New Features in Active Directory since 2003

Major new features and benefits for Sysadmins. See full list at bottom of each, but the ones listed here are what I would expect 80% of us to care about.

For most/all of these you’ll need the domain/forest at the specific level. Just adding a newer Windows OS doesn’t usually do the trick. Remember to be at a certain level, all DC's must be that OS or newer.

2008

  • Now called AD DS “Active Directory Domain Services” and is a Role with Install Wizard
  • Fine-Grained Password Policies: Note that in this version there is no GUI, but in 2012 we get one. (about) (how-to)
  • Read-Only Domain Controllers: Sounds like good idea, but mostly only used when server location lacks physical security. Doesn’t provide site survivability by default. Rarely used in the wild. (about)
  • Restartable AD Services: Good for defrag of big AD DB's, but that's rare. (about)
  • DFSR Replaces FRS: Manual migration required, can be done in less than an hour, but not intuitive, so here's your step by step. Worth doing (FRS eventually gets depreciated).
  • Microsoft's What's New List

2008 R2

  • AD Recycle Bin: Must be manually enabled, not drag-n-drop friendly at this point, but valuable. (how-to)
  • AD in PowerShell: (about)
  • AD Administrative Center: Future replacement of ADUnC Admin GUI, but still prefer ADUnC at this point.
  • AD Web Services: Future of AD. Web API all the things.
  • Managed Service Accounts: Never worry about changing PW on domain-based Windows Services. (how-to)
  • Magical Offline Domain Join: djoin.exe (pre-create account, copy info to pc in txt file) (how-to)
  • Microsoft's What's New List

2012

  • We loose the start button, clippy cries.
  • Virtualization features supported (snapshots, cloning). We could still virtualize the server before, we just couldn't do fun VM things with it. (about)
  • dcpromo.exe gone, all now in Server Manager Wizard.
  • Fine-Grained Password and AD Recycle Bin get GUI (“Deleted Objects”) (about)
  • AD-Based Volume License Activation: No more need for KMS server, all Windows 8+/2012+ and Office 2013+ on domain magically gets activated. No minimums. (how-to)
  • Microsoft's What's New List

2012 R2

  • START BUTTON IS BACK, good times. Old dog learns new trick: (r-click start button to be exact).
  • Workplace Join: SSO for non-domain Windows 8.1 and iOS. Meh in this 1st release.
  • Web Application Proxy: A Reverse Web Proxy. The return of the best feature in TMG/ISA, now free in Windows Server as a Role. Listed here because it can be used as auth gateway to internal network apps, but uses ADFS to do that. Side note, this role is also a ADFS Proxy. (about).
  • ADFS Multi-Factor.
  • Microsoft's What's New List

Azure Active Directory vs. Windows Active Directory

  • Lots of confusion here, but unless you're BYOD-only, or only Windows 10+, you'll likely still want Windows Active Directory running on your Windows Server.
  • Think of Azure AD as Microsoft’s Live ID for Business, with your own auth database hosted by Azure. But, no Kerberos, LDAP, NTLM, Etc. Web Services Only. Lots of online services support it as single-sign-on.
  • You can keep same users/passwords in both by connecting the two together via Sync.
  • Got Office 365? Your Office 365 sign-on can be upgraded to full Azure Active Directory. This process keeps changing, so Google/Bing it and look for articles within last few months.
  • You can still run your Windows Active Directory servers on Azure VM's, but that's technically IaaS, not the SaaS that Azure Active Directory is.
  • Need AD Offsite? You can now build VM’s in Azure IaaS, and use site-to-site VPN for making an offsite AD site. Then give users Azure VPN Client, and have them route through Azure, and now you have off-site redundant AD.

Comments on HN