2.2 New Features and Enhancements


Anyway, now that I've vented my frustration a bit, I have to confess that I feel the new features and enhancements in WS2003 far outweigh the silly or unnecessary changes described earlier. Not only is WS2003 a more scalable platform than W2K, it's also more manageable and secure. Because this book focuses on the core tasks of everyday administration, this section highlights key new features W2K administrators should be aware of as you prepare to transition to WS2003, more or less in the order you might discover them as you start playing around with the new platform.

2.2.1 Activation

If you've tried installing WS2003, you've already been prompted to activate your product, unless you're an enterprise client with some sort of volume licensing agreement with Microsoft. Activation is an antipiracy measure implemented by Microsoft on Windows XP and later; see Installation in Chapter 4 for more information. Whether Activation is a plus or a minus is debatable, but it's a fact of life from now on.

2.2.2 Stay Current

When you first log on to WS2003 as Administrator, you'll be confronted with a notification bubble (or whatever they call it) that says "Stay current with Automatic Updates." This Automatic Updates feature was first included in Service Pack 3 for W2K, so you may already be familiar with it. If not, see Automatic Updates in Chapter 4 for more information about using this feature to automatically download and install the latest security patches from Microsoft as they are released.

2.2.3 Manage Your Server

When you first log on to WS2003 as Administrator, you'll also be confronted with the new Manage Your Server tool, which replaces (and incorporates) the old Configure Your Server Wizard in W2K. Manage Your Server lets you add roles to your server to turn it into a file server, print server, application (web) server, DHCP server, domain controller, and so on. Manage Your Server isn't the only way to add such roles, however; for example, if you simply share a folder, your server automatically assumes the file server role.

My opinion is that Manage Your Server is great for initial server configuration tasks such as installing Active Directory on a smaller network, but beyond that the tool isn't really much use, mainly because of its layout. It's got way too much whitespace, which means you have to scroll to use it if you have more than a couple of roles configured on your server.

2.2.4 Administration Tools Pack

If you're really serious about managing your WS2003 servers, install the Windows Server 2003 Administration Tools Pack using the Windows Installer file Adminpak.msi located in the \i386 folder on your WS2003 product CD. The Admin Tools pack installs a full slate of tools for managing any WS2003 machine including domain controllers, and by installing this pack on a Windows XP Professional machine, you can then use this machine as your main administrator workstation for managing WS2003 servers anywhere on your network. It's a big improvement on walking over to a domain controller in order to run Active Directory Users and Computers from the local console every time you have to reset some user's password. Note that you must have Windows XP Service Pack 1 or later installed before installing these tools on your XP machine, and in order to use an XP machine to remotely administer Internet Information Services 6 (IIS 6), you need Windows XP Service Pack 2 or later.

2.2.5 Convenience Consoles

Tucked away on the Admin Tools Pack are three new MMC consoles that combine the functionality of a number of administrative tools to make life more convenient for administrators. These convenience consoles are:

Active Directory Management

Combines the functionality of Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services, and DNS

IP Address Management

Combines the functionality of DHCP, DNS, and WINS

Public Key Management

Combines the functionality of Certification Authority, Certificate Templates, Certificates - Current User, and Certificates (Local Computer)

For more information on convenience consoles and other tools, see Administrative Tools in Chapter 4. In addition to the three convenience consoles described above, there is also a new File Server Management console that appears under Administrative Tools when you add the file server role to your WS2003 machine. File Server Management combines the functionality of Shared Folders, Disk Defragmenter, and Disk Management and is convenient for managing file servers, but for some reason it's not included in the list of convenience consoles in Help and Support.

2.2.6 Help and Support

Speaking of Help and Support, the old Help feature of W2K has been totally revamped as Help and Support in WS2003. In general, it's a huge improvement, but there are some frustrations, too. First, the pluses:

  • The contents are well organized and enable you to quickly find general information about major topics like tools, tasks, users and groups, disks and data, and so on.

  • If your server is connected to the Internet, Help and Support displays a list of Top Issues automatically downloaded from support.microsoft.com and allows you to search online for help regarding error messages, software compatibility information, and other information useful to administrators.

  • Help and Support includes several additional tools that can be accessed by clicking on the Tools link and then selecting Help and Support Center Tools. These tools can display system, hardware, and software information; offer or obtain remote assistance; perform network diagnostics and more, displaying the results in a readable form.

What's the downside of Help and Support? The Search feature is slow, finicky, and sometimes hard to use. For example, say you want to learn how to create a scope on a DHCP server. If you simply type "scope" into the Search box, the result is zero Suggested Topics, 204 Help Topics, and (if you are connected to the Internet) up to 999 Microsoft Knowledge Base topics (or fewer if you've configured Help and Support to return fewer results). Browsing through the 204 Help Topics, the fifth topic, "Configuring Scopes: DHCP," has a useful discussion of what scopes are but doesn't actually explain the steps for creating one, nor does it contain a link to another topic containing such information. Scroll further down to topic 26, "Create a new scope: DHCP," and you find the information you are looking for. What makes it harder is that the 204 Help Topics displayed here are listed in seemingly random fashion and can't be sorted alphabetically.

Now compare this to using the old Help system in W2K. Start Help, switch to the Index tab, type "scope," and under "scopes" you see an alphabetical list of topics that includes "creating, how to create a scope," which is the desired information, quick and painless. To be honest, you can still use this Index method in WS2003 Help and Support by clicking the Index button on the toolbar, something I do often.

2.2.7 Remote Desktop

In W2K, another way to administer W2K servers was to use Terminal Services in Remote Administration Mode. In WS2003 this feature is now called Remote Desktop, is installed by default (yay!), and can be enabled with a few mouse clicks:

Start → Control Panel → System → Remote → Remote Desktop → select checkbox

If you have IIS installed on a WS2003 server (it isn't installed by default anymore), you can also use Remote Desktop Web Connection to remotely administer your server from a Windows computer with IE 5 or later using a downloadable ActiveX control. This is cool too. For more information on Remote Desktop and Remote Desktop Web Connection, see Remote Desktop in Chapter 4.

2.2.8 Enhancements to Tools

Speaking of administration, Table 2-5 briefly summarizes the enhanced functionality in the new platform for some commonly used administrative tools and other utilities.

Table 2-5. Enhancements to common tools in WS2003

Tool or utility: enhancements

Active Directory Domains and Trusts

  • Lets you create external trusts more easily using the New Trust Wizard

Active Directory Sites and Services

  • Lets you drag and drop domain controllers between sites

  • Displays replication intervals and site link costs in the Details pane

  • Lets you simulate the effect of Group Policy for a domain or OU using the Resultant Set of Policy (RSoP) Wizard

Active Directory Users and Computers

  • Lets you drag and drop users between OUs

  • Lets you modify the properties of multiple selected objects simultaneously

  • Lets you save Active Directory queries as XML files for later use

  • Lets you simulate the effect of Group Policy for a site using the Resultant Set of Policy (RSoP) Wizard

Backup

  • Now starts in wizard mode by default

  • On the Welcome tab, the Emergency Repair Disk option has been replaced by Automated System Recovery Wizard

netstat command

  • Includes a new option to display the process that owns a TCP or UDP port

Services

  • Has a new Extended view that describes the selected service and lets you stop or restart it

Task Manager

  • Includes a Networking tab to display network interface activity in real time

  • Includes a Users tab to display, send a message to, log off, or disconnect connected users

2.2.9 Enhancements to Active Directory

While this book is not a detailed guide for implementing Active Directory in an enterprise, day-to-day Active Directory administration is an essential part of managing the WS2003 platform, and you can use this book to quickly look up how to perform common tasks in the following topics in Chapter 4: Active Directory, Domain, Domain Controller, Forest, OU, Site, and Trusts. Briefly, here are some of the enhancements to Active Directory in WS2003:

  • Domains can now be renamed using free tools you can download from www.microsoft.com/windowsserver2003/downloads/. Note, however, that while you can even rename the forest root domain, you can't change which domain is forest root.

  • Forest/domain functional levels now replace the earlier W2K model of native/mixed modes and provide interoperability between NT, W2K, and WS2003 domain controllers. See Domain in Chapter 4 for more information.

  • The Application Partition allows greater control over how directory information is replicated (DNS information is stored here now).

  • Object quotas can be defined for restricting the maximum number of directory objects a user can create.

  • Schema classes and attributes that are no longer needed can now be redefined.

  • Compression of replication traffic can be disabled between selected sites.

  • Global catalog servers are no longer required in each site to support logons, because WS2003 domain controllers now cache universal group membership information on a regular basis.

  • Replication of updates to group membership is streamlined by replicating only the changes to group membership, not the entire membership of a group.

  • The Inter-Site Topology Generator (ISTG) has an improved algorithm that scales to forests containing much larger numbers of sites than W2K could support.

  • Domain controllers can be deployed more quickly in remote sites using the new Install Replica From Media feature.

  • Dcpromo does a better job of demoting domain controllers than it did in W2K.

  • Active Directory client software is no longer provided for Windows 95 or for Windows NT 4.0 SP3 or earlier.

  • Cross-forest authentication enables users in one forest to access resources in another forest.

Note that some of these tasks aren't described further in this book because they require advanced understanding of Active Directory, how to edit the schema, and so on; see O'Reilly's Active Directory for more information.

2.2.10 Enhancements to Command-Line Administration

Compared to the earlier W2K platform, there are huge improvements in managing WS2003 machines from the command line. To start with, there are numerous new commands for managing:

  • Disks and disk quotas using the diskpart and defrag commands

  • The boot loader menu using the bootcfg command

  • Running processes using the tasklist and taskkill commands

  • Active Directory using the dsadd, dsget, dsmod, dsmove, dsquery, and dsrm commands

  • Scheduled tasks using the schtasks command (replaces the at command)

  • Device drivers using the driverquery command

  • Group Policy using the gpupdate and gpresult commands

Also, scripts such as prncnfg and prnmngr manage printers and print servers from the command line. These scripts (and similar ones for managing IIS) use the Windows Management Instrumentation (WMI) provider, which exposes almost every aspect of the platform for scripted administration. The power of WMI can really be harnessed only if you take the time and effort to learn VBScript or JScript in some depth, which is beyond the scope of this book. O'Reilly's DNS on Windows 2003 by Robbie Allen, Matt Larson, and Cricket Liu, includes a chapter on using scripting to manage DNS programmatically.
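
The new netstat option noted in Table 2-5 and the tasklist command listed above can be combined to see which process owns each listening port. The following is an added example, not code from the book: it parses constructed samples of netstat -ano and tasklist /FO CSV /NH output in Python and flags listeners outside an assumed baseline (the sample values and EXPECTED_PORTS are hypothetical), such as the Telnet service that WS2003 now leaves disabled.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1884
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:3389          10.0.0.20:1065         ESTABLISHED     912
  UDP    0.0.0.0:500            *:*                                    512
"""

# Constructed sample of `tasklist /FO CSV /NH` output.
TASKLIST_SAMPLE = '''"lsass.exe","512","Console","0","1,204 K"
"svchost.exe","740","Console","0","3,456 K"
"svchost.exe","912","Console","0","4,120 K"
"tlntsvr.exe","1884","Console","0","2,008 K"
'''

# Assumed baseline of ports this server is expected to expose (hypothetical).
EXPECTED_PORTS = {135, 500, 3389}

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def parse_netstat(text):
    """Yield (proto, port, state, pid) for every TCP/UDP row."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # skip banner, header and blank lines
        # UDP rows have no State column; the PID is always the last field.
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""
        yield f[0], int(f[1].rsplit(":", 1)[1]), state, int(f[-1])

def listeners(netstat_text, tasklist_text):
    """Listening TCP ports and bound UDP ports with the owning image name."""
    names = parse_tasklist(tasklist_text)
    return [(proto, port, pid, names.get(pid, "<unknown>"))
            for proto, port, state, pid in parse_netstat(netstat_text)
            if proto == "UDP" or state == "LISTENING"]

def unexpected(rows, expected_ports=EXPECTED_PORTS):
    """Listeners on ports outside the expected baseline."""
    return [r for r in rows if r[1] not in expected_ports]

if __name__ == "__main__":
    for row in unexpected(listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE)):
        print("unexpected listener:", row)
```

On a live server, the two sample strings would be replaced by the saved output of the two commands.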

2.2.11 Other Major Enhancements

Here are some additional enhancements that improve the manageability, scalability, and security of WS2003 over W2K:

  • Automated System Recovery provides a last-resort method for recovering a failed system if other approaches such as Last Known Good Configuration, Safe Mode, or the Recovery Console don't work. See Backup in Chapter 4 for more information.

  • The new volume shadow copy feature provides point-in-time copies of shared folders so you can restore earlier versions of files; see Files and Folders in Chapter 4 for more information. Of course, this feature doesn't replace regular backups.

  • The Internet Information Services (IIS) component is totally revamped but is now not installed by default for greater security (you can even block its installation using Group Policy). To do justice to the capabilities of the new IIS 6 platform really requires an entire book, and I've written one called IIS 6 Administration (McGraw-Hill).

  • The new Group Policy Management Console (GPMC) is an integrated tool for managing Group Policy on WS2003. Unfortunately, this tool was created too late in the development cycle and is not included on your WS2003 product CD, but you can find out how GPMC 1.0 works and download it from www.microsoft.com/windowsserver2003/downloads/ along with other cool add-ons like the Domain Rename Tools and IIS 6 Migration Tool.

  • The Distributed File System (DFS) now supports multiple DFS roots on a single server, but only on the Enterprise Edition of WS2003. This is good news for enterprise deployments that use DFS.

  • The ACL editor (Security tab on a file's or folder's properties sheet) now includes a feature for displaying the effective permissions resulting from group membership; see Permissions in Chapter 4 for more information.

  • The default permissions on the root directory of an NTFS volume used to be "Everyone has Full Control," but these defaults have been tightened considerably in WS2003 to make the platform more secure out of the box.

  • The new Resultant Set of Policies (RSoP) snap-in can be used to analyze how GPOs combine to produce effective settings on the local machine.

2.2.12 Minor Enhancements

Here are some further enhancements in WS2003 that are perhaps less significant in terms of day-to-day administration but may be extremely useful in certain situations:

  • Screensavers are now password-protected by default, a simple but effective security enhancement.

  • An optional POP-3 mail server component is now available to complement the existing SMTP component of IIS. I call this a minor enhancement because most admins will use Exchange Server anyway for such purposes.

  • A new Protected Power Mode is available for hard drives to increase I/O performance, though at the expense of increased risk of data loss. This is accessed by:

    Computer Management → Device Manager → Disk Drives → right-click on drive → Properties → Policies → Enable advanced performance

  • The source IP address and port number are now included in all logon audit events.

  • Performance now supports log files greater than 1 GB in size.

  • The DHCP database can now be backed up while the DHCP service is running.

  • DNS client settings can now be configured using Group Policy.

  • A user's My Documents folder can now be redirected to his home directory using Group Policy.

  • If your hardware supports it, you can add or remove RAM while the system is running.

  • If your hardware supports it, you can use Emergency Management Services (EMS) to remotely manage certain aspects of WS2003 even when your server has crashed and is no longer available on the network.

  • Application Compatibility mode ensures legacy Windows 9x/NT applications can run properly under WS2003. To use this feature, do the following:

    Windows Explorer → right-click on program icon → Properties → Compatibility

  • The Shutdown Event Tracker records reasons for shutting down servers and displays when a user logs on after a server has unexpectedly rebooted. You can also force a shutdown or restart of a local or remote computer from the command line (see shutdown in Chapter 5).

  • For improved security, the Telnet service is now disabled instead of being set to manual startup as it was in W2K.

  • If an application hangs, you can now move or minimize its window and work on something else while you wait to see if it responds.

  • Device drivers can now be rolled back to previously installed versions if new versions cause problems (see Devices in Chapter 4 for more information).

  • Internet Connection Firewall (ICF) provides limited firewall functionality for TCP/IP connections. For your network card you can configure this by:

    Control Panel → Network Connections → Local Area Connection → Properties → Advanced

    You can also use ICF for securing VPN and dial-up connections; see Connections in Chapter 4 for more information.

  • When you install WS2003, you are prompted (but not forced) to specify a strong password for the default Administrator account.



Windows Server 2003 in a Nutshell
ISBN: 0596004044
EAN: 2147483647
Year: 2003
Pages: 415
Authors: Mitch Tulloch
