Trending Topics

Implement and configure AWS Backup for VMware Cloud on AWS VM workloads

In our previous post we saw the design of the AWS Backup on VMC. In this post we’re going through the implementation steps As per the design and best practice, we are going to use the ENI for the Backup traffic CREATE A VPC ENDPOINT  TO CREATE AN INTERFACE ENDPOINT FOR AN AWS SERVICE 1. Open the Amazon VPC console at    2. In the navigation pane, choose Endpoints 3. Choose Create endpoint 4. Name the endpoint   5. For Service category, choose AWS services 6. For Service name, search “ Backup ” and select “ backup-gateway ” service from the dropdown 7. For VPC, select the VPC which we used for SDDC deployment and extension 8. To create an interface endpoint for Amazon S3, you must “uncheck” Additional settings, Enable DNS name. This is because Amazon S3 does not support private DNS for interface VPC endpoints 9. For  Subnets , select one subnet per Availability Zone which we used for SDDC VMC selection  10. For Security group , sel

What’s New in Windows Server 2003 Active Directory

An Introduction to the Active Directory Features

With the release of Microsoft Windows Server 2003 quite a few enhancements and features were introduced that were not previously available in Windows 2000. These enhancements were aimed at improving the scalability, efficiency, speed and performance of Active Directory, and addressed a few deficiencies or shortcomings of the earlier version of Active Directory utilized in Windows 2000 Server.
When a domain controller running Windows Server 2003 is created, a number of Active Directory basic features are immediately installed and available to the Windows Server 2003 domain controller. Certain other Active Directory features are only available when particular conditions exist in the network.
Additional Active Directory features can be enabled but is dependant on the following conditions, or factors:
  • The operating system (OS) running on the domain controllernew in windows server 2003 active directory Whats New in Windows Server 2003 Active Directory
  • The domain functional level. In Windows 2000 Active Directory, the domain mode terminology was utilized.
  • The forest functional level
  • Whether the functional level is raised for the domain only, or for the forest.
The domain functional levels that can be set for Active Directory in Windows Server 2003 are listed below. The Windows 2000 Mixed and Windows Native domain functional levels were available in Windows 2000 to enable backward compatibility to operating systems such as Windows NT 4.0. The latter two functional levels are only available with Windows Server 2003.
  • Windows 2000 Mixed: This is the default functional level implemented when you install a Windows Server 2003 domain controller. The basic Active Directory features are available when this mode is configured.
  • Windows 2000 Native: In Windows 2000 Native functional level, the backup domain controllers of Windows NT is not supported as domain controllers in the domain. Only Windows 2000 domain controllers and Windows Server 2003 domain controllers are supported.
The main differences between Windows 2000 Mixed and Windows 2000 Native when discussing Active Directory features is that features like group nesting, or using Universal Groups and Security ID Histories (SIDHistory) is not available in Windows 2000 Mixed, but is available in Windows 2000 Native.
  • Windows Server 2003 Interim: This functional level is used when Windows NT domains are directly upgraded to Windows Server 2003. Windows Server 2003 Interim is basically identical to Windows 2000 Native. The key point to remember on Windows Server 2003 Interim is that this functional level is used when the forests in your environment do not have Windows 2000 domain controllers.
  • Windows Server 2003: This domain functional level is used when the domain only includes Windows Server 2003 domain controllers.
The features available for the new Windows Server 2003 Interim and Windows Server 2003 domain functional levels are discussed later on in this article.
The forest functional level can also be raised to enable additional Active Directory features. You have to though first raise the functional of domains within a forest before you can raise the forest functional level to Windows Server 2003. The domain functional level in this case has to be Windows 2000 Native or Windows Server 2003 before you raise the forest functional level. Domain controllers in the domains of the forest automatically have their functional level set to Windows Server 2003 when you raise the forest functional level to Windows Server 2003. Additional Active Directory features are immediately available for each domain in the forest.
The forest functional levels that can be set for Active Directory in Windows Server 2003 listed below.
  • Windows 2000: In this forest functional level, Windows NT, Windows 2000 and Windows Server 2003 domain controllers can exist in domains.
  • Windows Server 2003 Interim: Windows NT backup domain controllers and Windows Server 2003 domain controllers can exist in domains.
  • Windows Server 2003: The domain controllers are all running Windows Server 2003.

New Active Directory Basic Features

Active Directory basic features are enabled by default when you install a Windows Server 2003 domain controller. The enhancements and features available are summarized below:
  • You can promote domain controllers to Windows Server 2003 domains more efficiently and faster because you can use a tape backup of the Active Directory database which is essentially a restored backup of another domain controller, to update the Active Directory database for a newly promoted domain controller. This decreases the time needed to install an additional domain controller in an existing domain.
  • Because problems do at times presents themselves when Windows NT 4 primary domain controllers are upgraded to Windows Server 2003 domain controllers, you can configure the domain controllers to treat your Windows clients as Windows NT domain controllers.
  • Active Directory can now store over one billion objects, thereby improving scalability.
  • In Active Directory used in Windows 2000, changes made to the identical Group hosted on multiple domain controllers in the same replication interval used to overwrite each other. This has since been corrected as group members are replicated as separate entities.
  • The actual method used to calculate the replication topology between sites is streamlinedto solve a prior problem whereby the replication topology calculations could not be completed in the specified time.
  • Domain logon has been improved, and users can continue to log on at times when the Global Catalog server cannot be accessed because Universal group membership can now be stored on servers that are not Global Catalog servers.
  • Windows Server 2003 introduces a new naming context, or directory partition, namely the Application directory partition. Application specific data is stored in this directory partition. You can now configure replication for application specific data between domain controllers. The Application directory partition is primarily used to store DNSrecord objects for Active Directory Integrated zones.
  • The inetOrgPerson object class is a new security principal added to the base schema. You use this security principal in the same manner that you would use other security principals such as User and Group.
  • With Windows Server 2003, support is included for:
    • RFC 2589 – LDAPv3: Extensions for Dynamic Directory Services Two private addresses are utilized for communication among the nodes: You can now store information that is time sensitive in Active Directory.
    • RFC 2829 – Authentication Methods for LDAP: It is now simpler to integrate Active Directory into environments that are not running Windows.
    • RFC 2830 – LDAPv3: Extension for Transport Layer Security: Secure connections are now used when Lightweight Directory Access Protocol (LDAP) queries are transmitted over the network to domain controllers. Active Directory encrypts all LDAP traffic by default.
  • Enhancements to LDAP queries include a new query types called an Attribute Scoped Query (ASQ); and a new LDAP management mechanism called Virtual List Views. You can use the ASQ to determine those groups to which a particular user is a member of. Virtual List Views enable you to view a large set of data in an order.
  • Active Directory quotas can be used to control and manage the number of objects that a user, group, and computer can be the owner of in a particular Active Directory directory partition.
  • Because you now simultaneously select multiple directory objects, you cansimultaneously change the attributes on multiple objects.
  • You can also use the new drag-and-drop move feature to move directory objects from one container to another container. You can use the same feature to add objects to group membership lists.
  • With Windows Server 2003, you can save, export and refresh Active Directory queries. Through the use of saved queries, you can find specific objects, and modify the properties of these objects simultaneously.
  • You can use the following Windows Server 2003 Active Directory command-line tools to administer Active Directory:
    • Dsadd, Dsget, Dsmod, Dsmove, Dsquery, Dsrm, Csvde, Ntdsutil, Ldifde
  • new version of the Active Directory Migration Tool (ADMT) includes the following:
    • Password migration support
    • Access to user profiles remain unchanged
  • With the introduction of Windows Server 2003 Active Directory came the introduction of more than 200 new Group Policy settings. The new Group Policy settings have to though be applied to Windows Server 2003 clients for it to be enabled.
  • Active Directory in Windows Server 2003 has an integrated Resultant Set of Policies(RSoP) calculator that can be used to determine the policies which have been applied to a particular user or computer. You can use the feature through the Resultant Set Of Policy (RSoP) Wizard or from the command-line.
  • Windows Server 2003 Help and the Group Policy console (Extended tab) now include descriptive information on all the administrative templates.
  • The following new command-line tools can be used to manage Group Policy:
    • Gpupdate: The Gpupdate update tool replaces the Secedit switches used in Windows 2000. You can use Gpupdate to immediately refresh group policy.
    • Gpresult: The Gpresult tool is used to create and view the results of a RSoP query using command line.
  • When deploying software with Group Policy, you can force assigned applications to be installed at deployment, and you can now choose to enable or disable the following advanced options:
    • The publication of OLE class information on a software package
    • The availability of 32-bit programs to 64-bit computers

Active Directory Features enabled by Domain/Forest Functional Levels

The features and enhancements listed below are only available when the domain or forest functional levels have been raised to Windows Server 2003. This means that each domain controller should be running Windows Server 2003. The features and enhancements enabled by this functional level can be used to change the configuration of the domain and forest.
  • Domain controller renaming tool: You can use the domain controller renaming tool to rename domain controllers – you do not need to first demote them. All Active Directory and DNS entries are automatically updated as well.
  • Domain rename utility (Rendom.exe): You can use the Rendom.exe utility to change the name of domains. Through the utility, you can change the NetBIOS or DNS name of a domain. This includes any child, parent, domain tree root, or forest root domain.
  • You can now restructure your forest by moving existing domains to different locations in the domain hierarchy.
  • With the functional level raised to Windows Server 2003, you can create forest trust to form a two-way transitive trust relationship between two forests. This trust relationship enables users in one forest to access resources available in the forest.
  • For the Active Directory schema, enhancements include the capability of now assigning an auxiliary schema class to a specific object(s). The support feature is called dynamically linked auxiliary classes.
  • When Active Directory schema objects are no longer needed, you can disable classes and attributes, rename classes and attributes and redefine them. You can also re-activate these classes and attributes when you need them at a later date. You cannot however delete schema objects.
  • You can also restrict users in a particular domain or forest from accessing network resources in a different domain/forest. By controlling resource access between domains and forests, you can allow users specific access to network resources.
  • Global catalog replication has also been improved. When there is an extension of the partial attribute set, only the attributes which have been added, are replicated. This in turn decreases the amount of traffic generated by global catalog replication.

Popular posts from this blog


DNS Scavenging.

AD LDS – Syncronizing AD LDS with Active Directory