A great new feature in 2008 is the ability to replicate SYSVOL using DFS Replication. DFS replication is much more powerful and (IMO) easier to troubleshoot than FRS. It was a great improvement in 2003 r2, and it is great that we can now use it on SYSVOL!
Ned Pyle at Technet has a great article about verifying on his blog
A limitation of Active Directory that I have always found to be extremely aggravating is the Password and Account lockout policy.
You could only set one for the domain..any other policy defined at the OU level would be applied to local accounts only.
How many times did I wish I could set a different password policy for service accounts ! I had to decide between relying on people to use good service account passwords or forcing end-users to use insane passwords. So we had to trust the people creating the service accounts..
Different departments requiring different policies for auditing purposes were also a reason to setup a separate domain. That means at least two new servers, more management time..ew!
In 2008, if you are running AD in Windows 2008 Native mode, you can now create PSOs (Password Settings Objects) and therefore apply different password policies to different security groups!
This is absolutely awesome and is a very good argument to migrate to 2008.
See this Technet article about Password Settings Objects/Fine-grained password policies , and use this great tool (PSOMgr from Joeware) to play with the settings, instead of using Adsiedit.
I wonder when Microsoft will have a nice interface to create these..
Oh yeah, and my other favorite reason is Read-Only DCs..let’s say they both rank as #1 reasons 
1 Virtual machine running 2003 sp1 as a DC+File server
1 Virtual Machine running 2003 sp1 as a member server
1 Other Windows 2003 sp1 machine that will act as a second DFS host later on
DFS Root and target folder located on the DC. It shares a folder that contains about 5600 sub folders, but no files for our test.
Removing an ACE from the ACL at the top takes about 3seconds. Forcing it to re-apply on all subfolders took about 30seconds.
Adding an ACE and saving the ACL took approximately 210 seconds.
Removing the same ACE and saving took exact 202 seconds (I had the patience to really watch it until it was done this time!)
Adding an ACE and saving the ACL took approximately 225 seconds.
Removing the same ACE and saving took 208 seconds
Adding an ACE and saving the ACL took exactly 498 seconds!
Removing the same ACE and saving took 492 seconds !
Adding an ACE and saving the ACL took approximately 119 seconds
Removing the same ACE and saving took approximately 90 seconds
Obviously, setting ACLs locally on the file server is about 67 times faster in my case. Not really a surprise.
On a brand new, best-of-worlds system, setting ACLs through a DFS path is not much longer than with the direct SMB Path of the target. The differences in my test are too small to say there is even a difference, as this is not a 100% controlled environment.
However, setting the same ACLs on a share that is not part of DFS is close to twice as fast.
Notes
If you’re using Windows 2003 with no SP or Windows XP sp1, download this .
My test was done on 2003 sp1 servers, since this is what I had installed right now for compatibility with a client’s system. However, DFS was much improved in 2003 R2, especially regarding DFS replication VS FRS. I would expect performance to be better on an R2 system, and I will run the test when I get the chance to ! Maybe the difference will be smaller..who knows!
