Jeff's Connected Corner

Windows Server System news and real-world info

Longhorn: Three Favorite AD Improvements


Well... we all know what Josh thinks about the new Longhorn bits. I, on the other hand, have decided to blog about my three favorite Active Directory enhancements. I know they don't hold a candle to "Aero on a server"... but hopefully I'll break the 100 reader mark anyway.

1.) "Restartable" Active Directory Service: In previous versions of Windows Server, you had to reboot the server into Directory Services Restore Mode (DSRM) to perform maintenance on the Active Directory database. Such maintenance might include an offline defrag, or an authoritative restore of one or more objects. Rebooting into DSRM was necessary because there wasn't any other way to take AD offline. That's about to change with Longhorn Server: the directory now runs as a Windows service that can be stopped and started while the box stays up and on the network (this build calls it the 'Domain Controller' service; the shipping product names it 'Active Directory Domain Services', service name NTDS, and stopping it also stops the dependent services such as the KDC, Netlogon and DNS Server). Take a look at the screen shot below to see the new 'Domain Controller' service:

There are quite a few new scenarios enabled by this change, but I'll give you my personal favorite. Let's just say you're cruising around in AD Users and Computers and accidentally delete the wrong object (say, the CEO instead of the maintenance guy). If you have a Domain Controller in another site, the deletion won't reach it until the next scheduled intersite replication (every 180 minutes by default), so for a while that DC still holds a live copy of the account. You can remotely stop the 'Domain Controller' service on that machine (via the Services MMC or the command line), mark the CEO's user account as authoritative with ntdsutil, and start the service again before anyone even notices. The one thing to check first is that the deletion really hasn't replicated to that DC yet; the safest move is to disable inbound replication on it the moment you realize what you've done, because once the tombstone arrives you're back to restoring from backup. Granted, this is possible today... but the time required to reboot into DSRM, and the work-around required to gain remote access to a machine in DSRM, should help you appreciate how cool this new feature really is. However, if you're not lucky enough to have more than one AD site, then you're in for some more work (i.e. DSRM, restore from tape, authoritative restore, etc.). Maybe it's time for another AD site, even if it's just a 'pretend' site in the same physical location; it's the replication delay between sites that buys you the window. Give it some thought -- it might save your rear end one day.
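Here is what that recovery looks like end to end, as an added example in PowerShell (it is not code from the original post). It assumes you run it on the second-site DC itself, that the shipping service name NTDS is in use rather than the beta's 'Domain Controller', that you are a Domain Admin, and that the DC name and the deleted account's DN are constructed placeholders.

```powershell
# Added example (not from the original post): recover an object that was
# deleted on DC1 by using DC2, a DC in another site that has not yet received
# the deletion. Run this ON DC2 as a Domain Admin.
# $Dc and $DN are constructed placeholders.
$Dc = 'dc2.contoso.com'
$DN = 'CN=John Doe,OU=Executives,DC=contoso,DC=com'

# 1. Stop inbound replication to DC2 right away so the deletion cannot arrive
#    while you work (the default intersite interval is 180 minutes, so there
#    is usually a window, but not a guaranteed one).
repadmin /options $Dc +DISABLE_INBOUND_REPL

# 2. Confirm the object is still live on DC2. If the tombstone already
#    replicated, the original DN no longer exists and this trick cannot work;
#    undo step 1 and go to the backups instead.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dc/$DN")) {
    repadmin /options $Dc -DISABLE_INBOUND_REPL
    throw "$DN is already gone on $Dc; restore from backup instead."
}

# 3. Stop AD DS without rebooting into DSRM. Remember which dependent
#    services (KDC, Netlogon, DNS Server, ...) were running so they can be
#    brought back afterwards; -Force stops them along with NTDS.
$deps = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service NTDS -Force

# 4. Mark the object authoritative. ntdsutil bumps the attribute version
#    numbers so DC2's copy wins when replication resumes. Type these at the
#    ntdsutil prompt on DC2 (the DN must match the placeholder above):
#      ntdsutil
#      activate instance ntds
#      authoritative restore
#      restore object "CN=John Doe,OU=Executives,DC=contoso,DC=com"
#      quit
#      quit

# 5. Bring AD DS and its dependents back, re-enable replication, and push
#    the authoritative copy out to the other DCs.
Start-Service NTDS
$deps | Start-Service
repadmin /options $Dc -DISABLE_INBOUND_REPL
repadmin /syncall $Dc /AeP
```

Step 2 is the check that makes or breaks this: an authoritative restore only helps if the DC you stopped still has the live object, which is why the "pretend" second site with a slow replication schedule is worth having.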

2.) Improved Directory Services Auditing:  This definitely isn't as sexy as Aero on a server... but for anyone dealing with internal/external auditors, Microsoft is about to make your life a lot easier.  With the proper settings in place (the new 'Directory Service Changes' audit subcategory enabled, plus a SACL on the objects you care about that audits successful property writes; the subcategory alone logs nothing), it is now possible to see not only who made a change to what AD object, and when... but also the old and new values.  For example, let's say I change the description of John Doe's account from Maintenance Guy to CEO.  With Longhorn Server, I'll see two events in the Security Event Log with an ID of 5136: one 'value deleted' event carrying the old value, and one 'value added' event carrying the new value.  The important new information is in the details, as seen below (before and after screen shots - click to expand).  Very cool... in a geeky kind of way.
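As an added example (not from the original post), the following PowerShell turns that auditing on and then pairs the two 5136 events back into a single before/after line, which is what you actually hand to an auditor. It assumes Windows PowerShell 3.0 or later on a domain controller, Domain Admin rights, and a constructed OU DN; the event field names and the %%14674 / %%14675 operation codes are the ones event 5136 uses.

```powershell
# Added example, not from the original post. Enable directory-change auditing
# and reconstruct before/after values from Security event ID 5136.
# Assumptions: Windows PowerShell 3.0+ on a DC, run as a Domain Admin;
# the OU DN is a constructed placeholder.

# 1. Turn on just the subcategory that produces 5136 (Success is what you want).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. The subcategory alone logs nothing; the objects also need a SACL that
#    audits successful property writes. This adds "Everyone: Write all
#    properties, Success" on the OU and everything beneath it. SecurityMasks
#    must include Sacl or the DirectoryEntry never reads or writes the audit
#    part of the security descriptor.
$ou = [adsi]'LDAP://OU=Staff,DC=contoso,DC=com'
$ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl,Sacl'
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$ou.psbase.ObjectSecurity.AddAuditRule($rule)
$ou.psbase.CommitChanges()

# 3. Pull the 5136 events and pair the "value deleted" record (old value)
#    with the "value added" record (new value) that share one operation ID.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue
$changes = foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    # OperationType %%14674 = Value Added, %%14675 = Value Deleted
    $op = if ($d.OperationType -eq '%%14674') { 'Added' } else { 'Deleted' }
    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Who       = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Object    = $d.ObjectDN
        Attribute = $d.AttributeLDAPDisplayName
        Value     = $d.AttributeValue
        Op        = $op
        OpId      = $d.OpCorrelationID
    }
}
$changes | Group-Object OpId | ForEach-Object {
    $first = $_.Group[0]
    $old   = ($_.Group | Where-Object { $_.Op -eq 'Deleted' } | Select-Object -First 1).Value
    $new   = ($_.Group | Where-Object { $_.Op -eq 'Added'   } | Select-Object -First 1).Value
    '{0} {1} changed {2} on {3}: "{4}" -> "{5}"' -f $first.Time, $first.Who, $first.Attribute, $first.Object, $old, $new
}
```

For the description change in the text, the output is a single line reading something like `... CONTOSO\jeff changed description on CN=John Doe,...: "Maintenance Guy" -> "CEO"`, reconstructed from the two raw events.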

3.) Read-Only Domain Controller:  Last, but certainly not least, is the new Read-Only Domain Controller.  This role is perfect for branch office environments with limited physical security (e.g. manufacturing facility, retail location, etc.).  As we all know, current Active Directory DCs maintain read/write copies of the entire directory.  This means that one compromised DC could result in the loss or corruption of an entire domain (and in some cases, even the forest).  So the rule-of-thumb has always been to only install DCs in a locked and monitored server room (sorry, the telco closet doesn't count).  I'm not saying everyone follows this rule, but it is highly recommended.

Now, with Read-Only as an option, you can feel free to install DCs just about anywhere.  An RODC holds a read-only copy of the directory that, by default, leaves out account secrets (password hashes and the like) - so an offline attack against a stolen RODC won't yield any credentials, and because replication is one-way, nothing done to the RODC's copy can be pushed back into the domain.  However, this also means the RODC has to forward every authentication request across the WAN to a read/write DC (and if the link is down, nobody at the branch logs on).  If you feel comfortable taking a little risk - you can configure the Read-Only DC's Password Replication Policy to cache passwords for a limited group of users (say, user accounts in the retail location containing the Read-Only DC); the built-in 'Denied RODC Password Replication Group' already keeps Domain Admins, Enterprise Admins, krbtgt and the other high-value accounts out no matter what you allow.  Either way, the choice is entirely up to you.  And AD Users and Computers even has a new tab that shows which (if any) Read-Only DCs contain a copy of a user's credentials, which is exactly the list of accounts to reset if that RODC ever walks out the door (ADUC offers to do that for you when you delete the RODC's computer account).  Again... very cool.
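As an added example (not from the original post), here is how you would scope an RODC's password caching to one branch and then verify that nothing privileged is actually cached on it, using the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 and later RSAT. The RODC, group and writable DC names are constructed placeholders.

```powershell
# Added example, not from the original post. Scope an RODC's Password
# Replication Policy to one branch's users, pre-populate their secrets, and
# check that nothing privileged ends up cached on the branch box.
# Assumptions: ActiveDirectory module (Windows Server 2008 R2 / RSAT or later),
# run as a Domain Admin; $rodc, $group and $writableDc are placeholders.
Import-Module ActiveDirectory
$rodc       = 'RODC-STORE12'
$group      = 'Store12-Users'        # site-local group allowed to cache
$writableDc = 'DC1.contoso.com'

# 1. Allow caching only for this group. Accounts not on the Allowed list are
#    never cached, and the built-in Denied RODC Password Replication Group
#    (Domain Admins, Enterprise Admins, krbtgt, ...) always wins over Allowed.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# 2. Pre-populate the secrets so the first branch logon does not need a WAN
#    round trip to a writable DC (repadmin /rodcpwdrepl pulls them one account
#    at a time, and only for accounts the policy allows).
Get-ADGroupMember -Identity $group | ForEach-Object {
    repadmin /rodcpwdrepl $rodc $writableDc $_.DistinguishedName | Out-Null
}

# 3. List what is actually cached ("revealed") on the RODC. If the RODC is
#    stolen, this list is exactly what an offline attacker gets, so flag any
#    account that is a direct member of a high-value group.
$privSids = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
            'Administrators', 'Account Operators' |
    ForEach-Object { Get-ADGroup -Filter "Name -eq '$_'" } |
    ForEach-Object { $_.SID.Value }

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    ForEach-Object {
        $acct   = $_
        $groups = Get-ADPrincipalGroupMembership -Identity $acct |
                  Where-Object { $privSids -contains $_.SID.Value }
        $flag   = if ($groups) { 'PRIVILEGED' } else { 'ok' }
        '{0,-10} {1}' -f $flag, $acct.DistinguishedName
    }
```

Step 3 is the one to run on a schedule: the Allowed list is a policy, but the revealed list is the ground truth of what a thief would walk away with, and the check above only looks at direct group membership, so nested admin groups still need a manual look.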

That's enough fun stuff for today.  Leave me a comment if you have any questions or concerns.  And by all means, download and install Longhorn Server at your earliest convenience.  Right now it's kind of a stealth product... not much hype, but a lot of new features.  I hope they keep it that way.  We don't need another Vista anytime soon. ;)

Published Dec 21 2006, 12:34 PM by Jeff

Comments


Andy319 said:

Hehe. Return of the BDC!

March 25, 2007 8:24 PM

Jeff said:

Andy319... interesting thought.  True in the sense that the RODC is read-only like the NT BDC.  However, the NT BDC also contained a full copy of the SAM database and could be used to compromise an entire domain.  One of the great things about the RODC is the ability to cache some or none of the logon credentials depending on your security posture.  But still - I agree that it is a funny throw-back to the NT BDC :)

March 26, 2007 8:40 AM


About Jeff

Jeff Centimano is a Windows Server MVP based in Fairway, KS (USA). In addition to blogging and freelance technical writing for Microsoft, Jeff leads the KC-MEC User Group (kcmec.org) and assists with various site duties here at WindowsConnected.com. Jeff has been in the IT industry since 1994 and is currently a Solutions Architect at EMC Global Services.