Domain and Forest Upgrades Made Simple; DCPROMO Improvements
In addition to being able to clone VDCs, the upgrade and promotion process has been completely reworked and made far simpler. In Windows Server 8 AD, you can upgrade your domains and forest from a previous version to the Windows Server 8 version entirely from Server Manager. Unlike with previous versions, you don’t have to log on to different DCs with different sets of credentials, find the right version of ADPREP, run /FORESTPREP in the forest, run /DOMAINPREP in each domain, and choose when to update SYSVOL—it’s all taken care of for you. (If you do want to run an a la carte upgrade step by step, that’s still available.) The DCPROMO process has also been simplified and includes significant built-in troubleshooting, because this area was one of the highest call generators to Microsoft’s Customer Service and Support (CSS) division.
Active Directory Administrative Center PowerShell History Viewer
The third goal of Windows Server 8 AD is to make it easier to manage. In keeping with the pervasive PowerShell management theme found throughout the OS, it’s now possible to do pretty much any administrative task in AD with PowerShell. Since PowerShell has increased its coverage of administrative tasks from 200 to more than 2,300 cmdlets, this actually makes your life easier because instead of having to script up a number of PowerShell cmdlets to get something done, you can very probably find a dedicated cmdlet for what you want to do.
Although other AD actions have been PowerShell-ized, interestingly the AD Recycle Bin (a welcome addition to Windows Server 2008 R2 that was PowerShell only) has gained a GUI. Personally, I’m all for a Recycle Bin GUI; when someone has fat-fingered an account or group into oblivion, no one wants to spend time looking for the PowerShell syntax to restore it!
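For reference, the PowerShell-only restore path that the new GUI wraps looks roughly like this. This is an added example, not code from the original article or from Microsoft; the helper name Restore-DeletedAdAccount and the account name jdoe are hypothetical, and it assumes the ActiveDirectory module is installed.

```powershell
# Added example: restore one deleted account from the AD Recycle Bin.
# Needs the ActiveDirectory module and rights to reanimate deleted objects.
Import-Module ActiveDirectory

function Restore-DeletedAdAccount {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Restrict input to plain account-name characters so it is safe inside the filter string.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9._$-]{1,20}$')]
        [string]$SamAccountName
    )

    # The Recycle Bin must have been enabled before the deletion happened;
    # without it, deleted objects are tombstones stripped of most attributes.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) {
        throw 'The AD Recycle Bin is not enabled in this forest.'
    }

    # Deleted objects are hidden unless -IncludeDeletedObjects is given.
    $deleted = @(Get-ADObject -IncludeDeletedObjects `
        -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
        -Properties sAMAccountName, lastKnownParent, whenChanged)

    if ($deleted.Count -eq 0) {
        Write-Warning "No deleted object with sAMAccountName '$SamAccountName' was found."
        return
    }
    if ($deleted.Count -gt 1) {
        # The same name was deleted more than once: show the candidates, do not guess.
        $deleted | Sort-Object whenChanged -Descending |
            Select-Object ObjectGUID, whenChanged, lastKnownParent | Out-Host
        throw "Multiple deleted objects match '$SamAccountName'; restore by ObjectGUID."
    }

    $obj = $deleted[0]
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore to $($obj.lastKnownParent)")) {
        # Identify the object by GUID; its distinguished name was mangled on deletion.
        Restore-ADObject -Identity $obj.ObjectGUID -PassThru
    }
}

# Dry run first: -WhatIf reports what would be restored without changing the directory.
Restore-DeletedAdAccount -SamAccountName 'jdoe' -WhatIf
```

If the object's last known parent container was deleted too, restore the parent first or pass -TargetPath to Restore-ADObject to restore into a different container.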
Additionally, the Windows Server 8 Active Directory Administrative Center (ADAC) has a new pane at the bottom called the PowerShell History Viewer. Although it’s hidden by default, you can expand the History Viewer pane to see what PowerShell commands are executed “under the covers” as a result of the actions you’re taking in ADAC. This way, you can learn the syntax of AD-related PowerShell cmdlets by watching them flow by. You can also easily copy the cmdlets to paste them into a script of your own, or combine cmdlets into tasks with the Tasks feature in the pane. The history is retained between ADAC sessions, so you can go back days to find the syntax of a particular command you ran a while ago. By the way, the venerable Active Directory Users and Computers (ADUC) console isn’t going away any time soon because it has extensibility that ADAC currently lacks, but ADUC isn’t being enhanced. An appropriate maxim might be, “ADUC is dead; long live ADAC!”
AD-Integrated Product Activation
Another feature that falls under the “easy to manage” goal is something that simply makes sense: Product activation now uses AD instead of a separate infrastructure. It uses LDAP for communication with its clients instead of RPC, and no data is written back to the directory. You won’t be getting rid of KMS for a while, though, as it’s still required for down-level (i.e., everything that’s in production today) licensing.
AD FS Takes One More Step Toward Integration
Active Directory Federation Services (AD FS) has become a little more integrated into the mainstream server bits than its previous releases. In Windows Server 8, AD FS is installed as a role within Server Manager instead of as a downloadable add-on. It hasn’t yet taken the much larger architectural step of becoming an AD component, but it’s a step in the right direction. With the addition of claims into the Kerberos token (see "Exploring Windows Server 8 Dynamic Access Control"), AD FS will be able to extract and use these claims from the token, and also use static device claims (such as what department a notebook belongs to).
Active Directory and Dynamic Access Control
Finally, Windows Server 8 AD is an integral component of a huge new feature in the identity and security area for the OS: Dynamic Access Control, a far more powerful, flexible, and natural way of managing access to files on NTFS volumes. You can find more information about this authorization engine in my related article, "Exploring Windows Server 8 Dynamic Access Control."
Windows Server 8 Active Directory has made a number of much-appreciated improvements in virtualization, deployment, and management designed to ease the frustration and support headaches of the tens of thousands of IT pros who aren’t dedicated AD specialists. These improvements help to “lower the friction of deployment” of Windows Server (to quote Jeffrey Snover). And many smaller changes to AD are underpinnings for a wide variety of new features in the OS. As the product goes into full beta, it’ll be interesting to see what tweaks and adjustments are made to one of Microsoft’s most widely deployed enterprise applications.