Active Directory Changes Guide

11 Jun 2007 | SearchWinIT.com


In this section, learn about the changes Microsoft has made to Active Directory since Windows 2000 Server. Find information on the new Active Directory features in Windows Server 2003 and Windows Server 2003 Service Pack 1, plus what is on the way for Windows Server 2008.

Table of contents:

Active Directory basics
DNS and Active Directory
Active Directory replication
Security and Active Directory
Active Directory planning and design
Changes to Active Directory
More Active Directory topics

  Changes to Active Directory 

Microsoft has made many changes and improvements to Active Directory since its first incarnation in Windows 2000 Server. IT managers and administrators need to understand how Active Directory differs depending on which version of Windows Server their domain controllers run, and also on how the forest was built: several of the changes below (tombstone lifetime, linked-value replication, domain rename) depend on the forest's history and functional level rather than on the operating system alone.

Differences in Active Directory for Windows 2000 and Windows 2003

For the new features and improvements that were built into Windows Server 2003's Active Directory, Microsoft focused on five areas:

  1. Integration and productivity
  2. Performance and scalability
  3. Administration and configuration management
  4. Group Policy
  5. Security
Some changes in the area of integration and productivity include the ability to edit multiple Active Directory objects at once in the Users and Computers snap-in, and improved interoperability through the inetOrgPerson object class (RFC 2798), the user class used by Novell and Netscape directories. Replication monitoring was also improved in Windows Server 2003. In particular, a replication enhancement called linked-value replication (LVR) for objects such as groups was significant, especially in large environments. Before LVR, a change to one value of a multi-valued attribute such as a group's member attribute replicated the whole attribute, so two administrators changing the same group within one replication cycle would overwrite each other's edits, and groups were effectively capped at about 5,000 members. LVR replicates each value of a linked multi-valued attribute as its own unit, which removes both problems. It is switched on only once the forest is raised to the Windows Server 2003 forest functional level, which in turn requires that every domain controller in the forest run Windows Server 2003.

As far as performance and scalability go, Microsoft removed the need to contact a global catalog (GC) server at every logon. On Windows Server 2003, universal group membership caching can be enabled per site (in Active Directory Sites and Services, on the site's NTDS Site Settings object): a domain controller in that site caches the universal group memberships it learns at a user's first logon and refreshes them from a GC every eight hours by default, so a branch site no longer needs a local GC or a WAN round trip for each logon. The trade-off is that a user added to or removed from a universal group may keep the old membership in that site until the next refresh, so the cache should not be relied on to revoke access promptly. Other enhancements include support for clustered virtual servers, domain controller overload prevention and tuning controls for global catalog replication.

For better configuration management, Microsoft added automated DNS zone creation during domain controller promotion, an improved inter-site topology generator for inter-site replication, and the ability to rename domains with the rendom tool, which requires the Windows Server 2003 forest functional level. Better migration and command-line tools were also created for Windows Server 2003 Active Directory. Some of the new command-line tools include:

  • dsadd -- Creates objects (users, groups, computers, OUs, contacts, quotas) from the command line
  • dsmod -- Modifies attributes of an existing object, for example disabling a user or changing group membership
  • dsmove -- Moves an object from one OU or container to another within the same domain, or renames it
  • dsrm -- Deletes an object from Active Directory (the object becomes a tombstone; see the SP1 section below)
  • dsquery -- Returns an object or list of objects that match criteria you specify, as distinguished names that the other tools accept on standard input
  • dsget -- Returns one or more attributes of a particular Active Directory object

As for Group Policy, Windows Server 2003 greatly improved the management interface with the Group Policy Management Console (GPMC, a separate download for Windows Server 2003), which handles both Windows Server 2003 and Windows 2000 GPOs. Other improvements included Group Policy Results and Modeling reports (Resultant Set of Policy), over 150 new policy settings and improved client management features. New security features included forest trusts, trusted namespaces, cross-forest authentication and authorization, and a credential manager (Stored User Names and Passwords).
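As an added example (not from the original article), the script below shows how the ds* tools listed above chain together from a PowerShell prompt on a machine that has them installed. The domain example.com, the Staff and Former Staff OUs and the user jdoe are assumptions for illustration; dsmod, the family's modify command, ships with the same tools even though the list above does not name it.

```powershell
# Added example: day-to-day use of the Windows Server 2003 ds* tools from PowerShell.
# Assumed names (not from the article): domain example.com, OUs "Staff" and "Former Staff", user jdoe.
$Domain  = 'DC=example,DC=com'
$StaffOU = "OU=Staff,$Domain"
$LeftOU  = "OU=Former Staff,$Domain"
$UserDN  = "CN=Jane Doe,$StaffOU"

# dsadd: create the user. "-pwd *" makes dsadd prompt for the password so it never
# lands in the shell history or a script file; -mustchpwd forces a change at first logon.
dsadd user $UserDN -samid jdoe -upn 'jdoe@example.com' -fn Jane -ln Doe -display "Jane Doe" -pwd * -mustchpwd yes

# dsget: read a few attributes back. dsget also accepts DNs on standard input,
# which is what makes the dsquery | dsget pattern below work.
dsget user $UserDN -samid -upn -disabled -mustchpwd

# dsquery | dsget: every disabled user under the Staff OU, with SAM account name and DN.
# -limit 0 lifts dsquery's default cap of 100 results.
dsquery user $StaffOU -disabled -limit 0 | dsget user -samid -dn

# Stale accounts: users that have not logged on for 13 weeks (-inactive counts in weeks and
# relies on lastLogonTimestamp, so it needs the Windows Server 2003 domain functional level).
# Review these before they become a foothold; the output is a DN list you can feed to dsmod.
dsquery user $StaffOU -inactive 13 -limit 0 | dsget user -samid -dn

# Offboarding: disable first (dsmod), move out of the production OU (dsmove), delete later (dsrm).
# Disabling keeps the SID and sIDHistory intact in case access has to be traced or restored.
dsmod user $UserDN -disabled yes
dsmove $UserDN -newparent $LeftOU
$MovedDN = "CN=Jane Doe,$LeftOU"

# dsrm asks for confirmation unless -noprompt is given. The object becomes a tombstone,
# not an immediate deletion, and is purged only after the forest's tombstone lifetime.
dsrm $MovedDN
```

Because dsquery emits quoted distinguished names one per line, the pipeline works identically from cmd.exe; PowerShell adds nothing here except variables for the DNs.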

Other changes to Active Directory for Windows Server 2003 include the Install from Media option for promoting new domain controllers (dcpromo /adv), which seeds the new DC's database from a recent system state backup of an existing DC instead of pulling the whole directory over the network, and drag-and-drop in the Active Directory Users and Computers snap-in, which lets administrators move an object from one location in the directory tree to another more easily. The backup used for Install from Media must be younger than the tombstone lifetime discussed below, or the promotion is refused.

Active Directory improvements with Windows Server 2003 SP1

Several changes in Windows Server 2003 Service Pack 1 concern the way Active Directory handles "tombstoned" objects. As in Windows 2000, deleting an Active Directory object does not remove it immediately; the object is marked as deleted (its isDeleted attribute is set), moved to the hidden Deleted Objects container and stripped of most of its attributes. This tombstone is what replicates the deletion to the other domain controllers. Once an object has been in the tombstoned state for the tombstone lifetime, garbage collection on each DC removes it outright.

In Windows 2000 the default tombstone lifetime was 60 days. Windows Server 2003 raised it to 180 days, tripling the time a deletion has to reach every domain controller in the environment and, just as importantly, tripling the maximum age of a usable system state backup and the time a DC can be offline before it must be rebuilt rather than reconnected. However, the value is stored in the forest, in the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition, and it is written only when a forest is created. A forest built with Windows 2000 or original Windows Server 2003 media keeps the 60-day behaviour (the attribute is simply absent) even after all of its DCs are upgraded to Windows Server 2003 SP1. You get the 180-day value automatically only by building a fresh forest from 2003 SP1 media; for an existing forest, set the attribute by hand with ADSI Edit.

In addition to changing the tombstone lifetime for new forests, Windows Server 2003 SP1 added the SID history attribute (sIDHistory) to the set of attributes a tombstone retains. Because a tombstone keeps only a handful of attributes, it takes up a fraction of the space of the original object in the Active Directory database. Each user, group and computer object in Active Directory carries a numeric security identifier (SID). A SID is unique within the domain and never changes, even if the security principal is renamed or moved to another container in the same domain; when an account is migrated from another domain, the SIDs it held there can be carried along in sIDHistory so that access control lists referring to the old SIDs keep working.

Before Windows Server 2003 SP1, sIDHistory was one of the attributes stripped at deletion, so an object reanimated from its tombstone came back without its previous SIDs and lost whatever access those SIDs still granted. From SP1 on, sIDHistory is retained on the tombstone and survives reanimation. Since the attribute grants access under the old SIDs, review it on reanimated objects just as you would on freshly migrated accounts.

Service Pack 1 also changed the Active Directory information logged in the Directory Service event log on a domain controller, allowing more proactive monitoring and easier troubleshooting. One such addition is Event ID 2089, which is recorded when any directory partition hosted by the DC has not been backed up for a significant length of time: half the tombstone lifetime by default, adjustable through the Backup Latency Threshold (days) value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. The event is logged whether the partition is the schema, configuration or a domain partition, or any application partition or ADAM (Active Directory Application Mode) partition hosted on the DC in question. Treat it as an alarm rather than a notice: once the backups of a partition are older than the tombstone lifetime they can no longer be restored at all.
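As an added check (not from the original article), the following PowerShell reads the forest's effective tombstone lifetime as described above, derives the backup-age threshold behind Event ID 2089, lists any 2089 events on the DC it runs on, and finishes with repadmin's per-partition last-backup times. It assumes it is run on a domain controller by a user who can read the Configuration partition and the Directory Service event log; the 60-day fallback for an absent attribute is the documented default, not a value taken from this page.

```powershell
# Added example: check the forest tombstone lifetime and the DC's backup age.
# Run on a domain controller. Nothing here writes to the directory.

# 1. tombstoneLifetime lives on the Directory Service object in the Configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$dsEntry  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tslProp  = $dsEntry.psbase.Properties['tombstoneLifetime']

if ($tslProp.Count -eq 0) {
    # Absent attribute: the forest was created with Windows 2000 or Windows Server 2003 RTM
    # media, so it keeps the legacy 60-day default even after the DCs are upgraded.
    $tslDays = 60
    Write-Host "tombstoneLifetime is not set; effective lifetime is the legacy default of $tslDays days."
} else {
    $tslDays = [int]$tslProp.Value
    Write-Host "tombstoneLifetime is explicitly set to $tslDays days."
}

# 2. Event 2089 fires for a partition once it has gone half the tombstone lifetime without a backup
#    (unless the Backup Latency Threshold registry value overrides that).
$warnDays = [int][math]::Floor($tslDays / 2)
Write-Host "Partitions are reported as not backed up (Event ID 2089) after $warnDays days."
Write-Host "A system state backup older than $tslDays days is unusable: restoring it would reintroduce deleted objects."

# 3. Any 2089 events among the most recent entries of the Directory Service log.
#    Get-EventLog works on Windows Server 2003 SP1 and 2008; the EventID filter runs in the pipeline.
$stale = Get-EventLog -LogName 'Directory Service' -Newest 2000 |
         Where-Object { $_.EventID -eq 2089 }

if ($stale) {
    foreach ($e in $stale) {
        Write-Host ("{0:u}  Event ID 2089" -f $e.TimeGenerated)
        Write-Host $e.Message
    }
} else {
    Write-Host "No Event ID 2089 among the last 2000 Directory Service events."
}

# 4. Ground truth regardless of what was logged: last backup time per partition,
#    taken from the dSASignature attribute of each naming context.
repadmin /showbackup
```

Run it on every DC, not just one: the 2089 event and the repadmin output describe the partitions hosted by the DC the command runs on, and application or ADAM partitions may exist only on a subset of them.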

Since SP1, Microsoft also supports running domain controllers as virtual machines, for example on Microsoft Virtual Server 2005. That lets you run several domains or forests on one physical machine, or use virtualization to shrink the attack surface of a physical server by separating its roles onto separate virtual machines. One caveat applies to every virtualized DC: never restore it from a VM snapshot or disk image. Rolling the directory back to an earlier state without its replication partners knowing about it (USN rollback) silently breaks replication; restore a virtual DC only through a supported system state restore.

Changes to Active Directory for Windows Server 2008

Once again, many changes to Active Directory arrive with Windows Server 2008. Two features in particular will touch most Active Directory deployments: the read-only domain controller (RODC) and the Server Core installation option for domain controllers.

The read-only domain controller is perhaps the marquee Active Directory feature in Windows Server 2008. An RODC holds a read-only copy of the Active Directory database: no change to the directory can originate on it. Clients can read anything from an RODC (with the exception of account passwords, which it holds only for the accounts an administrator has approved, as described next), but any write is refused or referred to a writable domain controller.

With an RODC, the administrator also decides which accounts it may cache credentials for, through the RODC's Password Replication Policy: every object and attribute replicates to the RODC except secrets (passwords and related keys), which are forwarded to it only for the principals the policy allows and never for those it denies. The built-in Denied RODC Password Replication Group covers Domain Admins, Enterprise Admins, Schema Admins, krbtgt and other privileged principals out of the box. Replication to an RODC is also unidirectional: the RODC performs no outbound replication. This is a fundamental change from the multi-master replication model that Active Directory administrators are used to. In Windows 2000 Server and Windows Server 2003, an administrator can connect to any domain controller to make a change, and that change replicates out to the rest of Active Directory from the DC where it originated.

Not so with the RODC. The read-only domain controller receives inbound replication from writable Windows Server 2008 domain controllers, but it replicates nothing back. That resolves a lot of the security worries about remote sites: the accounts exposed on the box are limited to those cached there (which should never include administrative accounts), and a change made on a compromised RODC cannot propagate to the rest of the forest. Each RODC also has its own krbtgt account, so a Kerberos secret taken from it does not let an attacker forge tickets for the domain as a whole, and if an RODC is stolen, deleting its computer object in Active Directory Users and Computers offers to reset the passwords of every account that was cached on it. Combined with the new BitLocker drive encryption, the RODC makes it feasible to place a DC at smaller or less physically secure sites where it was not acceptable before. Deploying one requires at least one writable Windows Server 2008 DC in the domain, the Windows Server 2003 forest functional level, and running adprep /rodcprep first.
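As an added example (not from the original article), here is how the "which accounts" decision for an RODC is inspected and changed on Windows Server 2008 with the /prp operations of repadmin. The RODC name BRANCH-RODC01, the group Branch Users and its location in example.com are assumptions for illustration.

```powershell
# Added example: audit and adjust the Password Replication Policy (PRP) of one RODC.
# Assumed names (not from the article): RODC BRANCH-RODC01, group "Branch Users" in example.com.
# Run from a writable DC or an administrative workstation with the Windows Server 2008 RSAT.
$Rodc = 'BRANCH-RODC01'

# Who the policy allows: passwords of these principals may be cached on the RODC.
repadmin /prp view $Rodc allow

# Who the policy denies. The default "Denied RODC Password Replication Group" already holds
# Domain Admins, Enterprise Admins, Schema Admins, krbtgt and the DC computer accounts;
# a deny entry always wins over an allow entry, so check nothing privileged slipped into allow.
repadmin /prp view $Rodc deny

# What is actually on the box right now: accounts whose passwords the RODC has cached.
# This list is the exposure if the RODC is stolen or compromised at the site.
repadmin /prp view $Rodc reveal

# Accounts that have authenticated through this RODC so far: the candidate list for a
# site-specific allow group (those not in the allow list were forwarded to a writable DC).
repadmin /prp view $Rodc auth2

# Grant caching to a site-scoped group rather than to Domain Users or Authenticated Users,
# which would turn the branch RODC into a copy of every password in the domain.
repadmin /prp add $Rodc allow "CN=Branch Users,OU=Groups,DC=example,DC=com"
```

Compare the reveal output against the allow list periodically: an account that shows up as cached but is no longer in any allowed group keeps its cached secret on the RODC until the password is reset.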

Server Core was also developed for Windows Server 2008 in response to customer requests for a lean server operating system that runs specific server roles without the overhead of the full GUI. Microsoft describes it as a bare-bones installation of Windows Server 2008.

With Server Core, a user who logs on sees a desktop with no Start menu, taskbar or icons, just a command prompt window. Roles such as Dynamic Host Configuration Protocol (DHCP), DNS, file services and print server are installed entirely from the command line (with ocsetup, and with dcpromo driven by an unattend file for the Active Directory Domain Services role). Locally, only a few graphical tools such as Notepad, Regedit and Task Manager are available; MMC-based consoles like Event Viewer are run from another machine and pointed at the Core server. Besides making the server better defined for administrative purposes and reducing the hardware it needs, Server Core permits better security at remote sites, because there is far less installed code (no Explorer shell, no Internet Explorer, no .NET Framework in 2008 RTM) to patch or to attack.

Other changes include restartable Active Directory Domain Services, which lets the directory service be stopped and started without rebooting the server, from the command line (net stop ntds and net start ntds) or the Services MMC snap-in. It is designed to save administrators time on offline operations, such as an offline defragmentation of the Active Directory database, that previously required rebooting into Directory Services Restore Mode and taking every other service on the box down with it. While AD DS is stopped, the DC behaves like a member server: other DCs keep serving logons, and you can still log on to the box itself with domain credentials if another DC is reachable, or with the DSRM administrator password if not.
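As an added example (not from the original article), the script below carries out the offline defragmentation mentioned above on a Windows Server 2008 DC using restartable AD DS instead of a reboot into Directory Services Restore Mode. The database path C:\Windows\NTDS and the scratch folder C:\NTDSCompact are assumptions; it expects PowerShell 2.0 and an elevated prompt on the DC, and a current system state backup taken beforehand.

```powershell
# Added example: offline defragmentation of ntds.dit with restartable AD DS (Windows Server 2008).
# Assumed paths (not from the article): database in C:\Windows\NTDS, scratch folder C:\NTDSCompact.
# Take a system state backup first (e.g. wbadmin start systemstatebackup -backupTarget:E: -quiet);
# the steps below replace the database file.
$NtdsDir = 'C:\Windows\NTDS'
$Scratch = 'C:\NTDSCompact'
New-Item -ItemType Directory -Path $Scratch -Force | Out-Null

# 1. Remember which running services depend on NTDS (KDC, DNS Server, ...): net stop takes them
#    down with it, and net start ntds does not bring them back on its own.
$dependents = Get-Service -Name ntds -DependentServices | Where-Object { $_.Status -eq 'Running' }

# 2. Stop AD DS in place. /y answers the "continue?" prompt so the script does not block.
net stop ntds /y

# 3. Write a compacted copy. "activate instance ntds" is mandatory on 2008 because ntdsutil
#    can also manage AD LDS instances; each quoted string is one ntdsutil command.
ntdsutil "activate instance ntds" files "compact to $Scratch" quit quit

if (-not (Test-Path "$Scratch\ntds.dit")) {
    Write-Host "Compaction produced no file; leaving the original database in place."
    net start ntds
    $dependents | ForEach-Object { Start-Service -Name $_.Name }
    return
}

# 4. Keep the original, swap in the compacted file, and remove the transaction logs, which
#    belong to the old file and would be rejected by the new one.
Copy-Item "$NtdsDir\ntds.dit" "$Scratch\ntds.dit.orig" -Force
Copy-Item "$Scratch\ntds.dit" "$NtdsDir\ntds.dit" -Force
Remove-Item "$NtdsDir\*.log" -Force

# 5. Integrity check on the swapped-in file before the service touches it. Read the output:
#    anything other than a successful integrity check means copy ntds.dit.orig back.
ntdsutil "activate instance ntds" files integrity quit quit

# 6. Back in business: start AD DS, then the services that went down with it.
net start ntds
$dependents | ForEach-Object { Start-Service -Name $_.Name }
```

Run the script from a console on the DC itself or over a session to it; while NTDS is stopped the machine still authenticates through another DC, but a dropped remote session at step 2 would leave the directory stopped.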



