What are the new features in Windows Server 2008?
1) Hyper-V and Live Migration
2) File Classification Infrastructure
3) Active Directory and pervasive PowerShell
4) IIS 7.5
5) DirectAccess
6) BranchCache
7) Remote Desktop and Applications
8) Virtual Desktop Infrastructure (VDI)
9) Active Directory Administrative Center
10) RODC (Read Only Domain Controllers)
11) WDS (Windows Deployment Services), which replaces RIS from Windows Server 2003
12) Shadow copies for each and every folder
13) The boot sequence has changed
14) Services are now known as roles
Windows Server 2008 R2 Active Directory features?
1) Active Directory Administrative Center
2) Windows PowerShell and Windows PowerShell cmdlets
3) Best Practices Analyzer for Active Directory
4) Active Directory Recycle Bin
5) Active Directory Web Services
6) Managed Service Accounts
7) Offline Domain Join
8) Read Only Domain Controllers
9) Restartable Active Directory Domain Services
10) Fine grained password policies
Active Directory Recycle Bin
The Active Directory Recycle Bin is not available until the forest functional level is at Windows Server 2008 R2.
When it is turned on it can restore not only the object but also the attributes that go along with that user (e.g. SID, group memberships etc.).
It cannot recover anything deleted before the Active Directory Recycle Bin is turned on. You will see those deleted objects in the recycle bin, but it will not be able to recover them.
It is built on PowerShell, so everything has to be done from PowerShell; however, there are some great GUI tools out there for the AD Recycle Bin feature. One of these is the Active Directory Recycle Bin PowerPack for PowerGUI: Link.
Also, one thing to note about the Active Directory Recycle Bin is that once it is turned on, it cannot be turned off.
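The checks and steps described above, as an added PowerShell example that is not part of the original post; it assumes the ActiveDirectory module, a Domain Admin session in the forest root, and a deleted user "jdoe" (a constructed placeholder).

```powershell
# Added example, not code from the original post: check the prerequisite, enable the
# Active Directory Recycle Bin (irreversible) and restore a deleted user with its
# attributes. Assumes the ActiveDirectory module, a Domain Admin session in the forest
# root, and a deleted user "jdoe" (constructed placeholder).
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
# The feature is unavailable below the Windows Server 2008 R2 forest functional level.
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    # Once enabled the feature cannot be turned off, so this is a one-way change.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Objects deleted before the feature was enabled still show up here but are already
# recycled and cannot be restored; only objects deleted afterwards keep their attributes.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged
$deleted | Select-Object Name, sAMAccountName, lastKnownParent, whenChanged

# Restore the user; its SID and group memberships (linked attributes) come back with it.
$target = $deleted | Where-Object { $_.sAMAccountName -eq 'jdoe' }
if ($target) {
    Restore-ADObject -Identity $target.ObjectGUID
    Get-ADUser -Identity 'jdoe' -Properties objectSid, memberOf |
        Select-Object Name, objectSid, memberOf
}
```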
The essentials of RODCs are:
Read only domain controller
Administrative role separation
Credential caching
Read only DNS
Administrative Role Separation:
You can delegate local administrator permissions for the RODC server to any user in Active Directory. The delegated user account can then log onto the server and perform server maintenance tasks without having any AD DS permissions, and the user does not get access to other domain controllers in Active Directory; this way domain security is not compromised.
Credential Caching:
By default the RODC does not store any user or computer credentials except the computer account of the RODC itself and a special "krbtgt" account that each RODC has.
The RODC can however be configured to cache passwords; this is handled by the password replication policy. The password replication policy determines whether replication of user or computer credentials from the writable DC to the RODC is allowed. If a certain user is allowed, that user's credentials are cached on the RODC at login.
When an account authenticates against the RODC, the RODC attempts to contact a writable domain controller at the hub site. If the password is not cached, the RODC forwards the authentication request to a writable DC; the DC receiving the request recognizes that it came from an RODC and checks the password replication policy.
The benefit of credential caching is that it helps with password protection at branch offices and minimizes the exposure of credentials in case the RODC is compromised. When credential caching is used and an RODC is stolen, the user and computer accounts cached on that RODC can have their passwords reset.
Credential caching can also be left disabled, which limits the eventual exposure but increases WAN traffic, since every authentication request is then forwarded to the writable DCs in the main hub site.
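The password replication policy audit and the "stolen RODC" password reset described above, as an added PowerShell example that is not part of the original post; it assumes the ActiveDirectory module and an RODC named "RODC01" (a constructed placeholder).

```powershell
# Added example, not code from the original post: audit which credentials an RODC is
# allowed to cache and has actually cached, then contain the loss of a stolen RODC by
# resetting every user password it had revealed. Assumes the ActiveDirectory module and
# an RODC named "RODC01" (constructed placeholder).
Import-Module ActiveDirectory
$rodc = 'RODC01'

# Password Replication Policy: who may (Allowed) and may never (Denied) be cached.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object @{n='Scope'; e={'Allowed'}}, Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object @{n='Scope'; e={'Denied'}}, Name, ObjectClass

# Accounts whose secrets were replicated to the RODC: this is the exposure if it is stolen.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass

# Containment: reset each cached user to a random password and force a change at logon.
# The RODC's own computer account and its krbtgt_<id> account are not user objects;
# they go away when the stolen RODC is removed from the domain.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($acct in ($revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    $bytes = New-Object byte[] 18
    $rng.GetBytes($bytes)
    $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPwd
    Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
}

# Cached computer accounts need a new machine password: re-join them or run
# Reset-ComputerMachinePassword on each host listed here.
$revealed | Where-Object { $_.ObjectClass -eq 'computer' } | Select-Object Name
```

Deleting the stolen RODC's computer account in Active Directory Users and Computers offers the same user and computer password resets through a dialog; the script form is what belongs in an incident runbook.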
Read Only DNS:
In addition to the RODC role it is also possible to install the DNS service. A DNS server running on an RODC does not support dynamic updates, but clients are able to use it to query for name resolution.
Since the DNS is read only, clients cannot update records on it. If a client wants to update its own DNS record, the RODC returns a referral to a writable DNS server. The single updated record is afterwards replicated from the writable DNS server to the DNS server on the RODC. This special single-object (DNS record) replication keeps the RODC DNS servers up to date and gives the clients in the branch office faster name resolution.
Restartable Active Directory Domain Services:
With Windows Server 2008, Active Directory Domain Services (AD DS) is now stoppable and restartable. This means that you can stop AD DS to perform tasks and maintenance which in prior versions of Windows Server required a reboot into Directory Services Restore Mode (DSRM); this is an excellent feature for scripting and automating those tasks.
The possible states for AD DS are:
AD DS - started
AD DS - stopped
AD DS - restore mode (DSRM)
The benefit is that tasks that used to require a reboot to take AD DS offline are now available directly from the console. This gives administrators some flexibility in maintaining and performing offline AD DS operations more quickly.
Fine Grained Password Policy:
Prior to Windows Server 2008 you could have only one password and account lockout policy per domain, which applied to all users in the domain. As something new in Windows Server 2008 AD DS, fine grained password policies make it possible to define different sets of password or lockout policies for different sets of users in the same domain.
With fine grained password policies the following settings are available.
Password Policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Passwords must meet complexity requirements
Store password using reversible encryption
Lockout policy
Account lockout duration
Account lockout threshold
Reset account lockout after
Fine grained password policies can be applied to user objects and global security groups; it is not possible to apply them to OUs.
To use fine grained password policies the domain functional level must be at Windows Server 2008.
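A fine grained password policy carrying the settings listed above, as an added PowerShell example that is not part of the original post; it assumes the ActiveDirectory module, a global security group "Privileged Admins" and a member "jdoe" (both constructed placeholders).

```powershell
# Added example, not code from the original post: check the domain functional level,
# create a fine grained password policy (PSO) with the settings listed above, apply it
# to a global security group and verify the resultant policy for one member. Assumes
# the ActiveDirectory module, the group "Privileged Admins" and the user "jdoe" (placeholders).
Import-Module ActiveDirectory

# Prerequisite: Windows Server 2008 domain functional level.
$domain   = Get-ADDomain
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$required) {
    throw "Domain functional level $($domain.DomainMode) is below Windows2008Domain."
}

$pso = @{
    Name                        = 'PSO-PrivilegedAdmins'
    Precedence                  = 10                         # lowest value wins if several PSOs apply
    PasswordHistoryCount        = 24                         # Enforce password history
    MaxPasswordAge              = (New-TimeSpan -Days 60)    # Maximum password age
    MinPasswordAge              = (New-TimeSpan -Days 1)     # Minimum password age
    MinPasswordLength           = 15                         # Minimum password length
    ComplexityEnabled           = $true                      # Passwords must meet complexity requirements
    ReversibleEncryptionEnabled = $false                     # Store password using reversible encryption: off
    LockoutThreshold            = 5                          # Account lockout threshold
    LockoutDuration             = (New-TimeSpan -Minutes 30) # Account lockout duration
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30) # Reset account lockout after
}
New-ADFineGrainedPasswordPolicy @pso

# Subjects must be users or global security groups; an OU cannot be a subject.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Privileged Admins'

# Verify: the resultant policy for a member should now be the PSO, not the domain default.
Get-ADFineGrainedPasswordPolicy -Identity 'PSO-PrivilegedAdmins' -Properties AppliesTo |
    Select-Object Name, Precedence, AppliesTo
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```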
What is Active Directory Federation Services?
Active Directory Federation Services (ADFS) is a feature introduced with Windows Server 2003 R2 that provides an identity access solution. It gives browser-based clients, inside or outside your network, single sign-on (SSO) access to web-based applications. It is important to note that ADFS only works for web-based applications. ADFS can be used in web hosting or SharePoint environments. It is very useful when a company has web servers located in a DMZ or at a remote hosting vendor or business partner and wants to control account credentials for its web applications from the internal Active Directory.
Federation Services:
The federation service can be used by one or more federation servers to share a common trust policy. Federation servers are used to route authentication requests from user accounts in other organizations or from clients that may be located on the Internet.
Federation Service Proxy:
The federation service proxy is a proxy to the federation service in the perimeter network (DMZ). The federation service proxy uses the WS-Federation Passive Requestor Profile (WS-F PRP) protocol to collect user credentials from browser clients and sends the user credentials to the federation service on their behalf.
Benefits of TS Gateway?
TS Gateway provides many benefits, including the following.
TS Gateway enables remote users to connect to internal network resources over the Internet by using an encrypted connection, without needing to configure virtual private network (VPN) connections.
Difference between Windows 2003 Standard Edition and Windows 2003 Enterprise Edition?
Windows 2003 Features                                     | Standard Ed | Enterprise Ed
Server Clusters                                           | No          | Yes
Active Directory Federation Services                      | No          | Yes
ADFS Proxy                                                | No          | Yes
Microsoft Identity Integration Server 2003 (MIIS) Support | No          | Yes
8-Way Symmetric Multiprocessing (SMP) Support             | No          | Yes
Support for 32 GB of RAM                                  | No          | Yes
Support for 64 GB of RAM                                  | No          | Yes
What is the difference between Windows 2000 Server and Windows 2003 Server?
1) Domain rename is not possible in Windows 2000
2) Windows 2000 has IIS 5 and 2003 has IIS 6
3) Windows 2000 has IE 5 and 2003 has IE 6
4) Windows 2000 does not have 64-bit versions
5) DNS stub zones were introduced in 2003 Server
6) Shadow copies were introduced in 2003
7) The schema version has changed from version 13 to version 30
8) 2000 does not support .NET, whereas 2003 supports Microsoft .NET 2.0
9) In Windows 2000 we can create 1 million users and in Windows 2003 we can create 1 billion users
10) Windows 2000 supports 4-node clustering whereas Windows 2003 supports 8 nodes
11) 2003 has a service called ADFS (Active Directory Federation Services) which is used to communicate between branches with secure authentication
12) Windows 2003 has improved storage management using the File Server Resource Manager (FSRM) service
13) 2000 supports IPv4 whereas 2003 supports IPv4 and IPv6