What's new in Active Directory Domain Services in Windows Server 2008

Hi All,

In Windows 2008, Active Directory has been renamed to Active Directory Domain Services (AD DS). AD DS is what used to be called simply Active Directory, with the same tools, architectural design, and structure that were introduced in Windows 2000 and Windows 2003.

Below is a list of the improvements introduced, with links to further details about each:

· AD DS: Restartable Active Directory Domain Services

Windows 2008 introduced the ability to stop and start the directory service on a domain controller without shutting the server down. Administrators can perform maintenance (offline defragmentation, security updates, etc.) or recovery on the AD database without having to reboot into Directory Services Restore Mode.


· AD DS: Fine-Grained Password Policies

One very significant change in Windows 2008 AD DS is the ability to implement granular password policies in a single domain. Fine-grained password policies always take precedence over the domain password policy, and they can be applied to groups or users. For fine-grained password policies to be implemented, all DCs must be running Windows 2008 and the domain must be in Windows 2008 functional mode.


· AD DS: Auditing

In Microsoft® Windows® 2000 Server and Windows Server 2003, Active Directory audit logs can show you who made changes to what object attributes, but the events do not display the old and new values. In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory (Directory Service Changes) to log old and new values when changes are made to objects and their attributes.
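An added example, not part of the original post: Directory Service Changes logs an attribute modification as event 5136 records, one for the deleted (old) value and one for the added (new) value, linked by OpCorrelationID. The Python below pairs them from already-exported events; the field names follow the 5136 event data, while the sample records, DNs and account names are constructed.

```python
from collections import defaultdict

# OperationType codes in event 5136 ("A directory service object was modified").
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

def reconstruct_changes(events):
    """Pair 'Value Deleted' and 'Value Added' 5136 records into old -> new changes."""
    grouped = defaultdict(lambda: {"user": None, "old": [], "new": []})
    for ev in events:
        if ev.get("EventID") != 5136:
            continue  # 5137/5138/5139 (create, undelete, move) are not value changes
        # Records belonging to one modification share an OpCorrelationID.
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        entry = grouped[key]
        entry["user"] = ev["SubjectUserName"]
        if ev["OperationType"] == VALUE_DELETED:
            entry["old"].append(ev["AttributeValue"])
        elif ev["OperationType"] == VALUE_ADDED:
            entry["new"].append(ev["AttributeValue"])
    return [{"object": dn, "attribute": attr, **e} for (_, dn, attr), e in grouped.items()]

def _ev(op_id, dn, attr, op_type, value, user="admin1"):
    """Build one constructed 5136 record using the event's own field names."""
    return {"EventID": 5136, "OpCorrelationID": op_id, "SubjectUserName": user,
            "ObjectDN": dn, "AttributeLDAPDisplayName": attr,
            "OperationType": op_type, "AttributeValue": value}

# Constructed sample data (not real log output).
JANE = "CN=Jane Doe,OU=Staff,DC=example,DC=com"
ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=com"
SAMPLE_EVENTS = [
    _ev("{op-1}", JANE, "description", VALUE_DELETED, "Contractor"),
    _ev("{op-1}", JANE, "description", VALUE_ADDED, "Employee"),
    _ev("{op-2}", ADMINS, "member", VALUE_ADDED, JANE),
    {"EventID": 5137, "ObjectDN": "CN=New PC,CN=Computers,DC=example,DC=com"},
]

if __name__ == "__main__":
    for c in reconstruct_changes(SAMPLE_EVENTS):
        print(f'{c["user"]} changed {c["attribute"]} on {c["object"]}: '
              f'{c["old"]} -> {c["new"]}')
```

A result with an empty old list and a new value on the member attribute of a privileged group is a membership addition, which is a common thing to alert on from this audit data.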


· AD DS: Read-Only Domain Controllers (RODC)

Windows 2008 includes the ability to deploy domain controllers that host read-only partitions of the Active Directory® Domain Services (AD DS) database. To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.


· AD DS: Database Mounting Tool (Dsamain)

The Active Directory database mounting tool (Dsamain.exe) is a command-line tool that allows administrators to view snapshots of data within an AD DS database (it can also be used with AD Lightweight Directory Services databases). The tool can improve your organization's recovery processes by providing a means to compare data as it exists in snapshots or backups taken at different times, so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.