While the release of Windows
Server 2003 is viewed as evolutionary, there are quite a few new
features that make the upgrade attractive.
We suggest you carefully review each of these features and rate them
according to the following categories:
Rating each feature will help you determine how much you could
benefit from the upgrade. The following is the list of new features,
in no particular order:
- Application partitions
-
You can create partitions that can replicate to any domain controller
in the forest.
- Concurrent LDAP binds
-
Concurrent LDAP binds do not generate a Kerberos ticket and security
token and are therefore much faster than a simple LDAP bind.
- Cross-forest trust
-
This is a transitive trust that allows all the domains in two
different forests to trust each other via a single trust defined
between two forest root domains.
- Domain controller rename
-
The rename procedure for domain controllers requires a single reboot.
- Domain rename
-
Domains can now be renamed, but not without significant impact to the
user base (e.g. all member computers must be rebooted twice). For
more information, check out the following whitepaper: http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx.
- Dynamic auxiliary classes
-
There is now support for the standards-based implementation of
dynamic auxiliary classes. Under Windows 2000, auxiliary classes are
considered "static" because they
are statically defined in the schema. With dynamic auxiliary classes,
you can link one when creating an object without it being defined in
the schema as an auxiliary class for the object's
objectClass.
- Dynamic objects
-
Traditionally, objects are stored in Active Directory until they are
explicitly deleted. With dynamic objects, you can create objects that
have a time to live (TTL) value that dictates when they will be
automatically deleted unless refreshed.
- Install from media
-
A much-needed feature allows replica domain controllers to be
promoted into a forest using a backup from another domain controller.
This can greatly decrease the amount of time it takes to promote
domain controllers in large domains.
- MMC and CLI enhancements
-
The Active Directory Users and Computers (ADUC) tool has been
enhanced to allow multiselect of objects; other tools such as
repadmin and netdom have
new options.
- New DS CLI tools
-
A new set of CLI tools provides greater flexibility with managing
Active Directory from a commandline. These tools include
dsadd, dsmod,
dsrm, dsget and
dsquery.
- New GPO settings
-
Over 100 new GPO settings have been added, providing greater
flexibility in managing Active Directory clients.
- GPO RSoP
-
Resultant Set of Policy (RSoP) has been built into ADUC and can be
fully utilized with the Group Policy Management Console (GPMC). RSoP
allows administrators to determine what settings of GPOs will be
applied to end users and computers.
- TLS support
-
With Windows 2000, only SSL was supported to encrypt traffic over the
wire. TLS, the latest standards-based approach for encrypting LDAP
traffic, is now also supported.
- Quotas
-
In Windows 2000, if users had access to create objects, they could
create as many as they wanted, and there was no way to limit it.
Quotas allow you to define how many objects a user or group of users
can create. Quotas can also dictate how many objects of a certain
objectClass can be created.
- Query based groups
-
Used for role-based authorization, the new Authorization Manager
allows you to create flexible groups based on information stored with
users (e.g., department).
- Redirect users and computers
-
You can redirect the default location to store new users and
computers with the redirusr and
redircmp commands, respectively.
- Schema redefine
-
You can defunct and then redefine attributes and classes in the
schema.
- Universal Group Caching
-
You can eliminate the requirement to have a global catalog server
present during login by enabling Universal Group Caching. This is
enabled at the site level and applies to any clients that log on to
domain controllers in the site.
- Last logon timestamp attribute
-
A classic problem in a NOS environment is trying to determine the
last time a user or computer logged in. The new lastLogonTimestamp
attribute is replicated, which means you can use a single query to
find all users or computers that have not logged in within a certain
period of time.
- WMI filtering of GPOs
-
In addition to the OU, site, domain, and security group criteria that
can be used to filter GPOs, you can now use WMI information on a
client's machine to determine if a GPO should be
applied.
- WMI providers for trust and replication monitoring
-
These new WMI providers provide the ability to query and monitor the
health of trusts and replication programmatically.
If you find that you would immediately use more than four or five
features or eventually use four or five of them, the benefit may be
great enough to warrant a near-term move to Windows Server 2003. If
you don't find that you'll take
advantage of many of these new features, take a look at the next
section to see if you would benefit from any of the functionality
differences with Windows 2000.