Active Directory in Windows Server 2003 Service Pack 1



Applies To: Windows Server 2003 with SP1
What does Active Directory do?
Active Directory® is a directory service that stores information about objects on a network and makes this information available to users and network administrators. Active Directory objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts.
Active Directory is composed of the following:
Schema. This is a set of rules that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names.
Global catalog. This data store contains information about every object in the directory. This allows users and administrators to find directory information regardless of which domain in the directory actually contains the data.
Query and index. Using this mechanism, objects and their properties can be published and found by network users or
Replication service. This service distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.
Active Directory client software. The Active Directory client enables many of the Active Directory features available on Windows 2000 Professional or Windows XP Professional clients for computers running Windows 95, Windows 98, and Windows NT 4.0.
Who does this feature apply to?
The changes in Active Directory for Windows Server 2003 Service Pack 1 (SP1) will be of interest to:
IT professionals who support Active Directory, such as Active Directory administrators, Active Directory schema administrators, Domain Name System (DNS) administrators, and domain controller administrators.
Help desk professionals.
Application developers.
System integrators.
What functionality is changing in Windows Server 2003 Service Pack 1?
Directory service backup reminders
A new event message, event ID 2089, provides the backup status of each directory partition that a domain controller stores, including application directory partitions and Active Directory Application Mode (ADAM) partitions. If halfway through the backup latency interval (tombstone lifetime) a partition has not been backed up, this event is logged in the Directory Service event log and continues daily until the partition is backed up.
Added replication security and fewer replication errors
Replication metadata for domain controllers from which Active Directory has been removed is no longer retained by default, although a waiting period can be configured. This change improves replication security and eliminates replication error messages that are caused by failed attempts to replicate with decommissioned domain controllers. For more information about preserving replication metadata, see "How the Active Directory Replication Model Works" on the Microsoft Web site at
Install from Media improvement for installing DNS servers
Install from Media improvements make it easier to create a new domain controller that is a DNS server by providing the new option to include application directory partitions in the backup media that is used to install the new domain controller. This option eliminates the requirement for replication of the DomainDNSZones and ForestDNSZones application directory partitions before the DNS server is operational.
Enhancements for replication and DNS testing
The Dcdiag.exe command-line tool, which is available in Windows Support Tools, provides new reporting on the overall health of replication with respect to Active Directory security. This test provides a summary of results along with detailed information for each domain controller that is tested and a diagnosis of any security errors. Dcdiag.exe also has new DNS tests for connectivity, service availability, forwarders and root hints, delegation, dynamic update, locator record registrations, external name resolution, and enterprise infrastructure. These tests can be performed on one domain controller or on all domain controllers in a forest. For more information about the changes to Dcdiag.exe, see the Dcdiag.exe section of this article.
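The following PowerShell wrapper is an added example and is not part of the original post or of Microsoft's documentation. It runs the SP1 Dcdiag.exe DNS tests (/test:DNS /DnsAll) and the replication security test (/test:CheckSecurityError) described above, either against the local domain controller or, with /e, against every domain controller in the forest, and parses the "passed test"/"failed test" summary lines into objects so failures can be listed in one place. It assumes Dcdiag.exe from Windows Support Tools is on the PATH and that the caller has Enterprise Admin rights; the sample output lines at the end are constructed to show what the parser extracts and are not real results.

```powershell
# Added example (not from the original post): summarise SP1 Dcdiag.exe
# DNS and replication-security test results per domain controller.

# Parse lines such as
#   "......................... DC1 passed test Connectivity"
#   "......................... DC2 failed test DNS"
# into objects. Kept separate from the dcdiag call so it can be exercised
# offline on captured output.
function ConvertFrom-DcdiagOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)') {
            New-Object PSObject -Property @{
                Server = $matches[1]; Result = $matches[2]; Test = $matches[3]
            }
        }
    }
}

function Invoke-DcdiagHealthCheck {
    param(
        [string]$ReplSource,           # optional replication partner for CheckSecurityError
        [switch]$AllDomainControllers  # /e: test every DC in the forest, not only this one
    )
    # /DnsAll covers connectivity, forwarders and root hints, delegation,
    # dynamic update, locator record registration and external name resolution.
    $dnsArgs = @('/test:DNS', '/DnsAll', '/v')
    $secArgs = @('/test:CheckSecurityError', '/v')
    if ($ReplSource)           { $secArgs += "/ReplSource:$ReplSource" }
    if ($AllDomainControllers) { $dnsArgs += '/e'; $secArgs += '/e' }

    $output  = @(& dcdiag.exe @dnsArgs 2>&1) + @(& dcdiag.exe @secArgs 2>&1)
    $results = @(ConvertFrom-DcdiagOutput ([string[]]$output))
    $failed  = @($results | Where-Object { $_.Result -eq 'failed' })
    if ($failed.Count -gt 0) {
        Write-Warning ("{0} failed test(s) on the checked domain controllers" -f $failed.Count)
        $failed | Format-Table Server, Test -AutoSize | Out-Host
    }
    $results
}

# Constructed sample output (not real data) to show what the parser extracts.
$sample = @(
    '   Testing server: Default-First-Site-Name\DC1',
    '      Starting test: Connectivity',
    '         ......................... DC1 passed test Connectivity',
    '      Starting test: DNS',
    '         ......................... DC2 failed test DNS'
)
ConvertFrom-DcdiagOutput $sample | Format-Table Server, Result, Test -AutoSize

# Live run on every DC in the forest, checking security errors against DC1:
# Invoke-DcdiagHealthCheck -AllDomainControllers -ReplSource DC1
```

The verbose (/v) output is kept in $output only for parsing; if you want the detailed diagnosis Dcdiag.exe prints for a failed security test, add /f:<logfile> to the argument arrays and read the log.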
Support for running domain controllers in virtual machines
On a single physical server that is running Windows Server 2003 and Microsoft Virtual Server 2005, you can install multiple Windows Server 2003 or Windows 2000 Server domain controllers in separate virtual machines. This platform is well suited for test environments. By using virtual machines, you can effectively host multiple domains, multiple domain controllers for the same domain, or even multiple forests on one physical server that is running a single operating system. Windows Server 2003 SP1 also provides protection against directory corruption that can result from improper backup and restoration of domain controller images. For more information about running domain controllers in virtual machines, see "Running Domain Controllers in Virtual Server 2005" on the Microsoft Web site at
Operations master health and status reporting
If an operation that requires a domain controller that holds an operations master role (also known as flexible single-master operations (FSMO)) cannot be performed, events are now logged in the Directory Service event log. Events identify role holders that do not exist, exist but are not available, or are available but have not replicated recently with the contacting domain controller. For more information about operations masters, see "How Operations Masters Work" on the Microsoft Web
Extended storage of deleted objects
The default period that a copy of a deleted object is retained in Active Directory, called the tombstone lifetime, is extended from 60 days to 180 days. A longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected domain controller beyond the time when the object is permanently deleted from online domain controllers. The tombstone lifetime is not changed automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days. For more information about tombstone lifetime, see "How the Data Store Works" on the Microsoft Web site at
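As an added example covering both the backup reminder (event ID 2089) and the tombstone lifetime sections above, and not part of the original post, the following PowerShell reads the forest's tombstoneLifetime from the Directory Service object in the Configuration partition, works out the point at which SP1 starts logging event 2089 (half the tombstone lifetime), counts any 2089 events already in the local Directory Service log, and optionally raises the lifetime to the SP1 default of 180 days. It assumes it is run on a domain controller with ADSI available and that the account can write to the Configuration partition; an upgraded forest that never had the attribute set is treated as using the old 60-day default, which is the directory's behaviour when the value is absent.

```powershell
# Added example (not from the original post): tombstone lifetime and
# backup-reminder status for this forest.
function Get-TombstoneLifetimeStatus {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.configurationNamingContext
    $dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    # Forests created before SP1 usually have no value set; the directory then
    # uses the old 60-day default. Only forests created with SP1 get 180.
    $tsl = $dsObj.Properties["tombstoneLifetime"].Value
    $effective = if ($tsl) { [int]$tsl } else { 60 }

    # Event 2089 is logged once a partition has gone half the tombstone
    # lifetime without a backup, then daily until a backup is taken.
    $reminders = @(Get-EventLog -LogName "Directory Service" |
                   Where-Object { $_.EventID -eq 2089 })

    New-Object PSObject -Property @{
        ConfiguredTombstoneLifetime = $tsl          # $null means "not set"
        EffectiveDays               = $effective
        BackupReminderAfterDays     = [int]($effective / 2)
        Event2089Count              = $reminders.Count
        LastEvent2089               = if ($reminders.Count) { $reminders[0].TimeGenerated } else { $null }
    }
}

# Raise the tombstone lifetime (SP1 default is 180 days). The value lives in
# the Configuration partition and replicates to every DC in the forest.
function Set-TombstoneLifetime {
    param([int]$Days = 180)
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.configurationNamingContext
    $dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $dsObj.Properties["tombstoneLifetime"].Value = $Days
    $dsObj.CommitChanges()
}

Get-TombstoneLifetimeStatus | Format-List
# Set-TombstoneLifetime -Days 180
```

Check the status before changing the value: a domain controller that has been offline for longer than the current tombstone lifetime should not be reconnected, whatever value you are about to set, because its copy of deleted objects has already outlived the tombstones on the online domain controllers.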
Improved domain controller name resolution
In response to Domain Name System (DNS) name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see "How DNS Support for Active Directory Works" on the Microsoft Web site at
Simplified process for server metadata removal
The Ntdsutil.exe command-line tool for managing the Active Directory database has new commands that make it easier to remove domain controller metadata. Preliminary steps, such as connecting to a server, domain, and site, are no longer required. You simply specify the server to remove. You can also specify the server on which to make the deletion. For more information about the changes to Ntdsutil.exe, see the Ntdsutil.exe section of this article.
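An added example, not from the original post, of the simplified SP1 metadata cleanup driven from PowerShell: the server distinguished name is built from the decommissioned domain controller's name and site, Ntdsutil.exe is invoked with the SP1 "remove selected server <ServerDN> on <DC>" form (so no connections or select operation target steps are needed), and the function then verifies that the NTDS Settings object for the dead domain controller is gone. The domain controller and site names in the usage line are hypothetical; Ntdsutil.exe must be run with Enterprise Admin rights.

```powershell
# Added example (not from the original post): remove a decommissioned DC's
# metadata with the SP1 ntdsutil syntax and verify the result.
function Remove-DcMetadata {
    param(
        [Parameter(Mandatory=$true)][string]$DeadDcName,  # e.g. DC2 (hypothetical)
        [Parameter(Mandatory=$true)][string]$SiteName,    # e.g. Default-First-Site-Name
        [string]$TargetDc                                 # DC that performs the deletion (optional)
    )
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.configurationNamingContext
    $serverDN = "CN=$DeadDcName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
    $ntdsDN   = "CN=NTDS Settings,$serverDN"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ntdsDN")) {
        Write-Warning "$ntdsDN does not exist; nothing to clean up"
        return $true
    }

    # SP1 form: one command names the server to remove, and "on <DC>" names the
    # DC on which the deletion is made. Each argument is one ntdsutil command.
    $removeCmd = "remove selected server $serverDN"
    if ($TargetDc) { $removeCmd += " on $TargetDc" }
    & ntdsutil.exe "metadata cleanup" $removeCmd quit quit | Out-Host

    # Verify on the DC we are bound to; allow for replication latency if a
    # different target DC was used.
    $gone = -not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ntdsDN")
    if (-not $gone) { Write-Warning "NTDS Settings for $DeadDcName still present on this DC" }
    $gone
}

# Remove-DcMetadata -DeadDcName DC2 -SiteName Default-First-Site-Name -TargetDc DC1
```

Only run this for a domain controller that has actually been demoted or is permanently lost; after the NTDS Settings object is gone, the remaining server object in Sites and Services and any DNS records the dead domain controller registered still need to be removed by hand.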
Improved security to protect confidential attributes
To prevent Read access to confidential attributes, such as a Social Security number, while allowing Read access to other object attributes, you can designate specific attributes as confidential by setting a search flag on the respective attributeSchema object. By default, only domain administrators have Read access to confidential attributes, but this access can be delegated. For more information about access to attributes, see "How Security Descriptors and Access Control Lists Work" on the Microsoft Web site at
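The following PowerShell is an added example and not part of the original post or of Microsoft's documentation. It shows the two halves of the confidential attribute feature: marking an attributeSchema object confidential by setting bit 0x80 in its searchFlags (on the schema master, since that is where schema writes must go, and refusing base schema attributes, which cannot be marked confidential), and then delegating read access by granting a group the Control Access right scoped to that attribute's schemaIDGUID, which is what a non-administrator needs in addition to Read Property to read a confidential attribute. The attribute name, OU and group in the usage lines are hypothetical; the first function needs Schema Admin rights and the second needs permission to change the OU's security descriptor.

```powershell
# Added example (not from the original post): mark an attribute confidential
# and delegate read access to it.
function Set-ConfidentialAttribute {
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)

    # Schema writes must be made on the schema master.
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $master   = $forest.SchemaRoleOwner.Name
    $schemaNC = ([ADSI]"LDAP://$master/RootDSE").schemaNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$master/$schemaNC"
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $found = $searcher.FindOne()
    if (-not $found) { throw "attribute $LdapDisplayName not found in the schema" }
    $attr = $found.GetDirectoryEntry()

    # Base schema attributes (systemFlags bit 0x10) cannot be made confidential.
    $systemFlags = [int]$attr.Properties["systemFlags"].Value
    if ($systemFlags -band 0x10) { throw "$LdapDisplayName is a base schema attribute" }

    # searchFlags bit 0x80 = CONFIDENTIAL. Preserve the other bits (indexing etc.).
    $searchFlags = [int]$attr.Properties["searchFlags"].Value
    if (-not ($searchFlags -band 0x80)) {
        $attr.Properties["searchFlags"].Value = ($searchFlags -bor 0x80)
        $attr.CommitChanges()
    }
    # The attribute's schemaIDGUID is the object type needed for delegation.
    [guid]$attr.Properties["schemaIDGUID"].Value
}

# Readers of a confidential attribute need Read Property plus the Control
# Access right (ExtendedRight in .NET) scoped to the attribute's GUID.
function Grant-ConfidentialAttributeRead {
    param(
        [Parameter(Mandatory=$true)][string]$ContainerDN,   # e.g. OU=Staff,DC=contoso,DC=com
        [Parameter(Mandatory=$true)][string]$GroupName,     # e.g. CONTOSO\HR-Readers
        [Parameter(Mandatory=$true)][guid]$AttributeGuid
    )
    $container = [ADSI]"LDAP://$ContainerDN"
    $identity  = New-Object System.Security.Principal.NTAccount($GroupName)
    $rights    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]$rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
    $container.ObjectSecurity.AddAccessRule($ace)
    $container.CommitChanges()
}

# $guid = Set-ConfidentialAttribute -LdapDisplayName 'contoso-SSN'        # hypothetical attribute
# Grant-ConfidentialAttributeRead -ContainerDN 'OU=Staff,DC=contoso,DC=com' `
#     -GroupName 'CONTOSO\HR-Readers' -AttributeGuid $guid
```

After setting the flag, test with an ordinary user account: a search that returns the object should come back without the attribute, and only after the Control Access grant should it appear. Note that the flag only restricts reads; whoever already has Write Property on the attribute can still change it.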
Retention of SID history on tombstones
The sIDHistory attribute has been added to the set of attributes that are retained on an object tombstone when the object is deleted. If a tombstoned object is reactivated (undeleted), the sIDHistory attribute is now restored with the object. For more information about tombstones, see "How the Data Store Works" on the Microsoft Web site at
Adprep.exe improvements for Windows 2000 Server upgrades
The Adprep.exe tool has been improved to reduce the impact of File Replication service (FRS) synchronization that results from updating SYSVOL files during upgrade. Adprep.exe is used to upgrade the Windows 2000 Server schema to the Windows Server 2003 schema and to update some forest- and domain-specific configuration, including SYSVOL, that is required for a Windows Server 2003 domain controller to be operational. The tool now allows performing SYSVOL operations in a separate step when preparing the domain for upgrade. A new switch, /gpprep, has been added to accommodate the SYSVOL updates, which can be performed at a convenient time following the upgrade. The adprep /domainprep command, which formerly performed both directory and SYSVOL updates, now updates only the directory. Adprep.exe also now detects third-party schema extensions that block an upgrade, identifies the blocking extensions, and recommends fixes. Microsoft Exchange Server schema objects are also detected so that the Exchange Server schema can be prepared appropriately to accommodate InetOrgPerson naming. For more information about the changes to Adprep.exe, see the Adprep.exe section of this article.
Changes in dragging and dropping objects in Active Directory Users and Computers
In Windows Server 2003 Service Pack 1, two changes to the drag and drop behavior in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in were made in response to customer feedback.
First, by default there is now a confirmation dialog when dragging and dropping objects in the Active Directory Users and Computers MMC snap-in. In Windows Server 2003, drag and drop support in Active Directory Users and Computers was enabled. However, it did not provide any confirmation dialog when moving objects. This made it easier to move objects, but also made it easier to inadvertently move an object to the wrong location and cause client workstations to lose access to critical resources. By adding a confirmation dialog to the drag and drop behavior, the administrator has a chance to correct an unintentional error before it impacts the organization. When the confirmation dialog is displayed there is a check box for Don’t show this warning while this snap-in is open.
If the user selects the Don’t show this warning while this snap-in is open check box, then the confirmation dialog will no longer be shown throughout the current snap-in session. Subsequent drag and drop attempts in that snap-in session will occur without any confirmation.
If the user doesn’t select the Don’t show this warning while this snap-in is open check box, then the warning message will be shown every time the user tries to drag or drop an object.
Second, an administrator can choose to disable dragging and dropping completely by setting the flags attribute on the Display Specifiers container. The display specifiers container is in the directory at:
CN=DisplaySpecifiers,CN=Configuration,DC=. This attribute can be set using ADSIedit.msc, which is available in Windows Support Tools.
The overall behavior is:
If the flags attribute is set to any value, then drag and drop is disabled. This is not the default.
If the flags attribute is not set (default case), then the user will be able to use drag and drop to move objects in the Active Directory Users and Computers MMC snap-in.
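As an added example, not part of the original post, the following PowerShell sets or clears the flags attribute on the Display Specifiers container through ADSI instead of ADSIedit.msc, so the change can be scripted and its current state checked. It reads the Configuration naming context from RootDSE rather than hard-coding the forest name; writing the attribute requires Enterprise Admin rights, and the change reaches administrators' consoles only after the Configuration partition has replicated to the domain controller their snap-in is bound to.

```powershell
# Added example (not from the original post): control drag and drop in the
# Active Directory Users and Computers snap-in via the Display Specifiers
# container's flags attribute.
function Get-DisplaySpecifiersEntry {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.configurationNamingContext
    [ADSI]"LDAP://CN=DisplaySpecifiers,$configNC"
}

function Get-AducDragDropState {
    $flags = (Get-DisplaySpecifiersEntry).Properties["flags"].Value
    if ($flags -eq $null) {
        "enabled (flags attribute not set, the default)"
    } else {
        "disabled (flags attribute set to $flags)"
    }
}

function Set-AducDragDrop {
    param([switch]$Disable)
    $ds = Get-DisplaySpecifiersEntry
    if ($Disable) {
        # Any value disables drag and drop; 1 is used here only by convention.
        $ds.Properties["flags"].Value = 1
    } else {
        # Clearing the attribute restores the default (drag and drop allowed).
        $ds.Properties["flags"].Clear()
    }
    $ds.CommitChanges()
    Get-AducDragDropState
}

Get-AducDragDropState
# Set-AducDragDrop -Disable   # lock it down forest-wide
# Set-AducDragDrop            # restore the default
```

Disabling drag and drop does not stop an administrator from moving objects with the Move command or with scripts; it only removes the accidental path. Keep the confirmation dialog enabled as well if you rely on the consoles for routine moves.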
