
Monthly Archives: February 2012

Advantages of Windows Server 2008 Domain Functional Level

When we raise the Domain Functional Level to Windows Server 2008, we get all the features of the Windows Server 2003 domain functional level plus the following added features:

1- Distributed File System Replication support for SYSVOL.

2- Advanced Encryption Standard Support for the Kerberos protocol.

3- Last Interactive Logon Information: Last Interactive Logon information is useful for auditing purposes and also helps detect brute-force attacks against user accounts.

The Group Policy setting that displays information about previous logons during the user logon process is found at the following location: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Logon, as displayed below:

Last Interactive Logon records the following four items:

a- Total number of failed logon attempts.

b- The time of the last failed logon attempt.

c- The time of the last successful logon attempt.

d- Total number of failed logon attempts since the last successful logon.

4- Fine-grained Password Policies: Fine-grained password policies enable administrators to create multiple password and account lockout policies within a single domain. This means we can now define password policies for specific users or groups as well. The ADSI Edit tool is required to implement fine-grained password policies.
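As an added example (not part of the original post), the PowerShell below reads the four Last Interactive Logon values described above from the user attributes that store them, and reports enabled accounts with repeated failures since their last successful logon. It assumes the Active Directory PowerShell module (RSAT on Windows Server 2008 R2 or later) and that the logon-information policy is already enabled, since domain controllers only populate these attributes when that policy is in effect.

```powershell
# Added example, not from the original post. Assumes the Active Directory PowerShell
# module (RSAT / Windows Server 2008 R2 or later) and that the "Display information
# about previous logons during user logon" policy applies to the logon computers,
# because DCs only populate these attributes when that policy is in effect.
Import-Module ActiveDirectory

# The four values the logon screen shows are stored on the user object in these attributes.
$LastLogonAttributes = @(
    'msDS-LastSuccessfulInteractiveLogonTime',               # FILETIME, Int64
    'msDS-LastFailedInteractiveLogonTime',                   # FILETIME, Int64
    'msDS-FailedInteractiveLogonCount',                      # running total of failures
    'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'  # snapshot of that total at the last success
)

function ConvertFrom-AdFileTime {
    param($Value)
    # Missing or zero means the DC has never recorded this event for the account.
    if (-not $Value) { return $null }
    return [DateTime]::FromFileTime([Int64]$Value)
}

function Get-LastInteractiveLogonReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$FailedThreshold = 5   # flag accounts with this many failures since their last success
    )
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $LastLogonAttributes |
        ForEach-Object {
            $total  = [int]($_.'msDS-FailedInteractiveLogonCount')
            $atLast = [int]($_.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon')
            [pscustomobject]@{
                SamAccountName         = $_.SamAccountName
                LastSuccessfulLogon    = ConvertFrom-AdFileTime $_.'msDS-LastSuccessfulInteractiveLogonTime'
                LastFailedLogon        = ConvertFrom-AdFileTime $_.'msDS-LastFailedInteractiveLogonTime'
                TotalFailedLogons      = $total
                # "Unsuccessful logons since last successful logon", as shown to the user at logon
                FailedSinceLastSuccess = $total - $atLast
            }
        } |
        Where-Object { $_.FailedSinceLastSuccess -ge $FailedThreshold } |
        Sort-Object FailedSinceLastSuccess -Descending
}

# Report enabled accounts in the domain with five or more failures since their last good logon.
Get-LastInteractiveLogonReport | Format-Table -AutoSize
```

Run it from an account that can read user objects; accounts that have never logged on interactively since the policy was enabled show empty timestamps and zero counts.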


Windows Server 2008 Active Directory Restoration

There are two modes of restoring Active Directory in Windows Server 2008:

1- Non-Authoritative Restoration

2- Authoritative Restoration

Non-Authoritative Restore – This is the most common method of restoring Active Directory. When we use this method, all the settings on the server are restored from the backup, and after the restoration the latest Active Directory updates are replicated in from the other domain controllers.

On Windows Server 2008, we can use the Windows Server Backup utility, Directory Services Restore Mode, or wbadmin to do a non-authoritative restore on a domain controller; Windows Server Backup is the easiest way.

Authoritative Restore – This method of restoration is used when we want to restore a single object or even the entire Active Directory. During this restore, the data that needs to be restored is marked as current, which prevents replication from overwriting it. An authoritative restore increases the Update Sequence Number (USN) of the restored data by 10,000 or more so that all other DCs know to use this copy of the object in replication.

An authoritative restore is performed together with a normal restore (a non-authoritative restore), after which NTDSUTIL is used to carry out the remaining steps.

Case Scenarios:

For Non-Authoritative Restore: When a domain controller is dead due to hardware or OS failure and we need to restore it from backup, we use a non-authoritative restore. It brings Active Directory back to the state of the last backup, and after the restoration the latest updates are replicated from the fellow domain controllers.

For Authoritative Restore: If for some reason an object such as an OU (Organizational Unit) is accidentally deleted from Active Directory and we need to get it back, we cannot simply use a non-authoritative restore. Once the OU has been deleted, the ongoing replication between domain controllers propagates that deletion to every Active Directory server in the domain. If we only perform a non-authoritative restore, we still will not get the deleted OU back, because the restored domain controller replicates from the fellow domain controllers, which have already replicated the deletion. So, in this case, we do a non-authoritative restore followed by NTDSUTIL, which marks the deleted object in the backup as current. This means that after the restore everything is replicated from the fellow domain controllers except the data we marked as current through NTDSUTIL, i.e. the OU.

In this article, I have focused only on the prime difference between authoritative and non-authoritative restore; in coming blog posts I will try to explain the whole Active Directory restoration process.
