Technical Overview of Windows Server 2003 Active Directory Che-song Lee.


Transcript of Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Page 1: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Technical Overview of Windows Server 2003 Active Directory
Che-song Lee

Page 2: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

New Features and Improvements
• Integration and productivity
• Performance and Scalability
• Administration and configuration management
• Group Policy features
• Security enhancements

Page 3: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Integration and Productivity
• Making AD Easier to Use and Manage
– Edit multiple user objects
– Save queries (XML)
– Quickly select objects using the improved object picker component

Page 4: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Integration and Productivity (Additional)
• ACL List User Interface Changes
• Extensibility Enhancements
• User Objects from other LDAP Directories
• Passport Integration (via IIS)
• Terminal Server Usage with ADSI
• Replication and Trust Monitoring WMI Providers
• MSMQ Distribution Lists

Page 5: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Performance and Scalability
• Improving Performance for Branch Offices
– no longer requiring access to the central GC
– DC does cache the universal group membership of logging on users
– Provides added reliability if a GC is unavailable

Page 6: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Performance and Scalability (Additional)
• Disabling Compression of Inter-Site Replication Traffic
• Clustered Virtual Server Support
• Concurrent LDAP Binds
• Domain Controller Overload Prevention
• Global Catalog Replication Tuning
• Group Membership Replication Improvements
• LDAP Extended to Support Time to Live (TTL) for Dynamic Entries
• Support for 64-bit Deployment

Page 7: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Administration and Configuration Management
• New Setup Wizards
– Set up the first server on a network by automatically configuring DHCP, DNS, and Active Directory using basic default settings
– Help users configure member servers on a network by pointing to the features they need to set up

Page 8: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Administration and Configuration Management (Additional)
• Automatic Creation of DNS Zone
• Improved Inter-Site Replication Topology Generation
• DNS Configuration Enhancements
• Install Replica from Media
• Migration Tool Enhancements (ADMT)
– Password migration
– New scripting interface
– Command-line support
– Security translation improvements

Page 9: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Administration and Configuration Management (Additional) – Cont’d
• Application Directory Partitions
• Integrated DNS Zones Stored in Application Partitions
• DirSync Control Improvements
• Functionality Levels
• Deactivation of Schema Attributes and Classes
• Domain Rename
• Upgrading Forest and Domains
• Replication and Trust Monitoring

Page 10: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Group Policy Features (GPMC)
• GPMC (Group Policy Management Console)
– GPMC is planned to be available as a separate component
• Single place for managing core aspects of Group Policy
• "One-stop shopping location" for managing Group Policy

Page 11: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

GPMC features
• A user interface (UI) that makes Group Policy much easier to use.
• Backup/restore of Group Policy objects (GPOs).
• Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.
• Simplified management of Group Policy–related security.
• HTML reporting for GPO settings
• HTML reporting for Group Policy Results and Group Policy Modeling data (formerly known as Resultant Set of Policy).
• Scripting of GPO operations that are exposed within this tool—but not scripting of settings with a GPO.

Page 12: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

GPMC Applicability
• Managing Windows 2000 and Windows Server 2003 Domains
• Administrative Computer must be
– Windows Server 2003.
– Windows XP Professional with Service Pack 1 (SP1), plus an additional post-SP1 hotfix, and the Microsoft .NET Framework.
• see Enterprise Management with the Group Policy Management Console (http://www.microsoft.com/windows.netserver/gpmc)

Page 13: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Additional Group Policy Features and Improvements
• Redirecting Default User and Computer Containers
• Group Policy Results
• Group Policy Modeling
• New Policy Settings
• Web View Administrative Templates
• Manage DNS Client
• “My Documents” Folder Redirection

Page 14: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Additional Group Policy Features and Improvements – Cont’d
• Full Install of User Assigned Applications at Logon Time
• Netlogon
• Network and Dial-up Connections
• Distributed Eventing Policies
• Disable Credential Manager
• Support URL for Software Deployment
• WMI Filtering
• Terminal Server

Page 15: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Security Enhancement
• Forest Trust
– A new trust type that allows all domains in one forest to (transitively) trust all domains in another forest
• Trust Management
– Introduces Wizard Interface
• Trusted Namespaces
– Trusted namespaces are used to route authentication and authorization requests for security principals whose accounts are maintained in a trusted forest

Page 16: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Additional Security Features and Improvements
• Cross-Forest Authentication
• Cross Forest Authorization
• Cross Certification Enhancements
• IAS and Cross-Forest Authentication
• Credential Manager

Page 17: Technical Overview of Windows Server 2003 Active Directory Che-song Lee.

Summary
• Active Directory to
– Take advantage of existing investments and consolidate management of directories.
– Extend administrative control and reduce redundant management tasks.
– Simplify remote integration and use network resources more efficiently.
– Provide a robust development and deployment environment for directory-enabled applications.
– Reduce TCO and improve the leverage of IT resources.