What’s new in Windows 2008 R2 Active Directory

While I’ve been going through the documentation of Windows Server 2008 R2 I’ve come across few geeky stuff  which you (systems admins) must know. I’m so excited about few of the enhancements.  I’ve compiled them in the form of tips.

Read-Only Domain Controllers
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.

Fine-grained password policies

You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain.

For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

Restartable Active Directory Domain Services
Administrators can stop and restart Active Directory® Domain Services (AD DS) in the Windows Server® 2008 operating system by using Microsoft Management Console (MMC) snap-ins or the command line.

Restartable AD DS reduces the time that is required to perform certain operations. AD DS can be stopped so that updates can be applied to a domain controller; also, administrators can stop AD DS to perform tasks such as offline defragmentation of the Active Directory database, without restarting the domain controller. Other services that are running on the server and that do not depend on AD DS to function, such as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while AD DS is stopped.

Active Directory Recycle Bin
Information technology (IT) professionals can use Active Directory Recycle Bin to undo an accidental deletion of an Active Directory object. Accidental object deletion causes business downtime. Deleted users cannot log on or access corporate resources. This is the number one cause of Active Directory recovery scenarios. Active Directory Recycle Bin works for both AD DS and Active Directory Lightweight Directory Services (AD LDS) objects. This feature is enabled in AD DS at the Windows Server 2008 R2 forest functional level. For AD LDS, all replicas must be running in a new “application mode.”

Active Directory module for Windows PowerShell and Windows PowerShell™ cmdlets
The Active Directory module for Windows PowerShell provides command-line scripting for administrative, configuration, and diagnostic tasks, with a consistent vocabulary and syntax. It provides predictable discovery and flexible output formatting. You can easily pipe cmdlets to build complex operations. The Active Directory module enables end-to-end manageability with Exchange Server, Group Policy, and other services.

Active Directory Administrative Center
The Active Directory Administrative Center has a task-oriented administration model, with support for larger datasets. The Active Directory Administrative Center can help increase the productivity of IT professionals by providing a scalable, task-oriented user experience for managing AD DS. In the past, the lack of a task-oriented user interface (UI) could make certain activities, such as resetting user passwords, more difficult than they had to be. The Active Directory Administrative Center enumerates and organizes the activities that you perform when you manage a system. These activities may be maintenance tasks, such as backup; event-driven tasks, such as adding a user; or diagnostic tasks that you perform to correct system failures.

Active Directory Best Practices Analyzer
The Active Directory Best Practices Analyzer (BPA) identifies deviations from best practices to help IT professionals better manage their Active Directory deployments. BPA uses Windows PowerShell cmdlets to gather run-time data. It analyzes Active Directory settings that can cause unexpected behavior. It then makes Active Directory configuration recommendations in the context of your deployment. The Active Directory BPA is available in Server Manager

Active Directory Web Services
Active Directory Web Services (ADWS) provides a Web service interface to Active Directory domains and AD LDS instances, including snapshots, that are running on the same Windows Server 2008 R2 server as ADWS

Authentication mechanism assurance
Authentication mechanism assurance makes it possible for applications to control resource access based on authentication strength and method. Administrators can map various properties, including authentication type and authentication strength, to an identity. Based on information that is obtained during authentication, these identities are added to Kerberos tickets for use by applications. This feature is enabled at the Windows Server 2008 R2domain functional level.
Resource – http://technet.microsoft.com/en-us/library/cc754718(WS.10).aspx