
What’s New in Windows Server 2003 Active Directory

An Introduction to the Active Directory Features

With the release of Microsoft Windows Server 2003 quite a few enhancements and features were introduced that were not previously available in Windows 2000. These enhancements were aimed at improving the scalability, efficiency, speed and performance of Active Directory, and addressed a few deficiencies or shortcomings of the earlier version of Active Directory utilized in Windows 2000 Server.
When a domain controller running Windows Server 2003 is created, a number of Active Directory basic features are immediately installed and available to the Windows Server 2003 domain controller. Certain other Active Directory features are only available when particular conditions exist in the network.
Additional Active Directory features can be enabled, but whether they are available depends on the following conditions or factors:
  • The operating system (OS) running on the domain controller
  • The domain functional level. In Windows 2000 Active Directory, this was called the domain mode.
  • The forest functional level
  • Whether the functional level is raised for the domain only, or for the forest.
The domain functional levels that can be set for Active Directory in Windows Server 2003 are listed below. The Windows 2000 Mixed and Windows 2000 Native domain functional levels were available in Windows 2000 to provide backward compatibility with operating systems such as Windows NT 4.0. The last two functional levels are only available with Windows Server 2003.
  • Windows 2000 Mixed: This is the default functional level when you install a Windows Server 2003 domain controller. The basic Active Directory features are available when this mode is configured.
  • Windows 2000 Native: In the Windows 2000 Native functional level, Windows NT backup domain controllers are not supported as domain controllers in the domain. Only Windows 2000 domain controllers and Windows Server 2003 domain controllers are supported.
The main difference between Windows 2000 Mixed and Windows 2000 Native, in terms of Active Directory features, is that features such as group nesting, universal groups and SID history (sIDHistory) are not available in Windows 2000 Mixed but are available in Windows 2000 Native.
  • Windows Server 2003 Interim: This functional level is used when Windows NT domains are upgraded directly to Windows Server 2003. Windows Server 2003 Interim is essentially identical to Windows 2000 Native. The key point to remember about Windows Server 2003 Interim is that it is used when the forests in your environment do not contain any Windows 2000 domain controllers.
  • Windows Server 2003: This domain functional level is used when the domain only includes Windows Server 2003 domain controllers.
The features available for the new Windows Server 2003 Interim and Windows Server 2003 domain functional levels are discussed later on in this article.
The forest functional level can also be raised to enable additional Active Directory features. You must, however, first raise the functional level of the domains within a forest before you can raise the forest functional level to Windows Server 2003. The domain functional level must be Windows 2000 Native or Windows Server 2003 before you raise the forest functional level. When you raise the forest functional level to Windows Server 2003, every domain in the forest automatically has its domain functional level set to Windows Server 2003, and the additional Active Directory features become available immediately in each domain.
The forest functional levels that can be set for Active Directory in Windows Server 2003 are listed below.
  • Windows 2000: In this forest functional level, Windows NT, Windows 2000 and Windows Server 2003 domain controllers can exist in domains.
  • Windows Server 2003 Interim: Windows NT backup domain controllers and Windows Server 2003 domain controllers can exist in domains.
  • Windows Server 2003: The domain controllers are all running Windows Server 2003.
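The rules above (which levels can be raised to which, what blocks a raise, and the automatic promotion of every domain when the forest is raised to Windows Server 2003) can be written out as a small model. The following Python is an added example and is not part of the original article. The attribute names are the real ones Active Directory uses: msDS-Behavior-Version (0 = Windows 2000, 1 = Windows Server 2003 Interim, 2 = Windows Server 2003) on the domain naming context and on CN=Partitions,CN=Configuration, and ntMixedDomain (1 = Mixed, 0 = Native) to tell the two Windows 2000 domain levels apart. The domains, domain controllers and their operating systems are constructed sample data, and the script only models the checks; it does not talk to a directory.

```python
from dataclasses import dataclass, field

# msDS-Behavior-Version values. The same numbering is used on the domain naming
# context (domain functional level) and on CN=Partitions,CN=Configuration
# (forest functional level). Windows 2000 Mixed and Native share version 0 and
# are told apart by the ntMixedDomain attribute (1 = Mixed, 0 = Native).
WIN2000, WS2003_INTERIM, WS2003 = 0, 1, 2

MIXED, NATIVE, INTERIM, LEVEL_2003 = (
    "Windows 2000 Mixed", "Windows 2000 Native",
    "Windows Server 2003 Interim", "Windows Server 2003",
)
FOREST_NAMES = {WIN2000: "Windows 2000", WS2003_INTERIM: INTERIM, WS2003: LEVEL_2003}

# Raising is one-way; these are the only permitted domain-level transitions.
DOMAIN_TRANSITIONS = {
    MIXED: {NATIVE, INTERIM, LEVEL_2003},
    NATIVE: {LEVEL_2003},
    INTERIM: {LEVEL_2003},
    LEVEL_2003: set(),
}
TARGET_VERSION = {NATIVE: WIN2000, INTERIM: WS2003_INTERIM, LEVEL_2003: WS2003}


@dataclass
class Domain:
    name: str
    behavior_version: int = WIN2000          # msDS-Behavior-Version on the domain NC head
    nt_mixed_domain: int = 1                 # 1 = Mixed, 0 = Native (only read at version 0)
    dcs: dict = field(default_factory=dict)  # DC name -> "NT4" (BDC), "2000" or "2003" (constructed)


@dataclass
class Forest:
    behavior_version: int = WIN2000          # msDS-Behavior-Version on CN=Partitions
    domains: list = field(default_factory=list)


def domain_level(d):
    if d.behavior_version == WIN2000:
        return MIXED if d.nt_mixed_domain == 1 else NATIVE
    return {WS2003_INTERIM: INTERIM, WS2003: LEVEL_2003}[d.behavior_version]


def forest_level(f):
    return FOREST_NAMES[f.behavior_version]


def domain_raise_blockers(d, target):
    """Reasons `d` cannot be raised to `target`; an empty list means the raise is allowed."""
    blockers = []
    current = domain_level(d)
    if target not in DOMAIN_TRANSITIONS[current]:
        blockers.append(f"{d.name}: cannot go from {current} to {target}")
    oses = set(d.dcs.values())
    if target in (NATIVE, LEVEL_2003) and "NT4" in oses:
        blockers.append(f"{d.name}: Windows NT backup domain controllers are not supported at {target}")
    if target == INTERIM and "2000" in oses:
        blockers.append(f"{d.name}: Interim is only for NT upgrades with no Windows 2000 domain controllers")
    if target == LEVEL_2003 and oses - {"2003"}:
        blockers.append(f"{d.name}: every domain controller must run Windows Server 2003")
    return blockers


def raise_domain(d, target):
    blockers = domain_raise_blockers(d, target)
    if blockers:
        raise ValueError("; ".join(blockers))
    d.behavior_version = TARGET_VERSION[target]
    d.nt_mixed_domain = 0
    return domain_level(d)


def forest_raise_blockers(f, target_version):
    """Reasons the forest cannot be raised to `target_version`; empty list means allowed."""
    blockers = []
    if target_version <= f.behavior_version:
        blockers.append("forest functional levels can only be raised, not lowered")
    for d in f.domains:
        if target_version == WS2003 and domain_level(d) == MIXED:
            blockers.append(f"{d.name} is at {MIXED}; raise it to {NATIVE} or {LEVEL_2003} first")
        if target_version == WS2003 and set(d.dcs.values()) - {"2003"}:
            blockers.append(f"{d.name}: every domain controller must run Windows Server 2003")
        if target_version == WS2003_INTERIM and "2000" in d.dcs.values():
            blockers.append(f"{d.name} has Windows 2000 domain controllers; Interim is not allowed")
    return blockers


def raise_forest(f, target_version):
    blockers = forest_raise_blockers(f, target_version)
    if blockers:
        raise ValueError("; ".join(blockers))
    f.behavior_version = target_version
    if target_version == WS2003:
        # Raising the forest to Windows Server 2003 sets every domain to that level as well.
        for d in f.domains:
            d.behavior_version, d.nt_mixed_domain = WS2003, 0
    return forest_level(f)


if __name__ == "__main__":
    # Constructed sample forest: the root still has an NT 4.0 BDC, the child is all 2003.
    root = Domain("corp.example", dcs={"DC1": "2003", "DC2": "NT4"})
    child = Domain("eu.corp.example", dcs={"DC3": "2003"})
    forest = Forest(domains=[root, child])
    print(domain_level(root), domain_raise_blockers(root, NATIVE))
    root.dcs["DC2"] = "2003"                      # BDC retired
    print(raise_domain(root, NATIVE), raise_domain(child, LEVEL_2003))
    print(forest_raise_blockers(forest, WS2003), raise_forest(forest, WS2003), domain_level(root))
```

The order of checks mirrors the procedure in the text: retire or upgrade the down-level domain controllers, raise each domain, then raise the forest, which finishes the job for any domain still at Windows 2000 Native.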

New Active Directory Basic Features

Active Directory basic features are enabled by default when you install a Windows Server 2003 domain controller. The enhancements and features available are summarized below:
  • You can promote domain controllers in Windows Server 2003 domains faster and more efficiently because you can use a tape backup of the Active Directory database, which is essentially a restored backup of another domain controller, to populate the Active Directory database of a newly promoted domain controller. This decreases the time needed to install an additional domain controller in an existing domain.
  • Because problems sometimes present themselves when Windows NT 4 primary domain controllers are upgraded to Windows Server 2003 domain controllers, you can configure the domain controllers to behave towards your Windows clients as Windows NT domain controllers.
  • Active Directory can now store over one billion objects, thereby improving scalability.
  • In Windows 2000 Active Directory, changes made to the same group on multiple domain controllers within the same replication interval used to overwrite each other. This has since been corrected: group members are now replicated as separate entities.
  • The method used to calculate the replication topology between sites has been streamlined to solve an earlier problem whereby the replication topology calculations could not be completed in the allotted time.
  • Domain logon has been improved: users can continue to log on when the Global Catalog server cannot be reached, because universal group membership can now be stored on domain controllers that are not Global Catalog servers.
  • Windows Server 2003 introduces a new naming context, or directory partition, namely the application directory partition. Application-specific data is stored in this partition, and you can now configure replication of that data between selected domain controllers. The application directory partition is primarily used to store DNS record objects for Active Directory-integrated zones.
  • The inetOrgPerson object class is a new security principal added to the base schema. You use this security principal in the same manner that you would use other security principals such as User and Group.
  • With Windows Server 2003, support is included for:
    • RFC 2589 – LDAPv3: Extensions for Dynamic Directory Services: You can now store time-sensitive information in Active Directory.
    • RFC 2829 – Authentication Methods for LDAP: It is now simpler to integrate Active Directory into environments that are not running Windows.
    • RFC 2830 – LDAPv3: Extension for Transport Layer Security: Secure connections are now used when Lightweight Directory Access Protocol (LDAP) queries are transmitted over the network to domain controllers. Active Directory encrypts all LDAP traffic by default.
  • Enhancements to LDAP queries include a new query type called the Attribute Scoped Query (ASQ) and a new LDAP management mechanism called Virtual List Views. You can use an ASQ to determine the groups of which a particular user is a member. Virtual List Views enable you to view a large set of data in order.
  • Active Directory quotas can be used to control and manage the number of objects that a user, group, or computer can own in a particular Active Directory directory partition.
  • Because you can now select multiple directory objects at once, you can change the attributes of multiple objects simultaneously.
  • You can also use the new drag-and-drop move feature to move directory objects from one container to another container. You can use the same feature to add objects to group membership lists.
  • With Windows Server 2003, you can save, export and refresh Active Directory queries. Using saved queries, you can find specific objects and modify their properties simultaneously.
  • You can use the following Windows Server 2003 Active Directory command-line tools to administer Active Directory:
    • Dsadd, Dsget, Dsmod, Dsmove, Dsquery, Dsrm, Csvde, Ntdsutil, Ldifde
  • The new version of the Active Directory Migration Tool (ADMT) includes the following:
    • Password migration support
    • Access to user profiles remains unchanged
  • Windows Server 2003 Active Directory introduced more than 200 new Group Policy settings. The new Group Policy settings must, however, be applied to Windows Server 2003 clients for them to take effect.
  • Active Directory in Windows Server 2003 has an integrated Resultant Set of Policy (RSoP) calculator that can be used to determine which policies have been applied to a particular user or computer. You can use the feature through the Resultant Set of Policy (RSoP) Wizard or from the command line.
  • Windows Server 2003 Help and the Group Policy console (Extended tab) now include descriptive information on all the administrative templates.
  • The following new command-line tools can be used to manage Group Policy:
    • Gpupdate: The Gpupdate tool replaces the Secedit switches used in Windows 2000. You can use Gpupdate to refresh Group Policy immediately.
    • Gpresult: The Gpresult tool is used to create and view the results of an RSoP query from the command line.
  • When deploying software with Group Policy, you can force assigned applications to be installed at deployment, and you can now choose to enable or disable the following advanced options:
    • The publication of OLE class information on a software package
    • The availability of 32-bit programs to 64-bit computers
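The group-replication fix mentioned in the list above (members replicated as separate entities rather than the group's member list overwriting itself) is easier to see with the two replication models side by side. The following Python is an added example and is not part of the original article: it models a group's member attribute on two domain controllers, first as one versioned blob (the Windows 2000 behaviour) and then with per-value metadata, and merges the two replicas with the usual version, then timestamp, then originating-DC tie-break. The DC names, member names and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field


# Replication metadata as Active Directory keeps it: a version counter, the
# originating time and the originating DC. Conflicts compare these in that order.
@dataclass(frozen=True, order=True)
class Stamp:
    version: int
    timestamp: int
    dc: str


@dataclass
class WholeAttribute:
    """Windows 2000 behaviour: the entire `member` attribute is one replicated unit."""
    members: frozenset
    stamp: Stamp

    def add(self, who, at, dc):
        return WholeAttribute(self.members | {who}, Stamp(self.stamp.version + 1, at, dc))

    def remove(self, who, at, dc):
        return WholeAttribute(self.members - {who}, Stamp(self.stamp.version + 1, at, dc))


def merge_whole(a, b):
    # Whole-attribute conflict: the higher stamp wins and the other DC's write is discarded.
    return a if a.stamp > b.stamp else b


@dataclass
class LinkedValues:
    """Windows Server 2003 behaviour: each member value carries its own stamp and a
    present/absent flag, so changes to different values never conflict."""
    values: dict = field(default_factory=dict)   # member -> (present, Stamp)

    def _bump(self, who, present, at, dc):
        new = dict(self.values)
        old_stamp = new.get(who, (False, Stamp(0, 0, "")))[1]
        new[who] = (present, Stamp(old_stamp.version + 1, at, dc))
        return LinkedValues(new)

    def add(self, who, at, dc):
        return self._bump(who, True, at, dc)

    def remove(self, who, at, dc):
        # A removal keeps the value with an "absent" flag so the removal itself replicates.
        return self._bump(who, False, at, dc)

    def members(self):
        return frozenset(m for m, (present, _) in self.values.items() if present)


def merge_linked(a, b):
    # Per-value conflict: each member is resolved on its own stamp.
    merged = dict(a.values)
    for member, (present, stamp) in b.values.items():
        if member not in merged or stamp > merged[member][1]:
            merged[member] = (present, stamp)
    return LinkedValues(merged)


def scenario_whole():
    """Both DCs start from {alice}. In one interval DC1 removes alice and adds bob,
    while DC2 adds carol. Returns the membership after replication."""
    base = WholeAttribute(frozenset({"alice"}), Stamp(1, 0, "DC1"))
    dc1 = base.remove("alice", 10, "DC1").add("bob", 11, "DC1")
    dc2 = base.add("carol", 12, "DC2")
    return merge_whole(dc1, dc2).members


def scenario_linked():
    """Same changes as scenario_whole, replicated value by value."""
    base = LinkedValues().add("alice", 0, "DC1")
    dc1 = base.remove("alice", 10, "DC1").add("bob", 11, "DC1")
    dc2 = base.add("carol", 12, "DC2")
    return merge_linked(dc1, dc2).members()


if __name__ == "__main__":
    print("whole attribute :", sorted(scenario_whole()))    # carol's addition is lost
    print("linked values   :", sorted(scenario_linked()))   # both DCs' changes survive
```

The whole-attribute merge silently drops DC2's addition of carol, which is the overwrite the text describes; with per-value stamps the removal of alice and both additions survive regardless of which replica is merged into which.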
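The Active Directory quota item in the list above says what quotas limit but not how the limit is worked out for a given account. The following Python is an added example, not code from the original article, that models the effective-quota calculation: a quota is assigned to a trustee (user, group or computer) for one directory partition; a principal's effective quota is the highest of the quotas assigned to it directly or through its groups, falling back to the partition default (msDS-DefaultQuota, where -1 means unlimited); live objects count in full and tombstoned objects count at the partition's msDS-TombstoneQuotaFactor percentage; and members of Domain Admins (RID 512) or Enterprise Admins (RID 519) are exempt. The SIDs and object counts are constructed sample values, and the integer rounding of the tombstone weighting is a simplification of this model.

```python
from dataclasses import dataclass, field

UNLIMITED = -1   # msDS-DefaultQuota / msDS-QuotaAmount value meaning "no limit"

# Constructed sample domain SID prefix; the 512 and 519 RIDs are the real
# Domain Admins and Enterprise Admins relative identifiers, which are exempt from quotas.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
EXEMPT_SIDS = {f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-519"}


@dataclass
class QuotaPartition:
    """Quota settings for one directory partition (the CN=NTDS Quotas container)."""
    default_quota: int = UNLIMITED                   # msDS-DefaultQuota
    tombstone_factor: int = 100                      # msDS-TombstoneQuotaFactor, in percent
    quotas: dict = field(default_factory=dict)       # trustee SID -> msDS-QuotaAmount
    owned: dict = field(default_factory=dict)        # owner SID -> live objects owned
    tombstoned: dict = field(default_factory=dict)   # owner SID -> tombstoned objects owned


def effective_quota(part, sid, group_sids=()):
    """Highest quota assigned to the principal or any of its groups; the partition
    default applies when none is assigned."""
    applicable = [part.quotas[s] for s in {sid, *group_sids} if s in part.quotas]
    if not applicable:
        return part.default_quota
    if UNLIMITED in applicable:
        return UNLIMITED
    return max(applicable)


def consumed(part, sid):
    """Objects charged against the principal: live objects in full, tombstones weighted
    by the tombstone quota factor (integer arithmetic is a simplification here)."""
    live = part.owned.get(sid, 0)
    dead = part.tombstoned.get(sid, 0) * part.tombstone_factor // 100
    return live + dead


def may_create(part, sid, group_sids=()):
    """Would creating one more object in this partition be allowed for `sid`?"""
    if sid in EXEMPT_SIDS or EXEMPT_SIDS & set(group_sids):
        return True
    quota = effective_quota(part, sid, group_sids)
    return quota == UNLIMITED or consumed(part, sid) < quota


if __name__ == "__main__":
    # Constructed sample: a helpdesk user with a direct quota of 50, in a group allowed 100.
    user, helpdesk = f"{DOMAIN_SID}-1105", f"{DOMAIN_SID}-1200"
    part = QuotaPartition(default_quota=10, tombstone_factor=50,
                          quotas={user: 50, helpdesk: 100},
                          owned={user: 95}, tombstoned={user: 10})
    print(effective_quota(part, user, [helpdesk]), consumed(part, user), may_create(part, user, [helpdesk]))
```

Because the effective quota is the maximum across the principal's groups, a tight per-user quota is undone by a generous group quota; review group quotas as carefully as direct ones when using quotas to keep a delegated account from filling a partition.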

Active Directory Features enabled by Domain/Forest Functional Levels

The features and enhancements listed below are only available when the domain or forest functional level has been raised to Windows Server 2003. This means that each domain controller must be running Windows Server 2003. The features and enhancements enabled by this functional level can be used to change the configuration of the domain and forest.
  • Domain controller renaming tool: You can use the domain controller renaming tool to rename domain controllers; you do not need to demote them first. All Active Directory and DNS entries are updated automatically as well.
  • Domain rename utility (Rendom.exe): You can use the Rendom.exe utility to change the name of domains. Through the utility, you can change the NetBIOS or DNS name of a domain. This includes any child, parent, domain tree root, or forest root domain.
  • You can now restructure your forest by moving existing domains to different locations in the domain hierarchy.
  • With the functional level raised to Windows Server 2003, you can create a forest trust to form a two-way transitive trust relationship between two forests. This trust relationship enables users in one forest to access resources available in the other forest.
  • For the Active Directory schema, enhancements include the capability of assigning an auxiliary schema class to specific objects. This feature is called dynamically linked auxiliary classes.
  • When Active Directory schema objects are no longer needed, you can disable classes and attributes, rename classes and attributes, and redefine them. You can also reactivate these classes and attributes when you need them at a later date. You cannot, however, delete schema objects.
  • You can also restrict users in a particular domain or forest from accessing network resources in a different domain/forest. By controlling resource access between domains and forests, you can allow users specific access to network resources.
  • Global catalog replication has also been improved. When the partial attribute set is extended, only the attributes that have been added are replicated. This in turn decreases the amount of traffic generated by global catalog replication.
