Active Directory in Windows Server 2003 Service Pack 1

Applies To:Windows Server 2003 with SP1
What does Active Directory do?
Active Directory® is a directory servicethat stores information about objects on a network and makes this information
availableto users and network administrators. Active Directory objects typically includeshared resources such as servers,
volumes, printers,and the network user and computer accounts.
Active Directory is composed of thefollowing:
Schema.This is a set of rules that defines theclasses of objects and attributes contained in the directory, theconstraints
and limits on instances of these objects,and theformat of their names.
Global catalog.This data storecontains information aboutevery object in the directory.This allows users and
administrators to find directory information regardless of which domain in the directory actually contains the data.
Query and index. Using this mechanism objects and their properties can be published and found by network users or
applications.
Replication service.This service distributes directory data across a network. All domain controllers in a domain
participatein replication and contain a completecopy of all directory information for their domain. Any changeto
directory data is replicated to all domain controllers in the domain.
Active Directory client software.The Active Directory clientenables many of the Active Directory features available on
Windows 2000 Professional or Windows XP Professional clients for computers running Windows 95,Windows 98,and
Windows NT 4.0.
Who does this feature apply to?
Thechanges in Active Directory for Windows Server 2003 Service Pack 1 (SP1) will be of interest to:
IT professionals who support Active Directory, such as Active Directory administrators, Active Directory schema
administrators, Domain NameSystem (DNS) administrators,and domain controller administrators.
Help desk professionals.
Application developers.
System integrators.
What functionality is changing in Windows Server 2003 Service Pack 1?
Directory service backup reminders
A new event message,event ID 2089, provides the backup status of each directory partition thata domain controller stores,
including application directory partitions and Active Directory Application Mode(ADAM) partitions. If halfway through the
backup latency interval (tombstonelifetime) a partition has not been backed up, this event is logged in the Directory Service
event log and continues daily until the partition is backed up.
Added replication security and fewer replication errors
Replication metadata for domain controllers from which Active Directory has been removed is no longer retained by default,
although a waiting period can beconfigured.This changeimproves replication security and eliminates replication error
messages thatarecaused by failed attempts to replicate with decommissioned domain controllers.For moreinformation
about preserving replication metadata, see”How the Active Directory Replication Model Works” on the Microsoft Web siteat
http://go.microsoft.com/fwlink/?LinkId=46510.
Install from Media improvement for installing DNS servers
Install from Media improvements makeiteasier to createa new domain controller that is a DNS server by providing the new
option to includeapplication directory partitions in the backup media that is used to install the new domain controller.This
option eliminates therequirement for replication of the DomainDNSZones and ForestDNSZones application directory
partitions beforethe DNS server is operational.
Enhancements for replication and DNS testing
The Dcdiag.execommand-linetool, which is availablein Windows SupportTools, provides new reporting on the overall health
of replication with respect to Active Directory security.This test provides a summary of results along with detailed information
for each domain controller that is tested and a diagnosis of any security errors. Dcdiag.exealso has new DNS tests for
connectivity, serviceavailability, forwarders and root hints, delegation, dynamic update, locator record registrations,external
nameresolution,and enterpriseinfrastructure.Thesetests can be performed on one domain controller or on all domain
controllers in a forest.For moreinformation about thechanges to Dcdiag.exe, seethe Dcdiag.exesection of this article.
Support for running domain controllers in virtual machines
On a single physical server that is running Windows Server 2003 and Microsoft Virtual Server 2005,you can install multiple
Windows Server 2003 or Windows 2000 Server domain controllers in separatevirtual machines.This platform is well suited
for testenvironments. By using virtual machines,you can effectively host multiple domains, multiple domain controllers for the
same domain, or even multipleforests on one physical server that is running a single operating system.Windows Server 2003
SP1 also provides protection against directory corruption that can result from improper backup and restoration of domain
controller images.For moreinformation about running domain controllers in virtual machines, see”Running Domain
Controllers in Virtual Server 2005″ on the Microsoft Web siteat http://go.microsoft.com/fwlink/?LinkId=38330.
Operations master health and status reporting
If an operation that requires a domain controller that holds an operations master role(also known as flexiblesingle-master
operations (FSMO)) cannot be performed,events are now logged in the Directory Serviceevent log.Events identify role
holders that do notexist,exist butare notavailable, or areavailable but have not replicated recently with thecontacting
domain controller.For moreinformation about operations masters, see”How Operations Masters Work” on the Microsoft Web
siteat http://go.microsoft.com/fwlink/?LinkId=38333.
Extended storage of deleted objects
The default period thata copy of a deleted object is retained in Active Directory,called thetombstonelifetime, is extended from
60 days to 180 days.Longer tombstonelifetime decreases thechancethata deleted object remains in thelocal directory of a
disconnected domain controller beyond thetime when the object is permanently deleted from online domain controllers.The
tombstonelifetimeis not changed automatically when you upgradeto Windows Server 2003 with SP1, butyou can changethe
tombstonelifetime manually after the upgrade. New forests thatareinstalled with Windows Server 2003 with SP1 havea
default tombstonelifetime of 180 days.For moreinformation about tombstonelifetime, see”How the DataStore Works” on
the Microsoft Web siteat http://go.microsoft.com/fwlink/?LinkId=38339.
Improved domain controller name resolution
In responseto Domain NameSystem (DNS) nameresolution failures that may beencountered during location of replication
partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the
server namethat might beregistered, which results in fewer failures dueto DNS delays and misconfiguration.For more
information about DNS nameresolution, see”How DNS Support for Active Directory Works” on the Microsoft Web siteat
http://go.microsoft.com/fwlink/?LinkId=38335.
Simplified process for server metadata removal
The Ntdsutil.execommand-linetool for managing the Active Directory database has new commands that makeiteasier to
remove domain controller metadata. Preliminary steps, such as connecting to a server, domain,and site,are no longer
required. You simply specify theserver to remove. You can also specify theserver on which to makethe deletion.For more
information about thechanges to Ntdsutil.exe, seethe Ntdsutil.exesection of this article.
Improved security to protect confidential attributes
To prevent Read access to confidential attributes, such as aSocial Security number, whileallowing Read access to other object
attributes,you can designatespecificattributes as confidential by setting a search flag on therespectiveattributeSchema
object. By default, only domain administrators have Read access to confidential attributes, but this access can be delegated.For
moreinformation aboutaccess to attributes, see”How Security Descriptors and Access Control Lists Work” on the Microsoft
Web siteat http://go.microsoft.com/fwlink/?LinkId=45972.
Retention of SID history on tombstones
ThesIDHistory attribute has been added to theset of attributes thatareretained on an object tombstone when the object is
deleted. If a tombstoned object is reactivated (undeleted), thesIDHistory attributeis now restored with the object.For more
information about tombstones, see”How the DataStore Works” on the Microsoft Web siteat http://go.microsoft.com/fwlink/?
LinkId=45973.
Adprep.exe improvements for Windows 2000 Server upgrades
The Adprep.exetool has been improved to reducetheimpact of File Replication service(FRS) synchronization that results from
updating SYSVOL files during upgrade. Adprep.exeis used to upgradethe Windows 2000 Server schema to the Windows
Server 2003 schema and to updatesomeforest-and domain-specific configuration, including SYSVOL, that is required for a
Windows Server 2003 domain controller to be operational.Thetool now allows performing SYSVOL operations in a separate
step when preparing the domain for upgrade. A new switch, /gpprep, has been added to accommodatetheSYSVOL updates,
which can be performed ata convenient timefollowing the upgrade.The adprep /domainprep command, which formerly
performed both directory and SYSVOL updates, now updates only the directory. Adprep.exealso now detects third-party
schemaextensions that block an upgrade, identifies the blocking extensions,and recommends fixes. MicrosoftExchangeServer
schema objects arealso detected so that theExchangeServer schema can be prepared appropriately to accommodate
InetOrgPerson naming.For moreinformation about thechanges to Adprep.exe, seethe Adprep.exesection of this article.
Changes in dragging and dropping objects in Active Directory Users and computers
In Windows Server 2003,Service Pack 1 two changes to the drag and drop behavior in the Active Directory Users and
Computers Microsoft Management Console(MMC) snap-in were madein responseto customer feedback.
First, by default thereis now a confirmation dialog when dragging and dropping objects in Active Directory Users and
Computers Microsoft Management Console(MMC) snap-in. In Windows Server 2003 drag and drop support in Active
Directory Users and Computers was enabled. However, it did not provideany confirmation dialog when moving objects.This
madeiteasier to move objects, butalso madeiteasier to inadvertently movean object to the wrong location and causeclient
workstations to loseaccess to critical resources. By adding a confirmation dialog to the drag and drop behavior, the
administrator has a chanceto correctan unintentional error beforeit impacts the organization.When theconfirmation dialog
is displayed thereis a check box for Don’t show this warning while this snap-in is open.
If the user selects the Don’t show this warning while this snap-in is open checkbox, then theconfirmation dialog will no
longer beshown throughout thecurrent snap-in session.Subsequent drag and drop attempts in that snap-in session will occur
withoutany confirmation.
If the user doesn’t select the Don’t show this warning while this snap-in is open checkbox, then the warning message will
beshown every timethe user tries to drag or drop an object.
Second,an administrator can chooseto disable dragging and dropping completely by setting theflags attribute on the
Display Specifiers container.The display specifiers container is in the directory at:
CN=DisplaySpecifiers,CN=Configuration,DC=.This attributecan beset using ADSIedit.msc, which
is availablein Windows SupportTools.
The overall behavior is:
If theflags attributeis set to any value, then drag and drop is disabled.This is not the default.
If theflags attributeis not set (default case), then the user will beableto use drag and drop to move objects in the Active
Directory Computers and Users MMC snap-in.