Outlining AD DS Changes in Windows Server 2008 R2 (part 3) - Auditing Changes Made to AD Objects

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
1/20/2011 3:13:54 PM

Auditing Changes Made to AD Objects

Another important change to Active Directory that can be enabled in a Windows Server 2008 or Windows Server 2008 R2 functional domain is the concept of auditing changes made to Active Directory objects. Previously, it was difficult to tell when changes were made, and AD-specific auditing logs were not available. Windows Server 2008 RTM/R2 allows administrators to be able to determine when AD objects were modified, moved, or deleted.

To enable AD object auditing on a Windows Server 2008 RTM/R2 domain controller, perform the following steps:

From a member server or domain controller, click Start, All Programs, Administrative Tools, Group Policy Management.

Navigate to <forest name>, Domains, <domain name>, Domain Controllers, Default Domain Controllers Policy.

Click Edit.

In the GPO window, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.

Under the Audit Policy setting, right-click on Audit Directory Service Access, and click Properties.

Check the Define These Policy Settings check box, and then check the Success and Failure check boxes, as shown in Figure 7.

Figure 7. Enabling AD DS object auditing.

Click OK to save the settings.

Global AD DS auditing on all DCs will subsequently be turned on. Audit event IDs will be displayed as Event ID 5136, 5137, 5138, 5139, or 5141, depending on if the operation is a modify, create, undelete, move, or delete respectively.

Reviewing Additional Active Directory Services

Five separate technologies in Windows Server 2008 R2 now contain the Active Directory moniker in their title. Some of the technologies previously existed as separate products, but they have all come under the global AD umbrella. These technologies are as follows:

  • Active Directory Lightweight Directory Services (AD LDS)— AD LDS, previously referred to as Active Directory in Application Mode (ADAM), is a smaller-scale directory service that can be used by applications that require a separate directory. It can be used in situations when a separate directory is needed, but the overhead and cost of setting up a separate AD DS forest is not warranted.

  • Active Directory Federation Services (AD FS)— AD FS in Windows Server 2008 R2 is an improvement to the older standalone versions of the ADFS product previously offered by Microsoft. AD FS provides for Single Sign-On technology to allow for a user logon to be passed to multiple web applications within a single session.

  • Active Directory Certificate Services (AD CS)— AD CS refers to the latest version of Windows Certificate Services. AD CS provides for the ability to create a Public Key Infrastructure (PKI) environment and assign PKI certificates to AD users and machines. These certificates can be used for encryption of traffic, content, or logon credentials.

  • Active Directory Rights Management Services (AD RMS)— AD RMS is the evolution of the older Windows Rights Management Server technology. AD RMS is a service that protects confidential information from data leakage by controlling what can be done to that data. For example, restrictions can be placed on documents, disallowing them from being printed or programmatically accessed (such as by cutting/pasting of content). 

Examining Additional Windows Server 2008 R2 AD DS Improvements

In addition to the changes listed in the preceding sections, AD DS in Windows Server 2008 R2 supports the following features:

  • Read-Only Domain Controller (RODC) support— Windows Server 2008 R2 includes the ability to deploy domain controllers with read-only copies of the domain. This is useful for remote branch office scenarios where security might not be tight.

  • Group Policy central store— Administrative templates for group policies are stored in the SYSVOL on the PDC emulator in Windows Server 2008 R2, resulting in reduced replication and reduced SYSVOL size.

  • DFS-R Replication of the SYSVOL— A Windows Server 2008 RTM/R2 functional domain uses the improved Distributed File System Replication (DFS-R) technology rather than the older, problematic File Replication Service (FRS) to replicate the SYSVOL.

  • Active Directory database mounting tool (DSAMain)— The Active Directory database mounting tool (DSAMain.exe) allows administrators to view snapshots of data within an AD DS or AD LDS database. This can be used to compare data within databases, which can be useful when performing AD DS data restores.

  • GlobalNames DNS zone— Windows Server 2008 R2 DNS allows for creation of the concept of the GlobalNames DNS zone. This type of DNS zone allows for a global namespace to be spread across multiple subdomains. For example, a client in the subdomain would resolve the DNS name to the same IP address as a client in a different subdomain resolving This can improve DNS resolution in multizone environments.

Reviewing Legacy Windows Server 2003 Active Directory Improvements

It is important to understand that AD DS is a product in constant development since its release with Windows 2000. From humble beginnings, Active Directory as a product has developed and improved over the years. The first major set of improvements to AD was released with the Windows Server 2003 product. Many of the improvements made with Windows Server 2003 AD still exist today in Windows Server 2008 R2 AD DS. It is subsequently important to understand what functionality in AD was born from Windows Server 2003. The following key improvements were made in this time frame:

  • Windows Server 2003 Active Directory Domain Rename Tool— Windows Server 2003 originally introduced the concept of Domain Rename, which has continued to be supported in Windows Server 2008 R2. This gives administrators the ability to prune, splice, and rename AD DS domains. Given the nature of corporations, with restructuring, acquisitions, and name changes occurring constantly, the ability of AD DS to be flexible in naming and structure is of utmost importance. The Active Directory Domain Rename Tool was devised to address this very need.

    Before AD DS domains can be renamed, several key prerequisites must be in place before the domain structure can be modified. First, and probably the most important, all domain controllers in the entire forest must be upgraded to Windows Server 2003 or 2008 in advance. In addition, the domains and the forest must be upgraded to at least Windows Server 2003 functional level. Finally, comprehensive backups of the environment should be performed before undertaking the rename.

    The domain rename process is complex and should never be considered as routine. After the process, each domain controller must be rebooted and each member computer across the entire forest must also be rebooted (twice).

  • Cross-forest transitive trust capabilities— Windows Server 2003 Active Directory introduced the capability to establish cross-forest transitive trusts between two disparate AD DS forests. This capability allows two companies to share resources more easily, without actually merging the forests. Note that both forests must be running at least at Windows Server 2003 functional levels for the transitive portion of this trust to function properly.

  • AD DS replication compression disable support— Another feature introduced in Windows Server 2003 AD was the ability to turn off replication compression to increase domain controller performance. This would normally be an option only for organizations with very fast connections between all their domain controllers.

  • Schema attribute deactivation— Developers who write applications for AD DS continue to have the ability, introduced in Windows Server 2003, to deactivate schema attributes, allowing custom-built applications to utilize custom attributes without fear of conflict. In addition, attributes can be deactivated to reduce replication traffic.

  • Incremental universal group membership replication— Before Windows Server 2003, Windows 2000 Active Directory had a major drawback in the use of universal groups. Membership in those groups was stored in a single, multivalued attribute in AD DS. Essentially, what this meant was that any changes to membership in a universal group required a complete re-replication of all membership. In other words, if you had a universal group with 5,000 users, adding number 5,001 would require a major replication effort because all 5,001 users would be re-replicated across the forest. Windows Server 2003 and 2008 simplify this process and allow for incremental replication of universal group membership. In essence, only the 5,001st member is replicated in Windows Server 2003/2008.

  • AD–integrated DNS zones in application partitions— Windows Server 2003 improved DNS replication by storing DNS zones in the application partition. This basically meant that fewer objects needed to be stored in AD, reducing replication concerns with DNS.

  • AD lingering objects removal— Another major improvement originally introduced with Windows Server 2003 and still supported in 2008 is the ability to remove lingering objects from the directory that no longer exist.

  •  Personalizing Windows 7 (part 2) - Choosing Your Desktop Background
  •  Personalizing Windows 7 (part 1) - Fine-Tuning Your Window Colors and Experience Level
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Outlining the Role of DNS in AD DS
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Explaining AD DS Replication
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Outlining the Role of Groups in an AD DS Environment
  •  Understanding Windows 7 Personalization
  •  Windows 7 : Understanding User Account Control and Its Impact on Performance
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Understanding Domain Trusts
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Outlining AD DS’s Components
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Examining AD DS’s Structure
    Top 10
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
    - Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
    - Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    programming4us programming4us