Over the past few days at home I have had more time to study Windows Server 2008 and refresh my IT Pro knowledge. Looking into Active Directory on WS 2008, I found many new and interesting features, so I am writing an entry on this topic. Because it contains a lot of specialist terminology, I have kept the English text from the original documentation rather than translating it into Vietnamese.


  • Availability as an Integrated Server Role: AD FS is a server role within Windows Server 2008 that can be easily deployed and managed using Server Manager, instead of handled as an added feature, as in Windows Server 2003 R2.
  • Integration with Microsoft Office SharePoint Server 2007: AD FS can be used to facilitate a single sign-on solution for Office SharePoint Server 2007. 
  • Integration with Active Directory Rights Management Services (AD RMS): AD FS can integrate with AD RMS to support the sharing of rights-protected content between organizations without requiring AD RMS to be deployed in both organizations.
  • Improved Administration: Importing and exporting trust information has been enhanced so that each organization can quickly export or import XML files to facilitate the configuration of trust information.




  • Install from Media Generation: With this feature, you can use a one-step Ntdsutil.exe or Dsdbutil.exe process to create installation media for subsequent AD LDS installations.
  • Auditing: With this feature, you can set up AD LDS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.
  • Database Mounting Tool: With this feature, you can view directory data that is stored online in snapshots that are taken at different points in time to better decide which data to restore, without having to restart the server. This feature also applies to AD DS. For more information, see AD DS: Data Mounting Tool (http://go.microsoft.com/fwlink/?LinkId=94847).
  • Active Directory Sites and Services Support: With this feature, you can use the Active Directory Sites and Services snap-in to manage replication among AD LDS instances. To use this tool, you must import the classes in MS-ADLDS-DisplaySpecifiers.LDF to extend the schema of a configuration set that you want to manage. To connect to an AD LDS instance that hosts your configuration set, specify the computer name and the port number of a server that hosts this AD LDS instance.
  • Dynamic List of LDIF files: With this feature, you can make custom LDIF files available during AD LDS instance setup—in addition to the default LDIF files that are provided with AD LDS—by adding the files to the %systemroot%\ADAM directory.
  • Recursive Linked-Attribute Queries: With this feature, you can create a single LDAP query that can follow nested attribute links. This can be very useful in determining group membership and ancestry. For more information, see article 914828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=94828).
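The recursive linked-attribute query in the last item is done with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which lets the server follow member/memberOf links to any depth inside a single search. The PowerShell below is an added example, not code from the original post or from Microsoft; it uses System.DirectoryServices so the same functions work against an AD LDS instance (host:port) or an AD DS domain. Every host name, port and DN in it is a placeholder, and the script assumes the caller already has read access to the partition.

```powershell
# Added example: nested group membership and ancestry in one LDAP query
# using LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
# Host names, ports and DNs are placeholders; replace them with your own.

$InChain = "1.2.840.113556.1.4.1941"

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP filter value (RFC 4515),
    # so a DN containing '(' ')' '*' or an escaped comma cannot alter the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Invoke-LdapSearch {
    # Run a subtree search under $Path and return the DN of every match.
    param([string]$Path, [string]$Filter)
    $root = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $attrs = [string[]]@("distinguishedName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $attrs)
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize = 1000   # paged results, so large groups are not cut off by the server size limit
    foreach ($result in $searcher.FindAll()) {
        $result.Properties["distinguishedname"][0]
    }
}

function Get-TransitiveGroupMembers {
    # Every object whose memberOf chain reaches $GroupDn, however deeply nested.
    param([string]$Path, [string]$GroupDn)
    $g = ConvertTo-LdapFilterValue $GroupDn
    Invoke-LdapSearch -Path $Path -Filter "(memberOf:$InChain:=$g)"
}

function Get-TransitiveGroupAncestry {
    # Every group that contains $ObjectDn directly or through nesting.
    param([string]$Path, [string]$ObjectDn)
    $o = ConvertTo-LdapFilterValue $ObjectDn
    Invoke-LdapSearch -Path $Path -Filter "(member:$InChain:=$o)"
}

function Get-HiddenMembers {
    # Members that reach the group only through nesting. A review that reads just
    # the group's own "member" attribute would miss exactly these objects.
    param([string]$Path, [string]$GroupDn)
    $g = ConvertTo-LdapFilterValue $GroupDn
    $direct = @(Invoke-LdapSearch -Path $Path -Filter "(memberOf=$g)")
    $all    = @(Get-TransitiveGroupMembers -Path $Path -GroupDn $GroupDn)
    $all | Where-Object { $direct -notcontains $_ }
}

# Usage against an AD LDS instance listening on port 50000 (placeholder values).
$Path    = "LDAP://ldsserver.example.com:50000/CN=App,DC=example,DC=com"
$GroupDn = "CN=App Admins,CN=Roles,CN=App,DC=example,DC=com"
Get-HiddenMembers -Path $Path -GroupDn $GroupDn
```

The filter is evaluated entirely on the server, so a single round trip replaces the client-side recursion you would otherwise write, but on very large directories the chained evaluation can be slow and is worth running with paging (as above) rather than against a default-size-limited search.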


  • Auditing: Changes made to Active Directory objects can be recorded so that you know what was changed on the object, as well as the previous and current values for the changed attributes.
  • Fine-Grained Password Policies: Password policies can be configured for distinct groups within the domain. No longer does every account have to use the same password policy within the domain.
  • Read-Only Domain Controller: A domain controller with a read-only version of the Active Directory database can be deployed in environments where the security of the domain controller cannot be guaranteed, such as branch offices where the physical security of the domain controller is in question, or domain controllers that host additional roles, requiring other users to log on and maintain the server. The use of Read-Only Domain Controllers (RODCs) prevents changes made at branch locations from potentially polluting or corrupting your AD forest via replication. RODCs also eliminate the need to use a staging site for branch office domain controllers, or to send installation media and a domain administrator to the branch location.

  • Restartable Active Directory Domain Services: Active Directory Domain Services can be stopped and maintained. Rebooting the domain controller and restarting it in Directory Services Restore Mode is not required for most maintenance functions. Other services on the domain controller can continue functioning while the directory service is offline.
  • Database Mounting Tool: A snapshot of the Active Directory database can be mounted using this tool. This allows a domain administrator to view the objects within the snapshot to determine the restore requirements when necessary.
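Two of the AD DS items above, Auditing and Fine-Grained Password Policies, are things an administrator would normally want to switch on and then verify. The script below is an added example, not code from the original post or from Microsoft. It assumes the ActiveDirectory PowerShell module is available on the machine (the module shipped with the Remote Server Administration Tools from Windows Server 2008 R2 onward; on the Windows Server 2008 release the post describes, password settings objects are created with ADSI Edit or ldifde instead), and it runs on a domain controller with an account allowed to change audit policy. The policy name, limits and the account used for the check are constructed values.

```powershell
# Added example: create a stricter password settings object (PSO) for a
# privileged group and verify which policy actually wins for an account, then
# turn on "Directory Service Changes" auditing and read back recent change events.
# Policy name, thresholds and the sample account are constructed values.

Import-Module ActiveDirectory

function New-PrivilegedPasswordPolicy {
    param(
        [string]$Name  = "PSO-PrivilegedAccounts",   # constructed name
        [string]$Group = "Domain Admins"             # PSOs apply to users and global security groups only, not OUs
    )
    # Create the PSO once; a lower Precedence value wins when several PSOs apply.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
            -ComplexityEnabled $true `
            -MinPasswordLength 15 `
            -PasswordHistoryCount 24 `
            -MinPasswordAge (New-TimeSpan -Days 1) `
            -MaxPasswordAge (New-TimeSpan -Days 60) `
            -LockoutThreshold 5 `
            -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -ReversibleEncryptionEnabled $false
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Test-ResultantPasswordPolicy {
    # Report the policy that is really in effect for an account. A $null result
    # means no PSO applies and the Default Domain Policy settings are used.
    param([string]$SamAccountName, [string]$ExpectedPolicy)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    [pscustomobject]@{
        User            = $SamAccountName
        EffectivePolicy = if ($pso) { $pso.Name } else { "<Default Domain Policy>" }
        AsExpected      = [bool]($pso -and $pso.Name -eq $ExpectedPolicy)
    }
}

function Enable-DirectoryChangeAuditing {
    # The subcategory records old and new attribute values. Objects still need a
    # SACL that requests auditing of writes; the subcategory alone produces nothing.
    # auditpol subcategory names are localized; the English name is used here.
    auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
    auditpol /get /subcategory:"Directory Service Changes"
}

function Get-RecentDirectoryChanges {
    # Security log events written by Directory Service Changes auditing:
    # 5136 modified, 5137 created, 5138 undeleted, 5139 moved, 5141 deleted.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5138, 5139, 5141
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage (constructed account name):
New-PrivilegedPasswordPolicy | Select-Object Name, Precedence, MinPasswordLength
Test-ResultantPasswordPolicy -SamAccountName "adm.jsmith" -ExpectedPolicy "PSO-PrivilegedAccounts"
Enable-DirectoryChangeAuditing
Get-RecentDirectoryChanges -Hours 24 | Format-Table -AutoSize
```

The resultant-policy check is the important step: a PSO linked to a group only takes effect for accounts that are members of that group, and when several PSOs cover the same account the one with the lowest Precedence wins, so verifying an individual account is the only reliable way to confirm the stricter settings apply to it.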





  • Application Support: Support for AD RMS is already included within Windows Vista. Internet Explorer 7 and the 2007 Microsoft Office system already have support for AD RMS. The AD RMS client can also be installed on other Windows operating systems.
  • Persistent Protection: Your content can be protected on the go. You specify who can open, modify, print, or manage the content, and the rights stay with the content—even after it has been transferred outside of your organization.
  • Usage Policy Templates: If you have a common set of rights that you use to control access to information, a Usage Policy Template can be created and applied to content. This alleviates the need to recreate the usage rights settings for every file you want to protect.
  • AD RMS Software Development Kit: The AD RMS Software Development Kit (SDK) can be used by independent software vendors (ISVs) to rights-enable their applications, meaning the application investments you’ve already made may be (or will become) compatible with AD RMS.


  • Enrollment Agent Templates: Delegated enrollment agents can be assigned on a per-template basis.
  • Integrated Simple Certificate Enrollment Protocol (SCEP): Certificates can be issued to network devices, such as routers.
  • Online Responder: Certificate Revocation List (CRL) entries can be returned to the requestor as a single certificate response instead of the entire CRL. This reduces the total amount of network traffic consumed when clients validate certificates.
  • Enterprise PKI (PKI View): A new management tool for AD CS, this tool allows a Certificate Services administrator to manage Certification Authority (CA) hierarchies to determine the overall health of the CAs and to easily troubleshoot errors.
