Auditing Changes Made to AD Objects
Another important change to Active Directory that can be enabled in a Windows Server 2008 or Windows Server 2008 R2 functional domain is the concept of auditing changes made to Active Directory objects. Previously, it was difficult to tell when changes were made, and AD-specific auditing logs were not available. Windows Server 2008 RTM/R2 allows administrators to determine when AD objects were modified, moved, or deleted.
To enable AD object auditing on a Windows Server 2008 RTM/R2 domain controller, perform the following steps:
1. From a member server or domain controller, click Start, All Programs, Administrative Tools, Group Policy Management.
2. Navigate to <forest name>, Domains, <domain name>, Domain Controllers, Default Domain Controllers Policy.
3. Click Edit.
4. In the GPO window, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.
5. Under the Audit Policy setting, right-click on Audit Directory Service Access, and click Properties.
6. Check the Define These Policy Settings check box, and then check the Success and Failure check boxes, as shown in Figure 7.
7. Click OK to save the settings.
Global AD DS auditing on all DCs will subsequently be turned on. Audit events will be logged with Event ID 5136, 5137, 5138, 5139, or 5141, depending on whether the operation is a modify, create, undelete, move, or delete, respectively.
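The following script is an added example (not from the book) that reads those five event IDs back from a domain controller's Security log and labels each one with the operation the text associates with it. It assumes PowerShell 3.0 or later, rights to read the Security log, and the EventData field names of the standard 5136 to 5141 event schema (ObjectDN, ObjectClass, SubjectUserName, and OldObjectDN/NewObjectDN for moves).

```powershell
# Added example, not from the book: list AD DS change-audit events (IDs 5136-5141)
# from a domain controller's Security log and label each with the operation the
# text associates with that ID. Requires PowerShell 3.0+ and rights to read the log.
$OperationById = @{
    5136 = 'Modify'
    5137 = 'Create'
    5138 = 'Undelete'
    5139 = 'Move'
    5141 = 'Delete'
}

function Get-DataField {
    # Return the text of the <Data Name="..."> element with the given name.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# These IDs are emitted only when the Directory Service Changes subcategory is
# audited (the Audit Directory Service Access policy above enables it) and the
# object carries a matching SACL.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @(5136, 5137, 5138, 5139, 5141)
    StartTime = (Get-Date).AddDays(-1)   # last 24 hours; adjust as needed
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    # A move (5139) records OldObjectDN/NewObjectDN rather than a single ObjectDN.
    $object = if ($_.Id -eq 5139) {
        '{0} -> {1}' -f (Get-DataField $xml 'OldObjectDN'), (Get-DataField $xml 'NewObjectDN')
    } else {
        Get-DataField $xml 'ObjectDN'
    }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Operation = $OperationById[$_.Id]
        Subject   = '{0}\{1}' -f (Get-DataField $xml 'SubjectDomainName'), (Get-DataField $xml 'SubjectUserName')
        Object    = $object
        Class     = Get-DataField $xml 'ObjectClass'
        Attribute = Get-DataField $xml 'AttributeLDAPDisplayName'   # populated for 5136 only
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it on the DC itself, or add -ComputerName to Get-WinEvent to query a DC remotely; an empty result after a known change usually means the subcategory is not enabled or the object has no SACL.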
Reviewing Additional Active Directory Services
Five separate technologies in Windows Server 2008 R2 now contain the Active Directory moniker in their title. Some of the technologies previously existed as separate products, but they have all come under the global AD umbrella. These technologies are as follows:
Active Directory Lightweight Directory Services (AD LDS)— AD LDS, previously referred to as Active Directory in Application Mode (ADAM), is a smaller-scale directory service that can be used by applications that require a separate directory. It can be used in situations when a separate directory is needed, but the overhead and cost of setting up a separate AD DS forest is not warranted.
Active Directory Federation Services (AD FS)— AD FS in Windows Server 2008 R2 is an improvement to the older standalone versions of the ADFS product previously offered by Microsoft. AD FS provides for Single Sign-On technology to allow for a user logon to be passed to multiple web applications within a single session.
Active Directory Certificate Services (AD CS)— AD CS refers to the latest version of Windows Certificate Services. AD CS provides for the ability to create a Public Key Infrastructure (PKI) environment and assign PKI certificates to AD users and machines. These certificates can be used for encryption of traffic, content, or logon credentials.
Active Directory Rights Management Services (AD RMS)— AD RMS is the evolution of the older Windows Rights Management Server technology. AD RMS is a service that protects confidential information from data leakage by controlling what can be done to that data. For example, restrictions can be placed on documents, disallowing them from being printed or programmatically accessed (such as by cutting/pasting of content).
Examining Additional Windows Server 2008 R2 AD DS Improvements
In addition to the changes listed in the preceding sections, AD DS in Windows Server 2008 R2 supports the following features:
Read-Only Domain Controller (RODC) support— Windows Server 2008 R2 includes the ability to deploy domain controllers with read-only copies of the domain. This is useful for remote branch office scenarios where security might not be tight.
Group Policy central store— Administrative templates for group policies are stored in the SYSVOL on the PDC emulator in Windows Server 2008 R2, resulting in reduced replication and reduced SYSVOL size.
DFS-R Replication of the SYSVOL— A Windows Server 2008 RTM/R2 functional domain uses the improved Distributed File System Replication (DFS-R) technology rather than the older, problematic File Replication Service (FRS) to replicate the SYSVOL.
Active Directory database mounting tool (DSAMain)— The Active Directory database mounting tool (DSAMain.exe) allows administrators to view snapshots of data within an AD DS or AD LDS database. This can be used to compare data within databases, which can be useful when performing AD DS data restores.
GlobalNames DNS zone— Windows Server 2008 R2 DNS allows for creation of the concept of the GlobalNames DNS zone. This type of DNS zone allows for a global namespace to be spread across multiple subdomains. For example, a client in the asia.companyabc.com subdomain would resolve the DNS name portal.asia.companyabc.com to the same IP address as a client in a different subdomain resolving portal.europe.companyabc.com. This can improve DNS resolution in multizone environments.
Reviewing Legacy Windows Server 2003 Active Directory Improvements
It is important to understand that AD DS has been a product in constant development since its release with Windows 2000. From humble beginnings, Active Directory as a product has developed and improved over the years. The first major set of improvements to AD was released with the Windows Server 2003 product. Many of the improvements made with Windows Server 2003 AD still exist today in Windows Server 2008 R2 AD DS. It is therefore important to understand what functionality in AD was born from Windows Server 2003. The following key improvements were made in this time frame:
Windows Server 2003 Active Directory Domain Rename Tool— Windows Server 2003 originally introduced the concept of Domain Rename, which has continued to be supported in Windows Server 2008 R2. This gives administrators the ability to prune, splice, and rename AD DS domains. Given the nature of corporations, with restructuring, acquisitions, and name changes occurring constantly, the ability of AD DS to be flexible in naming and structure is of utmost importance. The Active Directory Domain Rename Tool was devised to address this very need. Before AD DS domains can be renamed, several key prerequisites must be in place. First, and probably the most important, all domain controllers in the entire forest must be upgraded to Windows Server 2003 or 2008 in advance. In addition, the domains and the forest must be upgraded to at least Windows Server 2003 functional level. Finally, comprehensive backups of the environment should be performed before undertaking the rename. The domain rename process is complex and should never be considered as routine. After the process, each domain controller must be rebooted and each member computer across the entire forest must also be rebooted (twice).
Cross-forest transitive trust capabilities— Windows Server 2003 Active Directory introduced the capability to establish cross-forest transitive trusts between two disparate AD DS forests. This capability allows two companies to share resources more easily, without actually merging the forests. Note that both forests must be running at least at Windows Server 2003 functional levels for the transitive portion of this trust to function properly.
AD DS replication compression disable support— Another feature introduced in Windows Server 2003 AD was the ability to turn off replication compression to increase domain controller performance. This would normally be an option only for organizations with very fast connections between all their domain controllers.
Schema attribute deactivation— Developers who write applications for AD DS continue to have the ability, introduced in Windows Server 2003, to deactivate schema attributes, allowing custom-built applications to utilize custom attributes without fear of conflict. In addition, attributes can be deactivated to reduce replication traffic.
Incremental universal group membership replication— Before Windows Server 2003, Windows 2000 Active Directory had a major drawback in the use of universal groups. Membership in those groups was stored in a single, multivalued attribute in AD DS. Essentially, what this meant was that any change to membership in a universal group required a complete re-replication of all membership. In other words, if you had a universal group with 5,000 users, adding number 5,001 would require a major replication effort because all 5,001 users would be re-replicated across the forest. Windows Server 2003 and 2008 simplify this process and allow for incremental replication of universal group membership. In essence, only the 5,001st member is replicated in Windows Server 2003/2008.
AD-integrated DNS zones in application partitions— Windows Server 2003 improved DNS replication by storing DNS zones in the application partition. This basically meant that fewer objects needed to be stored in AD, reducing replication concerns with DNS.
AD lingering objects removal— Another major improvement originally introduced with Windows Server 2003 and still supported in 2008 is the ability to remove lingering objects from the directory that no longer exist.