Active Directory in Windows Server 2003 Service Pack 1


This topic contains 0 replies, has 1 voice, and was last updated by Webmaster 2 years ago.

    Applies To: Windows Server 2003 with SP1

    What does Active Directory do?

    Active Directory® is a directory service that stores information about objects on a network and makes this information available to users and network administrators. Active Directory objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts.

    Active Directory is composed of the following:

    Schema. This is a set of rules that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names.

    Global catalog. This data store contains information about every object in the directory. This allows users and administrators to find directory information regardless of which domain in the directory actually contains the data.

    Query and index. Using this mechanism, objects and their properties can be published and found by network users or

    Replication service. This service distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.

    Active Directory client software. The Active Directory client enables many of the Active Directory features available on Windows 2000 Professional or Windows XP Professional clients for computers running Windows 95, Windows 98, and Windows NT 4.0.
    Who does this feature apply to?

    The changes in Active Directory for Windows Server 2003 Service Pack 1 (SP1) will be of interest to:

    IT professionals who support Active Directory, such as Active Directory administrators, Active Directory schema administrators, Domain Name System (DNS) administrators, and domain controller administrators.
    Help desk professionals.
    Application developers.
    System integrators.
    What functionality is changing in Windows Server 2003 Service Pack 1?

    Directory service backup reminders

    A new event message, event ID 2089, provides the backup status of each directory partition that a domain controller stores, including application directory partitions and Active Directory Application Mode (ADAM) partitions. If halfway through the backup latency interval (tombstone lifetime) a partition has not been backed up, this event is logged in the Directory Service event log and continues daily until the partition is backed up.

    Added replication security and fewer replication errors

    Replication metadata for domain controllers from which Active Directory has been removed is no longer retained by default, although a waiting period can be configured. This change improves replication security and eliminates replication error messages that are caused by failed attempts to replicate with decommissioned domain controllers. For more information about preserving replication metadata, see “How the Active Directory Replication Model Works” on the Microsoft Web site at
    Install from Media improvement for installing DNS servers

    Install from Media improvements make it easier to create a new domain controller that is a DNS server by providing the new option to include application directory partitions in the backup media that is used to install the new domain controller. This option eliminates the requirement for replication of the DomainDNSZones and ForestDNSZones application directory partitions before the DNS server is operational.

    Enhancements for replication and DNS testing

    The Dcdiag.exe command-line tool, which is available in Windows Support Tools, provides new reporting on the overall health of replication with respect to Active Directory security. This test provides a summary of results along with detailed information for each domain controller that is tested and a diagnosis of any security errors. Dcdiag.exe also has new DNS tests for connectivity, service availability, forwarders and root hints, delegation, dynamic update, locator record registrations, external name resolution, and enterprise infrastructure. These tests can be performed on one domain controller or on all domain controllers in a forest. For more information about the changes to Dcdiag.exe, see the Dcdiag.exe section of this article.
    Support for running domain controllers in virtual machines

    On a single physical server that is running Windows Server 2003 and Microsoft Virtual Server 2005, you can install multiple Windows Server 2003 or Windows 2000 Server domain controllers in separate virtual machines. This platform is well suited for test environments. By using virtual machines, you can effectively host multiple domains, multiple domain controllers for the same domain, or even multiple forests on one physical server that is running a single operating system. Windows Server 2003 SP1 also provides protection against directory corruption that can result from improper backup and restoration of domain controller images. For more information about running domain controllers in virtual machines, see “Running Domain Controllers in Virtual Server 2005” on the Microsoft Web site at

    Operations master health and status reporting

    If an operation that requires a domain controller that holds an operations master role (also known as flexible single-master operations (FSMO)) cannot be performed, events are now logged in the Directory Service event log. Events identify role holders that do not exist, exist but are not available, or are available but have not replicated recently with the contacting domain controller. For more information about operations masters, see “How Operations Masters Work” on the Microsoft Web
    Extended storage of deleted objects

    The default period that a copy of a deleted object is retained in Active Directory, called the tombstone lifetime, is extended from 60 days to 180 days. A longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected domain controller beyond the time when the object is permanently deleted from online domain controllers. The tombstone lifetime is not changed automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days. For more information about tombstone lifetime, see “How the Data Store Works” on the Microsoft Web site at
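The backup-reminder and tombstone-lifetime sections above describe the same threshold from two sides. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the forest's tombstone lifetime, derives the half-lifetime point at which event 2089 begins, and checks the Directory Service log for reminders already raised. It assumes the tombstoneLifetime attribute is stored on the Directory Service object under the Configuration partition, that it is run on a domain controller with Domain Admins rights, and that the optional write at the end is left commented out until you choose to apply it.

```powershell
# Added example (not the article's or Microsoft's code): report the forest
# tombstone lifetime, the point at which event 2089 starts, and any 2089
# reminders already logged on this domain controller.
# Assumption: tombstoneLifetime lives on the Directory Service object in the
# Configuration partition; run on a DC as a Domain Admin.

$rootDse    = [ADSI]"LDAP://RootDSE"
$configNc   = $rootDse.Properties["configurationNamingContext"].Value
$dsSettings = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

# When the attribute is absent the directory uses the pre-SP1 default of 60 days;
# forests created with SP1 carry an explicit value of 180.
$ttl = $dsSettings.Properties["tombstoneLifetime"].Value
if ($null -eq $ttl) { $ttl = 60 }
$ttl = [int]$ttl

# Event 2089 is raised once a partition has gone half the lifetime without a backup.
$backupThreshold = [math]::Floor($ttl / 2)
Write-Host "Tombstone lifetime: $ttl days"
Write-Host "Event 2089 expected for any partition not backed up within $backupThreshold days"

# Look for reminders that have already fired in the Directory Service log.
$reminders = Get-EventLog -LogName "Directory Service" -Newest 2000 |
    Where-Object { $_.EventID -eq 2089 }
if ($reminders) {
    Write-Host "Event 2089 logged $(@($reminders).Count) time(s); most recent entry:"
    $reminders | Select-Object -First 1 TimeGenerated, Message | Format-List
} else {
    Write-Host "No event 2089 in the newest 2000 Directory Service entries"
}

# To adopt the SP1 default on an upgraded forest, uncomment the two lines below.
# Raising the value is safe; never lower it below the age of your newest usable backup.
# $dsSettings.Put("tombstoneLifetime", 180)
# $dsSettings.SetInfo()
```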
    Improved domain controller name resolution

    In response to Domain Name System (DNS) name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see “How DNS Support for Active Directory Works” on the Microsoft Web site at

    Simplified process for server metadata removal

    The Ntdsutil.exe command-line tool for managing the Active Directory database has new commands that make it easier to remove domain controller metadata. Preliminary steps, such as connecting to a server, domain, and site, are no longer required. You simply specify the server to remove. You can also specify the server on which to make the deletion. For more information about the changes to Ntdsutil.exe, see the Ntdsutil.exe section of this article.
    Improved security to protect confidential attributes

    To prevent Read access to confidential attributes, such as a Social Security number, while allowing Read access to other object attributes, you can designate specific attributes as confidential by setting a search flag on the respective attributeSchema object. By default, only domain administrators have Read access to confidential attributes, but this access can be delegated. For more information about access to attributes, see “How Security Descriptors and Access Control Lists Work” on the Microsoft Web site at
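The "search flag" the section refers to is the CONFIDENTIAL bit (0x80) of the attribute's searchFlags value. The PowerShell below is an added example, not code from the article or from Microsoft: it locates a custom attributeSchema object by its LDAP display name, refuses to touch a base-schema attribute (on which the bit cannot be set), and sets the bit only if it is not already present. The attribute name is a placeholder; it assumes Schema Admins rights and a session against the schema master.

```powershell
# Added example (not the article's or Microsoft's code): mark a custom schema
# attribute as confidential by setting the CONFIDENTIAL bit in its searchFlags.
# Assumptions: Schema Admins rights, run against the schema master; the attribute
# name below is a placeholder for your own custom attribute.

$attrName     = "x-employee-SSN"   # placeholder lDAPDisplayName of a custom attribute
$CONFIDENTIAL = 0x80               # searchFlags bit that withholds the value from plain Read
$BASE_SCHEMA  = 0x10               # systemFlags bit marking a base (category 1) attribute

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.Properties["schemaNamingContext"].Value

# Find the attributeSchema object by lDAPDisplayName rather than guessing its CN.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
$searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))"
$result = $searcher.FindOne()
if ($null -eq $result) { throw "Attribute $attrName not found in the schema" }
$attr = $result.GetDirectoryEntry()

# Base schema attributes reject the confidential bit; stop before attempting the write.
$systemFlags = [int]$attr.Properties["systemFlags"].Value
if ($systemFlags -band $BASE_SCHEMA) {
    throw "$attrName is a base schema attribute; the confidential bit cannot be set on it"
}

$searchFlags = [int]$attr.Properties["searchFlags"].Value   # absent value becomes 0
if ($searchFlags -band $CONFIDENTIAL) {
    Write-Host "$attrName is already confidential (searchFlags=$searchFlags)"
} else {
    $newFlags = $searchFlags -bor $CONFIDENTIAL
    $attr.Put("searchFlags", $newFlags)
    $attr.SetInfo()
    Write-Host "$attrName marked confidential; searchFlags changed $searchFlags -> $newFlags"
}

# Reading the attribute now requires CONTROL_ACCESS on it in addition to Read Property;
# domain administrators hold that by default, and it can be delegated where needed.
```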
    Retention of SID history on tombstones
    ThesIDHistory attribute has been added to theset of attributes thatareretained on an object tombstone when the object is
    deleted. If a tombstoned object is reactivated (undeleted), thesIDHistory attributeis now restored with the object.For more
    information about tombstones, see”How the DataStore Works” on the Microsoft Web siteat
    Adprep.exe improvements for Windows 2000 Server upgrades
    The Adprep.exetool has been improved to reducetheimpact of File Replication service(FRS) synchronization that results from
    updating SYSVOL files during upgrade. Adprep.exeis used to upgradethe Windows 2000 Server schema to the Windows
    Server 2003 schema and to updatesomeforest-and domain-specific configuration, including SYSVOL, that is required for a
    Windows Server 2003 domain controller to be operational.Thetool now allows performing SYSVOL operations in a separate
    step when preparing the domain for upgrade. A new switch, /gpprep, has been added to accommodatetheSYSVOL updates,
    which can be performed ata convenient timefollowing the upgrade.The adprep /domainprep command, which formerly
    performed both directory and SYSVOL updates, now updates only the directory. Adprep.exealso now detects third-party
    schemaextensions that block an upgrade, identifies the blocking extensions,and recommends fixes. MicrosoftExchangeServer
    schema objects arealso detected so that theExchangeServer schema can be prepared appropriately to accommodate
    InetOrgPerson naming.For moreinformation about thechanges to Adprep.exe, seethe Adprep.exesection of this article.
    Changes in dragging and dropping objects in Active Directory Users and Computers

    In Windows Server 2003 Service Pack 1, two changes to the drag and drop behavior in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in were made in response to customer feedback.

    First, by default there is now a confirmation dialog when dragging and dropping objects in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. In Windows Server 2003, drag and drop support in Active Directory Users and Computers was enabled. However, it did not provide any confirmation dialog when moving objects. This made it easier to move objects, but also made it easier to inadvertently move an object to the wrong location and cause client workstations to lose access to critical resources. By adding a confirmation dialog to the drag and drop behavior, the administrator has a chance to correct an unintentional error before it impacts the organization. When the confirmation dialog is displayed there is a check box for Don’t show this warning while this snap-in is open.

    If the user selects the Don’t show this warning while this snap-in is open check box, then the confirmation dialog will no longer be shown throughout the current snap-in session. Subsequent drag and drop attempts in that snap-in session will occur without any confirmation.

    If the user doesn’t select the Don’t show this warning while this snap-in is open check box, then the warning message will be shown every time the user tries to drag or drop an object.

    Second, an administrator can choose to disable dragging and dropping completely by setting the flags attribute on the Display Specifiers container. The display specifiers container is in the directory at:
    CN=DisplaySpecifiers,CN=Configuration,DC=.
    This attribute can be set using ADSIedit.msc, which is available in Windows Support Tools.

    The overall behavior is:
    If the flags attribute is set to any value, then drag and drop is disabled. This is not the default.
    If the flags attribute is not set (default case), then the user will be able to use drag and drop to move objects in the Active Directory Users and Computers MMC snap-in.
