techno23
Old 01-28-2008, 02:29 PM
ADS in Windows Server 2008

In the last four parts of this series we talked about the new roles and features in Windows Longhorn. From this part onwards, we shall focus on the Active Directory and its added features. We shall also see how to deploy Active Directory in Windows Server 2008. Let's look at the new features:

Read-only Domain Controller: Read-only Domain Controller or RODC is a great concept for branch offices and places with lower physical security. Let's assume that you have a head office where the data center (DC) is deployed with full physical security. Apart from this, you have five different branch offices across the globe and you have deployed local domain controllers to all branches. All domain controllers get connected over VPN to the global domain controller sitting at the datacenter and replicate data amongst themselves.

Now, let's assume that your branch offices don't have the same level of physical security that you have in your datacenter. So, somebody manages to get into the server room of any of the branch offices. Now as he is physically present in the server room, he can easily install malicious tools on it and get the admin password. He can easily enter and modify any settings in the global DC through the system and breach your network security. In such cases RODC can come in handy. It's essentially a form of DC that is completely read-only. This implies that there wouldn't be any local copy of the passwords. For instance, if someone even gets admin rights to the RODC, he cannot modify the schema at all. The users on the network can connect to an RODC and get authenticated by it, but when it comes to doing any modification, even for changing a password, they have to connect to a writable domain controller.

AD Lightweight Directory Service:
ADLDS is a new concept in MS Windows Server 2008. It is essentially a dedicated directory service for specific applications. This is ideal for cases where specific applications require directory services but do not require a complete Active Directory to be installed. With ADLDS, one can have multiple instances of Directory Services (dedicated for different applications) running simultaneously on a single machine.


Active Directory Rights Management Service: By installing the Active Directory Rights Management Service role on a server and installing ADRMS clients on workstations, one can enable rights management features in applications such as word processors, email clients, etc. One can even define which document or email will be accessible to whom, and in which manner. For instance, you can define a policy for your document/email saying that it can only be read by Mr X, whereas Mr Y can read and print the document, Mr Z can forward the document and even print it, and so on. The users can even create pre-defined policy templates such as 'Non-printable Documents' or 'Confidential-ReadOnly', etc. and directly apply those on documents when required.

Installing Active Directory:
Installing Active Directory in its basic form is not very different from the older versions of Windows Servers. But there are some changes. So, we will go through the ADS installation steps briefly.

To start the installation process, the first thing you have to do is install the Active Directory role. And to install a new role, you have to go to the Server Manager interface. So, start the Server Manager window from Administrative Tools. Now click on the Role option in the left side pane of the window. On the right side of the window, click on the 'Add Role' option. A new window will open. Here you will see the complete list of all available server roles. Here select the 'Active Directory Domain Service' and then click on 'Install'. A wizard will open. There's not much to do in the wizard window, so keep pressing Next till you've fully installed Active Directory Domain Service on your machine.

But this will only install the service on your machine and not build it as a Domain Controller. So you have to run the good old dcpromo command to make your Windows Server 2008 box a domain controller. While running dcpromo, you will feel pretty much at home as the wizard is quite similar to the older version. However, if you are new to it, you have to run the dcpromo.exe command from either the command prompt or the run button.

Running the command will open up a wizard window. Here the wizard will ask you whether you want to create a Domain in a New Forest or want to add a domain to an existing one. Select the New domain in a New Forest option and proceed.

In the next step you will be asked to provide an FQDN for the domain and the server. Here, give a full name to your domain. If the domain is mapped against a website on the Internet or you have a VPN with an Internet domain name, and you have a domain name booked for it, then provide that name in its place. This could be somedomain.com, etc. Else give a suitable name with ".local" as the top level domain. This will ensure that your DNS system doesn't always connect to the Internet while searching for a local machine. At the next step the wizard will ask you to select the Forest Functionality level. Here, if you have just one domain controller or even if you have many but all are Windows Server 2008, then select functionality level to Windows Server 2008. Else depending on other domain controllers on the Forest select the Functionality level. Changing the Functionality from Windows Server 2008 will depreciate some of the latest functionality of Windows Server 2008. But as it's a test setup and you must be having just one Domain controller, we recommend you to go for the Windows Server 2008 Functionality level.

In the next screen the wizard will ask you to install a DNS system on the machine. If you already have a DNS server, then don't select the check box, else select it and proceed. Now more or less your Windows Server 2008 Active Directory is up and running. All you need to do is to click Next twice and then provide the password for the domain when asked. Once you click on the Next button on the password screen, it will start the installation process and will take around ten to twenty minutes depending on the speed of your machine. Once it's done, you will be asked for a reboot and your ADS is ready. Next month, we will see how we can deploy a ReadOnly ADS on a Windows Server 2008 machine using the dcpromo command.
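The wizard choices described in the post above (new domain in a new forest, a ".local" FQDN, Windows Server 2008 functional level, DNS installed on the same machine) can also be recorded in a dcpromo answer file, which makes the build repeatable and reviewable. This is an added example, not part of the original post; the domain name corp.local, the NetBIOS name CORP and the file path are hypothetical, and mapping the post's "password for the domain" to the restore-mode password is an assumption.

```ini
; Added example: dcpromo answer file for a first domain controller in a
; new forest on Windows Server 2008. Run from an elevated prompt with:
;   dcpromo /unattend:C:\build\newforest.txt     (hypothetical path)

[DCInstall]
; "New domain in a new forest" wizard choice
ReplicaOrNewDomain=Domain
NewDomain=Forest

; FQDN of the new forest root domain (hypothetical name, ".local" TLD
; as the post suggests for a domain with no registered Internet name)
NewDomainDNSName=corp.local
DomainNetbiosName=CORP

; Functional levels: 0 = Windows 2000, 2 = Windows Server 2003,
; 3 = Windows Server 2008. Use 3 only when every domain controller
; in the forest runs Windows Server 2008.
ForestLevel=3
DomainLevel=3

; Install the DNS Server service on this machine; set to No when an
; existing DNS server already hosts the zone.
InstallDNS=Yes

; Directory Services Restore Mode administrator password.
; Placeholder only: this value is stored in clear text, so keep the file
; readable by administrators only and delete it after promotion.
SafeModeAdminPassword=<REPLACE-WITH-STRONG-PASSWORD>

; Reboot automatically when promotion finishes
RebootOnCompletion=Yes
```

Keep real answer files out of shared folders and version control, since anyone who can read the restore-mode password can log on to the domain controller in Directory Services Restore Mode.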