain controller (RODC). To support RODCs, a DNS server running Windows Server
  2008 supports a new type of zone, the primary read-only zone (also sometimes
  referred to as a branch office zone).

GlobalNames Zone
  So that organizations can more quickly retire WINS and move to an all-DNS
  environment (or to provide the benefits of global, single-label names to all-DNS
  networks), the DNS Server service in Windows Server 2008 now supports a new zone,
  called GlobalNames, to hold these names. In typical cases, the replication scope of
  this zone is the entire forest, which ensures that the zone has the desired effect of
  providing unique, single-label names across the entire forest.

Active Directory Certificate Services (ADCS)


Active Directory Certificate Services (AD CS) enables creation and management of
digital certificates for users, computers, and organizations as part of a public key
infrastructure.

Active Directory Domain Services (AD DS, used for RODC also)
To improve the installation and management of Active Directory® Domain Services
(AD DS), Windows Server 2008 includes an updated Active Directory Domain Services
Installation Wizard. Windows Server 2008 also includes changes to the Microsoft
Management Console (MMC) snap-in functions that are used to manage AD DS.
AD DS user interface improvements provide new installation options for domain
controllers. Furthermore, the updated Active Directory Domain Services Installation
Wizard streamlines and simplifies AD DS installation.
AD DS user interface improvements also provide new management options for AD DS
features such as read-only domain controllers (RODCs). Additional changes to the
management tools improve the ability to find domain controllers throughout the
enterprise. They also provide important controls for new features such as the Password
Replication Policy for RODCs.
AD DS user interface improvements do not require any special considerations. The
improvements to the Active Directory Domain Services Installation Wizard are all
available by default. However, some wizard pages appear only if the Use advanced
mode installation check box is selected on the Welcome page of the wizard. For
example, use the advanced option if you want to identify the source domain controller for
AD DS replication.

Advanced mode installation provides experienced users with more control over the
installation process, without confusing newer users with configuration options that might
not be familiar. For users who do not select the Use advanced mode installation check
box, the wizard uses default options that apply to most configurations.

Note: Although it is not a user interface improvement, new options for running
unattended installation of AD DS are available in Windows Server 2008. Unlike
unattended installation in the Microsoft Windows Server 2003 operating system,
unattended installation in Windows Server 2008 does not require a response to any
user interface prompt, such as a prompt to restart the domain controller. This is
necessary to install AD DS on a Server Core installation of Windows Server 2008,
a new installation option for Windows Server 2008 that does not provide user
interface options, such as the interactive Active Directory Domain Services
Installation Wizard.

Active Directory Federation Services (AD FS)


Active Directory Federation Services (AD FS) is a feature of the Windows Server 2008
operating system that provides an identity access solution giving browser-based clients
(inside or outside your network) single sign-on access to protected, Internet-facing
applications, even when user accounts and applications are located in completely
different networks or organizations.

Active Directory Lightweight Directory Services (AD LDS)


The Active Directory Lightweight Directory Services (AD LDS) server role is a
Lightweight Directory Access Protocol (LDAP) directory service. It provides data
storage and retrieval for directory-enabled applications, without the dependencies that are
required for Active Directory Domain Services (AD DS).
AD LDS in Windows Server 2008 encompasses the functionality that was provided by
Active Directory Application Mode (ADAM), which is available for Microsoft®
Windows® XP Professional and the Windows Server® 2003 operating systems.
AD LDS gives organizations flexible support for directory-enabled applications. A
directory-enabled application uses a directory—rather than a database, flat file, or other
data storage structure—to hold its data. Directory services (such as AD LDS) and
relational databases both provide data storage and retrieval, but they differ in their
optimization. Directory services are optimized for read processing, whereas relational
databases are optimized for transaction processing. Many off-the-shelf applications and
many custom applications use a directory-enabled design. Examples include:
• Customer relationship management (CRM) applications
• Human Resources (HR) applications
• Global address book applications

AD LDS provides much of the same functionality as AD DS (and, in fact, is built on the
same code base), but it does not require the deployment of domains or domain controllers.

You can run multiple instances of AD LDS concurrently on a single computer, with an
independently managed schema for each AD LDS instance or configuration set (if the
instance is part of a configuration set). Member servers, domain controllers, and stand-
alone servers can be configured to run the AD LDS server role.
AD LDS differs from AD DS primarily in that it does not store Windows security
principals. While AD LDS can use Windows security principals, such as domain users, in
Access Control Lists (ACLs) that control access to objects in AD LDS, Windows cannot
authenticate users stored in AD LDS or use AD LDS users in its ACLs. AD LDS does
not support domains and forests, Group Policy, or global catalogs.
Applications that were designed to work with ADAM do not require changes in order to
function with AD LDS.

Active Directory Rights Management Services (AD RMS)


Active Directory Rights Management Services (AD RMS) can help protect information
from unauthorized use. Active Directory Rights Management Services is information
protection technology that works with AD RMS applications to help safeguard digital
information from unauthorized use. Content owners can define exactly how a recipient
can use the information, such as who can open, modify, print, forward, or take other
actions with the information. Organizations can create custom usage rights templates
such as “Confidential—Read Only” that can be applied directly to information such as
financial reports, product specifications, customer data, and e-mail messages.

Read Only Domain Controller (RODC)


A read-only domain controller (RODC) is a new type of domain controller in the
Windows Server 2008 operating system. With an RODC, organizations can easily deploy
a domain controller in locations where physical security cannot be guaranteed. An RODC
hosts a read-only replica of the database in Active Directory Domain Services (AD DS)
for a given domain. The RODC is also capable of running the Global Catalog Role.
Beginning with Windows Server 2008, an organization can deploy an RODC to address
scenarios with limited WAN bandwidth or poor physical security for computers. As a
result, users in this situation can benefit from:
• Improved security
• Faster logon times
• More efficient access to resources on the network

RODC Feature / Explanation

Read-only Active Directory database
  Except for account passwords, an RODC holds all the Active Directory objects and
  attributes that a writable domain controller holds. However, changes cannot be made
  to the replica that is stored on the RODC. Changes must be made on a writable
  domain controller and replicated back to the RODC.

Unidirectional replication
  Because no changes are written directly to the RODC, no changes originate at the
  RODC. Accordingly, writable domain controllers that are replication partners do not
  have to pull changes from the RODC. This reduces the workload of bridgehead servers
  in the hub and the effort required to monitor replication.

Credential caching
  Credential caching is the storage of user or computer credentials. Credentials
  consist of a small set of approximately 10 passwords that are associated with
  security principals. By default, an RODC does not store user or computer
  credentials. The exceptions are the computer account of the RODC and a special
  krbtgt (Kerberos Key Distribution Center service) account that each RODC has. You
  must explicitly allow any other credential caching on an RODC.

Administrator role separation
  You can delegate the local administrator role of an RODC to any domain user without
  granting that user any user rights for the domain or other domain controllers. This
  permits a local branch user to log on to an RODC and perform maintenance work on
  the server, such as upgrading a driver. However, this does not give the branch user
  the right to log on to any other domain controller or perform any other
  administrative task in the domain.

Read-only Domain Name System
  You can install the Domain Name System (DNS) Server service on an RODC. An RODC is
  able to replicate all application directory partitions that DNS uses, including
  ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC,
  clients can query it for name resolution as they would query any other DNS server.

RODC Prerequisites
The prerequisites for deploying an RODC are as follows:
• The domain controller that holds the primary domain controller (PDC) emulator
operations master role for the domain must be running Windows Server 2008. This is
necessary for creating the new krbtgt account for the RODC and for ongoing RODC
operations.
• The RODC needs to forward authentication requests to a global catalog server
running Windows Server 2008 in the site that is closest to the site with the RODC.
The Password Replication Policy is set on this domain controller to determine if
credentials are replicated to the branch location for a forwarded request from the
RODC.
• The domain functional level must be Windows Server 2003 so that Kerberos
constrained delegation is available. Constrained delegation is used for security calls
that need to be impersonated under the context of the caller.

• The forest functional level must be Windows Server 2003, so that linked-value
replication is available. This provides a higher level of replication consistency.
• You must run adprep /rodcprep one time in the forest. This will update the
permissions on all of the DNS application directory partitions in the forest to
facilitate replication between RODCs that are also DNS servers.
• Multiple RODCs for the same domain in the same site are not supported because
RODCs in the same site do not share information with each other. Therefore,
deploying multiple RODCs for the same domain in the same site can lead to
inconsistent logon experiences for users, if the writable domain controllers cannot be
reached on the network.
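The prerequisite list above can be checked from a domain-joined Windows Server 2008 computer with the .NET System.DirectoryServices classes that ship with the operating system. This is an added example, not part of the course; it assumes the caller is logged on with an account in the lab domain (contoso.com) and only reports on the checks that the directory itself exposes (the adprep /rodcprep step and the one-RODC-per-site rule are left as reminders).

```powershell
# Added example (not from the course): report on the RODC prerequisites.
# Assumes a domain-joined machine and a domain account; no parameters needed.
function Test-RodcPrerequisites {
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest  = $domain.Forest
    $rootDse = [ADSI]"LDAP://RootDSE"
    $result  = @{}

    # Prerequisite 1: the PDC emulator must run Windows Server 2008, because it
    # creates the per-RODC krbtgt account. (A later version would also qualify.)
    $pdc = $domain.PdcRoleOwner
    $result["PdcEmulator"]            = $pdc.Name
    $result["PdcOnWindowsServer2008"] = ($pdc.OSVersion -match "Windows Server.*2008")

    # Prerequisite 2: at least one global catalog running Windows Server 2008 must
    # exist for the RODC to forward authentication requests to.
    $gcs2008 = @($forest.FindAllGlobalCatalogs() |
                 Where-Object { $_.OSVersion -match "Windows Server.*2008" })
    $result["GlobalCatalogs2008"] = $gcs2008.Count
    $result["GlobalCatalogOk"]    = ($gcs2008.Count -gt 0)

    # Prerequisites 3 and 4: functional levels. RootDSE exposes them as integers:
    # 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003,
    # 3 = Windows Server 2008. Constrained delegation (domain) and linked-value
    # replication (forest) both need level 2 or higher.
    $domainLevel = [int]$rootDse.Properties["domainFunctionality"].Value
    $forestLevel = [int]$rootDse.Properties["forestFunctionality"].Value
    $result["DomainFunctionalLevel"] = $domainLevel
    $result["DomainLevelOk"]         = ($domainLevel -ge 2)
    $result["ForestFunctionalLevel"] = $forestLevel
    $result["ForestLevelOk"]         = ($forestLevel -ge 2)

    # Prerequisites 5 and 6 cannot be read back from one attribute, so they are
    # recorded as reminders rather than pass/fail results.
    $result["Reminder1"] = "Run 'adprep /rodcprep' once in the forest before the first RODC"
    $result["Reminder2"] = "Deploy only one RODC per domain per site"

    $result["AllChecksPassed"] = ($result["PdcOnWindowsServer2008"] -and
                                  $result["GlobalCatalogOk"] -and
                                  $result["DomainLevelOk"] -and
                                  $result["ForestLevelOk"])
    return $result
}

# Show the results as a table; any $false value must be fixed before the RODC
# is promoted.
$checks = Test-RodcPrerequisites
$checks.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```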

Active Directory Domain Services Auditing


In Windows Server 2008, you can now set up Active Directory Domain Services
(AD DS) auditing with a new audit policy subcategory (Directory Service Changes) to
log old and new values when changes are made to AD DS objects and their attributes.

Note: This new auditing feature also applies to Active Directory Lightweight
Directory Services (AD LDS). However, this discussion refers only to AD DS.

The global audit policy Audit directory service access controls whether auditing for
directory service events is enabled or disabled. This security setting determines whether
events are recorded in the Security log when certain operations are carried out on objects
in the directory. You can control what operations to audit by modifying the system access
control list (SACL) on an object. In Windows Server 2008, this policy is enabled by
default.
If you define this policy setting, by modifying the default Domain Controllers Policy, you
can specify whether to audit successes, audit failures, or not audit at all. Success audits
generate an audit entry when a user successfully accesses an AD DS object that has a
SACL specified. Failure audits generate an audit entry when a user unsuccessfully
attempts to access an AD DS object that has a SACL specified.
You can set a SACL on an AD DS object on the Security tab in that object’s properties
dialog box. Audit directory service access is applied in the same manner as Audit object
access; however, it applies only to AD DS objects, and not to file system objects and
registry objects. Previously, AD DS auditing only logged the name of the attribute that
was changed; it did not log the previous and current values of the attribute.
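The three pieces described above (the policy subcategory, the SACL on the object, and the resulting Security log entries) fit together as follows. This is an added example, not part of the course; it assumes an elevated PowerShell session on a domain controller in the lab domain contoso.com and an OU "OU=Branch,DC=contoso,DC=com" that is assumed to exist. The event IDs are the Directory Service Changes events that Windows Server 2008 writes; they are not listed on the page.

```powershell
# Added example (not from the course): enable Directory Service Changes auditing,
# add a SACL entry to an assumed OU, and read back the resulting events.

# Step 1: enable the new subcategory with auditpol.exe (built in to Windows
# Server 2008). The global "Audit directory service access" policy in the
# Default Domain Controllers Policy must also be on; the course notes that it
# is enabled by default.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Step 2: the policy alone logs nothing. The object (or a parent it inherits
# from) must carry a SACL entry. This adds "audit successful WriteProperty by
# Everyone (S-1-1-0)" to the OU and to everything beneath it.
function Add-DsWritePropertyAudit {
    param([string]$DistinguishedName = "OU=Branch,DC=contoso,DC=com")   # assumed OU

    $ou = [ADSI]("LDAP://" + $DistinguishedName)
    # Read and write only the SACL part of the security descriptor so that
    # CommitChanges does not also rewrite the owner or the DACL.
    $ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl

    $everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $ou.psbase.ObjectSecurity.AddAuditRule($rule)
    $ou.psbase.CommitChanges()
}

# Step 3: read back the new-style events. With the subcategory enabled, the
# Security log records 5136 (object modified), 5137 (created), 5138 (undeleted),
# 5139 (moved) and 5141 (deleted). A modified attribute produces two 5136
# events: "Value Deleted" carrying the old value and "Value Added" carrying the
# new one, which is the old/new logging the text describes.
function Get-DsChangeEvents {
    param([int]$Count = 20)
    $ids = 5136, 5137, 5138, 5139, 5141
    Get-EventLog -LogName Security -Newest 5000 |
        Where-Object { $ids -contains $_.EventID } |
        Select-Object -First $Count TimeGenerated, EventID, UserName, Message
}

Add-DsWritePropertyAudit
# Make a change that the SACL covers, then list the events it produced.
$ou = [ADSI]"LDAP://OU=Branch,DC=contoso,DC=com"
$ou.Put("description", "audited change " + (Get-Date))
$ou.SetInfo()
Get-DsChangeEvents -Count 5 | Format-List
```

Setting the SACL requires the Manage auditing and security log right (SeSecurityPrivilege), which Domain Admins hold on domain controllers.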

Demonstration: Server Manager Console

In this demonstration, we will examine the Server Manager, and see how it streamlines
Windows Server 2008 server management. We’ll tour the Server Role home pages, and
see how they help manage the roles and applications installed on a server.
• Show how role management is integrated to Server Manager

Key Points
The key points of this demonstration are…
• Server Manager is a unified interface for role management

Lab: Introduction to Active Directory Technology in Windows Server 2008

After completing this lab, you will have the information to:
• Configure Roles and Features in Windows Server 2008
• Configure Role Services

Estimated time to complete this lab: 60 minutes

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the
lab, you must:
• Start the SEA-SRV-01, SEA-SRV-02, and SEA-DC-01 virtual machines

Exercise 1: Use Three Phases to Configure a Server


In this exercise, you will install Windows Server 2008 and perform configuration tasks.
The principal tasks for this exercise are as follows:
• Build a Server from bare metal
• Use the Initial Configuration Tasks interface
• Perform Advanced Server Customization

Tasks / Supporting information

1. Build a Server from bare metal.
   • Install Windows Server 2008 on SEA-SRV-01.
   Record the Preferred System Requirements for Windows Server 2008 Server Core:
   RAM: _____________________________________ (>= 2GB)
   Processor: _________________________________
   Disk Space: ________________________________
   Q: What does the New option on the Where do you want to install Windows page do?
   A: Creates a new partition on the selected drive.
   • After the installation program begins the copying files phase, turn off the
     SEA-SRV-01 virtual machine.

2. Use the Initial Configuration Tasks.
   • Use Initial Configuration Tasks to perform the following actions on SEA-SRV-02.
   • Change the Administrator password.
   Q: What are the characteristics of a strong administrator password?
   A: >= 7 chars; contains letters, numbers & symbols; significantly different from
      previous passwords; does not contain administrator's name or username; not a
      common word or easily-guessed.
   • Configure IPv4 settings:
     a. Configure Local Area Connection
     b. IP address: 192.168.16.4
     c. Subnet mask: 255.255.240.0
     d. Preferred DNS server: 192.168.16.2
     e. Alternate DNS server: 192.168.16.4
   • Change the computer name to SEA-SRV-02.
   • Change the domain membership to contoso.com.
   • Explore the Initial Configuration Tasks window.
   Q: What is the default setting for Windows automatic updating?
   A: Never ask for updates from Windows Updates.

3. Perform Advanced Server Customization.
   • Add the following server Roles:
     • Active Directory Domain Services
     • File Services
   • Use System Properties to enable Remote Desktop connections.

Note: The answers to the practices and labs are on the Student Materials CD.
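The Initial Configuration Tasks and Advanced Server Customization steps of this exercise can also be carried out with the command-line tools that ship with Windows Server 2008 (net, netsh, netdom, ServerManagerCmd.exe, reg), which is what a Server Core build would need. This is an added example, not part of the course lab; the IPv4 values, the computer name SEA-SRV-02, the two roles and contoso.com are the lab's, while the interface name "Local Area Connection" and the CONTOSO\Administrator account used for the join are assumptions.

```powershell
# Added example (not from the course lab): Exercise 1 tasks 2 and 3 as commands.
# Run from an elevated PowerShell session on the server being configured.

# Mirrors the lab's answer on strong passwords: at least 7 characters; letters,
# numbers and symbols; not containing the administrator's name or user name.
function Test-StrongPassword {
    param([string]$Password, [string]$UserName = "Administrator")
    if ($Password.Length -lt 7)                              { return $false }
    if ($Password -notmatch '[A-Za-z]')                      { return $false }
    if ($Password -notmatch '[0-9]')                         { return $false }
    if ($Password -notmatch '[^A-Za-z0-9]')                  { return $false }
    if ($Password.ToLower().Contains($UserName.ToLower()))   { return $false }
    return $true
}

# Step 1: change the Administrator password. It is read as a SecureString so it
# never appears in the script or the command history, checked against the lab's
# rules, and only then handed to net.exe.
$secure = Read-Host "New Administrator password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if (-not (Test-StrongPassword $plain)) { throw "Password does not meet the lab's strength rules" }
net user Administrator $plain
Remove-Variable plain

# Step 2: IPv4 settings (static address, /20 mask, preferred and alternate DNS).
netsh interface ipv4 set address name="Local Area Connection" source=static address=192.168.16.4 mask=255.255.240.0
netsh interface ipv4 set dns name="Local Area Connection" source=static address=192.168.16.2
netsh interface ipv4 add dns name="Local Area Connection" address=192.168.16.4 index=2

# Step 3: domain membership and computer name. The join uses the current name;
# the rename then needs domain credentials because the account already exists
# in AD. "*" makes netdom prompt for the password instead of taking it inline.
netdom join $env:COMPUTERNAME /domain:contoso.com /userd:CONTOSO\Administrator /passwordd:*
netdom renamecomputer $env:COMPUTERNAME /newname:SEA-SRV-02 /userd:CONTOSO\Administrator /passwordd:* /force

# Step 4: the two roles from the lab. ServerManagerCmd.exe runs the same
# dependency checks as the Add Roles wizard, then the query confirms the result.
ServerManagerCmd.exe -install AD-Domain-Services
ServerManagerCmd.exe -install File-Services
ServerManagerCmd.exe -query | Select-String -Pattern "AD-Domain-Services", "File-Services"

# Step 5: enable Remote Desktop connections and open the matching firewall
# rule group, which System Properties does in one step.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes

# The join and the rename take effect at the next restart.
shutdown /r /t 0
```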

Exercise 2: Deploy New Server Roles and Features


In this exercise, you will use Server Manager to work with server Roles and Features.
The principal tasks for this exercise are:
• Add new Roles and Features to SEA-SRV-02

Tasks / Supporting information

• Add the Fax Server role.
  • Add the Fax Server role.
  Q: What Role services are available with the Print Server role?
  A: Print Service (selected by default), LPD Service, and Internet Printing.
  • Add the Terminal Services, Network Access Services, and Windows Deployment
    Services roles.
  • In the left pane, notice the options listed below Before You Begin.
  Q: What options are listed below Before You Begin?
  A: Select Server Roles, Terminal Services, Role Services, Network Policy and Access
     Services, Role Services, WDS, Role Services, Confirm Installation Selections,
     Installation Progress, Installation Results
  • Explore the Add Features wizard.

Note: The answers to the practices and labs are on the Student Materials CD.

Exercise 3: Change a Server’s Role


In this exercise, you will remove a server Role and add a new server Role to
SEA-SRV-02.
The principal tasks for this exercise are:
• Remove a Role from SEA-SRV-02

Tasks / Supporting information

• Remove the Active Directory Domain Services role.
  • Remove the Print Services role from SEA-SRV-02.

Note: The answers to the practices and labs are on the Student Materials CD.

Exercise 4: Change Role Services and Features


In this exercise, you will add new Role Services to a role that is already installed.
The principal tasks for this exercise are:
• Add a new Role Service to the Print Services role.

Tasks / Supporting information

• Add a new Role Service to SEA-SRV-02.
  • Add the Internet Printing Role Service to Print Services.

Note: The answers to the practices and labs are on the Student Materials CD.

Lab Shutdown
After you complete the lab, you must shut down the virtual machines and discard any
changes.

Important: If the Close dialog box appears, ensure that Turn off and delete
changes is selected, and then click OK.
