17 Jan

Active Directory Domain Services and Windows Server 2008 R2 Service Pack 1

I’ve been doing some research on the changes to Active Directory Domain Services in Windows Server 2008 R2 Service Pack 1. Although Windows Server 2008 R2 SP1 is still not RTM, there are many useful resources available. Here’s a summary of the changes specific to AD DS in Windows Server 2008 R2 Service Pack 1:

  1. Support for Managed Service Accounts (MSAs) in secure branch office scenarios

     SP1 enables enhanced support for managed service accounts (MSAs) to be used on domain-member services located in perimeter networks (also known as DMZs or extranets).

     Prior to SP1, there is a known issue whereby you cannot create or delete managed service accounts in a perimeter network. This requires a very specific scenario:

     • You configure a perimeter network.
     • The only domain controllers that this network contains are RODCs.
     • You try to add or remove MSAs on a computer that is running Windows Server 2008 R2 or Windows 7.
     • This computer is located in the perimeter network.

     In this scenario, you cannot create or delete MSAs. The reason is that MSAs do not support RODCs; MSAs require a writable domain controller. Microsoft released a hotfix to address this issue, and Windows Server 2008 R2 SP1 now includes the fix as well. After you install Windows Server 2008 R2 SP1, RODCs know how to forward MSA operations on to a writable domain controller.

  2. Support for increased volume of authentication traffic on domain controllers connected to high-latency networks

     As a greater volume of IT infrastructure migrates to cloud-based services, there is a need for higher thresholds of authentication traffic to domain controllers located on high-latency networks (such as the public Internet). SP1 allows more granular control of the maximum number of concurrent connections to a domain controller, enabling a greater degree of performance tuning for service providers.

     Prior to SP1, there is a known issue whereby a time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2, Windows 7, Windows Server 2008, or Windows Vista over a high-latency network. This too requires a specific scenario:

     • There is a high-latency network between a domain controller and a computer that is running Windows Server 2008 R2, Windows 7, Windows Server 2008, or Windows Vista.
     • Many NTLM authentication requests must be sent to the domain controller.

     In this scenario, some NTLM authentication requests fail and generate a time-out error. Netlogon uses a setting, MaxConcurrentAPI, to control the maximum number of simultaneous calls over a secure channel. Prior to Windows Server 2008 R2 SP1, MaxConcurrentAPI had a maximum limit of 10, so effectively at most 10 concurrent connections between a client computer and a domain controller were supported. In the scenario above this is not sufficient and usually results in a time-out error. Microsoft released a hotfix to address this issue, and Windows Server 2008 R2 SP1 now includes the fix as well. After installing Windows Server 2008 R2 SP1, the maximum value is 150.
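As an added example (not from the post or from Microsoft), the following PowerShell checks a domain controller for the MaxConcurrentAPI condition described above: it reads the Netlogon MaxConcurrentApi value (the registry path is assumed, not stated in the post), queries the per-secure-channel Netlogon semaphore performance counters that ship with the hotfix/SP1, flags channels that have logged semaphore time-outs, and provides a helper to raise the limit within the post-SP1 ceiling of 150.

```powershell
# Assumed, not from the post: Netlogon reads its limit from this REG_DWORD value.
$NetlogonKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$DefaultLimit = 10    # effective limit when the value is absent; hard ceiling before SP1
$Sp1Ceiling   = 150   # ceiling once SP1 (or the hotfix) is installed, per the post

function Get-MaxConcurrentApi {
    $p = Get-ItemProperty -Path $NetlogonKey -Name MaxConcurrentApi -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $DefaultLimit }
    return [int]$p.MaxConcurrentApi
}

function Get-NetlogonSemaphoreStats {
    # Per-secure-channel counters; only present once the hotfix/SP1 is installed.
    try {
        $samples = (Get-Counter -Counter '\Netlogon(*)\Semaphore Timeouts',
                                         '\Netlogon(*)\Semaphore Waiters' -ErrorAction Stop).CounterSamples
    } catch {
        Write-Warning 'Netlogon counters unavailable; this host likely predates the hotfix/SP1.'
        return @()
    }
    $samples | Where-Object { $_.InstanceName -ne '_total' } |
        Group-Object -Property InstanceName | ForEach-Object {
            $g = $_.Group
            New-Object PSObject -Property @{
                SecureChannel = $_.Name
                Timeouts = @($g | Where-Object { $_.Path -like '*Semaphore Timeouts' })[0].CookedValue
                Waiters  = @($g | Where-Object { $_.Path -like '*Semaphore Waiters' })[0].CookedValue
            }
        }
}

function Set-MaxConcurrentApi([int]$Value) {
    if ($Value -lt 1 -or $Value -gt $Sp1Ceiling) {
        throw "MaxConcurrentApi must be 1..$Sp1Ceiling (got $Value)"
    }
    New-ItemProperty -Path $NetlogonKey -Name MaxConcurrentApi -PropertyType DWord -Value $Value -Force | Out-Null
    Restart-Service -Name Netlogon   # the new limit takes effect only after Netlogon restarts
}

# Report: a non-zero Semaphore Timeouts count on a channel means callers gave up waiting
# for one of the MaxConcurrentApi slots, i.e. the time-out symptom described in the post.
$limit = Get-MaxConcurrentApi
"Current MaxConcurrentApi: $limit"
foreach ($s in Get-NetlogonSemaphoreStats) {
    $flag = if ($s.Timeouts -gt 0) { 'RAISE LIMIT' } else { 'ok' }
    '{0,-30} timeouts={1,-6} waiters={2,-4} {3}' -f $s.SecureChannel, $s.Timeouts, $s.Waiters, $flag
}
```

Run it elevated on the domain controller (or on the member server, whose own Netlogon counters show its side of the secure channel); call Set-MaxConcurrentApi only on hosts that already have SP1 or the hotfix, since earlier builds ignore values above 10.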

In addition to these two ‘added support’ changes, there are several hotfixes included in Windows Server 2008 R2 SP1 that apply directly and indirectly to Active Directory Domain Services. For more details on these, have a read through “SP1 and Directory Services: What’s New” on the Ask the Directory Services Team blog.

Here are some additional links you may find useful:
