- Evolution of Directory Services
- Active Directory Development
- Active Directory Structure
- Active Directory Components
- Domain Trusts
- Organizational Units
- Groups in an Active Directory Environment
- Active Directory Replication
- DNS in Active Directory
- Active Directory Security
- Active Directory Changes in Windows .NET Server 2003
- Summary
- Best Practices
Active Directory Changes in Windows .NET Server 2003
Improvements in the functionality and reliability of Active Directory are of key importance to the development team at Microsoft and to the entire Microsoft .NET Services initiative as a whole. It is therefore no small surprise that Windows .NET Server 2003 introduces improvements in Active Directory. From the ability to rename Active Directory domains to improvements in replication compression, the changes made to the structure of Active Directory warrant a closer look.
Windows .NET Active Directory Domain Rename Tool
A promised feature of Active Directory that has been eagerly awaited is the ability to prune, splice, and rename Active Directory domains. Given the nature of corporate America, with restructuring, acquisitions, and name changes occurring constantly, the ability of Active Directory to be flexible in naming and structure is of utmost importance. The Active Directory rename tool was devised to address this very need.
Before you start renaming your Windows 2000 Active Directory tree into your dream domain, several key prerequisites must be in place. First, and probably most important, all domain controllers in the entire forest must be upgraded to Windows .NET Server 2003 in advance. In addition, the forest must be raised to Windows .NET functionality. Finally, you should perform comprehensive backups of your environment before undertaking the rename.
The domain rename process is complex and should never be considered as routine. After the process, each domain controller must be rebooted and each member computer across the entire forest must also be rebooted (twice). For a greater understanding of the domain rename tool and process, see Chapter 17.
Improvements in the Configure Your Server Wizard
The Configure Your Server (CYS) Wizard, introduced with Windows 2000 Server, has been vastly improved. If you were used to disabling this wizard in Windows 2000, you may want to think again in Windows .NET, because the wizard can be very helpful in configuring your server for the role that it will play, shutting off services that are not necessary and configuring the ones that are needed. There are now options to configure a server as a Terminal server, as well as Routing and Remote Access Service (RRAS) configurations.
Cross-Forest Trusts
Windows .NET Server 2003 Active Directory introduces the capability to establish cross-forest trusts between two disparate Active Directory forests. This capability allows two companies to share resources more easily, without actually merging the forests. Note that these types of trusts are not transitive, and must be set up manually in each direction.
Active Directory Replication Compression Disable Support
By default, all replication traffic between domain controllers in Active Directory is compressed to reduce network traffic. However, this compression can have the undesired effect of slowing down processor performance on the domain controllers. In Windows .NET Server 2003 Active Directory, you have the option of turning off this functionality, disabling compression and saving processor cycles. This would normally be an option only for organizations with very fast connections between all their domain controllers.
Schema Attribute Deactivation
Developers who write applications for Active Directory can take heart in the fact that Windows .NET Server 2003's Active Directory implementation offers the ability to deactivate schema attributes, allowing custom-built applications to utilize custom attributes without fear of conflict. In addition, attributes can be deactivated to reduce replication traffic.
Incremental Universal Group Membership Replication
Windows 2000 previously had a major drawback in the use of universal groups. Membership in those groups was stored in a single, multivalued attribute in Active Directory. Essentially, what this meant was that any changes to membership in a universal group required a complete re-replication of all membership. In other words, if you had a universal group with 5,000 users, adding number 5,001 would require a major replication effort because all 5,001 users would be re-replicated across the forest. Windows .NET Server 2003 simplifies this process and allows for incremental replication of universal group membership. In essence, only the 5,001st member is replicated in Windows .NET Server 2003.
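To make the difference concrete, the following Python model (an added illustration, not code from the book) contrasts the Windows 2000 behavior, where a change to the multivalued member attribute ships the whole attribute, with Windows .NET Server 2003 linked-value replication, where each value carries its own metadata and only changed values are sent. The group, user names and USN bookkeeping are constructed for the example.

```python
"""Attribute-level vs. linked-value replication of a group's 'member' attribute.
Added example, not from the book; the data structures are constructed here."""
from dataclasses import dataclass, field


@dataclass
class ValueMeta:
    usn: int        # update sequence number stamped on this single value
    present: bool   # False marks a removed (tombstoned) link value


@dataclass
class GroupReplica:
    """One DC's copy of a universal group, carrying both a per-value USN
    (Windows .NET Server 2003 style) and one attribute-level USN
    (Windows 2000 style) so the two models can be compared side by side."""
    members: dict = field(default_factory=dict)   # name -> ValueMeta
    attribute_usn: int = 0
    usn: int = 0

    def _stamp(self, name, present):
        self.usn += 1
        self.members[name] = ValueMeta(self.usn, present)
        self.attribute_usn = self.usn   # whole attribute is "changed"

    def add_member(self, name):
        self._stamp(name, True)

    def remove_member(self, name):
        self._stamp(name, False)


def replicate_w2k(source, partner_watermark):
    """Windows 2000: the attribute changed since the partner's watermark,
    so every current member value is re-sent."""
    if source.attribute_usn > partner_watermark:
        return sorted(n for n, m in source.members.items() if m.present)
    return []


def replicate_lvr(source, partner_watermark):
    """Windows .NET Server 2003 linked-value replication: send only values
    whose own USN is past the partner's watermark, with add/remove state."""
    return sorted((n, m.present) for n, m in source.members.items()
                  if m.usn > partner_watermark)


def demo(initial=5000):
    """Sync a partner after `initial` members, then add one more member and
    return (values sent by the old model, values sent by the new model)."""
    g = GroupReplica()
    for i in range(1, initial + 1):
        g.add_member(f"user{i:04d}")
    watermark = g.usn               # partner fully in sync at this point
    g.add_member(f"user{initial + 1:04d}")
    return len(replicate_w2k(g, watermark)), replicate_lvr(g, watermark)
```

Removing a member behaves the same way: the old model re-sends the remaining 5,000 values, while linked-value replication sends a single (name, False) entry.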
Active Directory in Application Mode
One additional function of Windows .NET Server 2003 is the Active Directory in Application Mode (AD/AM) product. AD was given the capability to run separate instances of itself as unique services. Active Directory in Application Mode allows specialized applications to utilize AD/AM as their own directory service, negating the need for a new form of directory service for every critical application within an organization.
AD/AM uses the same replication engine as Active Directory, follows the same X.500 structure, and is close enough to real AD functionality to allow it to be installed as a testbed for developers who design AD applications. Despite the similarities, however, AD/AM runs as a separate service from the operating system, with its own schema and structure, untying it from the limitations that a production NOS would hold it to.
The real value of an AD/AM implementation comes from its capability to utilize the security structure of the production domain(s) while maintaining its own directory structure. In fact, an instance of AD/AM can run as a service on a Windows .NET Server 2003 member server in a Windows NT domain. The AD/AM instance would then utilize NT domain accounts for its own security.
AD/AM functionality was developed in direct response to one of the main limitations in using Microsoft's Active Directory: the fact that the directory was so intrinsically tied to the NOS that applications which did not require the extra NOS-related functionality of AD were restricted in their particular directory needs. AD/AM allows each application to have its own separate AD directory forest and allows for personalized modification of the directory, such as schema extensions, tailored replication (or lack of replication) needs, and other key directory needs.
One of the major advantages to AD/AM also lies in the fact that multiple instances of AD/AM can run on a single machine, each with its own unique name, port number, and separate binaries. In addition, AD/AM can run on any version of Windows .NET Server 2003 or even on Windows XP Professional for development purposes. Each instance of AD/AM can utilize a separate, tailored schema.
AD/AM is virtually indistinguishable from a normal NOS instance of Active Directory and consequently can be administered using the standard AD tools, such as ADSIEdit, LDP.exe, and the Microsoft Management Console (MMC) tools. In addition, user accounts can be created, unique replication topologies defined, and all normal AD operations performed on a tailored copy of an AD forest.
In short, AD/AM provides applications with the advantages of the Active Directory environment, but without the NOS limitations that previously forced the implementation of multiple, cost-ineffective directories. Developers now can exploit the full functionality of Windows .NET Server 2003's Active Directory without limitation, while at the same time assuming the numerous advantages of integration into a common security structure.
Additional Changes
In addition to the changes listed in the preceding sections, Active Directory in Windows .NET Server 2003 supports the following new features:
- AD-Integrated DNS Zones in Application Partitions: DNS zones that are Active Directory integrated are now stored in the application partition. This basically means that fewer objects need to be stored in AD, reducing replication concerns with DNS.
- AD Lingering Objects Removal: Objects listed in Active Directory that no longer exist can now be easily removed in Windows .NET Server 2003.
- AD Administration Enhancements: Administrative tools have been enhanced in Windows .NET Server 2003 to facilitate common tasks such as working with ACLs, finding objects, and selecting multiple OUs for tasks.