Configuring Server Roles in Windows 2008

Presentation transcript:

Slide 1: Configuring Server Roles in Windows 2008
Exam Objectives:
- New Roles in 2008
- Read-Only Domain Controllers (RODCs)
- Active Directory Lightweight Directory Service (LDS)
- Active Directory Rights Management Service (RMS)
- Active Directory Federation Services (ADFS)

Slide 2: New Roles in 2008
- With the release of Windows Server 2008, an Active Directory domain controller can be deployed in several new ways.
- Server Manager is a single solution that is used as a single source for managing identity and system information.
- Server Manager is enabled by default when a Windows 2008 server is installed.
- Server Core is a minimal server installation option for Windows Server 2008 that contains a subset of executable files, as well as five server roles.

Slide 3: Read-Only Domain Controllers
- An RODC holds all of the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, with the exception of account passwords.
- Unidirectional replication prevents RODCs from replicating information to a writable domain controller.
- The installation of read-only domain controllers can be delegated to other users.

Slide 4: Active Directory Lightweight Directory Service
- Active Directory Lightweight Directory Service is a slimmed-down version of AD.
- LDS is used when directory-aware applications need directory services, but there is no need for the overhead of a complete forest or domain structure.
- LDS has many new features over ADAM, including Auditing, Server Core Support, Support for Active Directory Sites and Services, and a Database Mounting Tool.

Slide 5: Active Directory Rights Management Services
- RMS does require a Client Access License.
- The three main functions of AD RMS are creating rights-protected files and templates, licensing rights-protected information, and acquiring licenses to decrypt rights-protected content and apply usage policies.
- The three new features of AD RMS are delegation of roles, integration with Federation Services, and self-enrollment.

Slide 6: Active Directory Federation Services
- Federation Services were first available in Windows Server 2003 R2.
- Federation Services provides an identity management solution that interoperates with WS-* Web Services Architecture-enabled security products.
- WS-Federation Passive Requestor Profile (WS-F PRP) also makes it possible for federation to work with solutions that do not use the Microsoft standard of identity management.
- The WS-Federation specification defines an integrated model for federating identity, authentication, and authorization across different trust realms and protocols.
- WS-Federation Passive Requestor Profile was created jointly by IBM, BEA Systems, Microsoft, VeriSign, and RSA Security.

Slide 7: FAQ
Q: Can an RODC replicate to another RODC?
A: No. RODCs can only replicate with full domain controllers. This is a feature of the RODC, which is meant to be, as the name implies, a read-only server. Since neither RODC would have write capabilities in this example, it would be pointless to have them replicate to one another.

Slide 8: FAQ
Q: Can I federate with a Windows Server 2003 R2 forest?
A: Yes, you can, but keep in mind that they will not have all of the same functionality. Federation was introduced in Windows Server 2003 R2 to allow IT organizations to take advantage of the basics of federation. However, features such as integration with other applications like AD RMS and Office SharePoint Server 2007 are not available.

Slide 9: FAQ
Q: Can an RODC exist in a mixed-mode (Windows 2003 and Windows 2008) domain?
A: Yes, but you must run adprep with the proper switches in order for it to succeed. If the domain is not prepped for this new Windows Server 2008 role, the RODC installation will fail almost immediately. adprep is required to add the appropriate schema modifications for RODC.

Slide 10: FAQ
Q: LDS sounds pretty cool. Can I just run that for my AD environment?
A: The short answer is yes, but if you are running AD internally, you would probably want the full functionality of Domain Services. LDS is meant for smaller environments, such as a DMZ, where additional functionality, in particular management, is not a requirement.

Slide 11: FAQ
Q: Does Rights Management work with mobile devices?
A: Yes, there is a mobile module for Rights Management Services. However, only Windows Mobile devices are supported with Rights Management. Check with your wireless vendor or mobile manufacturer for support and availability on particular models.

Slide 12: FAQ
Q: I've heard that Server Core is only supported in 64-bit edition. Is that true?
A: No. Server Core works in both 32-bit and 64-bit editions; Hyper-V (virtualization) only runs on 64-bit. It should be noted that as of the writing of this book, Windows Server 2008 is expected to be the final 32-bit server operating system released by Microsoft.

Slide 13: FAQ
Q: Do I have to use Server Manager for role deployment?
A: No. You can also use scripting tools to deploy roles. Also, depending on the role, role bits (the actual files that make up the role) can sometimes be added automatically. For example, if you forget to add the Directory Services role prior to running dcpromo.exe, dcpromo will add the role for you. However, this is not the case with all roles.

Slide 14: Test Day Tip
It is possible to stage an RODC and delegate rights to complete an RODC installation to a user or group. In order to do this, you must first create an account in Active Directory for the RODC in Active Directory Users and Computers. Once inside of ADU&C, you must right-click the Domain Controllers OU container, and select Pre-create Read-Only Domain Controller Account. From here, you can set the alternate credential for a user who can then finish the installation. On the server itself, the user must type dcpromo /UseExistingAccount:Attach in order to complete the process.
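
The attach step from the tip above, wrapped in pre-flight checks, as an added example that is not part of the original slides. It assumes the delegated user runs it on the branch server; the account name BRANCH-RODC1 is a constructed placeholder for the pre-created RODC account.

```bat
@echo off
rem Added example (not from the slides): checks to run before the delegated
rem user attaches this server to a pre-created RODC account.
setlocal

rem Constructed placeholder: name of the pre-created RODC account.
set "RODC_ACCOUNT=BRANCH-RODC1"

rem The local computer name has to match the pre-created RODC account,
rem otherwise there is no staged account for this server to attach to.
if /I not "%COMPUTERNAME%"=="%RODC_ACCOUNT%" (
    echo Computer name %COMPUTERNAME% does not match RODC account %RODC_ACCOUNT%.
    exit /b 1
)

rem The server has to be a workgroup member at this point; a server that is
rem already joined to the domain cannot attach to the staged account.
wmic computersystem get PartOfDomain /value | find /I "PartOfDomain=TRUE" >nul
if not errorlevel 1 (
    echo This server is already joined to a domain. Remove it from the domain first.
    exit /b 1
)

rem Start dcpromo in attach mode, as in the tip. The delegated user enters
rem their own credentials in the wizard, so no Domain Admins logon is used
rem on the branch server.
dcpromo /UseExistingAccount:Attach
exit /b %errorlevel%
```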