Advanced Active Directory Features in Windows Server 2003
Windows Server 2003 enhanced the management of Active Directory (AD). Microsoft made AD much easier to deploy, and the migration tools were improved to allow seamless migrations. In this release we can rename domains, both the NetBIOS and the DNS name. It also supports forest-level trusts. By setting up trusts at the forest roots, we enable cross-forest authentication and authorization. Cross-forest authentication provides a single sign-on experience by allowing users in one forest to access machines in another forest via NTLM or Kerberos. Cross-forest authorization allows permissions on resources in one forest to be assigned to users in another forest; the permissions can be assigned to an individual user ID or through groups. With Server 2003 we can create a new DC and pull the AD information from our backup media. The newly created domain controller then only replicates the changes that have occurred since the backup was made, which results in far less traffic than replicating the entire database. The Active Directory Users and Computers (ADUC) tool includes a new query feature that lets us write filters for the types of objects we need; these queries can be saved and reused. ADUC also supports the following:
Renaming a Domain
The “Renaming a Domain” tool allows us to rename domains, provided that all DCs in the forest are running Server 2003. This allows us to create or restructure domains. However, it does not allow changing which domain is the forest root, and we cannot add or remove domains from the forest; we can only rename them, and the old names cannot be reused.
The tool (rendom.exe) is available on the server CD or can be downloaded from http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx
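The ADUC saved queries mentioned above are ordinary LDAP filters. The following is an added example, not part of the original article and not Microsoft's code: it builds a few audit-style filters of the kind an administrator would save in ADUC (enabled users whose password never expires, accounts flagged as not requiring a password), escapes literal values per RFC 4515 so a crafted name cannot alter the filter, and evaluates the filters offline against constructed sample entries. The userAccountControl bit values and the LDAP_MATCHING_RULE_BIT_AND OID are the documented Active Directory constants; the sample entries store objectCategory as the short name ADUC accepts rather than the full schema DN.

```python
"""Build LDAP filters of the kind ADUC saved queries run and evaluate them
offline against constructed sample objects.

Added example; not Microsoft's code or the ADUC tool itself. The sample
entries are constructed; the flag values and OID are documented AD constants.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Documented userAccountControl flag bits.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule supported by AD;
# it lets a filter test individual bits of an integer attribute.
BIT_AND = "1.2.840.113556.1.4.803"

Entry = Dict[str, Any]


def escape_value(value: str) -> str:
    """Escape a literal for use inside an LDAP filter (RFC 4515), so that a
    value such as 'a)(objectClass=*' cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _values(entry: Entry, attr: str) -> List[Any]:
    """Return an attribute's values as a list (AD attributes may be multi-valued)."""
    v = entry.get(attr, [])
    return v if isinstance(v, list) else [v]


@dataclass
class Filter:
    """An LDAP filter as both its wire text and a predicate over an entry."""
    text: str
    test: Callable[[Entry], bool]


def eq(attr: str, value: str) -> Filter:
    """(attr=value), compared case-insensitively as AD does for string syntaxes."""
    return Filter(f"({attr}={escape_value(value)})",
                  lambda e: any(str(x).lower() == value.lower() for x in _values(e, attr)))


def bit_and(attr: str, flag: int) -> Filter:
    """(attr:1.2.840.113556.1.4.803:=flag): true when every bit of flag is set."""
    return Filter(f"({attr}:{BIT_AND}:={flag})",
                  lambda e: any(int(x) & flag == flag for x in _values(e, attr)))


def AND(*fs: Filter) -> Filter:
    return Filter("(&" + "".join(f.text for f in fs) + ")", lambda e: all(f.test(e) for f in fs))


def OR(*fs: Filter) -> Filter:
    return Filter("(|" + "".join(f.text for f in fs) + ")", lambda e: any(f.test(e) for f in fs))


def NOT(f: Filter) -> Filter:
    return Filter(f"(!{f.text})", lambda e: not f.test(e))


def user_filter(*conditions: Filter) -> Filter:
    """Restrict a query to user objects; objectCategory=person is what keeps
    computer accounts (which also carry objectClass=user) out of the result."""
    return AND(eq("objectCategory", "person"), eq("objectClass", "user"), *conditions)


def enabled_users_password_never_expires() -> Filter:
    """Enabled accounts whose password never expires: a typical audit query."""
    return user_filter(bit_and("userAccountControl", UF_DONT_EXPIRE_PASSWD),
                       NOT(bit_and("userAccountControl", UF_ACCOUNTDISABLE)))


def users_with_password_not_required() -> Filter:
    return user_filter(bit_and("userAccountControl", UF_PASSWD_NOTREQD))


def run_query(f: Filter, entries: List[Entry]) -> List[str]:
    """Evaluate a filter offline and return the matching sAMAccountNames."""
    return [e["sAMAccountName"] for e in entries if f.test(e)]


def _user(name: str, uac: int) -> Entry:
    return {"sAMAccountName": name, "objectCategory": "person",
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "userAccountControl": uac}


# Constructed sample entries (not real accounts).
SAMPLE_ENTRIES: List[Entry] = [
    _user("alice", UF_NORMAL_ACCOUNT),
    _user("svc-backup", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    _user("old-temp", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD),
    _user("kiosk", UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
    {"sAMAccountName": "FILESRV01$", "objectCategory": "computer",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for q in (enabled_users_password_never_expires(), users_with_password_not_required()):
        print(q.text, "->", run_query(q, SAMPLE_ENTRIES))
```

The `.text` of each Filter is exactly what you would paste into the "Custom Search" tab of an ADUC saved query; the `.test` side exists only so the example can be checked offline.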
Group Policy (GP) management has also been enhanced in Windows Server 2003. The Microsoft Group Policy Management Console (GPMC) makes it easy to troubleshoot and manage GP. It supports drag-and-drop, backing up and restoring Group Policy objects (GPOs), and copying and importing GPOs. We can also determine what a user’s effective settings would be if he or she logged on to a certain machine; in Windows 2000 the only way to do this was to actually log the user on to the machine and run ‘gpresult’.
The schema now allows us to make corrections if we incorrectly enter something into it. The way objects are added and propagated around the directory has been improved. The Inter-Site Topology Generator (ISTG) has also been improved to support a larger number of sites. Only changed group members, rather than the entire membership list, are replicated to DCs and global catalog (GC) servers. Each DC caches credentials provided by GC servers so that users can continue to log on if the GC server goes down; a GC server is no longer a single point of failure. AD supports application partitions. We can add data to such a partition and choose which DCs will replicate it. This is useful if we have information we want to replicate to all DCs in a certain area but do not want to make available to all DCs in the domain.
Written by: Fahad Bin Ali KhilGi