Administration and Configuration Management


Windows Server 2003 enhances the administrator's ability to efficiently configure and manage Active Directory, even in very large enterprises with multiple forests, domains, and sites.

New Setup Wizards

The new Configure Your Server Wizard eases the process of setting up Active Directory and provides predefined settings for specific server roles, which helps administrators standardize the way servers are initially deployed. It also guides administrators through finishing the installation of any optional components they selected during Windows setup. Administrators can use the Configure Your Server Wizard to do the following:

  • Set up the first server on a network by automatically configuring DHCP, DNS, and Active Directory using basic default settings.

  • Configure member servers on a network by pointing to the features they need to set up a file server, a print server, a Web and media server, an application server, Remote Access Service (RAS) and routing, or an IP address management server.

Administrators can also use this feature for disaster recovery, for replicating one server configuration to multiple computers, for finishing setup, for configuring server roles, or for configuring the first or primary server on a network.

More Administrative Improvements

Additional administrative improvements to Active Directory include the following:

  • Automatic creation of DNS zones.

    Domain Name System (DNS) zones and servers can be created and configured automatically when a domain controller is promoted on a server running a Windows Server 2003 family operating system. If the Active Directory Installation Wizard finds no DNS server authoritative for the new domain, it can install the DNS Server service on the domain controller being promoted and create the zone the domain needs. This significantly reduces the time needed to configure every DNS server manually.

  • Improved intersite replication topology generation.

    The Inter-Site Topology Generator (ISTG) has been updated to use improved algorithms and scales to forests with many more sites than Windows 2000 supported. Because every ISTG in the forest (there is one per site) must compute the same intersite replication topology, the new algorithms are not activated until the forest functional level has been raised to Windows Server 2003. The new ISTG algorithms improve intersite replication performance throughout the forest.

  • DNS configuration enhancements.

    This feature simplifies debugging and reporting of an incorrect DNS configuration and helps administrators properly configure the DNS infrastructure that an Active Directory deployment requires.

    As an example of the benefit, when a domain controller is promoted into an existing forest, the Active Directory Installation Wizard contacts an existing domain controller to update the directory and to replicate the required portions of the directory from it. If the wizard fails to locate a domain controller, either because DNS is misconfigured or because no domain controller is available, it diagnoses and reports the cause of the failure and indicates how to fix the problem.

    To be located on a network, every domain controller must register its domain controller locator records (SRV records) in DNS. The Active Directory Installation Wizard verifies that the DNS infrastructure is configured to allow the new domain controller to dynamically update its locator records. If this check finds a misconfigured DNS infrastructure, the problem is reported together with an explanation of how to fix it.
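
The locator-record check described above, as an added example that is not part of the book: a PowerShell script that resolves the SRV records the Netlogon service registers for a domain controller and reports which are missing or do not point at the expected host. The domain, site and domain controller names are assumptions; Resolve-DnsName requires the DnsClient module (Windows 8 / Windows Server 2012 and later), so on older systems use nslookup -type=SRV for the same names.

```powershell
# Added example, not from the book. Verifies the DC locator SRV records that a
# domain controller must have registered in DNS. All names below are assumptions.
$Domain     = "corp.example.com"          # assumed domain DNS name
$ForestRoot = "corp.example.com"          # assumed forest root (single-domain forest)
$SiteName   = "Default-First-Site-Name"   # assumed site of the DC
$DcFqdn     = "dc1.corp.example.com"      # the DC whose registrations are checked

# Records every DC registers: forest-wide and site-specific LDAP/Kerberos locators.
$Required = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$SiteName._sites.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)
# Records that exist only if the DC holds the role (PDC emulator, global catalog).
$Optional = @(
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$ForestRoot",
    "_gc._tcp.$ForestRoot"
)

function Test-DcLocatorRecords {
    param([string[]]$Names, [string]$Target, [switch]$MustExist)
    foreach ($n in $Names) {
        try {
            # Keep only the SRV answers; Resolve-DnsName also returns the
            # additional-section A records for the targets.
            $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch { $srv = @() }
        $hit = $srv | Where-Object { $_.NameTarget.TrimEnd('.') -ieq $Target }
        if ($hit) {
            "OK       $n -> $($hit.NameTarget):$($hit.Port)"
        } elseif ($srv) {
            "MISSING  $n exists but has no entry for $Target (registration from this DC failed or was scavenged)"
        } elseif ($MustExist) {
            "FAIL     $n does not resolve (zone missing, or dynamic update refused)"
        } else {
            "skip     $n not present (role not held by $Target, or not registered)"
        }
    }
}

Test-DcLocatorRecords -Names $Required -Target $DcFqdn -MustExist
Test-DcLocatorRecords -Names $Optional -Target $DcFqdn
```

The script needs no privileges beyond DNS queries. dcdiag /test:DNS /DnsRecordRegistration performs the same check against every domain controller, and nltest /dsregdns forces Netlogon to re-register. Two things worth looking at when a record is wrong: an SRV entry whose target is not a domain controller, and the dynamic-update setting of the _msdcs zone (dnscmd <server> /ZoneInfo <zone> shows it; 2 means secure updates only, 1 means nonsecure updates are also accepted, 0 means none). A zone that accepts nonsecure updates lets any host on the network overwrite locator records and redirect clients, so it should be set to secure only.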

  • Install replica from media.

    Instead of replicating a complete copy of the Active Directory database over the network, this feature allows an administrator to source initial replication from files created when backing up an existing domain controller or global catalog server. The backup files, generated by any Active Directory-aware backup utility, can be transported to the candidate domain controller using media such as tape, CD, DVD, or file copy over a network. The backup must be younger than the tombstone lifetime (60 days by default) or the new domain controller would resurrect deleted objects, and because it contains the entire directory database, including password hashes, the media must be protected as carefully as a domain controller itself.

  • Migration Tool Enhancements.

    The Active Directory Migration Tool (ADMT) is enhanced in Windows Server 2003 to provide the following features:

    • Password migration.

      ADMT version 2 will allow migrating passwords from Windows NT 4 to Windows 2000 or Windows Server 2003 domains as well as migrating passwords from Windows 2000 to Windows Server 2003 domains.

    • New scripting interface.

      For the most commonly used migration tasks, such as migrating users, groups, and computers, a new scripting interface is provided. ADMT exposes COM interfaces, so it can be driven from any language that supports COM, such as Microsoft Visual Basic Scripting Edition (VBScript), Microsoft Visual Basic, and Microsoft Visual C++.

    • Command-line support.

      The scripting interface has also been extended to provide command-line support. All scriptable tasks can be executed directly from a command line or through batch files.

    • Security translation improvements.

      Security translation, that is, re-ACLing resources so that access control lists refer to the migrated accounts in the target domain, has been extended so that it can run after the source domain has been decommissioned. ADMT can now take a SID mapping file as input for security translation instead of contacting the source domain. ADMT version 2 makes it easier to migrate to Active Directory and provides more options to automate migration.

  • Application directory partitions.

    Active Directory allows the creation of a new type of naming context, or partition, referred to as an application partition. This naming context can contain a hierarchy of any type of object except security principals (users, groups, and computers) and can be configured to replicate to any set of domain controllers in the forest, not necessarily all in the same domain.

    This feature provides the capability of hosting dynamic data in Active Directory without significantly affecting network performance by providing the ability to control the scope of replication and placement of replicas.

  • Integrated DNS zones stored in application partitions.

    DNS zones integrated in Active Directory can be stored in and replicated through an application partition rather than the domain partition. Objects in an application partition are not replicated to the global catalog, so this reduces the number of objects stored there. Zone data stored in an application partition replicates only to the domain controllers that hold a replica of that partition. The DNS Server service provides two default DNS application partitions: DomainDnsZones, replicated to every domain controller in the domain that runs the DNS Server service, and ForestDnsZones, replicated to every domain controller in the forest that runs the DNS Server service. The forest-wide partition is what allows a zone to be replicated to DNS servers running on domain controllers in different domains of the forest. Scoping replication this way limits where the zone data is copied and decreases overall replication bandwidth requirements.
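
The two items above, application partitions and DNS zones stored in them, as one added example that is not part of the book: creating an application partition, adding a second replica, inspecting the replica set through the partition's crossRef object, and moving an Active Directory-integrated zone into the domain-wide DNS application partition. Server, domain, zone and partition names are assumptions. The ntdsutil menu is called "domain management" on Windows Server 2003 ("partition management" on later versions); the dnscmd switch names are from my recollection of the tool and should be confirmed against dnscmd /? on the version in use.

```powershell
# Added example, not from the book. Names are assumptions.
$Dc1       = "dc1.corp.example.com"
$Dc2       = "dc2.corp.example.com"
$DomainDns = "corp.example.com"
$Zone      = "corp.example.com"                       # the AD-integrated zone to move
$AppNc     = "DC=appdata,DC=corp,DC=example,DC=com"   # new application partition

# 1. Create the partition on DC1 and add DC2 as a second replica. ntdsutil takes
#    each menu command as one quoted argument; "quit" walks back out of the menus.
#    Creating a partition requires Enterprise Admins rights by default.
ntdsutil "domain management" "connections" "connect to server $Dc1" "quit" `
         "create nc $AppNc $Dc1" `
         "add nc replica $AppNc $Dc2" `
         "list nc replicas $AppNc" "quit" "quit"

# 2. Verify the replica set independently of ntdsutil: the crossRef object for the
#    partition (under CN=Partitions in the configuration NC) lists the NTDS Settings
#    objects of the DCs that hold a replica in msDS-NC-Replica-Locations.
$cfgNc = ([ADSI]"LDAP://$Dc1/RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Dc1/CN=Partitions,$cfgNc"
$searcher.Filter = "(&(objectClass=crossRef)(nCName=$AppNc))"
$searcher.PropertiesToLoad.AddRange(@("nCName", "msDS-NC-Replica-Locations"))
$crossRef = $searcher.FindOne()
if ($null -eq $crossRef) { throw "No crossRef found for $AppNc; creation failed or has not replicated yet" }
"Replicas of $AppNc :"
$crossRef.Properties["msds-nc-replica-locations"] | ForEach-Object { "  $_" }

# 3. Move the zone out of the domain partition (replicated to every DC in the domain,
#    with a partial copy in every GC) into DomainDnsZones, which replicates only to
#    the domain's DCs that run DNS. The first command is a no-op if the partition exists.
dnscmd $Dc1 /CreateBuiltinDirectoryPartitions /Domain
dnscmd $Dc1 /ZoneChangeDirectoryPartition $Zone "DomainDnsZones.$DomainDns"
dnscmd $Dc1 /ZoneInfo $Zone          # confirm the directory partition the zone now lives in
```

The check in step 2 is the one to keep in a periodic script: a replica added to a domain controller in another domain, or to a domain controller that should not hold the data, shows up there long before anyone notices the extra replication traffic. Note that application partitions cannot hold security principals, but the ACLs on their objects still reference the forest's SIDs, so the permissions on the partition head should be reviewed after creation just as for any other naming context.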

  • DirSync control improvements.

    This feature improves Active Directory support for the LDAP DirSync control (OID 1.2.840.113556.1.4.841), which an application uses to retrieve only the objects that have changed since its previous query instead of polling the whole directory. In Windows 2000 the caller had to hold the Replicating Directory Changes right on the partition, and the control returned every change. A Windows Server 2003 domain controller can instead apply the same access checks to DirSync results that it performs on normal LDAP searches, returning only the objects and attributes the caller is permitted to read; the client requests this behavior by setting the object-security flag (LDAP_DIRSYNC_OBJECT_SECURITY, value 1) in the control.
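
The DirSync behavior described above, as an added example that is not part of the book: a PowerShell script using the .NET System.DirectoryServices.Protocols classes to pull changes from a naming context with the DirSync control, requesting the Windows Server 2003 object-security mode (DirectorySynchronizationOptions.ObjectSecurity) so that the caller sees only what its own permissions allow. The server name, base DN and cookie file path are assumptions.

```powershell
# Added example, not from the book. Server, base DN and cookie path are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server     = "dc1.corp.example.com"
$BaseDn     = "DC=corp,DC=example,DC=com"    # DirSync requires a naming-context head, not a sub-OU
$CookieFile = "$env:TEMP\dirsync-cookie.bin"  # opaque server cookie from the previous run

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$conn.SessionOptions.Signing = $true    # integrity protection for the LDAP session
$conn.SessionOptions.Sealing = $true    # and encryption
$conn.Bind()                            # binds as the current user

$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $BaseDn, "(objectClass=*)",
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    @("objectClass", "name", "userAccountControl", "member"))

# ObjectSecurity asks the DC to apply normal per-object and per-attribute access
# checks to the change set. Without it the DC requires the caller to hold
# "Replicating Directory Changes" on the partition and returns every change.
$dirSync = New-Object System.DirectoryServices.Protocols.DirSyncRequestControl
$dirSync.Option = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::ObjectSecurity
if (Test-Path $CookieFile) { $dirSync.Cookie = [IO.File]::ReadAllBytes($CookieFile) }
$request.Controls.Add($dirSync) | Out-Null

do {
    $response = $conn.SendRequest($request)
    foreach ($entry in $response.Entries) {
        # Only the attributes that changed (plus those identifying the object) are returned.
        $changed = ($entry.Attributes.AttributeNames | Sort-Object) -join ","
        "{0}  [{1}]" -f $entry.DistinguishedName, $changed
    }
    $sync = $response.Controls | Where-Object {
        $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
    $dirSync.Cookie = $sync.Cookie      # resume from where this page ended
} while ($sync.MoreData)

[IO.File]::WriteAllBytes($CookieFile, $sync.Cookie)   # next run returns only later changes
```

The first run with no cookie returns the whole partition (as the caller is allowed to see it); later runs return only what changed since the saved cookie. The practical consequence of ObjectSecurity is that a monitoring or provisioning account can use DirSync with ordinary read permissions and does not need Replicating Directory Changes, a right that would also let the account extract password hashes through the replication protocol, so grant the right only where the application genuinely cannot run in object-security mode.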

  • Functionality levels.

    Similar to native mode in Windows 2000, domain and forest functional levels provide a versioning mechanism that Active Directory core components use to determine which features are available on every domain controller in a domain and in a forest. A raised level is also what prevents pre-Windows Server 2003 domain controllers from joining a domain or forest that has Windows Server 2003-only Active Directory features activated. Raising a functional level is a one-way operation: it cannot be lowered again.

  • Deactivation of schema attributes and classes.

    Active Directory has been enhanced to allow the deactivation of attributes and class definitions in the Active Directory schema. Attributes and classes can be redefined if an error was made in the original definition.

    Deactivation provides the ability to supersede the definition of an attribute or a class after it has been added to the schema if an error was made in setting an immutable property. It is a reversible operation, allowing administrators to undo an accidental deactivation without side effects. Administrators now have greater flexibility with respect to their Active Directory schema management.

  • Domain rename.

    This feature supports changing the DNS and NetBIOS names of existing domains in a forest while ensuring that the resulting forest is still well formed. The identity of a renamed domain, represented by its domain globally unique identifier (GUID) and its domain security identifier (SID), does not change. In addition, a computer's domain membership does not change as a result of its domain being renamed.

    This feature does not include changing which domain is the forest root domain. Although a forest root domain can be renamed, a different domain cannot be designated to become the new forest root.

    Domain rename will cause a service interruption, requiring every domain controller to be rebooted. Domain rename will also require every member computer of the renamed domain to be rebooted twice. Although this feature provides a supported means to rename a domain, it is not viewed as nor is it intended to be a routine IT operation.

  • Upgrading forest and domains.

    Active Directory has added improvements in security and application support that require changes to the schema and to the existing domain and forest partitions. Before the first Windows Server 2003 domain controller can be introduced into an existing Windows 2000 forest or domain, the forest and domains must be prepared for these new features. Adprep is a new tool to aid forest and domain upgrades: adprep /forestprep is run once on the schema master, and adprep /domainprep once in each domain on its infrastructure master. Adprep is not needed when upgrading from Windows NT 4 or when Active Directory is clean-installed on servers running Windows Server 2003.

  • Replication and trust monitoring.

    This allows administrators to monitor whether domain controllers are successfully replicating Active Directory information among themselves. Because many Windows Server 2003 components rely on interdomain trust, this feature also provides a method to verify that trusts are functioning correctly.




Introducing Microsoft Windows Server(TM) 2003
ISBN: 0735615705
Year: 2005
Pages: 153