Link-Local Multicast Name Resolution in Windows Server 2008

Windows Server Operating Systems

Microsoft has supported a combination of the Domain Name Service (DNS) and the Windows Internet Naming Service (WINS) for quite a long time. Beginning with Windows 2000 Server, DNS became the primary naming service and WINS was needed less and less.

In Windows Server 2008 the need for WINS has been essentially eliminated, although it remains supported for backward compatibility. In place of WINS, Microsoft has introduced Link-Local Multicast Name Resolution (LLMNR) in the latest server version of Windows. This tip will discuss LLMNR and the benefits this new naming method brings to the table.

The Windows Internet Naming Service was a good method for allowing Windows client and server computers to communicate using NetBIOS names. This technology works well within local networks that use only IPv4 addresses.

LLMNR provides peer-to-peer name resolution, supports both IPv4 and IPv6 addressing, and can function without a WINS or DNS server being present. Because it operates only at a local level, LLMNR does not replace the functionality of DNS.

Windows Server 2008 and Windows Vista support LLMNR, which is designed to resolve computer names when no other service is available to do so, such as in the following scenarios:

  • Ad Hoc networks
  • Small Office or Home networks
  • Corporate environments where DNS is not available

It is in these instances where LLMNR can really improve name resolution and allow client and server computers to function more efficiently. LLMNR is enabled on any system running Windows Vista or Windows Server 2008, and when it is used, name resolution works as follows:

A host computer first sends its query to its preferred DNS server. If that request fails, it tries the configured alternate DNS server. If that attempt also fails, the request falls back to LLMNR.

The host computer then sends a multicast request over UDP asking for the IP address of the computer name being looked up.

Note: The request is only sent to computers on the same subnet.

Computers that support LLMNR (those running Vista and Windows Server 2008) receive the request and compare the queried computer name to their own host name. If the name does not match the recipient's host name, the request is discarded. If the name being looked up does match one of the local computers, that computer returns a unicast response containing its IP address.
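To make the query, compare and unicast-reply steps above concrete, here is an added PowerShell example (not code from the original post, and not Microsoft's implementation) that builds and decodes LLMNR messages offline. LLMNR reuses the DNS message layout, the multicast group 224.0.0.252 and UDP port 5355 (all from RFC 4795); the host names FILESRV1 and WEBSRV and the address 192.0.2.10 are constructed sample values.

```powershell
# Added example, not code from the original post. Builds and decodes LLMNR
# messages offline so the query/compare/reply exchange can be followed byte by
# byte. Host names and the 192.0.2.10 address are constructed sample values.

$LlmnrGroupV4 = '224.0.0.252'   # multicast group queries are sent to (RFC 4795)
$LlmnrPort    = 5355            # UDP port for LLMNR

function ConvertTo-LlmnrName {
    param([string]$Name)
    # DNS-style labels: <length><ASCII bytes>... terminated by a zero byte
    $out = New-Object System.Collections.Generic.List[byte]
    foreach ($label in $Name.Split('.')) {
        $raw = [System.Text.Encoding]::ASCII.GetBytes($label)
        $out.Add([byte]$raw.Length)
        $out.AddRange($raw)
    }
    $out.Add([byte]0)
    return ,$out.ToArray()
}

function New-LlmnrQuery {
    param([string]$Name, [int]$Id = 0x1234)
    # Header: ID, flags 0x0000 (QR=0 means query), QDCOUNT=1, AN/NS/ARCOUNT=0,
    # followed by one question for an A record (QTYPE=1) in class IN (QCLASS=1)
    $q = New-Object System.Collections.Generic.List[byte]
    $q.AddRange([byte[]]([Math]::Floor($Id / 256), ($Id % 256), 0,0, 0,1, 0,0, 0,0, 0,0))
    $q.AddRange((ConvertTo-LlmnrName $Name))
    $q.AddRange([byte[]](0,1, 0,1))
    return ,$q.ToArray()
}

function Read-LlmnrName {
    param([byte[]]$Packet, [int]$Offset)
    # Reads a label sequence, following a 0xC0xx compression pointer if present
    # (replies point the answer name back at the question); returns the name and
    # the offset just after the field
    $labels = @(); $next = -1
    while ($true) {
        $len = [int]$Packet[$Offset]
        if ($len -eq 0) { $Offset++; break }
        if (($len -band 0xC0) -eq 0xC0) {
            if ($next -lt 0) { $next = $Offset + 2 }
            $Offset = (($len -band 0x3F) * 256) + $Packet[$Offset + 1]
            continue
        }
        $labels += [System.Text.Encoding]::ASCII.GetString($Packet, $Offset + 1, $len)
        $Offset += 1 + $len
    }
    if ($next -lt 0) { $next = $Offset }
    New-Object PSObject -Property @{ Name = ($labels -join '.'); Next = $next }
}

function Read-LlmnrMessage {
    param([byte[]]$Packet)
    $flags   = ([int]$Packet[2] * 256) + $Packet[3]
    $anCount = ([int]$Packet[6] * 256) + $Packet[7]
    $q = Read-LlmnrName $Packet 12
    $qType = ([int]$Packet[$q.Next] * 256) + $Packet[$q.Next + 1]
    $pos = $q.Next + 4                      # skip QTYPE and QCLASS
    $answers = @()
    for ($i = 0; $i -lt $anCount; $i++) {
        $a = Read-LlmnrName $Packet $pos
        $p = $a.Next
        $type  = ([int]$Packet[$p] * 256) + $Packet[$p + 1]
        $ttl   = ([int]$Packet[$p + 4] * 16777216) + ([int]$Packet[$p + 5] * 65536) + ([int]$Packet[$p + 6] * 256) + $Packet[$p + 7]
        $rdLen = ([int]$Packet[$p + 8] * 256) + $Packet[$p + 9]
        $rdata = $Packet[($p + 10)..($p + 9 + $rdLen)]
        $addr  = $null
        if ($type -eq 1 -and $rdLen -eq 4) { $addr = $rdata -join '.' }   # A record
        $answers += New-Object PSObject -Property @{ Name = $a.Name; Type = $type; Ttl = $ttl; Address = $addr }
        $pos = $p + 10 + $rdLen
    }
    New-Object PSObject -Property @{
        Id = ([int]$Packet[0] * 256) + $Packet[1]
        IsResponse = (($flags -band 0x8000) -ne 0)
        QuestionName = $q.Name; QType = $qType; Answers = $answers
    }
}

function Test-LlmnrShouldAnswer {
    param($Message, [string]$LocalHostName)
    # The receiver-side check from the post: answer only when the queried name is
    # this host's own name (compared case-insensitively); anything else is dropped
    return ((-not $Message.IsResponse) -and ($Message.QuestionName -ieq $LocalHostName))
}

function New-LlmnrResponse {
    param([byte[]]$Query, [string]$IPv4Address)
    # The unicast reply: copy the query, set QR=1 and ANCOUNT=1, then append one
    # A record whose name is a pointer to the question (0xC00C), TTL 30 seconds
    $r = New-Object System.Collections.Generic.List[byte]
    $r.AddRange($Query)
    $r[2] = [byte]($r[2] -bor 0x80)
    $r[7] = [byte]1
    $r.AddRange([byte[]](0xC0,0x0C, 0,1, 0,1, 0,0,0,30, 0,4))
    $r.AddRange([System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes())
    return ,$r.ToArray()
}

# Walk through the exchange for a lookup of FILESRV1 (constructed names)
$query = New-LlmnrQuery -Name 'FILESRV1'
$msg   = Read-LlmnrMessage $query
'Query {0} for {1}, QTYPE {2} (would go to {3}:{4})' -f $msg.Id, $msg.QuestionName, $msg.QType, $LlmnrGroupV4, $LlmnrPort
'filesrv1 answers: {0}' -f (Test-LlmnrShouldAnswer $msg 'filesrv1')   # True
'WEBSRV answers:   {0}' -f (Test-LlmnrShouldAnswer $msg 'WEBSRV')     # False, discarded
$reply = Read-LlmnrMessage (New-LlmnrResponse $query '192.0.2.10')
'Reply: {0} -> {1}, TTL {2}' -f $reply.Answers[0].Name, $reply.Answers[0].Address, $reply.Answers[0].Ttl
```

Nothing here touches the network; the packet bytes are exactly what a capture of UDP port 5355 would show, which makes the decoder useful for reading LLMNR traffic off the wire when you want to see which names on a subnet are falling back from DNS.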

There are no configuration steps needed to use this new technology, since it is enabled by default in Windows Vista and later; it can, however, be disabled in the registry. LLMNR also supports reverse lookups, which it handles by sending a unicast query to the IP address asking for its host name.
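The registry switch mentioned above, as an added PowerShell example (not from the original post): it uses the policy value that Group Policy's "Turn off multicast name resolution" setting (Computer Configuration, Administrative Templates, Network, DNS Client) writes, so the same state can be set by hand on a single host or verified after a GPO is applied. The key path and value name are Microsoft's; the helper function names are my own.

```powershell
# Added example, not code from the original post. Reads, sets and clears the
# policy value that turns LLMNR off. Run in an elevated session; the key path
# and EnableMulticast value name are the ones the DNS Client policy uses.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrState {
    # No policy value present means the Windows default (enabled) applies
    $value = Get-ItemProperty -Path $PolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($value -ne $null -and $value.EnableMulticast -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Llmnr {
    # EnableMulticast = 0 stops the host from sending LLMNR queries and from
    # answering them; name resolution then relies on DNS (and NetBIOS if present)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name EnableMulticast -Value 0 -Type DWord
}

function Enable-Llmnr {
    # Removing the value returns the host to the default behaviour
    Remove-ItemProperty -Path $PolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
}

'Before: LLMNR {0}' -f (Get-LlmnrState)
Disable-Llmnr
'After:  LLMNR {0}' -f (Get-LlmnrState)
```

Because the value lives under the Policies hive, a domain GPO that sets the same setting will overwrite whatever you set locally, which is the behaviour you want on domain-joined servers.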

Note: LLMNR requires computer names to be unique on the local subnet.

Link-Local Multicast Name Resolution is a much better fit for name resolution than WINS because it supports the emerging IPv6 technology as well as existing IP technologies.

Read-only Domain Controllers in Windows Server 2008

Active Directory, Windows Server Operating Systems

The Domain Controller has been a cornerstone of Windows networking as far back as Windows NT. While the Domain Controller has evolved from the primary and backup configuration in NT to the flexible single master operations (FSMO) model used with Active Directory, it remains the central concept in Windows Server 2008.

In Windows Server 2008, however, the Domain Controller concept has been extended to allow read-only Domain Controllers. These are Domain Controllers that hold a copy of the Active Directory information but do not accept changes to it.

For example, suppose a company has a large corporate office whose network consists of three Domain Controllers, two member servers, and 100 client PCs and users. The company then decides to open a smaller office about thirty miles away and move a few staff members there to expand its operation. Because of the small size of the branch office, the company elects to place a read-only Domain Controller (RODC) there, so that most of the AD information is available locally without any changes made in the branch office propagating back to the other DCs on the network.

Note: Password information cannot be stored on an RODC, which increases security. When this information is needed for authentication, it is requested from a writeable Domain Controller.

To configure a read-only Domain Controller, simply check the read-only Domain Controller box displayed in the Domain Controller installation wizard.

Note: Updates to the directory partitions held by an RODC must be pulled from a Domain Controller running Windows Server 2008 in the same domain. The domain and forest must be at least at the Windows Server 2003 functional level.

To configure a read-only Domain Controller to also handle DNS for the remote site, you will need to run the adprep /rodcprep command once per forest so that DNS permissions are updated across all DNS application partitions in the forest.

When using DNS on a read-only Domain Controller, be aware that this server cannot register name server resource records for any Active Directory-integrated DNS zones it hosts. When a client requests a dynamic resource record registration, the RODC returns a referral to another DNS server, allowing the client to complete the registration through a writeable Domain Controller.

Note: A read-only Domain Controller cannot function as a Global Catalog server because the GC requires a writeable Domain Controller.

There are several restrictions that come into play when deploying read-only Domain Controllers; however, they can be deployed with little worry in offices that may not be as physically secure as a completely writeable copy of Active Directory requires.

Restartable Active Directory Domain Services

Active Directory, Windows Server Operating Systems

Windows Server 2008 introduces another new feature in this iteration of Active Directory: Restartable Active Directory Domain Services. All DCs running Windows Server 2008 support restartable domain services.

Active Directory Domain Services appears in the services applet on all Windows Server 2008 Domain Controllers in your Active Directory environment. The modes available for Active Directory Domain Services are:

  • Active Directory Started – In this state the Active Directory services are running and function similarly to Domain Controllers in Windows 2000 Server and Windows Server 2003. When in the started state, a Windows Server 2008 Domain Controller can provide authentication services for a domain.
  • Active Directory Stopped – In this state the Domain Controller cannot provide authentication and logon services for an Active Directory environment. While in the stopped state, the Domain Controller behaves similarly to a member server or a server started in Directory Services Restore Mode (DSRM): it accepts logons with cached credentials, smart cards, or biometrics like a member server, while its directory services database is taken offline, as in DSRM.
  • Directory Services Restore Mode – In this state the Domain Controller is in restore mode and behaves much like a Windows Server 2003 Domain Controller in restore mode. The directory services database is offline, and maintenance, including an authoritative restore, can be performed.

Stopping the Active Directory services allows maintenance tasks to be performed that previously required the server to be restarted. This can save a great deal of time for administrators and other users in your environment. Other Domain Controllers within the environment handle logon requests and other resource needs while a server's Active Directory services are stopped. If your environment has only one Domain Controller and no other methods of authentication are supported, an administrator can still log on using the Directory Services Restore Mode account and password.

Other methods of authentication that still work when AD Domain Services are stopped are:

  • Cached Credentials
  • Smart Cards
  • Biometrics

Note that, like any other Windows service, AD DS stops its dependent services when it is stopped. These include the File Replication, Intersite Messaging, and Kerberos Key Distribution Center services. If these services were running when AD DS was stopped, they are restarted when AD DS is started again.

Note: When starting a Domain Controller, you cannot start Active Directory Domain Services in a stopped state. To stop this service, the Windows Server 2008 system must be started first, and then the AD DS service can be stopped using the services applet.
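The same Started/Stopped transition, driven from PowerShell instead of the services applet, as an added example (not code from the original post). It assumes an elevated session on a Windows Server 2008 Domain Controller; NTDS is the service name behind "Active Directory Domain Services", and the function names are my own. The dependents that were running are recorded before the stop so that exactly those are brought back afterwards.

```powershell
# Added example, not code from the original post. Stops and restarts AD DS
# (service name NTDS) and shows which dependent services go down with it.
# Assumes an elevated PowerShell session on a Windows Server 2008 DC.

function Get-AdDsState {
    # Reports AD DS status plus the services that depend on it (File
    # Replication, Intersite Messaging, Kerberos KDC, as noted above)
    $ntds = Get-Service -Name NTDS
    $dependents = @($ntds.DependentServices | ForEach-Object { '{0} ({1})' -f $_.DisplayName, $_.Status })
    New-Object PSObject -Property @{ Status = $ntds.Status; Dependents = $dependents }
}

function Stop-AdDs {
    # Remembers which dependents were running, then stops AD DS. -Force is
    # required because NTDS has running dependents; Windows stops them first.
    $running = @((Get-Service -Name NTDS).DependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        ForEach-Object { $_.Name })
    Stop-Service -Name NTDS -Force
    (Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    return ,$running
}

function Start-AdDs {
    param([string[]]$Dependents = @())
    # Start-Service brings up NTDS only, so the dependents that were stopped
    # with it are started explicitly to return the DC to full service
    Start-Service -Name NTDS
    (Get-Service -Name NTDS).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    foreach ($name in $Dependents) { Start-Service -Name $name }
}

Get-AdDsState
$wasRunning = Stop-AdDs
# ... offline maintenance of the directory database goes here ...
Start-AdDs -Dependents $wasRunning
Get-AdDsState
```

Run Get-AdDsState once before you start: on a DC whose KDC or FRS shows as already stopped, that is worth knowing before you take the directory offline, not after.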

Windows Server 2008’s Retooled Active Directory Services

Windows Server Operating Systems

Active Directory (AD) has been around since Windows 2000 and has changed the way that many administrators think about and actually manage domain environments. Microsoft has upped the ante again for the Windows Server 2008 version of AD. This tip will look at some of the newly reshaped services for Active Directory included with Windows Server 2008.

The 2008 release of AD brings more server-side components under the umbrella of the directory service. Active Directory for Windows Server 2008 includes the following services:

  • Active Directory Certificate Services (AD CS) – provides functionality within AD to manage the issuing and revocation of certificates for users, client computers, and servers.
  • Active Directory Domain Services (AD DS) – provides the essential services for domain creation and data storage within the directory service. This service is the core of Active Directory and has been retooled for Windows Server 2008.
  • Active Directory Federation Services (AD FS) – complements domain services by allowing web clients to authenticate to internally hosted web applications with the credentials Active Directory has already authenticated. This lets web applications make use of Active Directory logons rather than requiring users to authenticate separately to access web services.
  • Active Directory Lightweight Directory Services (AD LDS) – provides a data store for Active Directory-enabled applications that does not require installation on a Domain Controller. AD LDS does not run as a service and operates in both domain and workgroup environments. Any application running on a server can make use of its own data store if necessary.
  • Active Directory Rights Management Services (AD RMS) – allows data to be protected inside and outside of the enterprise. Email messages, internet content, and internal documents can be protected against unauthorized access. AD RMS uses a certificate to verify that the user, computer, or service should be able to access the resource. When AD RMS trusts a resource, users can assign rights to information.

These newly integrated services existed in previous versions of Windows as individual server components; in Windows Server 2008, however, they have been integrated into Active Directory for simplified management and control.

Windows Server 2008

Windows Server Operating Systems

Now that Windows Server 2008 has been released and I have had a chance or two to dig into the new Server OS, I will be posting here as I learn more about the new platform and feel confident that the information I learn will be of use to someone.

I have a few posts scheduled for release this week, and the Windows 2008 items among them will be posted, hopefully with a good deal more to follow.

But enough with the administrative babble; let’s get back to regularly scheduled content.