Technical Overview of Windows Server 2003 Active Directory
Che-song Lee
New Features and Improvements
• Integration and productivity
• Performance and scalability
• Administration and configuration management
• Group Policy features
• Security enhancements

Integration and Productivity
• Making AD easier to use and manage
– Edit multiple user objects
– Save queries (XML)
– Quickly select objects using the improved object picker component

Integration and Productivity (Additional)
• ACL list user interface changes
• Extensibility enhancements
• User objects from other LDAP directories
• Passport integration (via IIS)
• Terminal Server usage with ADSI
• Replication and trust monitoring WMI providers
• MSMQ distribution lists

Performance and Scalability
• Improving performance for branch offices
– Logon no longer requires access to the central global catalog (GC)
– The DC caches the universal group membership of users who log on
– Provides added reliability if a GC is unavailable

Performance and Scalability (Additional)
• Disabling compression of inter-site replication traffic
• Clustered virtual server support
• Concurrent LDAP binds
• Domain controller overload prevention
• Global catalog replication tuning
• Group membership replication improvements
• LDAP extended to support Time to Live (TTL) for dynamic entries
• Support for 64-bit deployment

Administration and Configuration Management
• New setup wizards
– Set up the first server on a network by automatically configuring DHCP, DNS, and Active Directory using basic default settings
– Help users configure member servers on a network by pointing to the features they need to set up

Administration and Configuration Management (Additional)
• Automatic creation of DNS zone
• Improved inter-site replication topology generation
• DNS configuration enhancements
• Install replica from media
• Migration tool enhancements (ADMT)
– Password migration
– New scripting interface
– Command-line support
– Security translation improvements

Administration and Configuration Management (Additional) – Cont’d
• Application directory partitions
• Integrated DNS zones stored in application partitions
• DirSync control improvements
• Functionality levels
• Deactivation of schema attributes and classes
• Domain rename
• Upgrading forests and domains
• Replication and trust monitoring

Group Policy Features (GPMC)
• GPMC (Group Policy Management Console)
– GPMC is planned to be available as a separate component
• Single place for managing core aspects of Group Policy
• “One-stop shopping location” for managing Group Policy

GPMC Features
• A user interface (UI) that makes Group Policy much easier to use.
• Backup/restore of Group Policy objects (GPOs).
• Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.
• Simplified management of Group Policy-related security.
• HTML reporting for GPO settings.
• HTML reporting for Group Policy Results and Group Policy Modeling data (formerly known as Resultant Set of Policy).
• Scripting of the GPO operations that are exposed within this tool, but not scripting of the settings within a GPO.

GPMC Applicability
• Manages Windows 2000 and Windows Server 2003 domains
• The administrative computer must be
– Windows Server 2003, or
– Windows XP Professional with Service Pack 1 (SP1), plus an additional post-SP1 hotfix, and the Microsoft .NET Framework.
• See “Enterprise Management with the Group Policy Management Console” (http://www.microsoft.com/windows.netserver/gpmc)

Additional Group Policy Features and Improvements
• Redirecting default user and computer containers
• Group Policy Results
• Group Policy Modeling
• New policy settings
• Web view administrative templates
• Manage DNS client
• “My Documents” folder redirection

Additional Group Policy Features and Improvements – Cont’d
• Full install of user-assigned applications at logon time
• Netlogon
• Network and dial-up connections
• Distributed eventing policies
• Disable Credential Manager
• Support URL for software deployment
• WMI filtering
• Terminal Server

Security Enhancements
• Forest trust
– A new trust type that allows all domains in one forest to (transitively) trust all domains in another forest
• Trust management
– Introduces a wizard interface
• Trusted namespaces
– Trusted namespaces are used to route authentication and authorization requests for security principals whose accounts are maintained in a trusted forest
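As an added example (not part of the presentation), the Python below tells the new forest trust apart from Windows 2000 style external and intra-forest trusts by decoding the trustAttributes and trustDirection values of trustedDomain objects; the bit values follow the MS-ADTS documentation, and the sample records are constructed, not exported from a real directory.

```python
# Added example (not from the presentation): classify trustedDomain objects
# by trustAttributes / trustDirection bit values as documented in MS-ADTS.
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",  # domain quarantine (SID filtering) flag
    0x08: "FOREST_TRANSITIVE",   # the Windows Server 2003 forest trust
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",
}
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

def decode_attributes(value):
    """Names of the flags set in a trustAttributes bitmask."""
    return [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]

def classify_trust(record):
    """Summarise one trustedDomain object (dict of attribute values)."""
    flags = decode_attributes(record["trustAttributes"])
    if "WITHIN_FOREST" in flags:
        kind = "intra-forest"
    elif "FOREST_TRANSITIVE" in flags:
        kind = "forest"        # transitive to every domain of the partner forest
    elif "NON_TRANSITIVE" in flags:
        kind = "external"      # Windows 2000 style trust with a single domain
    else:
        kind = "other"
    return {
        "partner": record["trustPartner"],
        "kind": kind,
        "direction": TRUST_DIRECTION.get(record["trustDirection"], "unknown"),
        "quarantined": "QUARANTINED_DOMAIN" in flags,
        "flags": flags,
    }

def forest_trust_partners(records):
    """Partner forests reached through a forest trust, with the trust direction."""
    return [(c["partner"], c["direction"]) for c in map(classify_trust, records)
            if c["kind"] == "forest"]

# Constructed sample records (values are made up, not from a real forest).
SAMPLE_TRUSTS = [
    {"trustPartner": "partner.example", "trustAttributes": 0x08, "trustDirection": 3},
    {"trustPartner": "legacy.example", "trustAttributes": 0x05, "trustDirection": 2},
    {"trustPartner": "child.corp.example", "trustAttributes": 0x20, "trustDirection": 3},
]
```

Running `classify_trust` over every trustedDomain object in the System container gives an inventory of which partners are reached transitively through a forest trust and in which direction.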
Additional Security Features and Improvements
• Cross-forest authentication
• Cross-forest authorization
• Cross-certification enhancements
• IAS and cross-forest authentication
• Credential Manager

Summary
• Active Directory lets you
– Take advantage of existing investments and consolidate management of directories.
– Extend administrative control and reduce redundant management tasks.
– Simplify remote integration and use network resources more efficiently.
– Provide a robust development and deployment environment for directory-enabled applications.
– Reduce TCO and improve the leverage of IT resources.