What are the features of Active Directory Services?

Answer 1

Windows Server 2012 R2

Protected Users Security Group

Authentication Policy and Authentication Policy Silos

Windows Server 2012

Virtualization safeguards and Virtualized domain controller cloning

Improved upgrade preparation and installation

Dynamic Access Control

DirectAccess Offline Domain Join

AD FS built in as a server role

Windows PowerShell History Viewer

Fine-grained password Policy UI

Active Directory Recycle Bin UI

Active Directory Replication and Topology Windows PowerShell cmdlets

Active Directory-based Activation

Group Managed Service Accounts

RID Improvements

Deferred Index Creation

Kerberos enhancements

Windows Server 2008 R2

Active Directory Recycle Bin (requires Windows Server 2008 R2 forest functional level)

Active Directory module for Windows PowerShell and Windows PowerShell cmdlets

Active Directory Best Practices Analyzer

Active Directory Web Services

Active Directory Administrative Center

Authentication mechanism assurance

Offline domain join

Managed Service Accounts

New logic for bridgehead server selection

Windows Server 2008

Auditing Improvements

Fine-grained password policies (requires Windows Server 2008 domain functional level)

Read-only domain controllers (requires Windows Server 2003 functional level)

Restartable Active Directory

AD database mounting tool

UI improvements

Owner rights

DFSR replication of SYSVOL (requires Windows Server 2008 domain functional level)

DSRM password sync

Active Directory Application Mode (ADAM) rebranded as Active Directory Lightweight Directory Service (AD LDS) and included in Windows Server 2008 as a server role.

Windows Server 2003

Multiple selection of user objects

Drag and drop functionality

Efficient search capabilities

Saved queries

New Active Directory command-line tools, such as adprep.exe

InetOrgPerson class

Application directory partitions

Ability to add additional domain controllers by using backup media

Universal group membership caching

Secure Lightweight Directory Access Protocol (LDAP) traffic

Partial synchronization of the global catalog

Active Directory quotas

Answer 2

Security-Having only one domain means better security through a single security policy and a single set of administrators. If you have multiple domains and forests, each has its own administrator. One weak but trusted domain exposes all the other forests and domains. With only a single domain, it's also far easier to enforce an organization-wide security policy Single platform - a single directory service or Global Catalog (GC) means a single platform for all other directory-ware services, including monitoring and messaging.

Faster deployment-starts in an organization with just a single domain and shared account database solutions need only be deployed once, which means company-wide deployments are much faster than if the organization has multiple and separate domains. Single management infrastructure-Having a single management infrastructure means there is just one infrastructure for all other directory services tasks, such as software deployment, inventory, and object managment sharing and delegation (such as for user accounts). Single Group Policy container (GPC)-With a single GPC, management polices need to be defined only once, and can be used throughout the entire enterprise without the need to manually export and import Group Policy Objects (GPOs). . Backup and recovery-Having only a single domain means better resiliency because every location has a full domain backup. Less hardware-In an organization with multiple domains, every location needs two domain controllers (DCs). With a single domain, each location needs only a single DC because if the local DC fails, the locations can use hub DCs. Reduced hardware also means fewer licenses, less management software, and less overhead for server management. There's also no need to back up remote DCs because the remote DCs just hold the same information as the central DCs-assuming the DCs only perform directory services

Answer 3

Flexible Single Master Operations (FSMO)

Windows 2000 Domains work using a multiple master designwith restricted master operations on a master domain controller. This was done to distribute the load on domain controllers but there are some operations that can only be done on a single or "master" controller.

There are a set of Flexible Single Master Operations (FSMO) which can only be done on a single controller. An administrator determines which operations must be done on the master controller. These operations are all set up on the master controller by default and can be transferred later. FSMO operations types include:

• Schema Master - Makes changes to the database schema. Applications may remotely connect to the schema master.
• Domain Naming Master - Adds or removes domains to or from the forest.
• PDC Emulator - When Active Directory is in mixed mode, the computer Active Directory is on acts as a Windows NT PDC. The first server that becomes a Windows 2000 domain controller takes the role of PDC emulator by default. Functions pewrformed by the PDC emulator:
  • User account changes and password changes.
  • SAM directory replication requests.
  • Domain master browser requests.
  • Authentication requests.
  The NTLM protocol is used by the PDC emulator to contact non-Windows 2000 clients and servers for exchange of authentication information. When contacting Windows 2000 servers , the Windows 2000 protocol is used.
• Relative ID Master (RID Master) - All objects have a Security Identifier (SID) and a domain SID. The RID assigns relative IDs to each domain controller.
• Infrastructure Master - Updates group membership information when users from other domains are moved or renamed. If you transfer this function, it should not be transferred to the domain controller that is the global catalog server. If this is done, the Infrastructure Master will not function