High Quality
Open the downloaded document, and select print from the file menu (PDF reader required).
Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2 (Beta)Updated: January 9, 2009The Windows Server® 2008 R2 operating system includes changes toWindows Server® 2008 features and technologies that help improve the security of computers running Windows Server 2008 R2, increase productivity, and reduceadministrative overhead. The following topics describe some of these features andtechnologies.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
What's New in Windows Search, Browse, and OrganizationWhat's New in Active Directory Certificate ServicesUpdated: December 31, 2008
What are the major changes?
Active Directory® Certificate Services (AD CS) in Windows Server® 2008 R2introduces features and services that allow more flexible public key infrastructure (PKI)deployments, reduce administration costs, and provide better support for Network AccessProtection (NAP) deployments.The AD CS features and services in the following table are new in WindowsServer 2008 R2.
FeatureBenefit
Certificate Enrollment Web Service andCertificate Enrollment Policy Web ServiceEnables certificate enrollment over HTTP.Support for certificate enrollment acrossforestsEnables certification authority (CA)consolidation in multiple-forest deployments.Improved support for high-volume CAsReduced CA database sizes for some NAPdeployments and other high-volume CAs.
Certificate Enrollment Web Service and CertificateEnrollment Policy Web Service
The certificate enrollment Web services are new AD CS role services that enable policy- based certificate enrollment over HTTP by using existing methods such asautoenrollment. The Web services act as a proxy between a client computer and a CA,which makes direct communication between the client computer and CA unnecessary,and allows certificate enrollment over the Internet and across forests.
Who will be interested in this feature?
Organizations with new and existing PKIs can benefit from the expanded accessibility of certificate enrollment provided by the certificate enrollment Web services in thesedeployment scenarios:
•
In multiple-forest deployments, client computers can enroll for certificates fromCAs in a different forest.
•
In extranet deployments, mobile workers and business partners can enroll over theInternet.
Are there any special considerations?
The Certificate Enrollment Web Service submits requests on behalf of client computersand must be trusted for delegation. Extranet deployments of this Web service increase thethreat of network attack, and some organizations might choose not to trust the service for delegation. In these cases, the Certificate Enrollment Web Service and issuing CA can beconfigured to accept only renewal requests signed with existing certificates, which doesnot require delegation.The certificate enrollment Web services also have the following requirements:
•
Active Directory forest with Windows Server 2008 R2 schema.
•
Enterprise CA running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
•
Certificate enrollment across forests requires an enterprise CA running theEnterprise or Datacenter edition of Windows Server.
•
Client computers running Windows® 7.
Which editions include this feature?
The certificate enrollment Web services are available in all editions of WindowsServer 2008 R2.
Support for certificate enrollment across forests
Before the introduction of enrollment across forests, CAs could issue certificates only tomembers of the same forest, and each forest had its own PKI. With added support for LDAP referrals, Windows Server 2008 R2 CAs can issue certificates across forests thathave two-way trust relationships.
Who will be interested in this feature?
Organizations with multiple Active Directory forests and per-forest PKI deployments can benefit from CA consolidation by enabling certificate enrollment across forests.
Are there any special considerations?
•
Active Directory forests require Windows Server 2003 forest functional level andtwo-way transitive trust.
•
Client computers running Windows XP, Windows Server 2003, andWindows Vista® do not require updates to support certificate enrollment acrossforests.
Which editions include this feature?
Add a Comment