New features for Active Directory
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
New Active Directory features in Windows Server 2003 with Service Pack 1 (SP1)
The following list summarizes the Active Directory features that are new since the original release of Windows Server 2003.
Directory service backup reminders. A new event message, event ID 2089, provides the backup status of each directory partition that a domain controller stores, including application directory partitions and Active Directory Application Mode (ADAM) partitions. If halfway through the tombstone lifetime a partition has not been backed up, this event is logged in the Directory Service event log and continues daily until the partition is backed up.
Added replication security and fewer replication errors. Replication metadata for domain controllers from which Active Directory has been removed is no longer retained by default, although a waiting period can be configured. This change improves replication security and eliminates replication error messages that are caused by failed attempts to replicate with decommissioned domain controllers. For more information about preserving replication metadata, see How the Active Directory Replication Model Works.
Install from Media improvement for installing DNS servers. Install from Media improvements make it easier to create a new domain controller that is a Domain Name System (DNS) server by providing a new option to include application directory partitions in the backup media that is used to install the new domain controller. This option eliminates the requirement for replication of the DomainDNSZones and ForestDNSZones application directory partitions before the DNS server is operational.
Enhancements for replication and DNS testing. The Dcdiag.exe command-line tool, which is available in Windows Support Tools, provides new reporting on the overall health of replication with respect to Active Directory security. This test provides a summary of results, along with detailed information for each domain controller that is tested and a diagnosis of any security errors. Dcdiag.exe also has new DNS tests for connectivity, service availability, forwarders and root hints, delegation, dynamic update, locator record registrations, external name resolution, and enterprise infrastructure. These tests can be performed on one domain controller or on all domain controllers in a forest. For more information about using Dcdiag.exe, see Windows Support Tools Help.
Support for running domain controllers in virtual machines. On a single physical server that is running Windows Server 2003 and Microsoft Virtual Server 2005, you can install multiple Windows Server 2003 or Windows 2000 Server domain controllers in separate virtual machines. This platform is well suited for test environments. By using virtual machines, you can effectively host multiple domains, multiple domain controllers for the same domain, or even multiple forests on one physical server that is running a single operating system. Windows Server 2003 SP1 also provides protection against directory corruption that can result from improper backup and restore of domain controller images. For more information about running domain controllers in virtual machines, see Running Domain Controllers in Virtual Server 2005.
Operations master health and status reporting. If an operation that requires a domain controller that holds an operations master role (also known as flexible single-master operations (FSMO)) cannot be performed, events are now logged in the Directory Service event log. Events identify role holders that do not exist, exist but are not available, or are available but have not replicated recently with the contacting domain controller. For more information about operations masters, see How Operations Masters Work.
Extended storage of deleted objects. The default period that a copy of a deleted object is retained in Active Directory, called the tombstone lifetime, is extended from 60 days to 180 days. Longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected domain controller beyond the time when the object is permanently deleted from online domain controllers. The tombstone lifetime is not changed automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days. For more information about tombstone lifetime, see How the Data Store Works.
Improved domain controller name resolution. In response to DNS name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see How DNS Support for Active Directory Works.
Improved server metadata removal. The Ntdsutil.exe command-line tool for managing the Active Directory database has new functionality that makes it easier to remove domain controller metadata. Preliminary steps, such as connecting to a server, domain, and site, are no longer required. You simply specify the server to remove. You can also specify the server on which to perform the deletion. Metadata removal is now more comprehensive: in addition to Active Directory replication metadata, the tool now removes File replication service (FRS) metadata and operations master metadata. If an operations master role is assigned to the server that is being removed, the tool attempts to transfer the role to an appropriate domain controller. For more information, see Delete extinct server metadata.
Improved security to protect confidential attributes. To prevent Read access to confidential attributes, such as a Social Security number, while allowing Read access to other object attributes, you can designate specific attributes as confidential by setting a search flag on the respective attributeSchema object. By default, only domain administrators have Read access to confidential attributes, but this access can be delegated. For more information about access to attributes, see How Security Descriptors and Access Control Lists Work.
Retention of SID history on tombstones. The sIDHistory attribute has been added to the set of attributes that are retained on an object tombstone when the object is deleted. If a tombstoned object is reactivated (undeleted), the sIDHistory attribute is now restored with the object. For more information about tombstones, see How the Data Store Works.
Adprep.exe improvements for Windows 2000 Server upgrades. The Adprep tool has been improved to reduce the impact of FRS synchronization that results from updating SYSVOL files during upgrade. Adprep is used to upgrade the Windows 2000 Server schema to the Windows Server 2003 schema and to update some forest- and domain-specific configuration, including SYSVOL, that is required for a Windows Server 2003 domain controller to be operational. The tool now allows performing SYSVOL operations in a separate step when the domain is prepared for upgrade. A new switch, /gpprep, has been added to accommodate the SYSVOL updates, which can be performed at a convenient time following the upgrade. The adprep /domainprep command, which formerly performed both directory and SYSVOL updates, now updates only the directory. Adprep also now detects third-party schema extensions that block an upgrade, identifies the blocking extensions, and recommends fixes. Microsoft Exchange schema objects are also detected so that the Exchange schema can be prepared appropriately to accommodate inetOrgPerson naming. For more information about Adprep.exe, see Adprep.
Improved authoritative restore. The authoritative restore option in Ntdsutil now locates backlinks for all objects that are authoritatively restored, including links that were created before implementation of the Windows Server 2003 or Windows Server 2003 interim forest functional level, in which linked-value replication (LVR) functionality was introduced. For example, suppose that a user object is restored and the user belongs to group G1, which was created before the forest functional level was raised, and the user also belongs to group G2, which was created after the forest functional level was raised. During authoritative restore of the user object, the member attribute of G2 is updated, but not the member attribute of G1. Ntdsutil now creates a text file that identifies the authoritatively restored objects and uses this file to create an LDAP Data Interchange Format (LDIF) file that can be used to restore all backlinks for pre-LVR groups in this domain. In the example, when this LDIF file is run after authoritative restore, the restored user is added to group G1. A new option in authoritative restore also allows you to generate an LDIF file that you can use to restore links in other domains in which a restored object has backlinks.
New Active Directory features in Windows Server 2003
With the new Active Directory features available in Microsoft® Windows Server® 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, more efficient administration of Active Directory is available to you.
The following list summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003.
Multiple selection of user objects. Modify common attributes of multiple user objects at one time.
Drag-and-drop functionality. Move Active Directory objects from container to container by dragging one or more objects to a desired location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.
Efficient search capabilities. Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects. For more information, see Finding directory information.
Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers. For more information, see Using saved queries.
Active Directory command-line tools. Run new directory service commands for administration scenarios. For more information, see Managing Active Directory from the command line.
InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password. For more information, see User and computer accounts.
Application directory partitions. Configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication. For more information, see Application directory partitions.
Ability to add additional domain controllers using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using backup media. For more information, see Using the Active Directory Installation Wizard.
Universal group membership caching. Prevent the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller. For more information, see Global catalogs and sites.
Secure LDAP traffic. Active Directory administrative tools sign and encrypt all Lightweight Directory Access Protocol (LDAP) traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. For more information, see Connecting to domain controllers running Windows 2000.
Active Directory quotas. Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and Enterprise Administrators are exempt from quotas.
New domain- and forest-wide Active Directory features
New domain- or forest-wide Active Directory features can be enabled only when all domain controllers in a domain or forest are running Windows Server 2003 and the domain functionality or forest functionality has been set to Windows Server 2003. For more information about domain and forest functionality settings, see Domain and forest functionality.
The following list summarizes the domain- and forest-wide Active Directory features that can be enabled when either a domain or forest functional level has been raised to Windows Server 2003.
Domain controller rename tool. Rename domain controllers without first demoting them. For more information, see Renaming domain controllers.
Domain rename. Rename any Windows Server 2003 domain. You can change the NetBIOS name or DNS name of any child, parent, tree, or forest root domain. For more information, see Renaming domains.
Different location option for user and computer accounts. You can now redirect the default location for user accounts and computer accounts that are created by the following application programming interfaces (APIs): NetUserAdd, NetGroupAdd, and NetJoinDomain. You can redirect the location of the accounts from the Users and Computers containers to organizational units (OUs) where Group Policy settings can be applied. For more information, see Redirect the Users and Computers Containers.
Forest trusts. Create a forest trust to extend two-way transitivity beyond the scope of a single forest to a second forest. For more information, see Forest trusts.
Forest restructuring. Move existing domains to other locations in the domain hierarchy. For more information, see Renaming domains.
Defunct schema objects. Deactivate unnecessary classes or attributes from the schema. For more information, see Deactivating a class or attribute.
Dynamic auxiliary classes. Provides support for dynamically linking auxiliary classes to individual objects, and not just to entire classes of objects. In addition, auxiliary classes that have been attached to an object instance can subsequently be removed from the instance.
Global catalog replication improvements. Preserves the synchronization state of the global catalog when an administrative action results in an extension of the partial attribute set. This minimizes the replication traffic as a result of a partial attribute set extension by only transmitting attributes that were added. For more information, see Global catalog replication.
Replication enhancements. Linked-value replication allows individual group members to be replicated across the network instead of treating the entire group membership as a single unit of replication. For more information about linked-value replication, see How replication works. In addition, new spanning tree algorithms make replication more efficient, as well as more scalable across a larger number of domains and sites in both Windows 2000 and Windows Server 2003 forests. For more information, see Replication overview.
User access control to resources between domains or forests. Block users in a domain or forest from accessing resources in another domain or forest, and then allow selective access by setting the Allow to authenticate access control entry (ACE) on a local resource for the user or group object. For more information, see Accessing resources across domains or Accessing resources across forests.