
Changes coming to Active Directory

An in-depth summary of Active Directory 2.0 updates and changes from the Windows .NET Server Reviewer's Guide.

Certification expert Ed Tittel addresses a leftover question from the recent SearchWin2000 online event, "What .NET means for your Microsoft certification."

Q: How compatible is AD version 2.0 with AD version 1.0?

A: Microsoft has designed AD 2.0 to be as backward compatible with AD 1.0 as possible. That said, there will be lots of capabilities in AD 2.0 that AD 1.0 can neither use nor participate in. For more information on this topic, please visit the Win2000 Active Directory homepage.

So far I haven't been able to find a good comprehensive overview of AD 2.0, but I'll keep looking and talking to beta tester friends and colleagues until I come up with something interesting.

Here's a summary of Active Directory Updates and Changes from the Windows .NET Server Reviewer's Guide:

Active Directory Administration: Object Picker UI Improvements

The Active Directory Object Picker is a user-interface component that other administrative tools can launch to allow administrators to select one or more users, computers, groups or contacts from the Active Directory service. In Beta 3, the Object Picker has been redesigned and enhanced as follows:

  • Administrator workflow optimization, which enables directory objects to be found quickly

  • Better and more-efficient support for finding objects in a large directory

  • Reduced Directory Service network impact

  • Ability to scope a search down to a specific Organizational Unit (OU) within the directory

  • More flexible querying capabilities for finding objects in the directory based upon their attributes

IT administrators can use this feature to add members to groups, re-target snap-ins to work with remote computers, add security principals to Access Control Lists (ACLs), and work with snap-ins that require the selection of objects from the directory service.

Active Directory: Concurrent LDAP Binds

This feature provides the ability to perform multiple Lightweight Directory Access Protocol (LDAP) binds on one connection for the purpose of authenticating users. Application developers can use this feature to bind multiple LDAP directories, which allows users to be more readily authenticated while also improving performance.

Active Directory: Disabling Compression of Replication Traffic Between Different Sites

Beta 3 adds the ability to turn off compression of the replication traffic between Domain Controllers residing in different sites. The net result is a reduction in CPU utilization on the Domain Controllers; therefore, Domain Controller availability increases. After reviewing Domain Controller demand, IT administrators with multiple sites connected over high-speed network connections can elect to reduce CPU utilization at a cost of not compressing the replication traffic between Domain Controllers that belong to different sites.

Active Directory: Domain Rename

This feature supports changing the Domain Name System (DNS) and/or NetBIOS names of existing domains in a forest such that the resulting forest is still "well-formed." The identity of a renamed domain, represented by its domain Globally Unique ID (GUID) and its domain Security ID (SID), will not change. In addition, a computer's domain membership does not change as a result of the holding domain being renamed.

Domain Rename does not include changing which domain is the forest root domain. In other words, although a forest root domain can be renamed, a different domain cannot be designated to become the new forest root.

To complete the Domain Rename process, every Domain Controller must be rebooted. Each member computer of the renamed domain must also be rebooted twice. Although this feature provides a supported means to rename a domain, it is not viewed as nor meant to be a routine IT operation.

IT administrators may utilize Domain Rename to address the following two scenarios:

  • A corporation is undergoing a legal name change and would like to ensure that its Active Directory forest is named consistently with the change. Prior to Beta 3, the only option was to build a new forest with the desired new name, migrate all users/computers to the new forest and decommission the old forest. The Domain Rename feature aids IT administrators by enabling them merely to change the forest name.

  • Two companies undergo a merger. Although they may not merge their corporate forests, they want to ensure that their Active Directory forest/domain names reflect the new merged company name. Domain Rename enables IT administrators to change the DNS name(s) of their Active Directory forest/domains in place.

Active Directory: Deactivation of Attributes/Classes in the Schema

The Active Directory service has been enhanced to allow the deactivation of attribute and class definitions in the Active Directory schema, such that attributes and classes can be redefined if an error was made in the original definition. Deactivation provides the ability to supersede the definition of an attribute or class after it has been added to the schema if an error was made in setting an immutable property. As an added safeguard, deactivation is also a reversible operation, so it will be possible to undo an accidental deactivation.

This feature may be utilized in the following scenarios:

  • In the event that a new schema object is added incorrectly, IT administrators can use this feature to deactivate the object and re-enter the correct definition.

  • A business group has replaced several applications that extended the Active Directory schema with a new application that also uses the Active Directory schema. With this feature, IT administrators can deactivate the unused schema objects from the retired applications to prevent any conflicts with new extensions that may be installed.

Active Directory: Lingering Objects Removal Mechanism

Beta 3 provides the ability to delete lingering objects in the Active Directory. Lingering objects may exist due to the extended unavailability of a Domain Controller, during which the objects were tombstoned, the tombstone lifetime expired and the tombstoned objects were removed from the Active Directory. This feature helps prevent inconsistency between various replicas of the Active Directory and reduces unnecessary growth of the Active Directory database.
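To make the lingering-object mechanism concrete, here is an added toy model (not code from the Reviewer's Guide or from Windows) of two replicas: a deletion is conveyed by replicating a tombstone, so a Domain Controller that is offline past the tombstone lifetime never learns of the deletion and keeps the object. The tombstone lifetime value and the object names are constructed for the illustration.

```python
# Added illustration: how a lingering object arises and how it is detected.
TOMBSTONE_LIFETIME_DAYS = 60  # assumed illustrative value, not taken from the page


class Replica:
    def __init__(self, name, objects):
        self.name = name
        self.live = dict(objects)   # objectGUID -> distinguished name
        self.tombstones = {}        # objectGUID -> day the object was deleted

    def delete(self, guid, day):
        """Deleting an object turns it into a tombstone; it is not purged yet."""
        self.tombstones[guid] = day
        del self.live[guid]

    def garbage_collect(self, day):
        """Tombstones older than the tombstone lifetime are purged for good."""
        expired = [g for g, d in self.tombstones.items()
                   if day - d > TOMBSTONE_LIFETIME_DAYS]
        for g in expired:
            del self.tombstones[g]


def replicate(source, target):
    """Inbound replication: tombstones convey deletions, live objects are copied."""
    for guid, day in source.tombstones.items():
        target.live.pop(guid, None)
        target.tombstones[guid] = day
    for guid, dn in source.live.items():
        if guid not in target.tombstones:
            target.live.setdefault(guid, dn)


def find_lingering(authoritative, suspect):
    """Objects live on the suspect replica that the authoritative replica knows
    neither as live nor as a tombstone can no longer be deleted by replication."""
    return sorted(g for g in suspect.live
                  if g not in authoritative.live and g not in authoritative.tombstones)


def scenario():
    start = {"guid-1": "CN=Alice,OU=Sales,DC=example,DC=test",   # constructed data
             "guid-2": "CN=Bob,OU=Sales,DC=example,DC=test"}
    dc1, dc2 = Replica("DC1", start), Replica("DC2", start)
    dc1.delete("guid-2", day=20)      # Bob is deleted while DC2 is offline
    dc1.garbage_collect(day=100)      # tombstone expires and is purged on DC1
    replicate(dc1, dc2)               # DC2 returns: nothing tells it Bob is gone
    lingering = find_lingering(dc1, dc2)
    for guid in lingering:            # removal mechanism: delete without tombstoning
        del dc2.live[guid]
    return lingering, sorted(dc2.live)
```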

Active Directory: Removal of Non-X.500-Compliant Relative Distinguished Name Restrictions

In Active Directory, the naming attribute, also known as the Relative Distinguished Name (RDN), is defined in the schema for each class. The user class Common Name (CN) is an example of a naming attribute. Classes that do not define a naming attribute inherit the naming attribute from their parent class. Once a naming attribute is selected, it cannot be changed. Active Directory requires that all RDNs within a container be unique, which means two users with the same RDN cannot reside in the same container.

Beta 3 allows an IT administrator to delete inetOrgPerson, which uses CN as the naming attribute in the default schema, and re-create it using any Unicode string attribute as the naming attribute. Thus, instead of CN, any other attribute can be used as the naming attribute. For example, if an IT administrator finds there are several users in the same Organizational Unit with identical names, this feature enables the IT administrator to select a unique attribute, such as an employee identification number, to guarantee that there are no naming collisions.

DNS - Active Directory Integrated DNS Zones Stored in Application Partitions

Beta 3 enables storage and replication of the Domain Name System (DNS) zones stored in the Active Directory application partition. Using the application partition to store DNS data results in a reduced number of objects stored in the Global Catalog. By default, DNS-specific application partitions contain only Domain Controllers running the DNS server; thus, this feature provides the added benefit of only replicating to the subset of Domain Controllers specified in the application partition, as well as enabling replication of the DNS zone to DNS servers running on different domains within an Active Directory forest.

See TechNet's Windows .NET Server Beta 3 Reviewer's Guide to view the complete document.
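The following added example (not from the Reviewer's Guide) checks the uniqueness rule described above: it parses distinguished names, finds RDN values that repeat within the same container (compared case-insensitively, as Active Directory does), and then rebuilds the DNs with an assumed employeeID attribute as the naming attribute to show that the collisions disappear. The sample objects are constructed for the illustration.

```python
# Added illustration: RDN collision check and renaming by a unique attribute.
import re
from collections import defaultdict

SAMPLE = [  # constructed sample objects: two employees share a name in one OU
    {"dn": "CN=John Smith,OU=Sales,DC=example,DC=test", "employeeID": "1001"},
    {"dn": "CN=john smith,OU=Sales,DC=example,DC=test", "employeeID": "1002"},
    {"dn": "CN=John Smith,OU=Engineering,DC=example,DC=test", "employeeID": "1003"},
    {"dn": "CN=Smith\\, Jane,OU=Sales,DC=example,DC=test", "employeeID": "1004"},
]


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(p.split("=", 1)) for p in parts]


def rdn_collisions(entries):
    """Return groups of DNs whose leaf RDN repeats inside the same parent container.
    Attribute names and values are folded to lower case because AD matches them
    case-insensitively; objects with the same name in different OUs do not collide."""
    seen = defaultdict(list)
    for e in entries:
        leaf, *parent = split_dn(e["dn"])
        container = ",".join(f"{a}={v}" for a, v in parent).lower()
        key = (container, leaf[0].lower(), leaf[1].lower())
        seen[key].append(e["dn"])
    return sorted(group for group in seen.values() if len(group) > 1)


def rename_by_attribute(entries, naming_attr):
    """Rebuild each DN with naming_attr as the leaf RDN, as a redefined class using
    that attribute as its naming attribute would name the objects."""
    renamed = []
    for e in entries:
        parent = split_dn(e["dn"])[1:]
        leaf = f"{naming_attr}={e[naming_attr]}"
        new_dn = ",".join([leaf] + [f"{a}={v}" for a, v in parent])
        renamed.append(dict(e, dn=new_dn))
    return renamed
```

With CN as the naming attribute the two Sales entries collide; after `rename_by_attribute(SAMPLE, "employeeID")` the check reports nothing.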
