- MCSE Magazine -

Active Directory Version 2.0 - Improvements of Windows Server 2003

By Markus Klein

1. Abstract

Everybody knows the features that came with Windows 2000 Server Active Directory, but the larger a company was, the harder it was to solve its problems with them. Microsoft therefore released version 2 of Active Directory with Windows Server 2003, which has many features that help big companies with their daily problems. But Windows Server 2003 Active Directory is not only a great product for big companies. Even small companies that often go through mergers or acquisitions, or that have slow and unreliable WAN lines between their sites, may find Windows Server 2003 Active Directory a big deal.

This article gives an overview of these new features and how to implement them in real-world networks. It cannot be a fully detailed how-to for each of them, but you will find the most important steps and the reasons why it may be a good idea to implement Active Directory on Windows Server 2003.



2. Active Directory - New Features

2.1 UI-Enhancements

Everybody who has already worked for some time with the Active Directory snap-ins of Windows 2000 Server will probably be surprised that things now work the way they always wanted. You can move users and other objects with drag & drop. That makes moving objects easier, but it also raises the risk that objects are moved unintentionally. So be careful with this new feature.

Another enhancement is that you can now edit and change more than one object at a time. With Windows 2000 Server you could only do this one object at a time or by using a script.

Last but not least, you can now save your own queries. For example, you may want a single click to show all your users that are disabled. With Windows 2000 this was real trouble; with Windows Server 2003 it is quite easy: just configure your own saved query and everything works as you want it. Saved queries are LDAP-based, so predefined queries (like the ones formerly used in Exchange 2000 when creating address lists) can be provided, and user-defined LDAP queries are possible, too.

That means we now have an open and configurable GUI within the Active Directory snap-ins.

Figure 1: Saved LDAP-based Queries in Active Directory Users and Computers
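The "all disabled users" saved query described above is an LDAP filter on the ACCOUNTDISABLE bit of userAccountControl. The following is an added example, not code from the article or from Microsoft: it builds that filter and evaluates it with a small evaluator against constructed sample entries, so you can see which accounts the query would list and why the computer account is left out.

```python
import re

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE.
ACCOUNTDISABLE = 0x2
# LDAP_MATCHING_RULE_BIT_AND: true when all bits of the value are set.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# The LDAP filter a saved query for deactivated user accounts would use.
DISABLED_USERS_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"
)

# Constructed sample entries (not real accounts). AD stores objectCategory as
# a schema DN and resolves "person" to it; the samples keep the short form.
SAMPLE_ENTRIES = [
    {"cn": "alice", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 512},        # NORMAL_ACCOUNT, enabled
    {"cn": "bob", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 514},        # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"cn": "svc-backup", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 66050},      # DONT_EXPIRE_PASSWORD | NORMAL | DISABLE
    {"cn": "ws01", "objectCategory": "computer", "objectClass": "computer",
     "userAccountControl": 4098},       # disabled workstation, not a user
]

def _match_term(term, entry):
    """Evaluate one attr=value or attr:OID:=value term against an entry."""
    attr, rule, value = re.fullmatch(r"(\w+)(?::([\d.]+):)?=(.+)", term).groups()
    actual = entry.get(attr)
    if actual is None:
        return False
    if rule == BIT_AND_RULE:
        return (int(actual) & int(value)) == int(value)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    return str(actual).lower() == value.lower()

def matches(filter_str, entry):
    """Evaluate a flat AND-group or a single term (subset of RFC 4515 syntax)."""
    if filter_str.startswith("(&"):
        terms = re.findall(r"\(([^()]*)\)", filter_str[2:-1])
        return all(_match_term(t, entry) for t in terms)
    return _match_term(filter_str[1:-1], entry)

def disabled_users(entries):
    """Return the cn of every entry the saved query would list."""
    return [e["cn"] for e in entries if matches(DISABLED_USERS_FILTER, e)]
```

The same filter string can be pasted into the saved query's LDAP filter field in Active Directory Users and Computers.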

 
 
2.2 GPO Improvements

Windows Server 2003 brings about 300 new GPO settings, especially for security, networking and client software (e.g. Windows Media Player 9.0, Software Update Services). In addition there are more tools to troubleshoot problems with your GPO settings easily.


2.2.1 Software Restriction Policies

One powerful setting is "Software Restriction Policies". Until now the only ways to make sure that your users cannot start certain programs were to secure the file with NTFS permissions or to block the file by its name using policies. Software Restriction Policies give much greater flexibility to block certain programs or any other files using path rules, code signature (certificate) rules, hash rules or Internet zone rules.

Figure 2: Software Restriction Policies

 
 
If you implement path rules, you define where programs or files have to be located so that they are allowed to run. For example, you can configure that only "\%Systemroot%\program files" is the allowed path to run programs from. But make sure that subdirectories are allowed, too. If you do not, you may have problems starting some programs that live in subdirectories.

The possibility to implement code-signature-based restriction policies is a nice feature, too. With the Windows Server 2003 PKI you can deploy code signing certificates and then sign your ActiveX controls or programs with such a certificate using Microsoft CAPICOM 3.0 or SignCode.exe. These tools can be found in the Windows Server 2003 SDKs.

The third possibility is to use hashes for executables and all other files. This makes it impossible for a tricky user to send himself, for example, "moorhuhn.exe" renamed to "notepad.exe": the hash of the renamed file is a different one, so it cannot run. But be careful: using hashes means a lot of administrative overhead, because every update of a file changes its hash and the rule has to be maintained.

Finally, you can use "Internet zones" to allow only predefined web pages that have been declared in GPOs for each user group. All other web pages are then blocked by default.
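To make the two caveats above concrete (a path rule that forgets subdirectories, and a hash rule that sees through a renamed file), here is an added example that is not code from the article or from Microsoft. It is a constructed model of how SRP rules decide a file's security level: hash rules win over path rules, the most specific path rule wins among path rules, and the default level applies when nothing matches; certificate and zone rules are left out.

```python
import hashlib
from ntpath import normcase, normpath

# Constructed model, not Microsoft's code. Real SRP precedence is hash >
# certificate > path > Internet zone > default; only hash and path are modelled.

def file_hash(content: bytes) -> str:
    """SRP hashes the file's bytes, so renaming a file never changes its hash."""
    return hashlib.sha256(content).hexdigest()

class SrpPolicy:
    def __init__(self, default_level="Disallowed"):
        self.default_level = default_level   # applies when no rule matches
        self.hash_rules = {}                 # content hash -> security level
        self.path_rules = []                 # (normalized dir, level, subdirs)

    def add_hash_rule(self, content, level):
        self.hash_rules[file_hash(content)] = level

    def add_path_rule(self, directory, level, include_subdirs=True):
        # A real rule would use %ProgramFiles%; here the path is given expanded.
        self.path_rules.append((normcase(normpath(directory)), level, include_subdirs))

    def evaluate(self, path, content):
        """Return (security level, kind of rule that decided it)."""
        level = self.hash_rules.get(file_hash(content))
        if level is not None:                # hash rules beat every other rule
            return level, "hash"
        directory = normcase(normpath(path)).rsplit("\\", 1)[0]
        best = None
        for rule_dir, level, subdirs in self.path_rules:
            inside = directory == rule_dir or (subdirs and directory.startswith(rule_dir + "\\"))
            if inside and (best is None or len(rule_dir) > len(best[0])):
                best = (rule_dir, level)     # the most specific path wins
        if best:
            return best[1], "path"
        return self.default_level, "default"

def demo(include_subdirs=True):
    # Default-deny policy with one hash rule and one path rule (constructed data).
    notepad = b"constructed bytes standing in for notepad.exe"
    moorhuhn = b"constructed bytes standing in for moorhuhn.exe"
    policy = SrpPolicy("Disallowed")
    policy.add_hash_rule(notepad, "Unrestricted")
    policy.add_path_rule(r"C:\Program Files", "Unrestricted", include_subdirs)
    return {
        "real notepad": policy.evaluate(r"C:\Windows\notepad.exe", notepad),
        "renamed game": policy.evaluate(r"C:\Windows\notepad.exe", moorhuhn),
        "game in subdir": policy.evaluate(r"C:\Program Files\Game\moorhuhn.exe", moorhuhn),
    }
```

Calling `demo(include_subdirs=False)` shows the path-rule caveat: the program in the subdirectory falls back to the default level and is blocked.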



2.2.2 Group Policy Management Console


With the release of Windows Server 2003, Microsoft released the first version of the GPMC (Group Policy Management Console), a snap-in with which you can completely configure and administer your GPOs. You can use it for backup and restore purposes, too. So wherever you formerly needed third-party applications like FAZAM (www.fullarmor.com), you can now use the freely downloadable GPMC.

Figure 3: Group Policy Management Console

 
 
In addition you can even use it to administer your Windows 2000 Active Directory GPOs. How? Just install it on a Windows XP Professional SP1 machine with the .NET Framework in your Windows 2000 Active Directory and enjoy it. You can download the GPMC from http://www.microsoft.com/downloads/details.aspx?FamilyId=F39E9D60-7E41-4947-82F5-3330F37ADFEB&displaylang=en .


2.3 DC Rename and Domain Rename

You have upgraded your NT domain controllers to Windows 2000 and your DCs are now named PDC and BDC? You want to rename your domain controllers? Then Windows Server 2003 is right for you!

Now you can rename each DC as often as you want. Just open the properties of "My Computer" and rename your DC. Because all service records in DNS have to be updated after the rename, you should verify that your DNS zones allow dynamic updates. After renaming a DC you have to reboot it once, and the old name is gone.


Another feature is the ability to rename your domains or to restructure them. With Windows Server 2003 in Windows Server 2003 Forest Mode this is no longer impossible. You should first back up all your DCs before starting the rename procedure. A test rename in a lab before the live rename is preferable, too. During the rename procedure no changes to Active Directory are allowed, so the best time is the weekend.

The rename procedure is done with the tool called rendom, which you can find on each Windows Server 2003 CD in the \valueadd\msft\mgmt\domren directory. The whole renaming project is very complex and will be covered in detail in future articles here. If you need more information, please have a look at http://www.microsoft.com/windowsserver2003/docs/Domain-Rename-Procedure.doc


2.4 Cross Forest Trusts

Another quite interesting new feature in Windows Server 2003 Forest Mode is the possibility of bidirectional, transitive, Kerberos-based trusts between forests. But when do we need it? The answer is: every time two companies merge that both have an Active Directory. Without this feature you have to manually create explicit one-way trusts between each domain a user wants to log on to and each domain where a resource resides.

With X-Forest Trusts this problem is solved. If you are creating X-Forest Trusts in your organization, just make sure that DNS name resolution between both forests works (e.g. using DNS conditional forwarding) and that your clients understand Kerberos. Then just go through the X-Forest Trust Wizard and everything works well.

Figure 4: The Cross Forest Trust Wizard

 
 
2.5 GC Install from Media

When you install a domain controller in a remote Active Directory site and the WAN connectivity between the sites is below 128 Kbit, you may have trouble completing the initial replication between the new DC and the existing site with Windows 2000 Server. With Windows Server 2003 this problem is gone, too. You can now create your DCs from media instead of over an online connection:

1. Create a system state backup of one of your DCs (the best choice is a GC)
2. Restore this system state to an alternative location and create a medium from this structure
3. Start dcpromo.exe with the /adv switch in the remote site
4. Point to your restored system state
5. Restart your DC after dcpromo has finished its work
6. Now your DC starts working and should replicate with its remote site


2.6 Caching Universal Group Membership

In Windows 2000 Server a Global Catalog server must be available to authenticate users during logon. This is because universal groups reside on GCs and have to be checked. That meant you had to place a GC in each site behind a WAN connection to ensure logon even if the WAN connection is down.

With Windows Server 2003 you have the possibility to cache universal group memberships. Then every user who has already logged on while a GC was available may log on for the next 8 days even if no GC is reachable. Caching universal group membership must be configured using the "Active Directory Sites and Services" snap-in.

Figure 5: Configuring Universal Group Caching


2.7 Replication Enhancements

With Windows 2000 Server Microsoft provided a product whose replication techniques were not ready for really big networks. These have now been improved.


2.7.1 Improved KCC and ISTG

If your organization has more than 500 DCs, the KCC could not help you anymore in Windows 2000 Server. Your only option was to disable the KCC and create your connection objects manually. In addition, if you had more than 500 sites (a really big network), the ISTG could not help you either. With Windows Server 2003 these two problems are gone.


2.7.2 Group Membership

For example, if you have a group with 300 members and you remove one member, Windows 2000 would tell all other DCs to remove the whole group and, in addition, send the information that there is a new group with 299 members. Windows Server 2003 only replicates the removal of the one member. So a lot of replication traffic is gone, too.


2.8 Application Directory Partitions

With Windows 2000 Server your Active Directory database NTDS.DIT was divided into three partitions: the schema partition, the configuration partition and the domain partition. So far so good. Windows Server 2003 in Forest Mode 2003 brings a new feature: you can define your own application directory partitions. These partitions can be created and deleted wherever and whenever you want, and you can place replicas on any DCs you choose. This means that your replication topology can be optimized.

At present the only service that works with these new partitions is DNS. DNS provides two predefined application directory partitions called "ForestDNSZones" and "DomainDNSZones". With these two partitions you can improve the placement of your Active Directory integrated DNS zones. If you want your DNS zone to be replicated to all DNS servers (that are DCs) in the whole forest, "ForestDNSZones" is used; if you choose to replicate the DNS zone only to DNS servers (that are DCs) in your domain, "DomainDNSZones" is used.

If you want to define and configure your own application directory partitions and replication sets, you have to use NTDSUTIL.EXE. For more information refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;322669 .



2.9 ADMT Version 2.0

Windows Server 2003 is distributed with Active Directory Migration Tool version 2.0. This new version provides some enhancements in comparison to version 1.0. These improvements are:

- easier configuration
- migration of passwords is now possible
- it is supported at the "Windows 2000 pure" (native) domain functional level
- it works faster and more efficiently than the first release

You can even download the new version of ADMT from http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en , and you can use it on Windows 2000 Server, too.


3. Final Conclusion

As you can see from this article, Windows Server 2003 Active Directory provides some quite interesting improvements in comparison to Windows 2000 Server. Of course, these enhancements are most often interesting for big networks. And if you are still planning your migration to Active Directory Services version 1.0, have a close look at your plans and see whether it is worth changing your product plans. If so, do so, and then deploy Windows Server 2003 Active Directory Services in your company. A mixed network works quite well, too, but it is not the best way to get rid of your problems with older versions of Windows. Windows Server 2003 is Microsoft's next step to make its directory services more usable and configurable, and in addition some things that were missing in Windows 2000 Server are now provided by Active Directory Version 2.0.

If you still have more detailed questions, please don't hesitate to contact me via email.

 
   
©2001-2007 MCSE Magazine - All Rights Reserved