
To improve the installation and management of Active Directory Domain Services (AD DS), Windows Server 2008 includes a number of changes to the user interface of the "Active Directory Domain Services Installation Wizard" (dcpromo), but also to the Microsoft Management Console (MMC) snap-ins that manage AD DS.
We already covered the "Active Directory Domain Services Installation Wizard" (dcpromo) in a previous post.
Let's continue the overview with the administration tools:
  1. Active Directory Users and Computers (dsa.msc)
  2. Active Directory Sites & Services  (dssite.msc)
  3. Active Directory Domains & Trusts (domain.msc)
  4. Active Directory Schema
  5. AdsiEdit (adsiedit.msc)

1. Active Directory Users & Computers

All objects - Protected objects

Windows Server 2008 ADU&C introduces Active Directory object protection to guard against accidental deletion. It works by placing an extra Deny ACL on the object (see below). The protection is available on all AD objects and, once set, appears in the Object tab (Advanced Features view).
Notice that only newly created OU objects are protected (with such an ACL) by default. Existing objects (such as the Domain Controllers OU) are not protected by it.
The same interface is also available through the ADU&C snap-in included in RSAT (Remote Server Administration Tools).
This functionality is independent of the Windows Server 2008 Active Directory version... the protection is nothing more than an ACL, and the checkbox is just a GUI thing!
Figure: Unprotected object
Figure: Protected object
For more information, read Ulf's blog post on "Protecting Objects from accidental deletion".
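As an added example (not from the original post), the following PowerShell script finds the OUs that still lack the protection described above and shows the Deny ACE the checkbox adds. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and RSAT, not with the Windows Server 2008 GUI the post describes) is available.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# PowerShell module (Windows Server 2008 R2 / RSAT) and rights to read ACLs.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # Lists OUs whose "Protect object from accidental deletion" box is not set.
    # OUs that existed before the upgrade (e.g. Domain Controllers) are
    # typically in this state, as the post notes.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Show-ProtectionAce {
    # Shows the Deny ACE behind the checkbox: Everyone is denied Delete and
    # Delete Subtree on the object itself (the parent gets Deny Delete Child).
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"   # AD: drive comes with the module
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::Delete)
    } | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

# Report first, then protect. -WhatIf shows the change without applying it;
# drop it once the list has been reviewed.
$unprotected = Get-UnprotectedOU
$unprotected | Select-Object Name, DistinguishedName | Format-Table -AutoSize
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf

# Inspect one protected OU to see the ACE the GUI wrote.
Show-ProtectionAce -DistinguishedName (Get-ADDomain).UsersContainer
```

Running Show-ProtectionAce against an unprotected OU returns nothing, which is exactly the gap the Get-UnprotectedOU report points at.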

All objects - Attribute Editor

By default, a low-level attribute editor is available on any object (when switching on the Advanced Features view). It allows you to populate or modify any attribute on the object, including attributes that are not displayed elsewhere in the GUI. Great feature, but don't touch it if you don't know what you are doing!
Figure: Attribute Editor with Filter view

Domain Controller objects - DC Type

When looking at domain controller objects, you will notice a number of changes.
First of all, you are able to quickly determine the type of domain controller (Global Catalog, Read Only).
Also, when connecting to other domain controllers, you can easily identify what domain controller (and sites) you are dealing with from the interface and their availability (online/offline).
Notice the option to connect to other LDAP instances (e.g. ADAM instances and/or Active Directory Mount point instances).

Domain Controller objects - NTDS settings

If the domain controller is a global catalog, you're able to change it through the ADU&C (Active Directory Users & Computers) interface now, by connecting to the NTDS settings object.
Quick and easy!

Domain Controller Objects - Deleting Computer Object

When deleting domain controller objects, you will notice one of the dialogs below, depending on the type of domain controller:
  • Read-Only DC (RODC)
  • Read/Writable DC (RWDC)
Figure: Delete RODC object
Figure: Delete RWDC object


Read Only Domain Controller (RODC) objects - Password Replication Policy

To help manage RODCs, there is now a Password Replication Policy tab on the domain controller computer objects.
By clicking the Advanced button on this tab, an administrator can see the following things:
  • What passwords have been sent to the RODC
  • What passwords are currently stored on the RODC
  • What accounts have authenticated to the RODC, including accounts that are not currently defined in the security groups that are allowed or denied replication. As a result, the administrator can see who is using the RODC and decide whether to allow or deny password replication for them. Notice that there is also a related Password Replication tab on user/computer objects. More about this a few topics below.


Read Only Domain Controller (RODC) objects - Pre-population (to delegate RODC installation/administration)

First, a member of the Domain Admins group (or someone with delegated permissions) creates an RODC (computer) account by using the Active Directory Users and Computers MMC snap-in.
When you create the RODC (computer) account, you can delegate the installation and administration of that RODC to a user or, better, a security group.
On the server that will become the RODC, the user who has been delegated the permissions to install and administer it can then run dcpromo /UseExistingAccount:Attach at a command prompt to start the wizard.

Figure: Pre-creating the RODC account
Figure: RODC installation/administration delegated to Barcelona Admins


User Objects - Password Replication

Passwords for users and computers are permanently stored on all writeable domain controllers and can optionally be stored (cached) on read-only domain controllers (RODCs).
On a user and/or computer object you can find out on which read-only domain controllers the password is stored.

Figure: The Administrator password is stored nowhere.
Figure: My password is stored on the Barcelona RODC.
Figure: Computer account password not replicated to any RODC (empty list of RODCs).
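The three views described above (the PRP tab's Advanced button on the RODC, and the Password Replication tab on user/computer objects) can also be pulled from the command line. This is an added example, not from the original post; it assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and uses BARCELONA-RODC as a placeholder name for the post's "Barcelona RODC".

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (Windows Server 2008 R2 or RSAT). BARCELONA-RODC is a placeholder;
# the post only refers to "the Barcelona RODC".
Import-Module ActiveDirectory

function Get-RodcPrpAdvancedView {
    # The two lists behind the PRP tab's Advanced button: secrets currently
    # cached on the RODC, and accounts that have authenticated through it.
    param([Parameter(Mandatory)][string]$Rodc)
    [pscustomobject]@{
        Revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
        Authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
    }
}

function Get-RodcUnclassifiedAuthenticators {
    # Accounts that used the RODC but sit in neither the Allowed nor the Denied
    # list (groups expanded): the cases the administrator still has to decide on.
    param([Parameter(Mandatory)][string]$Rodc)
    $policy = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed) +
              @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    $listedSids = foreach ($p in $policy) {
        if ($p.objectClass -eq 'group') {
            Get-ADGroupMember -Identity $p.DistinguishedName -Recursive | ForEach-Object { $_.SID.Value }
        } else { $p.SID.Value }
    }
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
        Where-Object { $listedSids -notcontains $_.SID.Value }
}

function Get-AccountRodcCache {
    # The per-account view from the user/computer object's Password Replication
    # tab: msDS-RevealedDSAs is the back-link listing the RODCs caching this secret.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties 'msDS-RevealedDSAs' |
        Select-Object Name, @{ n = 'CachedOn'; e = { $_.'msDS-RevealedDSAs' } }
}

Get-RodcPrpAdvancedView -Rodc 'BARCELONA-RODC' | Format-List
Get-RodcUnclassifiedAuthenticators -Rodc 'BARCELONA-RODC' | Select-Object Name, ObjectClass
Get-AccountRodcCache -SamAccountName 'Administrator'
```

An empty CachedOn for Administrator matches the first screenshot: members of the Denied RODC Password Replication Group are never cached, whatever the RODC's Allowed list says.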

User Objects - Reset User password

Sometimes small details can make a difference: resetting a user password and unlocking the account is now one single step.


2. Active Directory Sites and Services

Find site

The Active Directory Sites and Services snap-in in Windows Server 2008 includes a Find command on the toolbar and in the Action menu. This allows you to easily find a domain controller.

Create Subnet

Windows Server 2008 natively supports IPv6, and so does the subnet dialog.

NTDS Objects - Replication

Selective replication from and to selected domain controllers.


Attribute Editor

The same low-level attribute editor as in ADU&C is available here on any object (when switching on the Advanced Features view). It allows you to populate or modify any attribute that is not displayed elsewhere in the GUI. Great feature, but don't touch it if you don't know what you are doing!

3. Active Directory Domains and Trusts

Nothing special to report...

4. Active Directory Schema

The Schema Management snap-in (schmmgmt.dll) still requires registration before it can be added to an MMC console.

5. AdsiEdit

ADSI Edit is now included in the Windows Server 2008 product and is installed as part of the Active Directory Domain Services server role, together with the other command-line tools shown in the screenshot below.

Figure: Screenshot from the Server Manager ADDS homepage.


Related posts:
  • Active Directory Domain Services: UI changes - Part 1
  • Active Directory Domain Services: Fine-grained Password Policies