
Get IT Done: Improvements in the Windows 2003 Active Directory

A list of improvements in Microsoft Windows Server 2003 Active Directory


Whether you're currently using Windows NT Server or Windows 2000 Server, you'll probably appreciate all of the new Active Directory features found in Windows Server 2003. Although the Windows 2000 Active Directory is stable and seems to work well, Microsoft has learned a lot in the last three years about what can be improved, and has implemented those improvements into Windows Server 2003's Active Directory. Generally speaking, if you can find your way around the Windows 2000 Active Directory, you should feel right at home with Windows Server 2003. If you're currently using Windows NT Server though, Active Directory might feel completely foreign to you. Here are some of the enhancements that Microsoft has made to Active Directory.

For Windows NT Server users only
If you're still using Windows NT Server, there are numerous reasons for upgrading to Windows Server 2003. Perhaps the most compelling reason is that, for the most part, Microsoft has stopped supporting Windows NT Server. Entire books have been written about Active Directory, so I can't possibly tell you every benefit in such a limited amount of space. What I can tell you, though, is that once you learn how Active Directory works, it will make your life a lot easier.

Active Directory allows you to easily move users between domains, and, for the most part, it completely removes the need for complex trust relationships. Active Directory also uses a mechanism called Sites to effectively manage network traffic over slow WAN links. You'll find that Active Directory even does away with that pesky 40,000-user-per-domain limit.

Of course, all of the enhancements that I just mentioned already existed in Windows 2000. In Windows Server 2003, Microsoft builds on the existing Active Directory structure. To see how, check out the rest of the article.

What's new for Active Directory?
The enhancements to Active Directory (and Active Directory tools) can be grouped into three distinct areas:
  • Deployment and management
  • Security
  • Performance and reliability

Deployment and management
Of all of the new features, my favorites are the new Active Directory management tools. If you open the Active Directory Users And Computers console, it looks basically the same as it did in Windows 2000, except that a new folder named Saved Queries exists. This feature allows you to save your Active Directory queries for use again later.

Another enhancement to the tools that I really like is that you can now select multiple objects. For example, how many times have you needed to update user accounts and had to type the same information (phone number, log-in hours, department, etc.) a million times? Now, if you need to update the user information for all of the users within a department, you can just select those users, right-click on them, and edit the properties for all of them simultaneously. Obviously, there are some very user-specific properties that you won't be able to edit collectively, but most of the more general properties can be edited for multiple users at once.

Renaming domains
Another nice new feature of Windows Server 2003 is the ability to rename domains. The problem with the Windows 2000 Active Directory structure was that it was semi-permanent. If a merger occurred between companies, there was no easy way to rename the domains from one company to something more appropriate for the new organization.

Windows Server 2003 changes this. The Windows Server 2003 installation CD contains a tool called RENDOM.EXE. You can find this tool in the CD's Valueadd\Msft\Mgmt\Domren folder.

There are a couple of restrictions to using this tool. First, you must raise the forest functional level to Windows .NET Server 2003. This means that none of your domains can have Windows 2000 or Windows NT domain controllers. The other restriction is that you can't move a domain into the forest root domain position, although you can move a domain in a way that makes it a root domain for its own domain tree within the forest.

Active Directory migration tool
One of the ways that Microsoft has really improved Active Directory is by making it easier to deploy. Suppose for a moment that you have users within a Windows NT Server domain that you want to migrate into Active Directory. A tool called Active Directory Migration Tool (ADMT) makes this process easier.

ADMT is an MMC snap-in. Basically, this means that you must already have a Windows Server 2003 server in place. You can then open MMC and load the snap-in, which is located in the Windows Server 2003 installation CD's I386\ADMT folder. You may then import the Windows NT users (including passwords) into Active Directory.

Active Directory in Application Mode
Another new feature is Active Directory in Application Mode, or AD/AM. The idea behind AD/AM is that some applications require access to Active Directory. Traditionally, this has meant running such applications on domain controllers, which is not always desirable. However, AD/AM will allow Active Directory-dependent applications to run on member servers. Additionally, you can run multiple instances of AD/AM on a single server to support multiple applications. AD/AM is being released as a separate component and should be available from the Microsoft Web site.

Schema modifications
One of the biggest pains in the Windows 2000 Active Directory was that if you ever found yourself having to modify the Active Directory schema, you had to be extremely careful. Schema modifications were permanent, so if you made a mistake, you had to live with the consequences.

In Windows Server 2003, though, you can actually deactivate schema attributes and class definitions. You can also redefine a class or attribute if you made a mistake the first time.

Security
There have been countless security enhancements to Windows Server 2003. Although there are way too many to write about, I will attempt to address the more important ones from an Active Directory standpoint.

Perhaps the biggest enhancement to Active Directory security is the addition of the Resultant Set Of Policy wizard. As you may know, group policies are hierarchical in nature. Policies may exist at the local, site, domain, and OU levels. All of the policies that apply to a user or computer are combined and filtered in a hierarchical manner to determine the effective policy for the user or computer. As you can imagine, this approach can become very confusing.

Windows Server 2003 solves this problem by allowing you to see the resultant set of policy. If you open the Active Directory Users And Computers console and right-click on a user, you will see the user's shortcut menu. If you select All Tasks and then one of the resultant set of policy commands, you can see the user's current policy. You can also simulate the effects that various changes will have on the user. For example, you could tell what access a user will have if he or she is added to or removed from a group.
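To make the "combined and filtered in a hierarchical manner" part concrete, here is a small Python model of how Group Policy precedence produces a resultant set. It is an added illustration, not Microsoft's RSoP tool; the containers, GPO names, groups and settings are all constructed, and it goes slightly beyond the text by also modelling Block Inheritance, Enforced links and security-group filtering.

```python
"""Toy model of Group Policy precedence (the logic behind the RSoP view).
Added illustration, not Microsoft's tool; every name here is constructed.
Modelled: LSDOU order with the last writer of a setting winning; 'Block
inheritance' drops non-enforced GPOs linked above (local policy excepted);
'Enforced' links apply last, higher level winning; group-based filtering."""
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    settings: dict
    enforced: bool = False
    groups: frozenset = frozenset()   # empty: applies to everyone

@dataclass
class Container:
    name: str
    gpos: list                        # link order; entry 0 has highest precedence
    is_local: bool = False
    block_inheritance: bool = False

def resultant_set(chain, user_groups):
    """chain: containers from Local down to the user's OU -> (settings, apply order)."""
    normal, enforced = [], []         # lists of (gpo, container)
    for container in chain:
        if container.block_inheritance:
            normal = [(g, c) for g, c in normal if c.is_local]
        for gpo in reversed(container.gpos):   # link order 1 is applied last
            if gpo.groups and not (gpo.groups & user_groups):
                continue              # filtered out by security group
            (enforced if gpo.enforced else normal).append((gpo, container))
    order = [g for g, _ in normal] + [g for g, _ in reversed(enforced)]
    effective = {}
    for gpo in order:
        effective.update(gpo.settings)
    return effective, [g.name for g in order]

def demo(user_groups=frozenset({"Domain Users"})):
    """Constructed LSDOU chain; vary user_groups to simulate group membership."""
    chain = [
        Container("Local", [GPO("Local policy", {"screensaver_timeout": 0})], is_local=True),
        Container("Site-HQ", [GPO("Site WAN tuning", {"slow_link": True})]),
        Container("corp.example", [
            GPO("Domain lockdown", {"screensaver_timeout": 600}, enforced=True),
            GPO("Domain default", {"screensaver_timeout": 900, "wallpaper": "corp.bmp"}),
        ]),
        Container("OU=Sales", [
            GPO("Sales wallpaper", {"wallpaper": "sales.bmp"}),
            GPO("Sales admins", {"run_cmd": True}, groups=frozenset({"Sales Admins"})),
        ], block_inheritance=True),
    ]
    return resultant_set(chain, user_groups)
```

Calling `demo()` with and without "Sales Admins" in the group set is the planning-mode question the article describes: what changes for this user if he or she is added to a group.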

Forest trust security
Microsoft has also done a lot of work in the way of security between forests. For example, if there is a trust relationship between two forests, it is now possible for a user's account to exist within one forest, but for the user's computer account to exist within a different forest. This means that if a user is a member of a trusted forest, the user can log in directly to a machine within the trusting forest without actually having to have a user account in it. This reduces the administrative burden considerably because there is no need for a user to have multiple accounts.

Windows Server 2003 also supports cross-forest authorization. What this means is that if a trust relationship exists between two forests, it's possible to grant permissions for a resource to a user that exists in a different forest. For example, you could make a user from a different forest a member of a local group. You could also assign a user from a different forest permissions to access a file.

Internet Authentication Service
Many ISPs use an authentication protocol called RADIUS to authenticate users. Microsoft has created a mechanism within Windows Server 2003 called Internet Authentication Service (IAS). IAS is roughly equivalent to RADIUS.

This isn't really news, though, because Windows 2000 also supported RADIUS. What is news is that IAS is forest trust aware. This means that if an IAS server exists within a forest, someone who has an account within a trusted forest could log in through the IAS server.

The Credential Manager
While Windows has supported Single Sign On (SSO) for some time now, the capabilities have been extended through the use of the Credential Manager. The idea behind the Credential Manager is that the first time that a user attempts to access an application that requires authentication, the application will prompt the user for his or her credentials. These credentials are then stored within Active Directory. The next time that the user accesses the application, the user will not be prompted for credentials because Windows will provide those credentials on the user's behalf.

Software Restriction Policies
When I used to manage networks for other companies, I was endlessly frustrated with users installing unauthorized software. There were too many times when a user would run out of disk space because he or she had loaded a game, RealPlayer, or ICQ.

Windows Server 2003 makes it easy to control software through software restriction policies. The idea is that you can create a policy that says that no software is allowed to run on the system. You may then create an exception list containing a list of authorized applications.

You can also make a software restriction policy work in the opposite way. For example, if you are having a problem with users installing ICQ, you can allow all software, but block ICQ.
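The two policy styles just described (deny everything except an exception list, or allow everything but block specific programs) come down to how rules are matched. The Python below is an added illustration, not the Windows software restriction policy engine; the paths and file contents are constructed, and the "most specific path wins" rule is approximated by the longest matching pattern.

```python
"""Toy evaluator for the two software restriction policy styles above:
a Disallowed default with an exception list, or an Unrestricted default
with specific blocks. Added illustration, not the Windows SRP engine;
paths and file bytes are constructed. Modelled: a hash rule outranks a
path rule, the most specific (here: longest) matching path rule wins,
otherwise the default level applies."""
import hashlib
from fnmatch import fnmatch

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

class Policy:
    def __init__(self, default_level):
        self.default = default_level
        self.path_rules = []        # (glob pattern, level)
        self.hash_rules = {}        # sha256 hex digest -> level

    def add_path(self, pattern, level):
        self.path_rules.append((pattern.lower(), level))

    def add_hash(self, file_bytes, level):
        self.hash_rules[hashlib.sha256(file_bytes).hexdigest()] = level

    def evaluate(self, path, file_bytes=b""):
        """Return (level, reason) for an executable at `path`."""
        digest = hashlib.sha256(file_bytes).hexdigest()
        if digest in self.hash_rules:
            return self.hash_rules[digest], "hash rule"
        hits = [(p, lvl) for p, lvl in self.path_rules if fnmatch(path.lower(), p)]
        if hits:
            pattern, level = max(hits, key=lambda h: len(h[0]))
            return level, f"path rule {pattern}"
        return self.default, "default level"

def lockdown_policy():
    """Default deny: only executables under the OS and Program Files run."""
    p = Policy(DISALLOWED)
    p.add_path(r"C:\Windows\*", UNRESTRICTED)
    p.add_path(r"C:\Program Files\*", UNRESTRICTED)
    return p

ICQ_SETUP = b"constructed stand-in for an ICQ installer"

def block_icq_policy():
    """Default allow: block ICQ by install path and by installer hash."""
    p = Policy(UNRESTRICTED)
    p.add_path(r"C:\Program Files\*", UNRESTRICTED)       # general rule
    p.add_path(r"C:\Program Files\ICQ\*", DISALLOWED)     # more specific, wins
    p.add_hash(ICQ_SETUP, DISALLOWED)                     # catches a renamed copy
    return p
```

The hash rule is what makes the "block ICQ" style hold up when a user simply renames or moves the installer; the path rule alone would not.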

Performance and dependability
Although I have seldom had serious problems with the Windows 2000 Active Directory, Microsoft has made great strides in making the Windows Server 2003 Active Directory even more reliable. One of the really nice reliability fixes was that they made it possible for users in a remote office to log in even if connectivity to the main office was lost.

In Windows 2000, users could only log in if they had access to a global catalog server. Many administrators would place domain controllers in remote offices, but neglect to make them global catalog servers as well. This means that if connectivity were lost, users would not be able to log in.

Windows Server 2003 caches user credentials. This means that if a remote office loses connectivity to the main office, users in the remote office can still log in. It also means that bandwidth consumption across the WAN link is reduced because global catalog queries are made less frequently.

Group replication
In Windows 2000, if someone made a change to a group membership, the changed group object was replicated to all domain controllers. The problem was that if another administrator made another change to the same group before replication had been completed, the first administrator's change could be overwritten.

Windows Server 2003 corrects this problem by changing the way that groups are replicated. When a change is made to a group, Windows Server 2003 replicates only the change, not the entire group object. This greatly reduces the chances of changes being accidentally overwritten.
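The overwrite problem and its fix can be simulated in a few lines. This Python is an added illustration, not Active Directory code; the domain controllers, member names and timestamps are constructed. The first replica type treats the whole member list as one versioned unit (the Windows 2000 behaviour described above), the second stamps each member value separately (the Windows Server 2003 per-change replication).

```python
"""Simulation of the group-membership replication race described above.
Added illustration, not Active Directory code; names and stamps are
constructed. Whole-attribute style: the member list is one replicated
unit, so between conflicting versions the later write wins outright.
Linked-value style: each member carries its own stamp, so concurrent
changes to different members both survive replication."""
from dataclasses import dataclass, field

@dataclass
class WholeAttribute:
    """Windows 2000 behaviour: one version and stamp for the entire list."""
    members: set
    version: int = 1
    stamp: float = 0.0
    def add(self, member, now):
        self.members = self.members | {member}
        self.version, self.stamp = self.version + 1, now
    def merge_from(self, other):
        # conflict resolution: higher version, then later stamp, replaces the list
        if (other.version, other.stamp) > (self.version, self.stamp):
            self.members, self.version, self.stamp = set(other.members), other.version, other.stamp

@dataclass
class LinkedValues:
    """Windows Server 2003 behaviour: every member value has its own stamp."""
    values: dict = field(default_factory=dict)   # member -> (present, stamp)
    @property
    def members(self):
        return {m for m, (present, _) in self.values.items() if present}
    def add(self, member, now):
        self.values[member] = (True, now)
    def merge_from(self, other):
        for member, (present, stamp) in other.values.items():
            if member not in self.values or stamp > self.values[member][1]:
                self.values[member] = (present, stamp)

def whole_attribute(members): return WholeAttribute(set(members))
def linked_values(members): return LinkedValues({m: (True, 0.0) for m in members})

def concurrent_edits(make_replica):
    """Two DCs; two admins each add a member before replication runs."""
    dc1, dc2 = make_replica({"carol"}), make_replica({"carol"})
    dc1.add("alice", now=1.0)     # admin 1 edits the group on DC1
    dc2.add("bob", now=2.0)       # admin 2 edits the same group on DC2
    dc1.merge_from(dc2)           # replication in both directions
    dc2.merge_from(dc1)
    return dc1.members, dc2.members
```

With the whole-attribute replica both DCs converge on the second admin's version and "alice" is silently dropped; with linked values both additions are present on both DCs.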

Active Directory Partitions
By its very nature, anything that gets written to Active Directory is written to the other domain controllers within the domain. The problem is that sometimes an application may use Active Directory to store application-specific data that isn't needed anywhere else. Replicating such data unnecessarily consumes bandwidth and disk space on the other domain controllers. Such replications may even pose security risks.

Windows Server 2003 solves this problem by allowing you to create application partitions. Any information placed within an application partition is held locally within the domain controller and is not replicated.

Installing a replica from media
Imagine for a moment that someone asks you to set up a remote office in the back woods of South Carolina. The chances of being able to get a broadband connection in such a location are slim. If you have to link to the remote office, bandwidth is going to be scarce and you will want to make the most of it.

Naturally, you will probably want to preserve bandwidth by placing at least one domain controller in the remote office. The problem is, how do you set up the domain controller? The domain controller must get its information from your main office.

In Windows 2000, this would have meant traveling to the remote office, installing Windows 2000 Server, connecting to the main office, and then running DCPROMO. If your Active Directory is very large, it will take days for the information to synchronize. During this time, it is also likely that the dial-up connection will drop a couple of times. If you're lucky, you can just restart DCPROMO from the beginning. However, I've known of several cases in which a dropped connection during a DCPROMO operation meant reinstalling Windows from scratch.

Microsoft has fixed this problem by allowing you to install a domain controller from media. This means that you could export your Active Directory information after leaving your office. When you get to the remote office, you could install Windows and then promote the server to a domain controller, but make it get the domain information from the disk rather than from a dial-up connection. Later, when a dial-up connection is established, you can replicate any changes that have occurred in the last couple of days. This replication cycle will take much less time than trying to replicate the entire directory.

Miscellaneous
Microsoft has also made numerous small improvements in performance and scalability. For example, there is a new health monitoring mechanism that allows Windows to keep better tabs on replication. Global catalog replication has also been improved, and there is even a new Inter Site Transport Generator that is designed to be more scalable than its predecessor.

All that and more
Whether you're moving to Windows Server 2003 from Windows 2000 or all the way back from Windows NT, you're in for a lot of changes. Active Directory presents the most changes for NT administrators, but even Windows 2000 administrators will find things to like about the new version of Active Directory that comes with Windows Server 2003.
