http://technet.microsoft.com/en-us/library/cc755093.aspx

In Windows Server® 2008, organizations can use Active Directory®
Domain Services (AD DS) to
manage users and resources, such as computers, printers, or
applications, on a network. AD DS includes many new features that are
not available in previous versions of Windows Server Active Directory.
These new features make it possible for organizations to deploy AD DS
more simply and securely and to administer it more efficiently. This
topic provides an overview of the improvements in AD DS. For details
about the improvements, see the following topics that describe the new
features in Windows Server 2008 AD DS:
- AD DS: Auditing
- AD DS: Fine-Grained Password Policies
- AD DS: Read-Only Domain Controllers
- AD DS: Restartable Active Directory Domain Services
- AD DS: Database Mounting Tool
- AD DS: User Interface Improvements

Overview of the improvements in AD DS

AD DS in Windows Server 2008 includes improvements to help you deploy AD DS
more simply and securely. For example, AD DS includes a new type of
domain controller called a read-only domain controller (RODC). An RODC
hosts read-only partitions of the Active Directory database. RODCs
provide a way for you to deploy domain controllers in scenarios in
which physical security cannot be guaranteed, such as branch office
locations, or scenarios in which local storage of all domain passwords
is considered a primary threat, such as in extranets or in an
application-facing role. Because you can delegate RODC administration
to a domain user or security group, RODCs are well suited for sites
that should not have a user who is a member of the Domain Admins group.

AD DS in Windows Server 2008 also includes an updated Active Directory Domain
Services Installation Wizard and changes to the Microsoft Management
Console (MMC) snap-in functions that manage AD DS so that you can
manage users and resources more efficiently.

AD DS includes fine-grained password policies that make it possible for you to apply
different password and account lockout policies to users and global
security groups in the same domain. This can reduce the number of
domains that you might need to manage. You can use restartable AD DS to
stop AD DS so that you can perform offline operations such as offline
defragmentation of Active Directory objects. This decreases the time
necessary to perform such operations because the domain controller no
longer has to be restarted in Directory Services Restore Mode as it
does in Windows Server 2003.

With the database mounting tool, you can view Active Directory data that is stored in snapshots online.
Although you cannot use this feature to restore deleted objects and
containers, you can use it to compare data in snapshots that are taken
at different points in time to decide which data to restore, without
having to restart the domain controller.
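
The snapshot comparison described above can be scripted once the data from each mounted snapshot has been exported to LDIF. This is an added example, not part of the original topic or of any Microsoft tool; the sample entries, the `example.test` names, and the `parse_ldif` and `diff_snapshots` functions are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample exports (not real directory data) from two snapshots.
SNAP_OLD = """\
dn: CN=Alice Ng,OU=Branch,DC=example,DC=test
title: Branch Manager
memberOf: CN=Branch Admins,OU=Branch,DC=example,DC=test

dn: CN=Bob Roy,OU=Branch,DC=example,DC=test
title: Clerk
"""
SNAP_NEW = """\
dn: CN=Alice Ng,OU=Branch,DC=example,DC=test
title: Branch Manager

dn: CN=Carol Diaz,OU=Branch,DC=example,DC=test
description:: VGVtcCBzdGFmZg==
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: set(values)}} for an LDIF export."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = {}
    for block in text.split("\n\n"):
        attrs = defaultdict(set)
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: " marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs[name.lower()].add(value.strip())
        for dn in attrs.pop("dn", ()):  # blocks without a dn (e.g. "version: 1") are skipped
            entries[dn.lower()] = dict(attrs)
    return entries

def diff_snapshots(old_text, new_text):
    """Classify entries as deleted, added or changed between two exports."""
    old, new = parse_ldif(old_text), parse_ldif(new_text)
    changed = {}
    for dn in old.keys() & new.keys():
        delta = {a: (old[dn].get(a, set()), new[dn].get(a, set()))
                 for a in old[dn].keys() | new[dn].keys()
                 if old[dn].get(a) != new[dn].get(a)}
        if delta:
            changed[dn] = delta
    return {"deleted": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys()), "changed": changed}
```

On the constructed data, the result lists Bob Roy as deleted, Carol Diaz as added, and Alice Ng as changed because her `memberOf` value is gone, which is the kind of difference that tells you which snapshot holds the data worth restoring.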