4. Restarting AD DS on a Domain Controller
Windows Server 2008 originally introduced new
capabilities to start or stop directory services running on a DC
without having to shut it down. This enables administrators to perform
maintenance or recovery on the Active Directory database without having
to reboot into Directory Services Restore Mode. This feature is also
present in Windows Server 2012 DCs.
In addition to allowing for maintenance and
recovery, stopping the directory service on an AD DC essentially
turns that DC into a member server, allowing a server to be quickly
taken out of DC mode if necessary. With RODCs, Microsoft has also
removed the need for local administrators on the DC to hold Domain
Admin rights, which improves overall security in places where
administration of the DC server is required but full Domain Admin
rights are not needed.
To take a Windows Server 2012 DC offline, follow these steps:
1. Open up the Services MMC (Start, All Programs, Administrative Tools, Services).
2. From the Services MMC, select the Active Directory Domain Services service, as shown in Figure 3. Right-click it and choose Stop.
Figure 3. Restarting AD DS on a Domain Controller
3. When prompted that
stopping AD DS will stop other associated services such as DNS, DFS,
Kerberos, and Intersite Messaging, choose Yes to continue.
4. To restart AD DS, right-click the AD DS service and choose Start.
5. Implementing Multiple Password Policies per Domain
Another Windows Server 2008 addition to AD DS
is the ability to implement granular password policies across a single
domain. Previously, this was only an option with third-party
password-change utilities installed on the DCs in a forest. With
Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012,
administrators can define which users have more complex password
policies and which will be able to use more lenient policies.
You need to understand a few key points about this technology before implementing it, as follows:
• The domain functional level (domain mode) must be Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
• Fine-grained password policies always win over a domain password policy.
• Password policies can be applied to groups, but they must be global security groups.
• Fine-grained password policies applied to a user always win over settings applied to a group.
• The Password Settings objects (PSOs)
are stored in the Password Settings Container in AD (that is,
CN=Password Settings Container,CN=System,DC=companyabc,DC=com).
• Only one set of password policies can
apply to a user. If multiple password policies are applied, the policy
with the lower-number precedence wins.
To create a custom password policy for a
specific user, a PSO must be created using the Active Directory
Administrative Center (ADAC), an improvement over Windows Server 2008
and Windows Server 2008 R2, which required creating PSOs with ADSIEdit.
To create a new PSO, open ADAC and follow these steps:
1. Navigate to domain root - System - Password Settings Container.
2. Under Tasks, select New - Password Settings.
3. Enter the information into the dialog box, shown in Figure 4, using Table 1 as a reference.
Figure 4. Creating a PSO.
Table 1. PSO Attributes
4. Click OK to finalize the creation of the PSO.
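The same PSO can be created from PowerShell with the ActiveDirectory module, which also lets you verify the precedence rules listed above (global security groups only, user PSO beats group PSO, lowest precedence number wins). This is an added example, not part of the book; the PSO name, the group "Privileged Users" and the user "jsmith" are assumed names.

```powershell
# Added example (not from the book): create a stricter PSO with the
# ActiveDirectory module, link it to a global security group, and check
# which policy actually applies to a user. Group/user names are assumed.
Import-Module ActiveDirectory

# Precedence 10: the lower the number, the higher the priority when more
# than one PSO applies to the same user through different groups.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Privileged' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter password settings for privileged accounts' `
    -PassThru

# PSOs may only be applied to users or global security groups; reject
# anything else before linking instead of relying on the AD error.
$group = Get-ADGroup 'Privileged Users'
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "PSO subjects must be global security groups; '$($group.Name)' is $($group.GroupScope)/$($group.GroupCategory)"
}
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# Resultant policy: a PSO linked directly to the user wins over any group
# PSO; among group PSOs the lowest precedence value wins. A null result
# means only the domain password policy applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jsmith'
if ($effective) {
    "jsmith: $($effective.Name) (precedence $($effective.Precedence))"
} else {
    'jsmith: default domain password policy'
}

# Audit view of every PSO and its subjects, ordered by precedence, so
# overlapping or unlinked policies are easy to spot.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Precedence = $_.Precedence
        MinLength  = $_.MinPasswordLength
        AppliesTo  = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                      Select-Object -ExpandProperty Name) -join ', '
    }
} | Format-Table -AutoSize
```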