6. Auditing Changes Made to AD Objects
Another important capability, available on domain
controllers running Windows Server 2008 or later (it depends on the DC
operating system, not on the domain functional level), is auditing of
changes made to Active Directory objects. Earlier versions could record
that an object had been accessed, but not what was changed; the
Directory Service Changes audit subcategory introduced in Windows Server
2008 records the attribute, its old and new values, and the account that
made the change, so administrators can determine when AD objects
were created, modified, moved, undeleted, or deleted.
To enable AD object auditing on a Windows Server 2012 DC, follow these steps:
1. From Server Manager, click Tools, Group Policy Management
2. Navigate to forest name, Domains, domain name, Domain Controllers, Default Domain Controllers Policy.
3. Right-click the Default Domain Controllers Policy and click Edit.
4. In the Group Policy Management Editor window, navigate to Computer Configuration,
Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.
5. Under the Audit Policy setting, right-click Audit Directory Service Access and click Properties.
6. Check the Define These Policy Settings check box, and then check the Success and Failure check boxes, as shown in Figure 5.
Figure 5. Enabling AD DS object auditing.
7. Click OK to save the settings.
After the next Group Policy refresh, the setting applies to every DC
linked to the Default Domain Controllers Policy. Two caveats apply.
First, the legacy Audit Directory Service Access policy turns on all four
DS Access subcategories (Directory Service Access, Directory Service
Changes, Directory Service Replication, and Detailed Directory Service
Replication); the replication subcategories are noisy, so a more targeted
choice is to enable only Directory Service Changes under Security
Settings, Advanced Audit Policy Configuration, DS Access. Once any
advanced subcategory is configured, the legacy setting is ignored.
Second, the audit policy only permits the events; they are written only
for objects whose SACL audits the operation in question.
Change events appear in the Security log of the DC that processed the
write as Event ID 5136, 5137, 5138, or 5139, depending on whether the
operation is a modify, create, undelete, or move, respectively; Windows
Server 2008 R2 and later also log Event ID 5141 for a delete.
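The steps above apply the policy through Group Policy. The following PowerShell script is an added example (not from the original text or from Microsoft documentation) that does the same on a single DC with auditpol, shows the SACL that actually gates the events, and reads the resulting 5136-5141 events back into a table. It assumes it runs as an administrator on a Windows Server 2012 DC with the ActiveDirectory module installed; the OperationType code values for 5136 (%%14674 added, %%14675 removed) are the ones the event template uses.

```powershell
# Added example, not from the original text. Run as an administrator on a
# Windows Server 2012 DC with the ActiveDirectory module installed.
Import-Module ActiveDirectory

# --- 1. Enable only the granular subcategory (same effect on change events as
#        the legacy policy, without enabling the replication subcategories). ---
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Directory Service Changes"

# --- 2. The policy alone is not enough: 5136-5141 are written only for objects
#        whose SACL audits the write. List the inheritable audit entries on the
#        domain root so you can confirm the writes you care about are covered. ---
$domainDN = (Get-ADDomain).DistinguishedName
(Get-Acl -Path "AD:\$domainDN" -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
    Format-Table -AutoSize

# --- 3. Read the change events back and flatten each one into a single row. ---
$ids     = 5136, 5137, 5138, 5139, 5141
$opNames = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move'; 5141 = 'Delete' }
# 5136 reports whether the attribute value was added or removed.
$opType  = @{ '%%14674' = 'ValueAdded'; '%%14675' = 'ValueDeleted' }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        # Turn the <Data Name="..."> fields of EventData into a name/value table.
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Operation = $opNames[[int]$_.Id]
            Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object    = $data['ObjectDN']
            Class     = $data['ObjectClass']
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
            Change    = $opType[$data['OperationType']]
        }
    } | Format-Table -AutoSize -Wrap
```

A modification to a multivalued attribute such as member produces two 5136 events, one ValueDeleted and one ValueAdded, which is how the old and new values are conveyed; for a detection pipeline, key on Object, Attribute and Subject and forward the Security log from every writable DC, because each DC logs only the writes it processed.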
7. Reviewing Additional Active Directory Services
Five separate technologies in Windows Server
2012 carry the Active Directory name. Some of them previously existed as
separate products, but all have been brought under the AD umbrella.
Besides AD DS itself, they are as follows:
• Active Directory Lightweight Directory Services (AD LDS)—AD
LDS, previously referred to as Active Directory in Application Mode
(ADAM), is a smaller-scale directory service that can be used by
applications that require a separate directory. It can be
used in situations when a separate directory is needed but the overhead
and cost of setting up a separate AD DS forest is not warranted.
• Active Directory Federation Services (AD FS)—AD
FS in Windows Server 2012 is an improvement over the older standalone
versions of the ADFS product previously offered by Microsoft. AD FS
2.1, included in Windows Server 2012 as a server role, provides
claims-based single sign-on, so that a single user logon can be
presented to multiple web applications, including those in partner
organizations, within one session.
• Active Directory Certificate Services (AD CS)—AD
CS is the name, introduced with Windows Server 2008, for the role formerly
known as Windows Certificate Server. AD CS provides the ability to build a
public key infrastructure (PKI) and to issue certificates to AD users and
machines. These certificates can be used for encryption of traffic and
content, and for certificate-based logon (for example, smart cards).
• Active Directory Rights Management Services (AD RMS)—AD
RMS is the evolution of the older Windows Rights Management Server
technology. AD RMS is a service that protects confidential information
from data leakage by controlling what can be done to that data. For
example, restrictions can be placed on documents, disallowing them from
being printed or programmatically accessed (such as by cutting/pasting
of content).
8. Examining Additional Windows Server 2012 AD DS Improvements
In addition to the changes listed in the preceding sections, AD DS in Windows Server 2012 continues to support the following features, most of which were first introduced in Windows Server 2008:
• Read-only domain controller (RODC) support—Windows
Server 2012 includes the ability to deploy DCs that hold a read-only copy
of the domain partition. This is useful for remote branch office
scenarios where the physical security of the DC cannot be guaranteed: an
RODC caches account passwords only for the accounts its Password
Replication Policy permits, and because it cannot originate writes, a
compromised RODC cannot push changes back into the domain.
• Group Policy central store—Administrative
template files (ADMX/ADML) can be stored once in a PolicyDefinitions
folder under the domain's Policies folder in SYSVOL, which replicates to
every DC. The Group Policy editor then reads the templates from the
central store instead of copying them into each GPO, resulting in reduced
replication and a smaller SYSVOL.
• DFS-R replication of the SYSVOL—A
domain created at the Windows Server 2008 functional level or higher
uses the improved Distributed File System Replication (DFS-R) technology
rather than the older, problematic File Replication Service (FRS) to
replicate the SYSVOL. A domain upgraded from Windows Server 2003 keeps
using FRS until the SYSVOL is migrated with the dfsrmig tool, even after
the functional level is raised.
• Active Directory database mounting tool—The
Active Directory database mounting tool (DSAMain.exe) exposes a snapshot
of an AD DS or AD LDS database, taken with ntdsutil, as a read-only LDAP
server on a port of your choosing. This can be used to compare the
snapshot with the live directory, which can prove useful when deciding
what to restore during an AD DS data recovery.
• GlobalNames DNS zone—Windows
Server 2012 DNS supports the GlobalNames zone, a forest-wide zone of
CNAME records that gives single-label names a consistent meaning across
every domain, replacing the role WINS used to play. For example, if the
GlobalNames zone maps the single label portal to
portal.asia.companyabc.com, a client in the europe.companyabc.com
subdomain that queries portal (which its resolver expands to
portal.europe.companyabc.com) is answered from the GlobalNames zone with
the same target as a client in asia.companyabc.com, because the DNS
server consults the GlobalNames zone when the name is not found in the
client's own zone. This simplifies name resolution in multidomain
environments.
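The following PowerShell script is an added example (not from the original text) that checks which of the features above are in use in the current domain and, for the GlobalNames zone, performs the setup the bullet describes. It assumes it runs as a domain admin on a Windows Server 2012 DC that also runs the DNS Server role, with the ActiveDirectory and DnsServer modules installed; the portal alias and its target portal.asia.companyabc.com are constructed to match the text's example.

```powershell
# Added example, not from the original text: inventory the AD DS features
# listed above and set up the GlobalNames zone. Assumes a Windows Server 2012
# DC/DNS server, domain admin rights, and the ActiveDirectory and DnsServer modules.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Read-only domain controllers present in the domain.
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IPv4Address

# 2. Group Policy central store: PolicyDefinitions under the domain's Policies
#    folder in SYSVOL. If it is missing, seed it from this server's local
#    templates (re-copy from the newest OS you manage after each upgrade).
$centralStore = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
if (-not (Test-Path $centralStore)) {
    Copy-Item "$env:SystemRoot\PolicyDefinitions" $centralStore -Recurse
}

# 3. SYSVOL replication engine. dfsrmig's global state shows whether FRS is
#    still in use: 0 = Start (FRS), 1 = Prepared, 2 = Redirected,
#    3 = Eliminated (DFS-R only). Domains upgraded from 2003 start at 0.
$sysvolState = (dfsrmig /getglobalstate) -join ' '

# 4. GlobalNames zone: create it forest-wide, enable GNZ support on the server,
#    and register a single-label alias. The "portal" target is constructed.
if (-not (Get-DnsServerZone -Name GlobalNames -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Forest
}
if (-not (Get-DnsServerGlobalNameZone).Enable) {
    Set-DnsServerGlobalNameZone -Enable $true
}
if (-not (Get-DnsServerResourceRecord -ZoneName GlobalNames -Name portal -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName GlobalNames -Name portal `
        -HostNameAlias portal.asia.companyabc.com
}

# Summary. Any client in the forest that asks for "portal" now receives the
# same CNAME, because the server falls back to GlobalNames when the name is
# not found in the client's own zone.
[pscustomobject]@{
    Domain             = $domain.DNSRoot
    DomainMode         = $domain.DomainMode
    ForestMode         = $forest.ForestMode
    RODCs              = ($rodcs.Name -join ', ')
    CentralStore       = Test-Path $centralStore
    SysvolState        = $sysvolState
    GlobalNamesEnabled = (Get-DnsServerGlobalNameZone).Enable
    PortalAlias        = (Resolve-DnsName -Name portal -Type CNAME -ErrorAction SilentlyContinue).NameHost
}
```

Set-DnsServerGlobalNameZone is a per-server setting, so repeat that step (or push it with a script) on every DNS server that should answer single-label queries; the zone itself replicates to all DNS servers in the forest once created with ReplicationScope Forest.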
9. Reviewing Legacy Windows Server 2003 Active Directory Improvements
It is important to understand that AD DS is a
product that has been in constant development since its release with
Windows 2000. From humble beginnings, Active Directory as a product has
developed and improved over the years. The first major set of
improvements to AD was released with the Windows Server 2003 product.
Many of the improvements made with Windows Server 2003 AD still exist
today in Windows Server 2012 AD DS. Therefore, it is important to
understand what functionality in AD was born from Windows Server 2003.
The following key improvements were made in this time frame:
• Windows Server 2003 Active Directory Domain Rename Tool—Windows
Server 2003 originally introduced the concept of domain rename, which
has continued to be supported in Windows Server 2012. This enables
administrators to prune, splice, and rename AD DS domains. Given the
nature of corporations, with restructuring, acquisitions, and name
changes occurring constantly, the ability of AD DS to be flexible in
naming and structure is of utmost importance. The Active Directory
Domain Rename Tool was devised to address this very need.
Before AD DS domains can be renamed with the rename tool (rendom.exe,
with gpfixup.exe to repair Group Policy links afterward), several key
prerequisites must be in place. First, and probably the most important,
all DCs in the entire forest must be running Windows Server 2003 or
later. In addition, the forest must be at least at the Windows Server
2003 forest functional level. Applications that embed the domain name
must also be checked; in particular, Exchange Server 2007 and later do
not support a domain rename. Finally, comprehensive backups of the
environment should be performed before undertaking the rename.
The domain rename process is complex
and should never be considered as routine. After the process, each DC
must be rebooted and each member computer across the entire forest must
also be rebooted (twice).
• Cross-forest transitive trust capabilities—Windows
Server 2003 Active Directory introduced the forest trust, a transitive
trust between two disparate AD DS forests. This capability allows two
companies to share resources more easily, without actually merging the
forests. Note that both forests must be at least at the Windows Server
2003 forest functional level for the transitive portion of this trust to
function properly. Forest trusts apply SID filtering by default; leave it
enabled unless a migration genuinely requires sIDHistory to cross the
trust, and consider selective authentication so that only explicitly
permitted principals from the other forest can authenticate.
• AD DS replication compression disable support—Another
feature introduced in Windows Server 2003 AD was the ability to turn
off replication compression to increase DC performance. This would
normally be an option only for organizations with very fast connections
between all their DCs.
• Schema attribute deactivation—Developers
who write applications for AD DS continue to have the ability,
introduced in Windows Server 2003, to deactivate (make defunct) schema
attributes and classes, because schema objects can never be deleted. At
the Windows Server 2003 forest functional level the LDAP display name and
OID of a defunct attribute can be reused, so custom-built applications
can correct a mistaken definition without fear of conflict. A defunct
attribute also accepts no new values, which removes its contribution to
replication traffic.
• Incremental universal group membership replication—Before
Windows Server 2003, Windows 2000 Active Directory had a major drawback
in the use of universal groups. Membership in those groups was stored
in a single, multivalued attribute in AD DS. Essentially, what this
meant was that any changes to membership in a universal group required
a complete re-replication of all membership. In other words, if you had
a universal group with 5,000 users, adding number 5,001 would require a
major replication effort because all 5,001 users would be re-replicated
across the forest. Windows Server 2003 and later, at the Windows Server
2003 forest functional level, use linked-value replication (LVR), which
replicates individual values of a linked multivalued attribute. In
essence, only the 5,001st member is replicated.
• AD-integrated DNS zones in application partitions—Windows
Server 2003 improved DNS replication by storing AD-integrated zones in
the DomainDnsZones and ForestDnsZones application partitions. These
partitions replicate only to the DCs that run the DNS Server role (in
the domain or the forest, respectively), rather than to every DC in the
domain as the Windows 2000 approach did, reducing replication traffic
from DNS.
• AD lingering objects removal—Another
major improvement originally introduced with Windows Server 2003 and
still supported in later versions is the ability to remove lingering
objects: objects that were deleted elsewhere but survive on a DC that
was disconnected for longer than the tombstone lifetime and therefore
never received the deletion. They can be removed with repadmin
/removelingeringobjects (first with /advisory_mode to list them), and
strict replication consistency prevents such a DC from reintroducing
them into the rest of the forest.
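For the cross-forest trust bullet above, the settings a security engineer checks are SID filtering and selective authentication. The following PowerShell script is an added example (not from the original text) that reviews every trust of the current domain and flags the ones that depart from the safe defaults. It assumes the ActiveDirectory RSAT module and read access to the domain's trustedDomain objects; the mapping of the SIDFiltering* properties to "SID filtering on" reflects the behaviour of Get-ADTrust as I know it (forest trusts report SIDFilteringForestAware, external trusts report SIDFilteringQuarantined).

```powershell
# Added example, not from the original text: review the trusts of the current
# domain and flag weak settings. Assumes the ActiveDirectory module and read
# access to the trustedDomain objects.
Import-Module ActiveDirectory

function Get-TrustReview {
    Get-ADTrust -Filter * -Properties * | ForEach-Object {
        $t = $_
        $findings = @()
        if ($t.IntraForest) {
            $kind = 'Intra-forest'
        } elseif ($t.ForestTransitive) {
            $kind = 'Forest (transitive)'
            # Forest trusts report SID filtering through SIDFilteringForestAware;
            # it turns off when sIDHistory is enabled across the trust, which lets
            # the other forest inject arbitrary SIDs into its users' tokens.
            if (-not $t.SIDFilteringForestAware) { $findings += 'SID filtering disabled' }
        } else {
            $kind = 'External'
            # External trusts report SID filtering as "quarantine".
            if (-not $t.SIDFilteringQuarantined) { $findings += 'SID filtering (quarantine) disabled' }
        }
        # Without selective authentication every principal in the trusted forest
        # can authenticate to every resource in this domain.
        if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) {
            $findings += 'Selective authentication off (forest-wide authentication)'
        }
        [pscustomobject]@{
            Name          = $t.Name
            Kind          = $kind
            Direction     = $t.Direction
            SelectiveAuth = $t.SelectiveAuthentication
            Findings      = ($findings -join '; ')
        }
    }
}

# Usage: list the trusts, most concerning first.
Get-TrustReview | Sort-Object { $_.Findings.Length } -Descending | Format-Table -AutoSize -Wrap
```

Run it against each forest in the relationship, because the two sides of a trust are configured independently and a safe setting on one side says nothing about the other. SID filtering is changed with netdom trust /quarantine (external) or /enablesidhistory (forest), and selective authentication with netdom trust /selectiveauth; review any trust whose settings were changed for a migration to confirm they were restored when the migration finished.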