1.3 Windows 2000 Versus Windows Server 2003
While the first version of Active
Directory available with Windows 2000 was very stable and
feature-rich, it still had room for improvement, primarily around
usability and performance. With Windows Server 2003, Microsoft has
addressed many of these issues. To utilize these features you have to
upgrade your domain controllers to Windows Server 2003 and raise the
domain and forest functional levels as necessary.
The difference between Windows 2000 Active Directory and Windows
Server 2003 Active Directory is more evolutionary than revolutionary.
The decision to upgrade to Windows Server 2003 is a subjective one,
based on your needs. For example, if you have a lot of domain
controllers and Active Directory sites, you may want to take
advantage of the improvements with replication as soon as possible.
Or perhaps you've been dying to rename a domain, a
capability available in Windows Server 2003 Active Directory. On the
whole, Microsoft added or updated more than 100 features within
Active Directory, and we will now discuss some of the more
significant ones.
For more information on migrating to Windows Server 2003 from Windows 2000, check out Chapter 14.
Some of the new features are available as soon as you promote the
first Windows Server 2003 domain controller into an existing Windows
2000 Active Directory domain. In Table 1-2, the
features available when you do so are listed along with descriptions.
Note that these features will apply only to the Windows Server 2003
domain controllers in the domain.
Table 1-2. Windows 2000 domain functional level feature list

Application Partitions
    You can create your own partitions to store data separately from the default partitions, and you can configure which DCs in the forest replicate them.

GC not required for logon (i.e., universal group caching)
    Under Windows 2000, a DC had to contact a GC to determine universal group membership before it could allow a user to log on. This feature allows DCs to cache universal group membership so that contacting a GC is not necessary for logons.

MMC enhancements and new command-line tools
    The new Active Directory Users and Computers snap-in lets you save queries, drag and drop, and edit multiple users at once, and it scrolls through a large number of objects much more efficiently. In addition, several new command-line tools (dsadd, dsmod, dsrm, dsquery, dsget, and dsmove) are installed with the server, allowing greater flexibility in managing Active Directory.

Install from media
    Administrators can create new DCs for an existing domain by installing from a backup of an existing DC that resides on media such as a CD or DVD.

WMI Filtering for GPOs
    You can attach a WMI filter, a query that can use any WMI information on a client, to a GPO, and that query is run against each targeted client. If the query succeeds, the GPO continues to process; otherwise it stops processing.
In Table 1-3, the features available in domains
running the Windows Server 2003 functional level are listed. A domain
can be changed to the Windows Server 2003 functional level when all
domain controllers in the domain are running Windows Server 2003.
Table 1-3. Windows Server 2003 domain functional level feature list

Domain controller rename
    With Windows 2000, you had to demote, rename, and repromote a DC if you wanted to rename it. In Windows Server 2003 domains, you can rename DCs directly, and it requires only a single reboot.

Domain rename
    A domain can be renamed, which was not possible under Windows 2000. The impact on the environment is significant (e.g., all member computers must be rebooted), so it should be done conservatively.

Logon timestamp replicated
    Under Windows 2000, the lastLogon attribute contained a user's last logon timestamp, but that attribute was not replicated among the DCs, forcing you to query every DC to determine the effective last logon. With Windows Server 2003, the lastLogonTimeStamp attribute contains a user's last logon and is replicated.

Quotas
    Users who have write access to AD can cause a denial of service (DoS) by creating objects until a DC's disk fills up. You can prevent this type of attack using quotas. With a quota you can restrict the number of objects a security principal can create in a partition, container, or OU. Windows Server 2003 DCs can enforce quotas even when the domain is not at the Windows Server 2003 domain functional level, but for quotas to be enforced everywhere, all DCs must be running Windows Server 2003.
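Because lastLogonTimeStamp is replicated, a single DC can answer "who has not logged on recently?" for the whole domain. The following is an added example (not code from the book) showing how to decode the attribute, which is stored as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and how to flag stale accounts without tripping over the attribute's replication granularity: a DC rewrites lastLogonTimeStamp only when the stored value is older than msDS-LogonTimeSyncInterval (default 14 days), so the replicated value can lag the real last logon by up to two weeks. The sample records and account names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# lastLogonTimeStamp (like lastLogon) is a Windows FILETIME: the number of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, stored as a large integer.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Default msDS-LogonTimeSyncInterval is 14 days: a DC writes (and therefore
# replicates) a new lastLogonTimeStamp only when the stored value is more than
# 14 days (minus a random 0-5 day offset) old, so the replicated value may lag
# the true last logon by up to 14 days.
LOGON_TIME_SYNC_INTERVAL_DAYS = 14


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware UTC datetime; 0 means 'never logged on'."""
    if ticks <= 0:
        return None
    # FILETIME ticks are 100 ns; timedelta resolution is 1 us, so divide by 10.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here to build the constructed sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def find_stale_accounts(records, now, max_age_days=90):
    """Return sAMAccountNames whose last logon is older than max_age_days.

    The replication lag is added to the threshold so that an account that
    logged on recently, but whose new timestamp has not yet been written, is
    not flagged as stale. Accounts that never logged on (value 0) are flagged.
    """
    threshold = now - timedelta(days=max_age_days + LOGON_TIME_SYNC_INTERVAL_DAYS)
    stale = []
    for rec in records:
        last = filetime_to_datetime(rec["lastLogonTimeStamp"])
        if last is None or last < threshold:
            stale.append(rec["sAMAccountName"])
    return stale


# Constructed sample records (not real directory data), as they might look after
# reading sAMAccountName and lastLogonTimeStamp from any one Windows Server 2003 DC.
SAMPLE_NOW = datetime(2005, 4, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice",
     "lastLogonTimeStamp": datetime_to_filetime(datetime(2005, 3, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob",
     "lastLogonTimeStamp": datetime_to_filetime(datetime(2004, 10, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc-legacy", "lastLogonTimeStamp": 0},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["sAMAccountName"], filetime_to_datetime(rec["lastLogonTimeStamp"]))
    print("stale:", find_stale_accounts(SAMPLE_RECORDS, SAMPLE_NOW, max_age_days=90))
```

The 14-day slack is the reason lastLogonTimeStamp is suitable for finding accounts unused for months but not for proving an account was idle on a particular day; for that you still have to read lastLogon from every DC, exactly as under Windows 2000.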
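To make the quota rules concrete, here is an added example (not code from the book) that models how a Windows Server 2003 DC decides whether a principal may create another object in a partition. Quota specifications are created with dsadd quota (its -part, -acct, and -qlimit parameters name the partition, the trustee, and the limit) and are stored as msDS-QuotaControl objects under CN=NTDS Quotas,<partition DN>; each carries a trustee SID (msDS-QuotaTrustee) and a limit (msDS-QuotaAmount, -1 meaning unlimited). A principal's effective quota is the highest limit among the specifications naming its own SID or any group SID in its token; with no match, the container's msDS-DefaultQuota applies. Usage counts the objects the principal owns, with tombstoned (deleted) objects weighted by msDS-TombstoneQuotaFactor percent. The SIDs, group names, and counts below are constructed, and the integer rounding of the tombstone weight is this model's assumption.

```python
# Model of Windows Server 2003 AD quota evaluation (added example, not product code).
UNLIMITED = -1  # msDS-QuotaAmount / msDS-DefaultQuota value meaning "no limit"


def effective_quota(principal_sids, quota_specs, default_quota=UNLIMITED):
    """Highest quota among specs whose trustee is the principal's own SID or one of
    its group SIDs. quota_specs is a list of (trustee_sid, msDS-QuotaAmount) pairs.
    A principal matched by no spec falls back to the partition's msDS-DefaultQuota."""
    applicable = [amount for trustee, amount in quota_specs if trustee in principal_sids]
    if not applicable:
        return default_quota
    if UNLIMITED in applicable:
        return UNLIMITED
    return max(applicable)


def quota_used(live_owned, tombstoned_owned, tombstone_factor=100):
    """Objects the principal owns count fully; tombstones count at
    tombstone_factor percent (default msDS-TombstoneQuotaFactor is 100).
    Integer arithmetic here is an assumption of this model."""
    return live_owned + (tombstoned_owned * tombstone_factor) // 100


def can_create_object(principal_sids, quota_specs, live_owned, tombstoned_owned,
                      default_quota=UNLIMITED, tombstone_factor=100):
    """True if creating one more object keeps the principal within its effective quota."""
    limit = effective_quota(principal_sids, quota_specs, default_quota)
    if limit == UNLIMITED:
        return True
    return quota_used(live_owned, tombstoned_owned, tombstone_factor) < limit


# Constructed SIDs (not from any real domain).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = DOMAIN + "-513"      # well-known RID 513 = Domain Users
HELPDESK_GROUP = DOMAIN + "-1105"   # constructed group RID
CAROL = DOMAIN + "-1201"            # constructed user RID

# Constructed quota specifications, as dsadd quota -part <partition> -acct <account>
# -qlimit <n> would create them: Domain Users may own 10 objects, Helpdesk 50.
SAMPLE_SPECS = [(DOMAIN_USERS, 10), (HELPDESK_GROUP, 50)]

if __name__ == "__main__":
    carol_token = {CAROL, DOMAIN_USERS, HELPDESK_GROUP}
    print("effective quota:", effective_quota(carol_token, SAMPLE_SPECS))
    # 30 live objects plus 40 tombstones at 50% -> 50 used, so the limit is reached.
    print("may create:", can_create_object(carol_token, SAMPLE_SPECS, 30, 40, tombstone_factor=50))
```

Two points follow from the model. Tombstones count against the quota until garbage collection removes them, so a create-and-delete loop is limited just as a plain create loop is, unless msDS-TombstoneQuotaFactor is lowered. Quotas are not applied to members of Domain Admins or Enterprise Admins, so they constrain delegated principals and applications, not the administrators who manage the partition.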
In Table 1-4, the features available to forests
running the Windows Server 2003 functional level are listed. A forest
can be raised to the Windows Server 2003 functional level when all
domains contained within the forest are at the Windows Server 2003
domain functional level.
Table 1-4. Windows Server 2003 forest functional level feature list

GC replication tuning
    Under Windows 2000, adding an attribute to the GC caused every GC server to perform a full synchronization of its GC contents. This is no longer the case.

Reactivation of defunct schema objects
    This feature allows deactivated schema classes or attributes to be redefined.

Forest trust
    A forest trust is a transitive trust between two forest root domains that allows all domains within the two forests to trust each other. To accomplish the same thing with Windows 2000, you had to implement trusts between each pair of domains across the two forests.

Per-value replication
    This feature allows certain attributes to replicate on a per-value basis instead of a per-attribute basis (i.e., all values at once). This is vital for group objects, because under Windows 2000 a change to the member attribute caused the entire set of values for that attribute to be replicated unnecessarily.

Improved replication
    The Intersite Topology Generator (ISTG) and Knowledge Consistency Checker (KCC) have been greatly improved and create more efficient replication topologies.

Dynamic auxiliary classes
    This feature allows auxiliary classes to be assigned dynamically on a per-object basis. Under Windows 2000, an object could use only the auxiliary classes that were statically defined in the schema for its object class.

Dynamic objects
    Dynamic objects have a defined time to live (TTL) after which they are removed from Active Directory unless the TTL is refreshed. This helps with data management for short-lived objects.

InetOrgPerson class for users
    The inetOrgPerson object class is a standard (RFC 2798) commonly used by directory vendors to represent users. With Windows Server 2003, you can use either the Microsoft-defined user object class or the inetOrgPerson object class for user accounts.
In addition to the new features available in Windows Server 2003, Microsoft is developing a lightweight version of Active Directory called Active Directory Application Mode (AD/AM). AD/AM is intended to address certain deployment scenarios related to directory-enabled applications. It runs as a non-operating-system service and can be implemented independently of or in conjunction with your Active Directory environment. Because it runs as a non-operating-system service, you can install multiple instances of AD/AM on a single server, with each instance independently configurable. AD/AM will be similar to a generic LDAP directory, such as OpenLDAP or SunONE Directory Server, with many NOS-specific features and requirements removed. If you are curious about how AD/AM fits into Microsoft's master plan, check out Chapter 17. For more information on AD/AM, check out the following web site:
- http://www.microsoft.com/windowsserver2003/techinfo/overview/adam.mspx