Blog Post

Microsoft Entra Blog
5 MIN READ

Active Directory in Longhorn Server

Alex Simons (AZURE)'s avatar
Sep 07, 2018
First published on CloudBlogs on Feb, 13 2007

Recently I posted saying that I’d give a preview of Longhorn Server Active Directory.  Well, here it is.  I will caution all who read this to take into account that we are still in a beta production phase, so some or all of these items could change (or perhaps not make it in the product if they don’t meet the high bar of testing we have) before Longhorn is released to manufacturing and available for your servers.  After hearing about the features it will have, though, I strongly suspect that you’ll really want everything to be in the final product as is and in full force.  So, let's get started.

Roles

Services in Longhorn are all about roles, which can be loosely defined as sets of features that provide services.  Active Directory Services is one role, as is Directory Lightweight Services or LDS (previously known as ADAM).    If you’ve been doing your reading then you about Server Core.  ADS, LDS and DNS are all installable on Server Core Longhorn installs.  In all except for Server Core, roles will be added via Server Manager as a central snapin interface.  Look for wizards taking you on through the addition of the role and the specifics of what will be needed to install as you need.

Read-Only Domain Controllers (RODCs)

Longhorn will add a new type of domain controller: RODC.  This is a DC which has a read-only copy of the domain partition it is a DC for.  The RODC will host an abbreviated copy of the domain partition and will, by default, not host passwords.    It can be set to host those as well if you choose.    No changes will be written on the RODC, not for SYSVOL and not for AD.  All changes (updates, really) will come from other, writable, Longhorn DCs.

The RODC is designed to be provide a smaller security silhouette as well as less manageability concern for smaller, remote business locations and branch offices.  RODCs will need Windows 2003 forest functional level (they use LVR), and require at least one Longhorn DC (not RODC) for their own domain to replicate from.  From what I understand, Read-Only Partial Attribute Set (PAS) for RODC will be published to MSDN’s schema repository in the same way GC PAS (isMemberOfPartialAttributeSet) items are for reference purposes, and utilizable in a similar manner for your schema.  For now, expect frequently accessed attributes to be the defaults as present objects and attributes on a RODC.

As an additional security enhancement the Krbtgt account, used for issuance of TGTs to domain principals (users, computers and the like), will be unique to each RODC.  Group membership, useraccountcontrol value and other unique domain controller details will be different for RODC accounts-no “strong” security group memberships like Enterprise Domain Controllers, for example.

RODC replication will be unidirectional with all changes flowing into the RODC from a full writable Longhorn DC of the same domain.

Admin role separation will allow you to make a “branch office admin” capable of administering all aspects of the RODC without fear of compromising your domain, forest or enterprise.

The ADPREP process is essentially the same as in Server 2003 where the domain and forest must be prepared for the introduction of the first Longhorn DCs.  The exception is for RODCs: first addition of an RODC will require a /RODCPREP action-but not necessary if you decide not to add RODCs.

DCPROMO

DCPROMO has been lifting weights.  Everyone is familiar with the unattended install options where you can provide an answer file to automate the promotion that we’ve had.   Longhorn builds on this.  For one thing, when you complete a promotion, you can choose to export the selections you chose in that promotion to an answer file for use with other similar promotions-all with the press of a button.

DCPROMO will also have the ability to use NTDSUTIL to create “seed” media for IFM (install from media) DCPROMOs, sanitized for RODC IFM specifically (if you choose), no passwords, or other sensitive data present.

Prestaging of DC accounts will also be an option.  You can run through DCPROMO to add a new DC (from another machine), then later rerun it from the actual machine you mean to promote.  This can help for RODC installs or if you’d like to prestage (and thereby limit) other particulars of the new DC’s details (like name or site for example).

Enhanced Reliability

DC promotions and demotions previously required reboots for nearly every step.  Efforts have been made to reduce the need for reboots for most actions.  In addition, Active Directory is a discrete, restartable or stoppable service on the DC in Longhorn.  In prior versions you could attempt to prevent some actions (like authentication or replication) by stopping the netlogon service, but this would not necessarily prevent all services from doing their jobs (like FRS for example).   Not with Longhorn-just stop the service for downtime if needed or to apply a fix.

Under the hood there is some added error correcting for some less common database page checksum problems which can occur.    Also, instead of FRS replication will be DFSR, with the compression it provides, as the new method for replicating SYSVOL to all replicas, including RODCs.

Disaster Recovery

An extremely cool concept: the Snapshot Browser.  This is the idea of using Volume Shadow Copy to do a snapshot of your directory and to store that info in the living AD as a reference for comparison purposes.  Though not a backup tool itself, this technique can be used to compare items following the recovery from a disaster to verify that all is as it was before the disaster.  The idea would be to take a snapshot using NTDSUTIL (which could be batched and ran periodically as a task) and be able to query it using traditional tools like ADSIEDIT.MSC or via a LDAP querying tool or method.  There’s also some discussion of a snapshot browser tool for selecting to “undelete” some objects if you aren’t in a full “restore everything” true disaster situation.

Globalization and Standards

Longhorn ADS will support IPV6 inherently for all roles (DNS Server, ADS, LDS et cetera).   For folks in regions it will be helpful in, phonetic sorting in the directory is being added (for language usage in Japanese for example).

DNS Server

AD will continue to rely on DNS and so some focus has been on making that experience better as well.  A new “Instant On” feature will prevent advertisement delays and service startup timing issues.  Another consideration is single label domain names being supported by use of a new “Global Names Zone”.

Also…teasers…

Improved directory auditing

DC locator site locality enhancements

So there we have a good overview of what you can expect with Longhorn AD.  It is not a comprehensive list (there’s more), but I hope it wets your appetite.

Now, let’s all recite the Microsoft blog poster mantra together:

These postings are provided "AS IS" with no warranties, and confer no rights.

I encourage you all to provide feedback on these features, as well as the accidental object deletion feature discussed in my prior post this month.  Your opinions matter, and your help is appreciated.    You can email me directly from this blog, or post your comment.

On a final note, it’s Valentine’s Day here in the USA, so I hope everyone has a significant other to enjoy the holiday with-Happy Valentine’s Day!

Published Sep 07, 2018
Version 1.0
No CommentsBe the first to comment