Computerworld

Anticipating the new Longhorn Active Directory

New features, fixes and functions in upcoming version

Just as Windows Server 2003 made significant improvements to Active Directory, Longhorn promises to follow suit. When AD was first deployed under Windows 2000, managing a Windows domain became much easier. With Server 2003, Microsoft kicked it up a notch, adding such functionality as group editing, simpler object editing and a more fluid management interface.

But AD was still far from a glowing example of form and function.

Longhorn promises to take the next logical step and then some. Microsoft has been saving up numerous features, fixes and functions to include in the next-generation Windows server platform and, if it delivers, it will be a distinct benefit to any Windows network.

One of the banes of Windows 2000/2003 AD is the relative fragility of DCs (domain controllers). Once up and running, a Windows Server 2003 DC is generally stable, but when a specific DC does develop a problem, repairing it has never been simple; in many cases the only reliable fix is to demote the server and rebuild it.

One of the more significant additions to Longhorn is the ability to use dcpromo to repair a domain controller in place, rather than demoting the server and promoting it again. In addition, the directory service itself will be restartable: a fixable problem with the AD database, such as one that needs an offline repair, can be handled by stopping and restarting the service rather than rebooting the server into Directory Services Restore Mode.

Also on the way are RODCs (read-only domain controllers). An RODC holds a read-only copy of the directory and can answer authentication and lookup requests at a remote site, but it refers anything it cannot handle, every write and any logon for an account whose credentials it does not hold, to a writable DC, which makes it a safety net for branch sites. By default an RODC does not store account passwords locally (the account objects themselves, usernames included, are replicated to it, but the credential attributes are not), and replication is one-way: from writable DCs to the RODC, never back.

In addition, Server Core, the GUI-less installation option, can host the DNS and DC roles, further reducing the footprint of a remote DC. All of this can be dropped into an existing Windows Server 2003 domain, as long as the PDC emulator FSMO (Flexible Single Master Operation) role is held by a Longhorn server.

There are some other limitations, however, such as support for only one RODC per domain per site, and, apparently, no Microsoft Exchange support for RODCs.
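The prerequisites and the per-site limit above are easy to check before running dcpromo at a branch. The following script is an added example, not code from the article or from Microsoft; it verifies that the PDC emulator runs Windows Server 2008 (NT 6.0) or later, that the forest functional level is at least Windows Server 2003 (a further RODC requirement the article does not mention), and that the target site does not already have an RODC for this domain. It assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later) and a domain-joined account with read access to the directory; the site name 'Branch01' is a placeholder.

```powershell
# Added example (not the article's or Microsoft's code): pre-flight check before
# promoting an RODC into an existing domain.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2+) is available.
Import-Module ActiveDirectory

function Test-RodcPlacement {
    param(
        [Parameter(Mandatory = $true)][string] $SiteName   # site that will host the new RODC
    )

    $domain = Get-ADDomain
    $forest = Get-ADForest

    # 1. The PDC emulator FSMO role must already be on a Windows Server 2008 (6.0) or later DC.
    $pdc = Get-ADDomainController -Identity $domain.PDCEmulator
    # OperatingSystemVersion looks like "6.0 (6002)"; keep only the numeric part.
    $pdcVersion = [version] ($pdc.OperatingSystemVersion -replace '\s.*$', '')
    $pdcOk = $pdcVersion -ge [version] '6.0'

    # 2. RODCs require forest functional level Windows Server 2003 or higher.
    $forestOk = "$($forest.ForestMode)" -notmatch '^Windows(2000|2003Interim)Forest$'

    # 3. Only one RODC per domain per site is supported: find any RODC of this
    #    domain already placed in the target site.
    $rodcsInSite = @(Get-ADDomainController -Filter * |
                     Where-Object { $_.IsReadOnly -and $_.Site -eq $SiteName })
    $siteOk = ($rodcsInSite.Count -eq 0)

    New-Object -TypeName PSObject -Property @{
        Domain        = $domain.DNSRoot
        PdcEmulator   = $pdc.HostName
        PdcOS         = $pdc.OperatingSystem
        PdcOk         = $pdcOk
        ForestMode    = "$($forest.ForestMode)"
        ForestOk      = $forestOk
        Site          = $SiteName
        ExistingRodcs = @($rodcsInSite | ForEach-Object { $_.HostName })
        SiteOk        = $siteOk
        ReadyForRodc  = ($pdcOk -and $forestOk -and $siteOk)
    }
}

# Usage: check the branch site before running dcpromo (full or Server Core) there.
# 'Branch01' is a placeholder site name.
$result = Test-RodcPlacement -SiteName 'Branch01'
$result | Format-List Domain, PdcEmulator, PdcOS, PdcOk, ForestMode, ForestOk, Site, ExistingRodcs, SiteOk, ReadyForRodc
if (-not $result.ReadyForRodc) {
    Write-Warning 'Fix every item reported as False before promoting the RODC.'
}
```

If PdcOk is False, transfer the PDC emulator role to a Longhorn DC first; if SiteOk is False, the branch already has an RODC for this domain and a second one is outside what Longhorn supports.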

The other biggie in Longhorn AD is Admin Role Separation. Most AD deployments have far too many accounts with Domain Admin privileges.

In Longhorn, a domain administrator will be able to delegate local administration of each RODC to a designated user or group that holds no rights in the domain itself. Because that local admin can manage only the RODC, and the RODC cannot write to the directory, an accidental (or unauthorized) change made at an edge site cannot propagate to the domain as a whole.
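Whether Admin Role Separation is actually paying off can be audited from the directory. The script below is an added example, not code from the article or from Microsoft: it counts the accounts that effectively hold Domain Admin rights (nested membership expanded), reports who has been delegated local administration of each RODC (the managedBy attribute of the RODC's computer object), and checks that no Domain Admin is allowed to have, or already has, a password cached on an RODC. It assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later) and read access to the directory; group and RODC names are taken from the live domain rather than hard-coded.

```powershell
# Added example (not the article's or Microsoft's code): audit Domain Admin sprawl
# and the delegated-admin / password-caching posture of every RODC in the domain.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2+) is available.
Import-Module ActiveDirectory

function Get-AdminRoleSeparationReport {
    # Everyone who effectively holds Domain Admin rights, nested groups expanded.
    $daGroup      = Get-ADGroup -Identity 'Domain Admins'
    $domainAdmins = @(Get-ADGroupMember -Identity $daGroup -Recursive |
                      Where-Object { $_.objectClass -eq 'user' })
    $adminDns     = @($domainAdmins | ForEach-Object { $_.DistinguishedName })

    $rodcReports = foreach ($dc in (Get-ADDomainController -Filter * | Where-Object { $_.IsReadOnly })) {
        # The delegated local administrator is recorded in managedBy on the RODC's computer object.
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties ManagedBy

        # Password Replication Policy: who is allowed to be cached, and whose
        # credentials have actually been revealed to this RODC.
        $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc.HostName -Allowed)
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc.HostName -RevealedAccounts)

        # Flag Domain Admin users on either list, and the Domain Admins group itself if it
        # was added to the Allowed list directly (nested allow-list groups are not expanded here).
        $adminsRevealed = @($revealed | Where-Object { $adminDns -contains $_.DistinguishedName })
        $adminsAllowed  = @($allowed  | Where-Object {
            ($adminDns -contains $_.DistinguishedName) -or ($_.DistinguishedName -eq $daGroup.DistinguishedName) })

        New-Object -TypeName PSObject -Property @{
            Rodc                = $dc.HostName
            Site                = $dc.Site
            DelegatedAdmin      = $computer.ManagedBy
            AllowedToCache      = @($allowed  | ForEach-Object { $_.SamAccountName })
            CredentialsCached   = @($revealed | ForEach-Object { $_.SamAccountName })
            DomainAdminsCached  = @($adminsRevealed | ForEach-Object { $_.SamAccountName })
            DomainAdminsAllowed = @($adminsAllowed  | ForEach-Object { $_.SamAccountName })
        }
    }

    New-Object -TypeName PSObject -Property @{
        DomainAdminCount = $domainAdmins.Count
        DomainAdmins     = @($domainAdmins | ForEach-Object { $_.SamAccountName })
        Rodcs            = @($rodcReports)
    }
}

# Usage: run from an admin workstation and act on the warnings.
$report = Get-AdminRoleSeparationReport
"Accounts with effective Domain Admin rights: {0}" -f $report.DomainAdminCount
foreach ($r in $report.Rodcs) {
    $r | Format-List Rodc, Site, DelegatedAdmin, CredentialsCached, DomainAdminsCached, DomainAdminsAllowed
    if (-not $r.DelegatedAdmin) {
        Write-Warning ("{0}: no delegated local admin; branch staff would need domain-level rights to manage it." -f $r.Rodc)
    }
    if ($r.DomainAdminsCached.Count -gt 0 -or $r.DomainAdminsAllowed.Count -gt 0) {
        Write-Warning ("{0}: Domain Admin credentials are allowed or already cached here; move those accounts to the Denied list." -f $r.Rodc)
    }
}
```

A branch RODC with an empty DelegatedAdmin is the situation the feature exists to fix, and any Domain Admin showing up in CredentialsCached means a stolen branch server would yield a domain-level credential, which is exactly what the read-only design is supposed to prevent.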

So there’s a lot to look forward to — assuming these features make it all the way to the final press of Longhorn Server. If all this comes to pass, the main beneficiaries will be your domain security, stability and, hopefully, your sanity.