Here are my notes from today’s “Windows Server 2008 R2 Active Directory: What’s Coming Up?” session at IT Forum (TechEd EMEA IT Pro) by Robert DeLuca and Alain Lissoir.
Looks like this is going to be a pretty big release for the AD team with a lot of exciting features in it: recycle bin, managed service accounts, PowerShell… Here are some details:
Recycle bin:
The way this is implemented is that they are adding a new state the objects can be in (recycled, or whatever the name ends up being). So basically if you delete an account it gets recycled for 180 days, and then tombstoned for 180 days after that.
When an object is recycled you can restore it with all attributes (all backlinks, group membership – everything) as they were when the object was deleted.
- Big one: this functionality will require the 2008 R2 functional level.
- Minor one: there won’t be any admin UI for that, but the APIs are very simple, so getting a freeware utility (or PowerPack) is going to be an hour of work.
Managed Service accounts:
They have a new kind of domain account (derived from computer account objects): managed service accounts. Like computer accounts, these automatically get their passwords regenerated by Netlogon. The idea is that you can use these as service accounts on your member servers and not worry about failures when a password changes.
- In the R2 timeframe these accounts cannot span servers, i.e. one managed service account can be used on only one server (but for multiple services).
- At the moment Task Scheduler cannot use those. This might get fixed by the time R2 releases.
PowerShell:
They have about 80 PowerShell cmdlets and a provider (i.e. a drive-like representation). These rely on web services. Yes, the roadmap is to stop relying on LDAP and make web services the main API. The web services will ship with R2, but the plan is to make them a free download for 2003 and 2008.
The cmdlets can be used against AD, AD LDS (ADAM) or snapshots – like Quest’s cmdlets today. Overall a very similar syntax, which will provide a fairly easy transition path. Plus there are a few nice additional features like advanced server-side filters.
Overall, the team’s commitment was to (over time) move all tools and command-line utilities (like ntdsutil) to PowerShell.
The web services will be very much unified between AD and ILM v2 but cmdlets will not work against ILM v2 because the data model is different.
And, yes, PowerShell and AD cmdlets will be supported on Server Core.
The new UI for account management (replacing ADUC) is built on the new version of MMC – MUX – all other UIs will for the moment stay on the old MMC 3.0. MUX will only become available with R2, but after that (much like MMC 3.0 today) other Microsoft teams and 3rd parties will be able to start using it in their products.
This new UI will be based on PowerShell, but in the R2 timeframe it will not expose the code behind your clicks. However, eventually, in the post-R2 timeframe, there is a dream to make it PowerGUI-like, generating scripts for anything you do in the UI.
Offline domain join:
There will be a djoin command-line utility (not a cmdlet 😦). You can run it on any server in the domain and it will create the proper computer account in AD and output a blob for the subsequent client update. Then you can use that very same utility to import that blob into the client (or VHD) registry. Next time the client (Windows 7 or 2008 R2) boots up it will detect that blob and automatically join the domain (even if it is not on the network).
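The two halves of that procedure, as an added example (not from the session or from the product documentation): two PowerShell functions wrapping djoin.exe, one for the provisioning side and one for the client/VHD side. Domain name, machine name and file paths are placeholders, and the blob is treated as a credential because whoever holds it can complete the join as that computer account.

```powershell
# Added example, not from the session notes. Assumes djoin.exe (Windows 7 /
# Server 2008 R2) and a caller with rights to create computer accounts.

function New-OfflineJoinBlob {
    param(
        [Parameter(Mandatory)] [string] $Domain,       # placeholder, e.g. corp.example.com
        [Parameter(Mandatory)] [string] $MachineName,  # computer account to create
        [Parameter(Mandatory)] [string] $BlobPath,     # where the provisioning blob is written
        [string] $MachineOU                            # optional target OU (distinguished name)
    )
    # Provisioning side: run on any domain member with rights to create computer accounts.
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $MachineName, '/savefile', $BlobPath)
    if ($MachineOU) { $djoinArgs += @('/machineou', $MachineOU) }
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The blob is effectively the new computer account's credential: strip inherited
    # permissions and leave only the provisioning user with access until it is imported.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    & icacls.exe $BlobPath /inheritance:r /grant:r "${me}:F" | Out-Null
    return $BlobPath
}

function Import-OfflineJoinBlob {
    param(
        [Parameter(Mandatory)] [string] $BlobPath,
        # Windows directory of the target: $env:SystemRoot for the running OS, or the
        # Windows folder of a mounted VHD (placeholder: 'V:\Windows') for an offline image.
        [string] $WindowsPath = $env:SystemRoot,
        [switch] $LocalOS      # set when targeting the running OS rather than a mounted image
    )
    # Client side: writes the blob into the target registry; the join completes on next boot.
    $djoinArgs = @('/requestODJ', '/loadfile', $BlobPath, '/windowspath', $WindowsPath)
    if ($LocalOS) { $djoinArgs += '/localos' }
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

    # Once imported the file has done its job; do not leave the credential-equivalent lying around.
    Remove-Item -Path $BlobPath -Force
}

# Usage (placeholders): provision on a domain member, then import on the client.
# New-OfflineJoinBlob -Domain 'corp.example.com' -MachineName 'WS-0042' -BlobPath 'C:\odj\WS-0042.txt'
# Import-OfflineJoinBlob -BlobPath 'C:\odj\WS-0042.txt' -LocalOS
```

For a VHD, mount the image first and pass its Windows folder as -WindowsPath without -LocalOS; the join still completes on the image's next boot, even off the network.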
What is not going to be added or changed:
Will not change in R2 timeframe. They are considering revamping it (based on PowerShell) after R2.
They are not going to add dynamic security groups or policy-based access control (e.g. giving the London helpdesk the ability to reset passwords for London users) – like third-party products such as ActiveRoles Server provide today – anything policy-based is supposed to go into Identity Lifecycle Manager (ILM) v2.