Improvements in the
functionality and reliability of AD DS are of key importance to the
development team at Microsoft. It is, therefore, no surprise that
Windows Server 2008 R2 introduces improvements in AD DS. From the
ability to have multiple password policies in a domain to improvements
in domain controller deployment with the RODC role, the changes made to
the structure of AD DS warrant a closer look.
Windows Server 2008
itself introduced multiple changes to AD DS functionality above and
beyond the Windows Server 2003 and Windows Server 2003 R2 Active
Directory versions. Windows Server 2008 R2 then introduced additional
features and functionalities above those introduced with the RTM version
of Windows Server 2008. The Windows Server 2008 R2 enhancements include
the following:
Active Directory Recycle Bin— Provides for the ability to restore deleted AD DS objects
Offline Domain Join— Allows for prestaging of the act of joining a workstation to the AD DS domain
Managed Service Accounts— Provides a mechanism for controlling and managing AD DS service accounts
Authentication Mechanism Assurance— Allows for administrators to grant access to resources differently based on whether a user logs on with a smart card or multifactor authentication source or whether they log on via traditional techniques
Enhanced Administrative Tools— Includes newly designed and powerful utilities such as Active Directory Web Services, Active Directory Administrative Center, Active Directory Best Practice Analyzer, a new AD DS Management Pack, and an Active Directory Module for Windows PowerShell
The previous version of AD DS
introduced with the release of Windows Server 2008 included the
following key features that are still available with Windows Server 2008
R2. If upgrading from any of the Windows Server 2003 versions of Active
Directory or Windows 2000 Active Directory, all of these new features
will be made available:
Ability to create multiple fine-grained password policies per domain— Lifts the restrictions of a single password policy per domain
Ability to restart AD DS on a domain controller— Allows for maintenance of an AD DS database without shutting the machine down
Enhanced AD DS auditing capabilities— Provides useful and detailed item-level auditing capabilities in AD DS without an overwhelming number of logs generated
Restoring Deleted AD DS Objects Using the Active Directory Recycle Bin
One of the most
significant additions to Windows Server 2008 R2’s implementation of AD
DS is the Active Directory Recycle Bin. A Windows Server 2008 R2 Active
Directory forest and domain now allows for the recovery of deleted OUs,
users, groups, or other AD objects. There are a few prerequisites that
must be satisfied, however, before the AD Recycle Bin can be enabled:
The AD DS forest and domain must be in Windows Server 2008 R2 functional level.
When restoring objects, the OU in which they previously existed must first be restored. If the object resided in a nested OU structure, the top-level OU must first be restored, followed by the next-highest child OU, and so on.
Membership in the Enterprise Administrators group is required to enable the AD Recycle Bin.
The process of enabling the AD Recycle Bin is nonreversible.
Enabling the AD Recycle Bin
To enable the Active Directory Recycle Bin, perform the following steps:
1. Click Start, All Programs, Administrative Tools. Right-click on Active Directory Module for Windows PowerShell and then click Run As Administrator.
2. From the PowerShell prompt, type the following command, as shown in Figure 1.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=companyabc,DC=com' -Scope ForestOrConfigurationSet -Target 'companyabc.com'
Replace companyabc.com and DC=companyabc,DC=com with the appropriate name of the domain where the AD Recycle Bin will be enabled.
3. When prompted, type Y to confirm and press Enter.
4. To validate that the Recycle Bin is enabled, go to the CN=Partitions container, using an editor such as ADSIEdit. In the details pane, find the msDS-EnabledFeature attribute, and confirm that the value includes the Recycle Bin target domain name that you typed in step 2.
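The same four steps as one script, added here as an example and not code from the book: it checks the forest functional level prerequisite, skips the irreversible enable step if the feature is already on, runs the Enable-ADOptionalFeature command from step 2 with the feature DN read from the directory rather than typed, and then performs the step 4 validation by reading msDS-EnabledFeature on CN=Partitions. It assumes the Active Directory Module is loaded in an elevated session run by an Enterprise Admin; the function name Enable-AdRecycleBin is this example's own, and 'companyabc.com' is the book's placeholder forest name.

```powershell
# Added example (not from the book): enable the AD Recycle Bin and verify it.
# Assumes: Active Directory Module available, elevated session, Enterprise Admin rights.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    param([Parameter(Mandatory = $true)][string]$ForestName)

    $forest = Get-ADForest -Identity $ForestName
    # Prerequisite: Windows Server 2008 R2 forest functional level (ADForestMode value 4).
    if ([int]$forest.ForestMode -lt 4) {
        throw "Forest $ForestName is at $($forest.ForestMode); raise it to Windows2008R2Forest first."
    }

    # Enabling is nonreversible, so do nothing if the feature is already enabled.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $forest.RootDomain
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin already enabled; scopes: $($feature.EnabledScopes -join '; ')"
        return $true
    }

    # Step 2: same cmdlet as the book, with the feature DN taken from the feature object.
    # -Confirm:$false answers the step 3 prompt; remove it to be prompted interactively.
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false

    # Step 4: CN=Partitions in the configuration partition now lists the feature DN
    # (which ends in the forest's DC= components) in msDS-EnabledFeature.
    $configNC   = (Get-ADRootDSE -Server $forest.RootDomain).configurationNamingContext
    $partitions = Get-ADObject -Identity "CN=Partitions,$configNC" -Properties msDS-EnabledFeature `
                      -Server $forest.RootDomain
    $values     = @($partitions.'msDS-EnabledFeature')
    Write-Host "msDS-EnabledFeature: $($values -join '; ')"
    return ($values -contains $feature.DistinguishedName)
}

# Usage: returns $true once the feature is enabled and visible on CN=Partitions.
Enable-AdRecycleBin -ForestName 'companyabc.com'
```

The function reads the feature DN from Get-ADOptionalFeature instead of hard-coding the configuration partition path, which removes the most common typo in the manual command (a wrong DC= suffix) and makes the same script usable in any forest.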
Recovering Deleted Items Using the AD Recycle Bin
Deleted objects can be restored using the LDP.exe
utility, or they can be recovered using Windows PowerShell. PowerShell
offers a much more straightforward approach to recovery of deleted
items, and is recommended in most cases.
To recover a deleted object,
use the Get-ADObject cmdlet from the Active Directory Module for Windows
PowerShell, being sure to open the module using the Run As
Administrator option. Get-ADObject can be used to find objects, which
can then be recovered using the Restore-ADObject cmdlet. For example,
the following syntax, shown in Figure 2, recovers a deleted user account for user Zachary Sefanov:
Get-ADObject -Filter {displayName -eq "Zachary Sefanov"} -IncludeDeletedObjects | Restore-ADObject
Figure 2. Restoring a deleted AD object from the AD Recycle Bin.
For more information about these cmdlets, type Get-Help Get-ADObject or Get-Help Restore-ADObject from PowerShell.
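The one-liner above covers a single user; the prerequisite that a parent OU be restored before the objects inside it needs a little more work. The following is an added example, not code from the book, that restores a deleted OU and then walks the Recycle Bin for everything that was deleted underneath it, top-down. It relies on the fact that while an object sits in CN=Deleted Objects its DN carries a "\0ADEL:<guid>" suffix, and objects that were deleted along with it record that suffixed DN in their lastKnownParent attribute. It assumes the Recycle Bin is enabled and the Active Directory Module is loaded in an elevated session; the OU name "Sales" and the function names Get-AdDeletedObjects and Restore-AdDeletedTree are this example's own.

```powershell
# Added example (not from the book): restore a deleted OU and its former contents in
# the order the Recycle Bin requires (parent first, then children, recursively).
# Assumes: Recycle Bin enabled, Active Directory Module loaded, elevated session.
Import-Module ActiveDirectory

function Get-AdDeletedObjects {
    # Only objects that are deleted but not yet recycled (past the deleted-object
    # lifetime) can be restored; isRecycled -ne $true also matches objects without it.
    Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true' -IncludeDeletedObjects `
        -Properties lastKnownParent
}

function Restore-AdDeletedTree {
    param(
        [Parameter(Mandatory = $true)][Microsoft.ActiveDirectory.Management.ADObject]$DeletedObject,
        [Parameter(Mandatory = $true)][object[]]$AllDeleted
    )
    # Capture the deleted-state DN before restoring: children reference it in lastKnownParent.
    $deletedDn = $DeletedObject.DistinguishedName
    Restore-ADObject -Identity $DeletedObject.ObjectGUID
    Write-Host "Restored $($DeletedObject.ObjectClass): $deletedDn"
    $restored = 1
    # Now that the container exists again, its former children can be restored into it.
    foreach ($child in ($AllDeleted | Where-Object { $_.lastKnownParent -eq $deletedDn })) {
        $restored += Restore-AdDeletedTree -DeletedObject $child -AllDeleted $AllDeleted
    }
    return $restored
}

# Usage: fetch the Recycle Bin contents once, pick the deleted OU by its former name
# (the deleted Name is "Sales" followed by a newline and "DEL:<guid>", so -like 'Sales*'
# matches it), and restore the whole subtree. Constructed name; adjust to your own.
$allDeleted = @(Get-AdDeletedObjects)
$ou = $allDeleted |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.Name -like 'Sales*' } |
    Select-Object -First 1
if ($ou) {
    $count = Restore-AdDeletedTree -DeletedObject $ou -AllDeleted $allDeleted
    Write-Host "$count object(s) restored starting at $($ou.DistinguishedName)"
} else {
    Write-Host "No restorable OU named 'Sales' found in the Recycle Bin"
}
```

Fetching all deleted objects once and filtering in PowerShell avoids having to escape the "\0ADEL:" DN inside an LDAP filter; for a very large Recycle Bin, restrict Get-AdDeletedObjects with -SearchBase to the affected domain partition.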
Restarting AD DS on a Domain Controller
Windows Server 2008 originally
introduced new capabilities to start or stop directory services running
on a domain controller without having to shut it down. This allows
administrators to perform maintenance or recovery on the Active
Directory database without having to reboot into Directory Services
Restore Mode.
In addition to allowing
for maintenance and recovery, turning off the domain controller
functionality on an AD DC essentially turns that domain controller into a
member server, allowing for a server to be quickly brought out of DC
mode if necessary. Microsoft has also removed the need for local
Administrators on the DC to have Domain Admin rights as well, which
improves overall security in places where administration of the DC
server is required, but full Domain Admin rights are not needed.
To take a Windows Server 2008 R2 DC offline, perform the following steps:
1. Open up the Services MMC (Start, All Programs, Administrative Tools, Services).
2. From the Services MMC, select the Active Directory Domain Services service, as shown in Figure 3. Right-click it and choose Stop.
3. When prompted that stopping AD DS will stop other associated services such as DNS, DFS, Kerberos, and Intersite Messaging, choose Yes to continue.
4. To restart AD DS, right-click the AD DS service and choose Start. Start the Intersite Messaging Service and Kerberos Key Distribution Center service as well.
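The same stop-and-start procedure from an elevated PowerShell prompt, added here as an example and not code from the book. It uses the Windows service short names (NTDS for Active Directory Domain Services, Kdc for the Kerberos Key Distribution Center, IsmServ for Intersite Messaging), records which dependent services were running before NTDS was stopped so that exactly those are brought back afterwards (stopping NTDS stops them, as the step 3 prompt warns, but starting NTDS does not restart them), and reports the resulting service states. The function names Stop-DirectoryService and Start-DirectoryService are this example's own.

```powershell
# Added example (not from the book): scripted equivalent of the Services MMC steps.
# Assumes an elevated PowerShell session on the domain controller being serviced.

function Stop-DirectoryService {
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
    if (-not $ntds) { throw "NTDS service not found; this machine is not a domain controller." }

    # Dependent services (DNS, DFS, KDC, Intersite Messaging, ...) stop together with NTDS;
    # remember the running ones so the same set can be restarted later.
    $running = @(Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' })
    Write-Host "Stopping NTDS; dependent services that will stop: $(($running | ForEach-Object { $_.Name }) -join ', ')"

    # -Force accepts the "this will also stop dependent services" condition instead of failing.
    Stop-Service -Name NTDS -Force
    (Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    Write-Host "NTDS is now $((Get-Service -Name NTDS).Status); the DC behaves as a member server."

    return ($running | ForEach-Object { $_.Name })
}

function Start-DirectoryService {
    # Default covers the two services the book calls out in step 4.
    param([string[]]$DependentsToStart = @('Kdc', 'IsmServ'))

    Start-Service -Name NTDS
    (Get-Service -Name NTDS).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

    # Starting NTDS does not bring its former dependents back; start them explicitly.
    foreach ($name in $DependentsToStart) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Running') { Start-Service -Name $name }
    }
    Get-Service -Name (@('NTDS') + $DependentsToStart) | Select-Object Name, Status
}

# Usage: take AD DS offline, do the maintenance, then restore the previously running set.
$wasRunning = Stop-DirectoryService
# ... offline database maintenance goes here ...
Start-DirectoryService -DependentsToStart $wasRunning
```

Passing the recorded list back to Start-DirectoryService rather than the fixed default means a DC that also runs DNS or DFS comes back with those services too, which is easy to forget when clicking through the MMC.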