Through the course of answering questions for SearchWinIT.com's Ask the Expert center, we've noticed one question that frequently crops up from readers. It is about the changes in Active Directory that came about when Windows Server 2003 was released. In this article, we will examine the changes that occurred when the initial release of Windows Server 2003 hit the streets. In a later article, we'll look at additional changes that came about with the release of Windows Server 2003, Service Pack 1.
Same structure; new capabilities
Unlike the transformation in the directory service architecture that took place between Windows NT and Windows 2000, the changes you see between Windows 2000 and Windows Server 2003 are much more incremental in nature. Windows Server 2003 is grounded in the same Active Directory structure in Windows 2000 where each domain controller holds a read-write copy of the AD database, relying on multi-master replication to keep everything up-to-date.
In the Windows Server 2003 Active Directory Users & Computers MMC snap-in, you can now move an object from one location in the directory tree to another by using the familiar drag-and-drop method, rather than being forced to right-click the object and select "Move", as was the case in Windows 2000. You can also now select multiple objects simultaneously for editing or deletion, and save commonly-used queries within the ADUC console window. Although really, if you're going to be working with more than one object at a time, I would recommend that you get out of the MMC console anyway and use command-line tools or scripts to take away some of your administrative burdens.
New command-line tools
Windows Server 2003 includes a number of built-in command-line tools that were not available in Windows 2000, including:
dsadd -- allows you to create objects from the command line dsmove -- moves an object from one OU or container to another within the same domain dsrm -- will delete an object from Active Directory dsquery -- will return an object or list of objects that matches criteria that you specify dsget -- will return one or more attributes of a particular Active Directory object
Added feature promotes new domain controllers into a domain
Another new feature is the "Install from Media" option for promoting new domain controllers into a domain. In Windows 2000, if you needed to install a domain controller at a remote location, you had one of two options:
- Travel to the remote site to running dcpromo and allow the entire AD database to replicate across a slow (and often expensive) WAN link, or
- Configure the database at your corporate headquarters, and then ship the DC to the remote site; this is often an expensive process and one that runs the risk of damaging expensive computer hardware in transit.
Enter the "Install From Media" feature. In Windows Server 2003 you can initially populate the Active Directory database using a System State backup from an existing DC, saving you both WAN traffic and shipping costs. For those of us who run extremely decentralized environments, this is one of those "Where has this been all my life?" kinds of features.
Enhanced replication capabilities
Another significant change, particularly for larger environments, is a replication enhancement called linked-value replication for objects such as Active Directory group objects. In Windows 2000, a group's membership list was replicated as one single block of information. This led to a number of potential problems, such as the following:
- Inconsistent replication. Consider this: you have a group called DOMAIN\Finance. From Domain Controller A, you add the jsmith user to the Finance group. What happens if, at precisely the same nanosecond, your junior admin removed the bthomas user from the Finance group while connected to Domain Controller B? Without linked-value replication, this would create a replication conflict, which would either lead to jsmith being added to the group and bthomas not being removed, or vice versa.
- Replication delays. In Windows 2000, Microsoft published a size limitation where you could not place more than 5,000 members in a single group object; more than this created significant replication delays since the membership list was replicated as a single block.
Linked-value replication solves these problems by replicating these multi-valued attributes separately. In our first example above, the addition of jsmith and the removal of bthomas would be replicated as two separate transactions, allowing both updates to be applied without causing a replication conflict. In our second example, only the individual changes to the group membership will be replicated, greatly streamlining the replication process and removing the 5000-member limitation on Active Directory groups.
In a future installment, we'll talk about more Active Directory changes that came about with Windows Server 2003, focusing specifically on changes that happened when Windows Server 2003 Service Pack 1 was released.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at [email protected].