- By William Stanek
Domain Controllers, Member Servers, and Domain Services
When you install Windows Server 2012 on a new system, you can configure the server to be a member server, a domain controller, or a standalone server. The differences between these types of servers are extremely important. Member servers are part of a domain but don’t store directory information. Domain controllers are distinguished from member servers because they store directory information and provide authentication and directory services for the domain. Standalone servers aren’t part of a domain. Because standalone servers have their own user databases, they authenticate logon requests independently.
Working with Active Directory
Windows Server 2012 supports a multimaster replication model. In this model, any domain controller can process directory changes and then replicate those changes to other domain controllers automatically. Windows Server distributes an entire directory of information, called a data store. Inside the data store are sets of objects representing user, group, and computer accounts as well as shared resources such as servers, files, and printers.
Domains that use Active Directory are referred to as Active Directory domains. Although Active Directory domains can function with only one domain controller, you can and should configure multiple domain controllers in the domain. This way, if one domain controller fails, you can rely on the other domain controllers to handle authentication and other critical tasks.
Microsoft changed Active Directory in several fundamental ways for the original release of Windows Server 2008. As a result, Microsoft realigned the directory functionality and created a family of related services, including the following:
- Active Directory Certificate Services (AD CS) AD CS provides functions necessary for issuing and revoking digital certificates for users, client computers, and servers. AD CS uses certificate authorities (CAs), which are responsible for confirming the identity of users and computers and then issuing certificates to confirm these identities. Domains have enterprise root CAs, which are the certificate servers at the root of certificate hierarchies for domains and the most trusted certificate servers in the enterprise, and subordinate CAs, which are members of a particular enterprise certificate hierarchy. Workgroups have standalone root CAs, which are the certificate servers at the root of nonenterprise certificate hierarchies, and standalone subordinate CAs, which are members of a particular nonenterprise certificate hierarchy.
- Active Directory Domain Services (AD DS) AD DS provides the essential directory services necessary for establishing a domain, including the data store that stores information about objects on the network and makes that information available to users. AD DS uses domain controllers to manage access to network resources. Once users authenticate themselves by logging on to a domain, their stored credentials can be used to access resources on the network. Because AD DS is the heart of Active Directory and is required for directory-enabled applications and technologies, I typically refer to it simply as Active Directory rather than Active Directory Domain Services or AD DS.
- Active Directory Federation Services (AD FS) AD FS complements the authentication and access-management features of AD DS by extending them to the World Wide Web. AD FS uses web agents to provide users with access to internally hosted web applications and proxies to manage client access. Once AD FS is configured, users can use their digital identities to authenticate themselves over the Web and access internally hosted web applications with a web browser such as Internet Explorer.
- Active Directory Lightweight Directory Services (AD LDS) AD LDS provides a data store for directory-enabled applications that do not require AD DS and do not need to be deployed on domain controllers. Each AD LDS instance runs as its own Windows service, independent of the domain controller role, and can be used in both domain and workgroup environments. Each application that runs on a server can have its own data store implemented through AD LDS.
- Active Directory Rights Management Services (AD RMS) AD RMS provides a layer of protection for an organization’s information that can extend beyond the enterprise, allowing email messages, documents, intranet webpages, and more to be protected from unauthorized access. AD RMS uses a certificate service to issue rights account certificates that identify trusted users, groups, and services; a licensing service that provides authorized users, groups, and services with access to protected information; and a logging service to monitor and maintain the rights management service. Once trust has been established, users with a rights account certificate can assign rights to information. These rights control which users can access the information and what they can do with it. Users with rights account certificates can also access protected content to which they’ve been granted access. Encryption ensures that access to protected information is controlled both inside and outside the enterprise.
Microsoft introduced additional changes in Windows Server 2012. These changes include a new domain functional level, called Windows Server 2012 domain functional level, and a new forest functional level, called Windows Server 2012 forest functional level. The many other changes are discussed in Chapter 6, “Using Active Directory.”
Using Read-Only Domain Controllers
Windows Server 2008 and later releases support read-only domain controllers and Restartable Active Directory Domain Services. A read-only domain controller (RODC) is an additional domain controller that hosts a read-only replica of a domain’s Active Directory data store. RODCs are ideally suited to the needs of branch offices, where a domain controller’s physical security cannot be guaranteed. Except for passwords, RODCs store the same objects and attributes as writable domain controllers. These objects and attributes are replicated to RODCs through unidirectional replication from a writable domain controller that acts as a replication partner.
Because RODCs by default do not store passwords or credentials other than those for their own computer account and their own RODC-specific krbtgt account (the Kerberos Key Distribution Center service account; each RODC has a separate one so that a stolen RODC cannot forge tickets for the whole domain), RODCs pull user and computer credentials from a writable domain controller that is running Windows Server 2008 or later. If allowed by the RODC's password replication policy, which the writable domain controller evaluates before releasing a secret, the RODC retrieves and then caches the credentials as necessary until they change. Because only a subset of credentials is stored on an RODC, this limits the number of credentials that can be compromised if the RODC is stolen or its disk is copied.
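The practical check that follows from this is to audit the password replication policy and the set of credentials an RODC has actually cached, since those are exactly the secrets exposed if the box is stolen. The following PowerShell is an added example, not code from the book; it assumes the ActiveDirectory module (RSAT) and a hypothetical RODC named BRANCH-RODC1, and is run from a writable domain controller or management workstation.

```powershell
# Added example: audit an RODC's password replication policy (PRP) and the
# credentials it has already cached. Names below are hypothetical.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC1'   # hypothetical RODC hostname

# Confirm the target really is an RODC before trusting the rest of the output.
$dc = Get-ADDomainController -Identity $rodc
if (-not $dc.IsReadOnly) { throw "$rodc is not a read-only domain controller" }

# The PRP has an Allowed list (credentials may be cached) and a Denied list
# (never cached). Denied always wins over Allowed, which is why the built-in
# Denied list holds Domain Admins, Enterprise Admins and similar groups.
"Allowed to cache on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
"Denied from caching on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# Let the branch's users and workstations be cached (hypothetical group names),
# so the site keeps working during a WAN outage. Admin groups stay on Denied.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch-Users', 'Branch-Computers'

# "Revealed" accounts are the credentials currently cached on this RODC. This
# is the blast radius of a physical compromise, so it should contain only
# branch accounts and never anything privileged.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
"Credentials currently cached on ${rodc}:"
$revealed | Select-Object Name, ObjectClass

# Flag any cached account that is a direct member of a privileged group.
# (Get-ADPrincipalGroupMembership returns direct memberships only; nested
# membership needs Get-ADGroupMember -Recursive on each privileged group.)
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$bad = foreach ($acct in $revealed) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct |
        Select-Object -ExpandProperty Name
    if ($groups | Where-Object { $privileged -contains $_ }) { $acct }
}
if ($bad) {
    Write-Warning "Privileged credentials cached on ${rodc}: $($bad.Name -join ', ')"
}
```

If an RODC is lost, the revealed-accounts list is the list of passwords to reset; deleting the RODC's computer object in Active Directory Users and Computers offers to reset them for you, but only for accounts that were in the cache at that moment, so keep the output of this audit from before the incident.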
Using Restartable Active Directory Domain Services
Restartable Active Directory Domain Services is a feature that allows an administrator to start and stop AD DS. In the Services console, the Active Directory Domain Services service is available on domain controllers, allowing you to easily stop and restart AD DS in the same way as for any other service that is running locally on the server. While AD DS is stopped, you can perform maintenance tasks that would otherwise require restarting the server, such as performing offline defragmentation of the Active Directory database, applying updates to the operating system, or initiating an authoritative restore. While AD DS is stopped on a server, other domain controllers can handle authentication and logon tasks. Cached credentials, smart cards, and biometric logon methods continue to be supported. If no other domain controller is available and none of these logon methods applies, you can still log on to the server using the Directory Services Restore Mode account and password.
All domain controllers running Windows Server 2008 or later support Restartable Active Directory Domain Services, including RODCs. As an administrator, you can start or stop AD DS by using the Active Directory Domain Services entry (service name NTDS) in the Services utility. Because of Restartable Active Directory Domain Services, domain controllers running Windows Server 2008 or later have three possible states:
- Active Directory Started Active Directory is started, and the domain controller has the same running state as a domain controller running Windows 2000 Server or Windows Server 2003. This allows the domain controller to provide authentication and logon services for a domain.
- Active Directory Stopped Active Directory is stopped, and the domain controller can no longer provide authentication and logon services for a domain. This mode shares some characteristics of both a member server and a domain controller in Directory Services Restore Mode. As with a member server, the server is joined to the domain. Users can log on interactively using cached credentials, smart cards, and biometric logon methods. Users can also log on over the network by using another domain controller for domain logon. As with Directory Services Restore Mode, the Active Directory database (Ntds.dit) on the local domain controller is offline. This means you can perform offline AD DS operations, such as defragmentation of the database and application of security updates, without having to restart the domain controller.
- Directory Services Restore Mode Active Directory is in restore mode. The domain controller has the same restore state as a domain controller running Windows Server 2003. This mode allows you to perform an authoritative or nonauthoritative restore of the Active Directory database.
When working with AD DS in the Stopped state, keep in mind that the services that depend on AD DS, such as File Replication Service (FRS), Kerberos Key Distribution Center (KDC), and Intersite Messaging, are stopped before Active Directory is stopped, and that they are started again when Active Directory restarts. Further, you can restart a domain controller in Directory Services Restore Mode, but you cannot boot a domain controller directly into the Active Directory Stopped state. To get to the Stopped state, you must first start the domain controller normally and then stop AD DS.
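The procedure above, from checking that another domain controller can carry the load through stopping AD DS, doing the offline work, and restarting the dependent services, is shown below as an added PowerShell example that is not from the book. It assumes the ActiveDirectory module on the local domain controller and that at least one other writable domain controller exists; the compaction path is hypothetical.

```powershell
# Added example: take AD DS (service NTDS) offline on the local DC for
# maintenance and bring it back, with the checks a careful admin performs.
Import-Module ActiveDirectory

$me     = $env:COMPUTERNAME
$domain = (Get-ADDomain).DNSRoot

# 1. Before stopping anything, confirm another writable DC is up and answering
#    LDAP; once NTDS stops, the AD cmdlets on this box have nothing to query.
$others = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain |
    Where-Object { $_.Name -ne $me }
if (-not $others) { throw 'No other writable DC in the domain; AD DS must stay up.' }
foreach ($dc in $others) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($dc.HostName, 389); "$($dc.HostName) reachable on LDAP/389" }
    catch { Write-Warning "$($dc.HostName) NOT reachable on LDAP/389" }
    finally { $tcp.Close() }
}

# 2. Record which dependent services are running so they can be restored later
#    (KDC, Intersite Messaging and whatever else Windows lists as dependent).
$deps = Get-Service -Name NTDS -DependentServices | Where-Object Status -eq 'Running'
"Will stop with NTDS: $($deps.Name -join ', ')"

# 3. Stop AD DS. -Force stops the dependents first, as the Services console does.
Stop-Service -Name NTDS -Force
"NTDS is now: $((Get-Service -Name NTDS).Status)"   # Stopped = 'Active Directory Stopped'

# 4. Offline maintenance goes here. For an offline defragmentation, compact the
#    database to a scratch folder (hypothetical path), then verify it and copy it
#    over %SystemRoot%\NTDS\ntds.dit before restarting the service:
#      ntdsutil "activate instance ntds" files "compact to C:\NtdsCompact" quit quit
#      ntdsutil "activate instance ntds" files integrity quit quit

# 5. Restart AD DS, then the dependents that were running before.
Start-Service -Name NTDS
foreach ($svc in $deps) { Start-Service -Name $svc.Name }
Get-Service -Name (@('NTDS') + $deps.Name) | Select-Object Name, Status

# Note: there is no way to boot straight into the Stopped state. To boot into
# Directory Services Restore Mode for an authoritative restore, set the safeboot
# flag, reboot, and clear the flag again afterwards:
#   bcdedit /set safeboot dsrepair ; Restart-Computer
#   bcdedit /deletevalue safeboot
```

Recording `$deps` before the stop is the important detail: if you start NTDS by itself afterwards, Windows does not restart the services that were stopped on its behalf, and a domain controller with AD DS running but the KDC stopped still cannot issue Kerberos tickets.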