Appendix A: Differences Between Microsoft Windows Server 2003 and Microsoft Windows 2000


Module 1: Introduction to Active Directory Infrastructure

The architecture of the Active Directory® directory service in Microsoft® Windows® Server 2003 is similar to Active Directory in Windows 2000, but there are some new features and enhancements. These include application directory partitions, deactivation of attributes and classes in the Schema, and the fact that a global catalog server is not required for logon.

In addition to the familiar administration tools, Active Directory in Windows Server 2003 includes some new command-line tools, which give administrators more granular control in managing Active Directory.

The Active Directory Architecture

Application Directory Partitions

Application directory partitions enable you to host dynamic data in Active Directory without significantly affecting network performance. By using application directory partitions, you can control the scope of replication and the placement of replicas.

You can create a new type of application partition (also called a non-domain naming context, or NDNC). It contains a hierarchy of any type of object except security principals, such as user, group, and computer accounts. You can configure the naming context to be replicated to any set of domain controllers in the forest, not necessarily to all domain controllers in the same domain.

Application directory partitions provide many uses, including:

! You can control the replication scope of Domain Name System (DNS) zone data that is stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

! Dynamic data from network services, such as the Routing and Remote Access service, Remote Authentication Dial-In User Service (RADIUS), Dynamic Host Configuration Protocol (DHCP), and Common Open Policy Service (COPS), can reside in a directory so that applications can access it uniformly by using one access method.

! You can use this feature to write application data to dedicated application directory partitions rather than to a domain partition.

Deactivation of Attributes and Classes

In Windows 2000, any addition to the Active Directory Schema was irreversible, which caused two problems for customers. First, after you added an attribute or class to the Active Directory Schema, you could not remove the attribute or class, or replace its definition while keeping its identity intact, if an error was made when you set an immutable property of the schema object (for example, the syntax of an attribute or the RDN attribute for a class). Second, after a schema object was added, it could not be deleted even if it was no longer used, which resulted in bloating the Schema over time.


In Windows Server 2003, you can deactivate attributes and class definitions in the Active Directory Schema, which means that you can redefine attributes and classes if an error was made when they were created.

You can also supersede the definition of an attribute or class after you add it to the Schema. Superseding a definition may be necessary, for example, if an error was made when you set an immutable property. Because deactivation is a reversible operation, you can also undo an accidental deactivation.

When you deactivate attributes and classes, consider the following things:

! If you add a new schema attribute or class to an object incorrectly, you can use this feature to deactivate the attribute or class for that object, and then re-enter the correct definition for the attribute or class.

! You can deactivate schema objects to overcome Active Directory schema conflicts during an upgrade from Windows 2000 to Windows Server 2003. You would move the conflicting schema object to a new location so that the system upgrade can proceed.

! You can change the definition of an attribute while preserving the identity of the attribute.

! You can include attributes and classes as Active Directory Schema extensions during the development of a new application.

! When you plan to upgrade an internally developed business application that uses attributes from Active Directory schema extensions, and the upgrade requires changes to the existing attributes, you can make the necessary changes easily by deactivating attributes and classes.

! You can deactivate the unused schema objects of applications that you replace, so that the unused schema objects do not conflict with any new extensions that may be installed.

! You can deactivate attributes and classes that are added to the base schema without raising the forest functional level.

Some limitations include:

! You can redefine attributes and classes only in forests in which the functional level is set to Windows Server 2003.

! You cannot deactivate default schema attributes or classes in the base schema. You can deactivate only attributes or classes that you add as extensions to the base schema.


! Deactivate a class or attribute

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Schema Console.

2. Perform one of the following tasks:

• To deactivate a class, in the console tree, click Classes, and then in the details pane, right-click the class that you want to deactivate, and then click Properties.

• To deactivate an attribute, in the console tree, click Attributes, and then in the details pane, right-click the attribute that you want to deactivate, and then click Properties.

3. On the General tab, clear either the Class is active or Attribute is active check box, as appropriate.

The status of an attribute or class appears in the Status column in the details pane. After you deactivate a class or attribute, it is considered defunct, or obsolete. You can view defunct classes or attributes in the Active Directory Schema MMC snap-in by clicking Classes or Attributes in the console tree, and then on the View menu, clicking Defunct Objects.

Active Directory Administrative Tools

Enabling single sign-on in Windows Server 2003 is very similar to the process in Windows 2000. However, one key difference is that in Windows Server 2003, you can configure domain controllers in sites that do not contain a global catalog server to cache universal group membership lists when they process user logons.

Universal group membership caching enables a domain controller to process logons without contacting a global catalog server and to process logon attempts when a global catalog server is unavailable. When users log on, the domain controller that has the universal group membership caching feature enabled caches the group memberships. The replication schedule determines the frequency at which the cache is refreshed.

Because Windows 2000 did not contain the universal group membership caching feature, many organizations deployed global catalog servers at remote locations to avoid logon attempt failures if the network link that connected the remote site to the rest of the organization was disconnected.

New Command-Line Tools to Manage Active Directory

Windows Server 2003 provides additional command-line tools for administering Active Directory.

! Dsadd. Creates an object instance of a specified type in Active Directory.

! Dsmod. Modifies selected attributes of an existing object in Active Directory.

! Dsmove. Moves an object from its current location to a new parent location within the same naming context, or renames an object in Active Directory.

! Dsquery. Finds objects in Active Directory that match the specified search criteria.

! Dsrm. Removes an object or the complete subtree under an object in Active Directory.

! Dsget. Obtains or views selected properties of an existing object in Active Directory when the location of the object is known.

For a complete listing of syntax of these commands, at a command prompt, type command /? (where command is the name of a command from the preceding list). For example, type dsadd /?


Module 2: Implementing an Active Directory Forest and Domain Structure

Windows Server 2003 provides extra functionality and features to Active Directory, including:

! Application partitions

! Installing replica domain controllers from media

! Renaming domain controllers

! Forest and domain functional levels

! Forest trusts

Creating a Forest and Domain Structure

The Active Directory Installation Process

The tasks that you perform when you install Active Directory in Windows Server 2003 are similar to those that you perform in Windows 2000, with the addition of a few things.

Active Directory creates:

! Forest and domain DNS zone application partitions on the first domain controller in the forest.

! The domain DNS zone application partition on the first domain controller in each domain.

! The DNS zone (_msdcs.ForestName), which is located in the forestDNSzones partition.

Creating a Forest DNS Zone

This feature enables automatic creation of the DNS zone (the _msdcs.ForestName zone) and configuration of DNS servers running Windows Server 2003 throughout the enterprise to host this zone. Automatic creation of this zone reduces the time it would take to manually configure every DNS server in the satellite sites to host this zone. This feature creates the forestDNSzones partition when you install Active Directory on the first domain controller in a forest.

Creating a Forest and Domain Structure

In Windows Server 2003, you create domain controllers by using dcpromo, just like you do in Windows 2000. However, Windows Server 2003 implements a higher level of security than does Windows 2000. This security difference can create compatibility issues between Windows Server 2003 and earlier versions of Windows operating systems. However, you can install the Active Directory client on earlier versions of Windows so that Active Directory can authenticate them.


Adding a Replica Domain Controller

Windows Server 2003 includes the Active Directory Installation Wizard, which you can use to create a domain controller or a replica domain controller. The wizard provides faster creation of replica domain controllers for an existing domain.

Instead of replicating a complete copy of the Active Directory database over the network, you can use a backup of an existing domain controller or global catalog server to provide the initial content for the database. As a result, the domain controller replicates only the changes that occurred since the backup. You can use media such as a compact disc or DVD to transport the backup files to the candidate domain controller, or you can copy the files over the network.

When installing a replica domain controller from media, consider the following:

! You may want to place a replica domain controller in a remote site that has low bandwidth. This feature enables you to use a tape backup, which you then transport to the remote site to create the replica domain controller.

! You can use this feature to minimize the time it normally takes to replicate a very large Active Directory database.

! Install a replica domain controller from media

1. Run dcpromo with the /adv option.

2. On the Domain Controller Type page, select Additional domain controller for an existing domain, and then click Next.

3. On the Copying Domain Information page, choose Over the network from a domain controller or From these restored backup files, and then specify the location of the restored backup files.

4. Complete the wizard as you normally would to install the domain controller.

Renaming a Domain Controller

In Windows 2000, it was necessary to demote the domain controller to a member server in a workgroup before you renamed the computer. However, in Windows Server 2003 you can rename a domain controller without first demoting it.

You must set the domain functional level to Windows Server 2003 to rename a domain controller.

! Rename a domain controller

1. In Control Panel, run System.

2. In the System Properties dialog box, on the Computer Name tab, click Change.

3. In the Computer Name Changes dialog box, under Computer name, type the name of the computer, and then click OK twice.

4. In the System Properties dialog box, click OK.

5. When prompted to restart your computer, click Yes.

Renaming a domain controller may cause it to become temporarily unavailable to users and computers. Also, certain services, such as the certification authority (CA), rely on a fixed computer name. Verify that no services of this type are running on the domain controller before you rename it.

Removing a Domain Controller from Active Directory

Removing a domain controller from a Windows Server 2003 domain is the same as in Windows 2000. However, Windows Server 2003 provides a new dcpromo switch called /forceremoval to forcefully remove a domain controller when errors occur.

You can use the /forceremoval switch to forcefully demote a domain controller when a replication error occurs that would prohibit you from demoting it otherwise. All applications and data are unaffected. This action will not update forest metadata that would otherwise be updated during a normal demotion of a domain controller.

To perform a forced removal of a domain controller, run dcpromo.exe /forceremoval.

Examining and Configuring Active Directory Integrated DNS

Active Directory Integrated DNS Zones

Windows Server 2003 provides a substantial enhancement to Active Directory-integrated zones: the storage of Active Directory-integrated DNS zones in application partitions.

Application partitions that store DNS data reduce the number of objects that are stored in the global catalog. When DNS zone data is stored in an application partition, the data is replicated to only the subset of domain controllers that have been designated as DNS servers for a particular zone. Active Directory can then replicate the DNS zone data to domain controllers that have been configured as DNS servers.

To store zone data or to create a new zone in an application partition, use the Microsoft Management Console (MMC) DNS snap-in, the command-line tool Dnscmd, or Windows Management Instrumentation (WMI).

SRV Resource Records

The format of service (SRV) resource records and their fields are the same in Windows Server 2003 as in Windows 2000. For example, the Net Logon service registers SRV resource records the same way, by using dynamic updates. However, Windows Server 2003 registers additional SRV resource records in the DomainDNSZones and ForestDNSZones application partitions.


Raising Domain and Forest Functional Levels

Domain and forest functionality in Windows 2000 and Windows Server 2003 is similar, but there are some important differences. The following section compares domain and forest functionality in Windows Server 2003 and Windows 2000.

Domain Functionality

In Windows Server 2003, after you raise the domain functional level, you cannot introduce domain controllers running earlier operating systems in the domain. For example, if you raise the domain functional level on a domain to Windows Server 2003, you cannot add domain controllers running Windows 2000 Server to that domain.

The following table lists the domain functional levels and the corresponding domain controllers that they support.

Domain functional level         Domain controllers supported
Windows 2000 mixed (default)    Windows NT® 4.0, Windows 2000, Windows Server 2003 family
Windows 2000 native             Windows 2000, Windows Server 2003 family
Windows Server 2003 interim     Windows NT 4.0, Windows Server 2003 family
Windows Server 2003             Windows Server 2003 family

Forest Functionality

After you raise the forest functional level, you cannot introduce domain controllers that run earlier operating systems in the forest. For example, if you raise the forest functional level to Windows Server 2003, you cannot add domain controllers running Windows 2000 Server to the forest.

The following table lists the forest functional levels and the corresponding domain controllers that they support.

Forest functional level         Domain controllers supported
Windows 2000 (default)          Windows NT 4.0, Windows 2000, Windows Server 2003 family
Windows Server 2003 interim     Windows NT 4.0, Windows Server 2003 family
Windows Server 2003             Windows Server 2003 family


The following table compares the forest-wide features that are enabled for the Windows 2000 and Windows Server 2003 forest functional levels.

Forest feature                                    Windows 2000                                                                               Windows Server 2003
Global catalog replication improvements           Enabled if both replication partners are running Windows Server 2003; otherwise disabled   Enabled
Defunct schema objects                            Disabled                                                                                   Enabled
Forest trusts                                     Disabled                                                                                   Enabled
Linked value replication                          Disabled                                                                                   Enabled
Domain rename                                     Disabled                                                                                   Enabled
Improved Active Directory replication algorithms  Disabled                                                                                   Enabled
Dynamic auxiliary classes                         Disabled                                                                                   Enabled
InetOrgPerson objectClass change                  Disabled                                                                                   Enabled

Creating Trust Relationships

Types of Trusts

In addition to supporting the same types of trusts as Windows 2000, Windows Server 2003 introduces a new type of trust, called a forest trust, to manage the security relationship between two forests. A forest trust enables all domains in one forest to transitively trust all domains in another forest, through a single trust link between the two forest root domains. Forest trusts can be one-way or two-way.

A forest trust vastly simplifies cross-forest security administration, and enables the trusting forest to enforce constraints on what security principal names it trusts other forests to authenticate.

A forest trust is not transitive at the forest level across three or more forests. If forest A trusts forest B, and forest B trusts forest C, this does not create any trust relationship between forest A and forest C.


Module 3: Implementing an Organizational Unit Structure

Implementing an organizational unit structure in Windows Server 2003 is almost identical to how you do it in Windows 2000. Windows Server 2003 provides the same tools for managing organizational units as does Windows 2000, but it offers several additional command-line tools.

Using Directory Service Command-line Tools

You can use the suite of command-line tools in Windows Server 2003 (described previously) to manage the various objects in Active Directory and to run queries against the directory database.

Target Object Types

! All of the command-line tools can operate on a variety of object types in the directory. Each command that accepts object-specific arguments allows you to enter a target object type as an argument, along with the identity of the target object upon which the command will operate. The target object type is specified as a string literal representing the object class, from a predefined set of string literals. For example, in the command dsmod computer, computer is the string literal specifying the object type.

! The identity of the target object is specified following the object type, in the format of a distinguished name (the value of an object's distinguished name attribute). For example, the distinguished name of a user object may be CN=Jeff Smith,OU=Sales,DC=microsoft,DC=com.

In the following command, computer specifies the object type being modified and CN=Jeff Smith,OU=Sales,DC=microsoft,DC=com identifies the target object to be modified:

dsmod computer CN=Jeff Smith,OU=Sales,DC=microsoft,DC=com -disabled yes

Running Commands on the Network

Each command has parameters that you use to specify the server, domain, user name, and password to use when running the command. For example, here is the syntax for the command dsadd computer:

dsadd computer ObjectDN
    [-samid SAMName]
    [-desc Description]
    [-loc Location]
    [-memberof Group ...]
    [(-s Server | -d Domain)]
    [-u UserName]
    [-p (Password | *)]
    [-q]


If these parameters are not entered, the command uses the local server, domain, user name, and password.

Command Syntax

Active Directory uses the following conventions to document the syntax of the directory service command-line tools:

! The option for a target object's distinguished name attribute appears as ObjectDN, or as ObjectDN ... when you specify multiple objects.

! A command does not perform any operation without an object type, such as computer, or without any of the object type's required parameters, such as a target object's distinguished name, ObjectDN.

! For certain commands, if the user does not specify a target object at the command prompt, Active Directory obtains the target object from standard input, which enables you to pipe output from one command and into another.

! Target object syntaxes that use the ellipsis character (...) indicate that you can specify a list of distinguished names. For example, the following parameter accepts multiple distinguished names: -memberof Group ...

! If the distinguished names contain spaces, enclose them in quotation marks (" ").

! Commas that are not used as separators in distinguished names must be escaped with the backslash character (\), for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com". Backslashes used in distinguished names must be escaped with a backslash, for example, "CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com".
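The escaping and quoting rules above are easy to get wrong when a script builds a distinguished name from names it did not choose, such as "Company, Inc." or a department containing a backslash; an unescaped comma silently changes which object a ds* command acts on. As an added example that is not part of the original appendix, the Python below applies exactly those rules to build and split distinguished names and to assemble a ds* command line; the function names are my own, and the sample names are constructed.

```python
r"""Build Windows Server 2003 ds* command lines that respect DN escaping.

Added example, not from the original appendix. Rules applied, as the text
states them: a comma inside a value becomes "\,", a backslash becomes "\\",
and a DN containing spaces is wrapped in quotation marks on the command line.
"""
from typing import Iterable, List, Sequence, Tuple


def escape_dn_value(value: str) -> str:
    """Escape one RDN value. Backslashes go first so they are not doubled twice."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def build_dn(rdns: Sequence[Tuple[str, str]]) -> str:
    """Join (attribute, value) pairs into a DN, escaping every value."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    r"""Split a DN into (attribute, value) pairs, honouring the escapes.

    A naive dn.split(",") would cut "CN=Company\, Inc.,CN=Users,..." at the
    escaped comma and yield one RDN too many; this walks the string instead.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":  # an unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns: List[Tuple[str, str]] = []
    for part in parts:
        attr, _, val = part.partition("=")
        rdns.append((attr, val))
    return rdns


def quote_arg(arg: str) -> str:
    """Wrap an argument in quotation marks if it contains a space, per the text."""
    return f'"{arg}"' if " " in arg else arg


def build_ds_command(tool: str, object_type: str, dn: str,
                     options: Sequence[Tuple[str, str]] = (),
                     server: str = "", user: str = "") -> List[str]:
    """Assemble argv for a command such as: dsmod computer <DN> -disabled yes.

    When credentials are needed, -p * is used so the tool prompts for the
    password rather than taking it from the command line, where it would be
    visible to other users in process listings and command history.
    """
    argv = [tool, object_type, dn]
    for name, value in options:
        argv += [f"-{name}", value]
    if server:
        argv += ["-s", server]
    if user:
        argv += ["-u", user, "-p", "*"]
    return argv


def render(argv: Iterable[str]) -> str:
    """Render argv as the single line you would type at a command prompt."""
    return " ".join(quote_arg(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample names; the DN shapes match the appendix's examples.
    dn = build_dn([("CN", "Company, Inc."), ("CN", "Users"),
                   ("DC", "microsoft"), ("DC", "com")])
    print(render(build_ds_command("dsmod", "group", dn, [("desc", "Vendor")])))
    print(split_dn(dn))
```

The same split_dn function can be used to check a DN read from a file or from standard input before piping it into dsmod or dsrm, since an unexpected RDN count is a cheap sign of a malformed or tampered name.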

Command Input

! All parameters are case-insensitive.

! You can specify command-line parameters by using either a hyphen (-) or a forward slash (/) character.

! Separate a command-line parameter and any corresponding values for the parameter by at least one space.

! When reading from standard input, Active Directory treats space and new line characters as argument separators.

! You can specify an empty string or null string value by using quotation marks with no characters enclosed between the quotes. An empty string value is not the same as a missing value. A parameter value of "" (NULL string) will be treated as a request to delete the attribute values from the target object.

! You can request help on any command by using /? (for example, dsadd computer /?).


Command Output

Active Directory displays data, status messages, error messages, and warnings that result from running commands by using the following conventions:

! It writes successful command completion status messages to standard output.

! It writes any data that a command displays to standard output.

! It writes any warning or error message to standard error.

! Exit codes (error levels) use 0 to indicate success. If an operation is not successful, the exit code will be a value in HRESULT format. For example, the value for the HRESULT E_FAIL is 0x80004005.

! If quiet mode is specified for a command (by using the -q parameter), Active Directory suppresses all data to standard output. However, messages to standard error are not suppressed by quiet mode.
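When the ds* tools run from a script with -q, the exit code is the only success signal left, and a shell or subprocess library may present the 32-bit HRESULT as a negative signed integer. As an added example that is not from the original appendix, the Python below decodes such an exit code into the standard Windows HRESULT fields (bit 31 severity, bits 16 to 26 facility, low 16 bits code); the function names and sample codes are my own.

```python
"""Interpret exit codes from the Windows Server 2003 ds* tools.

Added example, not from the original appendix. The text states that the
tools exit with 0 on success and otherwise with a value in HRESULT format,
giving E_FAIL = 0x80004005 as an example. The bit layout used here is the
standard Windows HRESULT layout; the helper names are my own.
"""
import subprocess
from typing import Dict, List, Union

# Facility values that matter most when scripting the ds* tools:
# FACILITY_NULL carries the generic E_* codes such as E_FAIL, and
# FACILITY_WIN32 wraps a Win32 error number in the low 16 bits.
FACILITY_NAMES: Dict[int, str] = {0: "FACILITY_NULL", 7: "FACILITY_WIN32"}


def decode_hresult(code: int) -> Dict[str, Union[bool, int, str]]:
    """Split an exit code into its HRESULT fields.

    cmd's %ERRORLEVEL% and Python's subprocess may hand back 0x80004005 as
    the signed value -2147467259, so the value is masked to 32 bits first.
    """
    hr = code & 0xFFFFFFFF
    facility = (hr >> 16) & 0x7FF
    return {
        "hresult": f"0x{hr:08X}",
        "failed": bool(hr >> 31),          # severity bit set means failure
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, "unknown"),
        "code": hr & 0xFFFF,               # Win32 error number for facility 7
    }


def summarize_exit(returncode: int) -> str:
    """One-line verdict for a ds* exit code, following the rule in the text."""
    if returncode == 0:
        return "success"
    fields = decode_hresult(returncode)
    return (f"failed: {fields['hresult']} "
            f"({fields['facility_name']}, code 0x{fields['code']:04X})")


def run_ds(argv: List[str]) -> Dict[str, Union[bool, int, str]]:
    """Run a ds* tool (Windows only) and return its decoded exit status.

    Standard error is captured as well, because quiet mode does not
    suppress it and it usually names the object or parameter at fault.
    """
    proc = subprocess.run(argv, capture_output=True, text=True)
    result = decode_hresult(proc.returncode)
    result["stderr"] = proc.stderr.strip()
    return result


if __name__ == "__main__":
    # Constructed sample codes: success, E_FAIL, E_FAIL as seen signed,
    # and a FACILITY_WIN32 wrapping of Win32 error 5 (access denied).
    for sample in (0, 0x80004005, -2147467259, 0x80070005):
        print(sample, summarize_exit(sample))
```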

Managing Organizational Units by Using the LDIFDE Utility

The following extra parameters have been added to the LDIFDE utility in Windows Server 2003:

! General parameters:

    -w timeout    Terminate execution if the server takes longer than the specified number of seconds to respond to an operation (default = no timeout specified)

    -h            Enable SASL layer encryption

! Import parameters:

    -e            The import does not use lazy commit

    -q threads    The import uses the specified number of threads (default is 1)

Delegating Administrative Control for Organizational Units

The Delegation of Control Wizard is the same as in Windows 2000, with the exception that you can now select users and groups by using the object picker. You can also choose from the following new common delegated tasks:

! Generate Resultant Set of Policy (Logging)

! Generate Resultant Set of Policy (Planning)

! Create, delete, and manage inetOrgPerson accounts

! Reset inetOrgPerson passwords and force password change at next logon

! Read all inetOrgPerson information


Module 4: Implementing User, Group, and Computer Accounts

Windows Server 2003 provides the same types of accounts as Windows 2000, with the addition of the InetOrgPerson object. Groups perform the same in Windows Server 2003 interim domains as they do in Windows 2000 mixed-mode domains, and the same in Windows Server 2003 functional domains as in Windows 2000 native domains.

Windows Server 2003 provides a new feature for routing name suffixes called UPN suffix routing across forest trusts.

A new version of the Active Directory Migration Tool is included in Windows Server 2003. This tool has many benefits. For example, you can migrate passwords with inter-forest user migrations.

Security auditing is turned on in Active Directory by default.

Implementing Accounts and Groups

In addition to providing the same types of accounts as Windows 2000, Windows Server 2003 also provides support for the InetOrgPerson object class and its associated attributes, which are defined in RFC 2798. This object class is used in several non-Microsoft Lightweight Directory Access Protocol (LDAP) and X.500 directory services to represent users within an organization.

Support for InetOrgPerson makes migrations from other LDAP directories to Active Directory more efficient. The InetOrgPerson object is derived from the user class and, like the user class, you can use it as a security principal.

When the domain functional level has been set to Windows Server 2003, you can set the userPassword attribute on InetOrgPerson and user objects as the password, similar to what you can do with the unicodePwd attribute.

Types of Groups

Windows Server 2003 supports the same types of groups as does Windows 2000. The domain functional level determines the types of groups that you can create.

The following table lists the four possible domain functional levels and the security group scopes that they support.

Domain functional level         Domain controllers supported                               Security group scopes supported
Windows 2000 mixed (default)    Windows NT Server 4.0, Windows 2000, Windows Server 2003   Global, domain local
Windows 2000 native             Windows 2000, Windows Server 2003                          Global, universal, domain local
Windows Server 2003 interim     Windows NT Server 4.0, Windows Server 2003                 Global, domain local
Windows Server 2003             Windows Server 2003                                        Global, universal, domain local


Global Groups

In a Windows Server 2003 functional domain, global groups have the same membership rules as in a Windows 2000 native mode domain. However, in a Windows Server 2003 interim domain, global groups have the same membership rules as in a Windows 2000 mixed-mode domain.

Universal Groups

In a Windows Server 2003 functional domain, the same membership rules apply to universal groups as in a Windows 2000 native-mode domain. In a Windows Server 2003 interim domain, however, you cannot create universal groups.

Moving Objects in Active Directory

The process of moving objects is the same as in Windows 2000; however, Windows Server 2003 provides some new features and enhancements to the Active Directory Migration Tool that assist in moving objects.

Planning an Active Directory Audit Strategy

Default Audit and System Access Control List (SACL) Policy

In Windows Server 2003, when a new domain is installed, security auditing is turned on by default if the domain has suitable audit policy settings. Suitable audit policy settings are configured to provide nonrepudiation and accountability for sensitive directory operations without filling the security audit log with an overload of events. Therefore, it is not necessary to configure security auditing explicitly after a domain is installed.


Module 5: Implementing Group Policy

Windows Server 2003 includes the Active Directory Users and Computers snap-in for implementing Group Policy. The Active Directory Users and Computers snap-in includes the Resultant Set of Policy Wizard.

Windows Server 2003 includes the ability to filter the effect of Group Policy objects (GPOs) by using WMI filters.

You can also implement Group Policy by using the Group Policy Management Console (GPMC) snap-in. Group Policy Management provides additional management features that help you determine which policies are applied, including:

! Group Policy copying, backup, restore, and importing

! Group Policy Reporting

! Group Policy Modeling

! Group Policy Results

Creating and Configuring GPOs

Administrative Templates Web View

You can create GPOs in Windows Server 2003 by using Active Directory Users and Computers or the Group Policy Object Editor snap-in. This snap-in is almost identical to the Windows 2000 Group Policy snap-in, with a few differences, such as the Administrative Templates Web view.

The Administrative Templates Web view in Group Policy Object Editor enhances the Administrative Templates (.adm files) so that you can view detailed information about the available policy settings. When a policy setting is selected, information about the setting's behavior and where the setting may be used appears in a Web view in Administrative Templates. This information is also available on the Explain tab of the Property page of each setting.

! Use the Web view in Administrative Templates

1. Open Group Policy Object Editor by using Active Directory Users and Computers or the Group Policy Object Editor snap-in.

2. In the console tree, under Administrative Templates, click the folder that contains the policy settings that you want to set.

3. At the bottom of the details pane, on the Extended tab, in the Setting column, click the name or icon for a setting and read the description. The Extended tab displays the text that explains the policy setting and also indicates which versions of Windows are supported as clients for the setting. If you prefer to view the policy setting without the explanatory text, use the Standard tab.


WMI Filters

You use WMI filters to specify a WMI-based query to filter the effect of a Group Policy object. WMI filters are written in WMI Query Language (WQL). You use the WMI Filter tab on the Properties page of a GPO to specify a WMI filter for a given object.

CIM Studio, part of the WMI Software Development Kit, includes numerous classes that are organized by properties such as name, description, and property name. CIM 2.0 has 600 classes. You can use CIM Studio to find a suitable class and to experiment with queries before you create a new filter.

For more information about developing WMI Filters, see the Windows Management Instrumentation SDK.
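The appendix recommends experimenting with a query before creating the filter. The following PowerShell script is an added example, not part of the course material, that evaluates a set of constructed candidate WQL filter queries on the local computer and reports whether a GPO carrying each filter would apply there. It assumes the account running it can read the root\cimv2 namespace.

```powershell
# Added example (not from the course appendix): evaluate candidate WMI filter
# queries on the local computer before attaching them to a GPO.
# A GPO with a WMI filter applies only when the query returns at least one
# object; an empty result means the GPO is skipped on that computer.
# Caveat: Windows 2000 clients ignore WMI filters, so the GPO applies there regardless.
# Assumption: the account running this can read the root\cimv2 namespace.

# Constructed candidate filters, keyed by a descriptive name.
$candidateFilters = @{
    # Workstations only (Win32_OperatingSystem.ProductType: 1 = workstation,
    # 2 = domain controller, 3 = server)
    'WorkstationsOnly'      = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'
    'DomainControllersOnly' = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2"'
    # System drive has more than 1 GB free (FreeSpace is in bytes)
    'SystemDriveHasSpace'   = 'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 1073741824'
    # Deliberately malformed query (nonexistent class), to show that a broken
    # filter is reported as a failure rather than silently treated as "applies"
    'BrokenFilter'          = 'SELECT * FROM Win32_NoSuchClass WHERE X = 1'
}

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string] $Query,
        [string] $Namespace = 'root\cimv2'
    )
    # Returns $true when the GPO would apply (non-empty result set), $false otherwise.
    try {
        $results = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($results.Count -gt 0)
    } catch {
        Write-Warning ("Filter query failed: {0}" -f $_.Exception.Message)
        return $false
    }
}

foreach ($name in ($candidateFilters.Keys | Sort-Object)) {
    $applies = Test-WmiFilterQuery -Query $candidateFilters[$name]
    '{0,-24} would apply on this computer: {1}' -f $name, $applies
}
```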

Group Policy Management Console

Group Policy Management Console provides unified management of Group Policy for the enterprise. It consists of a set of scriptable objects that you use to manage Group Policy, as well as an MMC snap-in that enables you to manage Group Policy across an enterprise by using a single UI. Group Policy Management supports both Windows Server 2003 and Windows 2000 Active Directory-based domains. Group Policy Management runs on 32-bit computers running the Windows Server 2003 family or Windows XP Professional with Service Pack 1.

Group Policy Management Console combines the functionality of multiple components in a single UI. The UI is structured to match the way that you use and manage Group Policy. It incorporates Group Policy functionality from:

! Active Directory Users and Computers.

! Active Directory Sites and Services.

! Resultant Set of Policy (RSoP).

Because of this consolidated management, Group Policy functionality is no longer required in these other components.

Group Policy Management also provides the following extended capabilities, which were previously unavailable:

! Backup and restore of GPOs.

! Copy and import of GPOs and WMI filters.

! Reporting GPO and RSoP data.

! Search for GPOs.

! Scripting support for Group Policy operations.

After you install Group Policy Management, you still use each of the Active Directory snap-ins for their intended directory management purposes, such as creating user, computer, and group objects, but all of the Group Policy-related tasks are now performed by using Group Policy Management Console. When Group Policy Management Console is installed, Group Policy functionality is no longer available through the Active Directory snap-ins.

Note


Group Policy Management does not replace Group Policy Object Editor. You still edit GPOs by using Group Policy Object Editor. Group Policy Management Console integrates editing functionality by providing direct access to Group Policy Object Editor.

Loopback Processing Mode

Loopback processing operates in the same way as in Windows 2000, but it occurs in additional circumstances in Windows Server 2003.

By default, user-based Group Policy and roaming user profiles are no longer processed when a user is in a different Active Directory forest than the computer that is being used to log on to the network. This solution has the effect of enforcing the following:

! User-based Group Policy cannot cross a forest boundary; roaming user profiles are disabled in a cross-forest scenario.

! Upon logon, Group Policy processing operates in "loopback" mode, so the administrator in the local forest can manage the foreign user's Group Policy settings by using the GPOs that are already applied to the computer.

Windows Server 2003 also added:

! A new Group Policy setting that allows Group Policy and roaming user profiles to be applied during loopback processing mode.

! A new Event Log message to inform the administrator that loopback processing occurred in Group Policy.

Configuring Group Policy Refresh Rates and Group Policy Settings

Windows Server 2003 provides a new location for script settings in GPOs. They are now configured in:

Computer Configuration\Administrative Templates\System\Logon.

Configuring Refresh Rates

Configuring refresh rates for Group Policy components is the same as in Windows 2000. However, Windows Server 2003 provides more client-side extensions that you can configure for slow link detection, such as disk quota policy processing.

Refreshing Group Policy Settings Using gpupdate

The new gpupdate command replaces the now obsolete secedit /refreshpolicy command. It refreshes local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings.


Module 6: Deploying and Managing Software by Using Group Policy

Deploying and Managing Software by Using Group Policy is the same as in Windows 2000. Windows Server 2003 provides some additional functionality for 64-bit compatibility and also some additional tools for troubleshooting software deployments.

! Use the Resultant Set of Policy Wizard to troubleshoot software deployment.

! Use the Group Policy Reporting, Group Policy Modeling, and Group Policy Results features of Group Policy Management Console to troubleshoot software deployment.

Managing Software Deployment

Changing the Options for Software Installation

Changing the options for software installation is the same as in Windows 2000. Windows Server 2003 provides an additional option for 32-bit and 64-bit application compatibility. It provides support for 64-bit software deployment with Group Policy. New options in the Application Deployment Editor (ADE) help determine whether 32-bit applications should be deployed to 64-bit clients. The ADE also allows you to manage existing Windows 2000 deployments with the same level of functionality that Windows XP and Windows Server 2003 have.

You configure this setting in Group Policy Editor, User or Computer Configuration, Software Setting, New Package, Deployment, Advanced.

Troubleshooting Software Deployment

Resolving Group Policy Software Installation Problems

Windows 2000 and Windows Server 2003 both use msizap.exe to resolve installation problems. Windows Server 2003 adds another parameter to msizap, W, which extends the command to all user profiles. By default, msizap deletes and changes user-specific data only for the current user.


Module 7: Implementing Sites to Manage Active Directory Replication

Windows Server 2003 provides a number of new features that improve the performance and versatility of Active Directory. Although many of these features require that the forest functional level be Windows Server 2003, some of them, such as application directory partitions, only require that there is one domain controller running Windows Server 2003.

Active Directory replication has been considerably improved for large forests and branch office environments where there are a large number of sites.

Active Directory Replication

Replication of Linked Multivalued Attributes

In Windows 2000, the membership of a group is stored and replicated as a single unit. As a result, a change to a group with a large membership caused the entire membership to be replicated, consuming more network bandwidth and processor time than necessary. In addition, if the membership of a group was updated simultaneously on two or more domain controllers, some of the membership updates could potentially be lost during replication conflict resolution.

Group Membership Replication Improvements

When a forest has advanced to the Active Directory forest functional level of Windows Server 2003 or Windows Server 2003 interim, group membership is changed to store and replicate values for individual members instead of treating the entire membership as a single unit. This results in lower network bandwidth and processor use during replication and virtually eliminates the possibility of lost updates during simultaneous updates.
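To make the difference concrete, the following PowerShell script is an added example, not part of the course material, that simulates the two models: whole-attribute replication of a group's membership (Windows 2000) versus per-value replication of each member link (Windows Server 2003 forest functional level). It assumes a simplified conflict rule in which two simultaneous writes to the same attribute are resolved by timestamp, with the later write winning outright.

```powershell
# Added example (not from the course appendix): a simulation of the two
# group-membership replication models described above. Assumed model: each DC
# applies its local change, then the changes replicate; when both DCs changed
# the same attribute from the same version, the Windows 2000 conflict rule keeps
# the write with the later timestamp and discards the other (last writer wins).

function Invoke-WholeAttributeReplication {
    param([string[]] $Initial, [string[]] $AddedOnDc1, [string[]] $AddedOnDc2)
    # Windows 2000 behaviour: the entire 'member' attribute is one replicated unit.
    $dc1Members = @($Initial + $AddedOnDc1)   # DC1's complete membership after its change
    $dc2Members = @($Initial + $AddedOnDc2)   # DC2's complete membership after its change
    # Both DCs raised the attribute version from the same base, so the conflict is
    # broken on timestamp; DC2's write is assumed to be later and wins outright,
    # which silently discards the member that was added on DC1.
    return @{
        Members       = @($dc2Members | Sort-Object)
        ValuesShipped = $dc1Members.Count + $dc2Members.Count  # every member is re-sent by each DC
    }
}

function Invoke-LinkedValueReplication {
    param([string[]] $Initial, [string[]] $AddedOnDc1, [string[]] $AddedOnDc2)
    # Windows Server 2003 forest functional level: each member link carries its own
    # replication metadata, so only changed links replicate and they merge per value.
    $merged = @($Initial + $AddedOnDc1 + $AddedOnDc2 | Select-Object -Unique)
    return @{
        Members       = @($merged | Sort-Object)
        ValuesShipped = $AddedOnDc1.Count + $AddedOnDc2.Count  # only the added links
    }
}

# Constructed sample: a five-member group; two administrators, on different DCs,
# each add one member at the same moment.
$initial = 'alice', 'bob', 'carol', 'dave', 'erin'
$whole  = Invoke-WholeAttributeReplication -Initial $initial -AddedOnDc1 'frank' -AddedOnDc2 'grace'
$linked = Invoke-LinkedValueReplication   -Initial $initial -AddedOnDc1 'frank' -AddedOnDc2 'grace'

# Expected: whole-attribute ships 12 values and loses 'frank' (6 members);
# linked-value ships 2 values and keeps both additions (7 members).
'Whole-attribute: {0} members, {1} values shipped, frank survived: {2}' -f `
    $whole.Members.Count, $whole.ValuesShipped, ($whole.Members -contains 'frank')
'Linked-value:    {0} members, {1} values shipped, frank survived: {2}' -f `
    $linked.Members.Count, $linked.ValuesShipped, ($linked.Members -contains 'frank')
```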

If all of the domain controllers in your environment are running Windows NT 4.0, and you plan to upgrade them to Windows Server 2003 without upgrading to or installing a new Windows 2000-based domain controller, maintain the Windows Server 2003 interim functional level for your domain and forest until you upgrade all of the domain controllers to Windows Server 2003.

The Windows Server 2003 interim forest functional level is ideal if you have groups consisting of over 5000 members in your existing Windows NT 4.0 environment. Because Windows 2000 Active Directory group replication limits the size of groups in a Windows 2000 forest, upgrading to Windows 2000 requires you to divide groups that include over 5000 members into smaller groups. When you are operating at the Windows Server 2003 interim functional level, you can take advantage of group membership replication improvements, which support large groups of over 5000 members.

Windows Server 2003 maintains the same schema, configuration, and domain directory partitions as Windows 2000, with the addition of application partitions.


Application Directory Partitions

If at least one domain controller in your forest is running Windows Server 2003, you can take advantage of application directory partitions, which provide storage for nondomain, application-specific data that can be replicated to any arbitrary set of domain controllers.

In Windows Server 2003, application directory partitions can be used to store Domain Name System (DNS) data. If the person who initializes the Active Directory installation is a member of the Enterprise Admins group, DNS-specific application directory partitions are created automatically on all existing DNS servers during the Active Directory installation. If application directory partition creation fails during the installation, the DNS service attempts to create the partitions again when the computer is restarted after Active Directory is installed. You must be a member of the Enterprise Admins group to create DNS-specific application directory partitions.

During the Active Directory installation, two DNS-specific application directory partitions are created: a forest-wide application directory partition called ForestDnsZones, and a domain-wide partition called DomainDnsZones for each domain in the forest. After upgrading all domain controllers in a domain to Windows Server 2003, you can specify the replication scope for each existing Active Directory integrated zone by moving the zone into the newly created application directory partition.

Moving Active Directory integrated DNS zones into application directory partitions has the following benefits:

! They can be used forest-wide, because the forest-wide application directory partition can replicate outside the domain. You do not have to use conventional DNS zone transfer to replicate the zone file information to DNS servers outside the domain.

! Domain-wide replication can be targeted to minimize replication traffic. Administrators can specify which of the domain controllers that are running the DNS service receive the DNS zone data.

! Forest-wide replication can be targeted to minimize replication traffic, because DNS information is no longer replicated to the global catalog.

Creating and Configuring Sites

Replication within Sites vs. Replication Between Sites

Replication within and between sites behaves the same as in Windows 2000. Windows Server 2003 now provides the ability to disable compression between sites. You can turn off compression of the replication traffic between domain controllers that reside in different sites. This reduces CPU utilization on the domain controllers, which increases their availability. To configure this setting, use ADSI Edit.

For example, say that you have multiple sites that are connected with high-speed network connections. After reviewing costs, you determine that you would rather reduce the CPU utilization at the cost of not compressing the replication traffic between domain controllers that belong to different sites.


Managing Site Topology

The Intersite Topology Generator

Windows Server 2003 provides some enhancements to the performance of the Intersite Topology Generator (ISTG). In a forest set to the Windows Server 2003 functional level, the new Windows Server 2003 spanning tree algorithm takes effect, giving larger gains in both efficiency and scalability.

For example, by using the original spanning tree algorithm from Windows 2000, one domain can contain up to 300 sites. With the new Windows Server 2003 algorithm, one domain can contain at least 3,000 sites. In the new algorithm, the intersite topology generator in each site uses a randomized selection process to determine the bridgehead servers for the site. This selection process more evenly distributes the bridgehead replication workload among domain controllers in a site, resulting in much better efficiency (particularly in hub sites with a number of domain controllers).

By default, the randomized selection process takes place only when new connection objects are added to the site. However, you can run adlb.exe, a new Windows Resource Kit tool, to rebalance the load each time changes occur in the topology or in the number of domain controllers in the site. In addition, adlb.exe can stagger schedules so that the outbound replication load for each server is spread out evenly across time.

Troubleshooting Replication Failures

The Repadmin Utility

The Windows Server 2003 repadmin utility contains more functionality than the Windows 2000 repadmin utility. There are also some deprecated commands. To view the available options, type repadmin /? at a command prompt.

Planning a Site

Determining the Need for Site Link Bridges

When the forest functional level is lower than the Windows Server 2003 forest level, follow the same rules for determining whether to disable site-link bridging as in Windows 2000.

The Windows Server 2003 forest level uses a more efficient algorithm that allows many more site paths to be calculated in a shorter time. The Windows Server 2003 forest functional level algorithm scales with the product of the number of domains and the number of sites in the forest (D*S), while the previous algorithm scaled approximately with the product of the number of domains and the square of the number of sites in the forest (D*S^2). As a guideline, more than 200 sites is considered a large number of sites.

There is no hard limit to the number of sites, but you should monitor the CPU utilization of the intersite topology generator as the number of domains and sites increases.


Module 8: Implementing the Placement of Domain Controllers

Placement of domain controllers in Windows Server 2003 is similar to that of Windows 2000. But in Windows Server 2003, placing global catalog servers has been made easier by the following changes:

! Additions to the partial attribute set no longer initiate a full synchronization cycle of the partial attribute set to all global catalog servers.

! The new feature, universal group membership caching, allows smaller remote sites to operate more efficiently without a global catalog in the site.

Implementing the Global Catalog in Active Directory

Synchronization Improvements for Additions to the Partial Attribute Set

You can use the synchronization improvements to scale your enterprise more effectively. When the partial attribute set is extended, such as for a line-of-business application deployment or any administrative action, this new feature minimizes the impact on the administrator's network infrastructure. This is especially important for administrators with large directories and those with global networks that include slower speed links.

Universal Group Membership Caching

In Windows 2000, when processing a logon for a user in a native mode domain, a domain controller had to contact a global catalog server in order to expand a user's Universal Group membership. This requirement compelled some organizations to deploy global catalog servers into remote offices in order to avoid logon failures if the network link that connected the remote site to the rest of the organization was disconnected.

Global Catalog not Required for Logon

Due to available network bandwidth and server hardware limitations, it may not be practical to have a global catalog in smaller branch office locations. For these sites, you can deploy domain controllers running Windows Server 2003, which can store universal group membership information locally.

Information is stored locally after you enable this option and a user attempts to log on for the first time. The domain controller obtains the universal group membership for that user from a global catalog, and then it is cached on the domain controller for that site indefinitely. It is periodically refreshed. The next time that the user attempts to log on, the authenticating domain controller running Windows Server 2003 obtains the universal group membership information from its local cache without the need to contact a global catalog.


By default, the universal group membership information contained in the cache of each domain controller is refreshed every 8 hours. To refresh the cache, domain controllers running Windows Server 2003 send a universal group membership confirmation request to a designated global catalog. Up to 500 universal group memberships can be updated at one time. You can enable universal group membership caching by using Active Directory Sites and Services. Universal group membership caching is site specific and requires that all domain controllers in that site be running Windows Server 2003 to participate.

The following list summarizes potential benefits for caching universal group memberships in branch office locations:

! Faster logon times because authenticating domain controllers no longer must access a global catalog to obtain universal group membership information.

! No need to upgrade hardware of existing domain controllers to manage the extra system requirements that are necessary to host a global catalog server.

! Minimized network bandwidth usage, because a domain controller will not have to handle replication for all of the objects located in the forest.

Planning the Placement of Domain Controllers

Guidelines for Placing Global Catalog Servers

The guidelines for the placement of global catalog servers are the same as in Windows 2000. However, the new feature, universal group membership caching, may preclude the need to place global catalog servers in remote branch offices, in contrast to Windows 2000.


Module 9: Managing Operations Masters

Managing operations masters in Windows Server 2003 is the same as in Windows 2000. However, in a forest at the Windows Server 2003 functional level, the domain naming master no longer must be enabled as a global catalog server.

Planning the Placement of Operations Masters

The placement of operations masters in a Windows Server 2003 forest follows the same rules and guidelines as in Windows 2000, with one exception regarding the domain naming master: a domain naming master in a forest that is set to the Windows Server 2003 functional level is not required to be enabled as a global catalog server.


Module 10: Maintaining Active Directory

Most of the tasks that you perform to maintain Active Directory in Windows Server 2003 are the same as in Windows 2000. Windows Server 2003 provides some enhancements to maintain Active Directory, including:

! The option to run an online defragmentation of the database of a server on demand.

! Synchronize restore mode password.

! WMI providers for replication and trust monitoring.

Restoring Active Directory

Synchronizing Restore Mode Password

When performing a normal or authoritative restore in both Windows 2000 and Windows Server 2003, you must know the Active Directory restore mode password. The following new Windows Server 2003 feature may be useful in some environments.

The typical configuration for a first server path of the Configure Your Server Wizard in Windows Server 2003 formerly requested entry of a Directory Services Restore Mode password for use by the Active Directory Installation Wizard (DCPromo.exe). The synchronize restore mode password feature removes this entry and automatically synchronizes this password with the Administrator password. The passwords will continue to be synchronized if the Administrator password is changed.

For example, the IT administrator in a small company enters the directory services restore mode password and then does not need to use this password again until six months later. Because this feature synchronized the directory services restore mode password with the regularly used administrator password, the IT administrator can easily remember the password.

You can open the Configure Your Server Wizard from either the Add or Remove Roles link on the Manage Your Server page or in Administrative Tools on the Start menu. Select Typical configuration for a first server.

Planning for Monitoring Active Directory

Windows Server 2003 provides additional performance counters to monitor Active Directory, along with more events to monitor.

WMI Providers for Replication and Trust Monitoring

This feature provides WMI classes, which you can use to monitor whether domain controllers are successfully replicating Active Directory information among themselves. Because many Windows 2000 components rely on inter-domain trust, this feature also provides a method to check that trusts are functioning correctly.

You can also use this feature to write scripts or applications that monitor the health of Active Directory replication and inter-domain trust.
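The following PowerShell script is an added example of such a monitoring script; it is not part of the course material. It assumes the replication and trust provider exposes its classes in the root\MicrosoftActiveDirectory namespace, with MSAD_ReplNeighbor describing each inbound replication partner per naming context and Microsoft_DomainTrustStatus describing each trust (the class and property names are those of the provider as documented for Windows Server 2003), and that it is run on a domain controller by an account allowed to query that namespace.

```powershell
# Added example (not from the course appendix): report failing inbound replication
# partners and broken trusts using the WMI provider described above.
# Assumptions: namespace root\MicrosoftActiveDirectory; classes MSAD_ReplNeighbor
# (one instance per inbound partner and naming context) and
# Microsoft_DomainTrustStatus (one instance per trust); run on a domain controller.

function Get-ReplicationProblems {
    param([string] $ComputerName = '.')
    $neighbors = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\MicrosoftActiveDirectory' -Class MSAD_ReplNeighbor
    # Report each inbound partner whose last sync attempt failed or that has
    # accumulated consecutive failures; a healthy partner produces no output.
    foreach ($n in $neighbors) {
        if ($n.LastSyncResult -ne 0 -or $n.NumConsecutiveSyncFailures -gt 0) {
            New-Object PSObject -Property @{
                Partition  = $n.NamingContextDN
                SourceDC   = $n.SourceDsaCN
                LastResult = $n.LastSyncResult          # Win32 error code, 0 = success
                Failures   = $n.NumConsecutiveSyncFailures
                LastOk     = $n.TimeOfLastSyncSuccess   # WMI datetime string
            }
        }
    }
}

function Get-BrokenTrusts {
    param([string] $ComputerName = '.')
    $trusts = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\MicrosoftActiveDirectory' -Class Microsoft_DomainTrustStatus
    # TrustIsOk is the provider's own verdict; TrustStatusString explains a failure.
    foreach ($t in $trusts) {
        if (-not $t.TrustIsOk) {
            New-Object PSObject -Property @{
                TrustedDomain = $t.TrustedDomain
                Direction     = $t.TrustDirection
                Status        = $t.TrustStatusString
            }
        }
    }
}

$replProblems = @(Get-ReplicationProblems)
$brokenTrusts = @(Get-BrokenTrusts)
if ($replProblems.Count -eq 0 -and $brokenTrusts.Count -eq 0) {
    'All inbound replication partners and trusts report healthy.'
} else {
    $replProblems | Format-Table Partition, SourceDC, LastResult, Failures, LastOk -AutoSize
    $brokenTrusts | Format-Table TrustedDomain, Direction, Status -AutoSize
}
```

Pass -ComputerName to either function to check a remote domain controller; a non-zero exit from a scheduled run of this script is a simple hook for an alerting system.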
