Microsoft Windows Server 2003 Unleashed (R2 Edition)

Improvements in the functionality and reliability of Active Directory are of key importance to the development team at Microsoft. It is therefore no surprise that Windows Server 2003 introduces improvements in Active Directory. From the ability to rename Active Directory domains to improvements in replication compression, the changes made to the structure of Active Directory warrant a closer look.

  • Windows Server 2003 Active Directory Domain Rename Tool A promised feature of Active Directory that has been eagerly awaited is the ability to prune, splice, and rename Active Directory domains. Given the nature of corporate America, with restructuring, acquisitions, and name changes occurring constantly, the ability of Active Directory to be flexible in naming and structure is of utmost importance. The Active Directory rename tool was devised to address this very need.

    Before an Active Directory domain can be renamed, several key prerequisites must be in place. First, and probably most important, all domain controllers in the entire forest must be upgraded to Windows Server 2003 in advance. In addition, the domains and the forest must be raised to the Windows Server 2003 functional level. Finally, comprehensive backups of the environment should be performed before undertaking the rename.

    The domain rename process is complex and should never be considered routine. After the process, each domain controller must be rebooted, and each member computer across the entire forest must also be rebooted (twice). For a greater understanding of the domain rename tool and process, see Chapter 5.

  • Improvements in the Configure Your Server Wizard The Configure Your Server (CYS) Wizard, introduced with Windows 2000 Server, has been vastly improved. If you were used to disabling this wizard in Windows 2000, you may want to think again in Windows Server 2003, because the wizard can be very helpful in configuring your server for the role that it will play, shutting off services that are not necessary and configuring the ones that are needed. There are now options to configure a server as a Terminal Server, as well as Routing and Remote Access Server (RRAS) configurations.

  • Cross-Forest Transitive Trust Capabilities Windows Server 2003 Active Directory introduced the capability to establish cross-forest transitive trusts between two disparate Active Directory forests. This capability allows two companies to share resources more easily, without actually merging the forests. Note that both forests must be running at Windows Server 2003 functional levels for the transitive portion of this trust to function properly. Forests in mixed mode can use the older, nontransitive explicit trust capability.

  • Active Directory Replication Compression Disable Support By default, all replication traffic between domain controllers in Active Directory is compressed to reduce network traffic. However, this compression can have the undesired effect of slowing down processor performance on the domain controllers. In Windows Server 2003 Active Directory, you have the option of turning off this functionality, disabling compression and saving processor cycles. This would normally be an option only for organizations with very fast connections between all their domain controllers.

  • Schema Attribute Deactivation Developers who write applications for Active Directory can take heart in the fact that Windows Server 2003's Active Directory implementation offers the ability to deactivate schema attributes, allowing custom-built applications to utilize custom attributes without fear of conflict. In addition, attributes can be deactivated to reduce replication traffic.

  • Incremental Universal Group Membership Replication Windows 2000 previously had a major drawback in the use of universal groups. Membership in those groups was stored in a single, multivalued attribute in Active Directory. Essentially, what this meant was that any changes to membership in a universal group required a complete re-replication of all membership. In other words, if you had a universal group with 5,000 users, adding number 5,001 would require a major replication effort because all 5,001 users would be re-replicated across the forest. Windows Server 2003 simplifies this process and allows for incremental replication of universal group membership. In essence, only the 5,001st member is replicated in Windows Server 2003.
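The following toy model is an added illustration, not code from the book: it contrasts whole-attribute replication of the multi-valued member attribute (the Windows 2000 behaviour described above) with incremental, per-value replication (Windows Server 2003), and goes one step beyond the single-addition case in the text to show what happens when two domain controllers add different members to the same group at the same time. Conflict resolution is modelled as "the second writer wins", a simplifying assumption; real Active Directory compares version and timestamp.

```python
"""Toy model of universal group membership replication between two DCs.

Added illustration, not code from the book. Assumption: conflicting
whole-attribute writes are resolved as "DC2's write wins"; USNs,
timestamps and tombstones are ignored.
"""


def whole_attribute_replication(original, adds_on_dc1, adds_on_dc2):
    """Windows 2000 style: the whole member list is one replicated value.

    Each DC that changes the group ships the complete list, and when the
    two writes conflict only one complete list survives.
    Returns (converged membership, number of member values replicated).
    """
    dc1 = original | set(adds_on_dc1)
    dc2 = original | set(adds_on_dc2)
    replicated = 0
    if adds_on_dc1:
        replicated += len(dc1)          # full list re-sent from DC1
    if adds_on_dc2:
        replicated += len(dc2)          # full list re-sent from DC2
    # Assumption: DC2's version wins, so DC1's addition is silently lost.
    converged = dc2 if adds_on_dc2 else dc1
    return converged, replicated


def linked_value_replication(original, adds_on_dc1, adds_on_dc2):
    """Windows Server 2003 style: each member link replicates on its own.

    Only the changed values travel, and independent additions merge.
    Returns (converged membership, number of member values replicated).
    """
    delta1, delta2 = set(adds_on_dc1), set(adds_on_dc2)
    converged = original | delta1 | delta2
    return converged, len(delta1) + len(delta2)


def demo():
    """Constructed sample: a 5,000-member group; DC1 adds user5001, DC2 adds user5002."""
    members = {f"user{i:04d}" for i in range(1, 5001)}
    w_final, w_sent = whole_attribute_replication(members, ["user5001"], ["user5002"])
    l_final, l_sent = linked_value_replication(members, ["user5001"], ["user5002"])
    return {
        "whole_attribute": {"sent": w_sent, "size": len(w_final), "lost": "user5001" not in w_final},
        "linked_value": {"sent": l_sent, "size": len(l_final), "lost": "user5001" not in l_final},
    }
```

Calling demo() shows the whole-attribute model shipping both full 5,001-entry lists and dropping one of the two additions, while the linked-value model ships two values and keeps both.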

Active Directory in Application Mode (ADAM)

One additional function of Windows Server 2003 is the Active Directory in Application Mode (ADAM) product. AD was given the capability to run separate instances of itself as unique services. Active Directory in Application Mode allows specialized applications to utilize ADAM as their own directory service, negating the need for a new form of directory service for every critical application within an organization.

ADAM uses the same replication engine as Active Directory, follows the same X.500 structure, and is close enough to real AD functionality to allow it to be installed as a testbed for developers who design AD applications. Despite the similarities, however, ADAM runs as a separate service from the operating system, with its own schema and structure.

The real value to an ADAM implementation comes from its capability to utilize the security structure of the production domain(s), while maintaining its own directory structure. In fact, an instance of ADAM can run as a service on a Windows Server 2003 member server or even a Windows XP Professional workstation in a Windows NT domain. The ADAM would then utilize NT domain accounts for its own security.

ADAM functionality was developed in direct response to one of the main limitations in using Microsoft's Active Directory: the directory was so intrinsically tied to the network operating system (NOS) that applications that did not require the extra NOS-related functionality of AD were restricted in their particular directory needs. ADAM allows each application to have its own separate AD directory forest and allows for personalized modification of the directory, such as schema extensions, tailored replication (or lack of replication) needs, and other key directory needs.

One of the major advantages to ADAM also lies in the fact that multiple instances of ADAM can run on a single machine, each with its own unique name, port number, and separate binaries. In addition, ADAM can run on any version of Windows Server 2003 or even on Windows XP Professional for development purposes. Each instance of ADAM can utilize a separate, tailored schema.

ADAM is virtually indistinguishable from a normal NOS instance of Active Directory and consequently can be administered using the standard tools used for AD, such as ADSIEdit, LDP.exe, and the Microsoft Management Console (MMC) tools. In addition, user accounts can be created, unique replication topologies created, and all normal AD functionality can be performed on a tailored copy of an AD forest.

In short, ADAM provides applications with the advantages of the Active Directory environment, but without the NOS limitations that previously forced the implementation of multiple, cost-ineffective directories. Developers now can exploit the full functionality of Windows Server 2003's Active Directory without limitation, while at the same time assuming the numerous advantages of integration into a common security structure.

Additional Changes in Windows Server 2003

In addition to the changes listed in the preceding sections, Active Directory in Windows Server 2003 supports the following new features:

  • AD-Integrated DNS Zones in Application Partitions DNS zones that are Active Directory integrated are now stored in the application partition. This basically means that fewer objects need to be stored in AD, reducing replication concerns with DNS.

  • AD Lingering Objects Removal Objects listed in Active Directory that no longer exist can now be easily removed in Windows Server 2003.

  • AD Administration Enhancements Administrative tools have been enhanced in Windows Server 2003 to facilitate common tasks such as working with ACLs, finding objects, and selecting multiple OUs for tasks.
