Tuesday 1 March 2011

New Active Directory Features

With the new Active Directory features in Standard Edition, Enterprise Edition, and Datacenter Edition, more efficient administration of Active Directory is available to you.
New features can be divided into those available on any domain controller running Windows Server 2003, and those available only when all domain controllers of a domain or forest are running Windows Server 2003.

Features Available If Any Domain Controller Is Running Windows Server 2003

The following list summarizes the Active Directory features that are enabled by default on any domain controller running Windows Server 2003.
  • Multiple selection of user objects. Modify common attributes of multiple user objects at one time.
  • Drag-and-drop functionality. Move Active Directory objects from container to container by dragging and dropping one or more objects to a desired location in the domain hierarchy. You can also add objects to group membership lists by dragging and dropping one or more objects (including other group objects) onto the target group.
  • Efficient search capabilities. Search functionality is object-oriented and provides an efficient browse-less search that minimizes network traffic associated with browsing objects.
  • Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers.
  • Active Directory command-line tools. Run new directory service commands for administration scenarios.
  • Selective class creation. Create instances of specified classes in the base schema of a Windows Server 2003 forest. You can create instances of several common classes, including: country or region, person, organizationalPerson, groupOfNames, device, and certificationAuthority.
  • InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.
  • Application directory partitions. Configure the replication scope for application-specific data among domain controllers running Standard Edition, Enterprise Edition, and Datacenter Edition. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.
  • Add additional domain controllers to existing domains using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using backup media.
  • Universal group membership caching. Prevent the need to locate a global catalog across a wide area network (WAN) during logons by storing user universal group memberships on an authenticating domain controller.
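Universal group membership caching is a per-site setting, so an audit of which sites have it turned on, and from where their cache is refreshed, is the first thing a practitioner wants once it is in use. The following PowerShell is an added example and not code from the original post: it reads each site's NTDS Site Settings object from the configuration partition through ADSI and reports the caching flag. The bit value 0x20 in the options attribute and the msDS-Preferred-GC-Site attribute name are assumptions stated in the comments. The operational caveat is that a cached membership is only as fresh as the last refresh, so a user removed from a universal group can keep that membership at a caching site until the next refresh cycle.

```powershell
# Added example, not code from the original post. Audits universal group
# membership caching per site by reading each site's NTDS Site Settings
# object through ADSI (System.DirectoryServices). Run on a domain-joined
# machine as a domain user; it only reads the configuration partition.

# Assumption: bit 0x20 of the 'options' attribute on NTDS Site Settings is
# the group-caching flag (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED).
$GroupCachingBit = 0x20

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value
$sites    = [ADSI]"LDAP://CN=Sites,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($sites)
$searcher.Filter      = "(objectClass=site)"
$searcher.SearchScope = "OneLevel"
[void]$searcher.PropertiesToLoad.Add("name")

foreach ($result in $searcher.FindAll()) {
    $siteName = $result.Properties["name"][0]
    $settings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=$siteName,CN=Sites,$configNc"

    # An unset 'options' attribute means no flags, i.e. caching off.
    $options = 0
    if ($settings.options.Value -ne $null) { $options = [int]$settings.options.Value }
    $cachingEnabled = (($options -band $GroupCachingBit) -ne 0)

    # Assumption: msDS-Preferred-GC-Site holds the DN of the site whose global
    # catalog the caching domain controllers contact to refresh the cache;
    # an empty value means "nearest global catalog".
    $refreshSite = $settings.'msDS-Preferred-GC-Site'.Value
    if (-not $refreshSite) { $refreshSite = "(nearest global catalog)" }

    New-Object PSObject -Property @{
        Site                  = $siteName
        UniversalGroupCaching = $cachingEnabled
        RefreshFrom           = $refreshSite
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep an inventory; a site that reports caching enabled with a refresh site that is itself far across the WAN defeats the purpose of the feature and is worth a second look.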

Features Available When All Domain Controllers Are Running Windows Server 2003

New domain- or forest-wide Active Directory features can be enabled only when all domain controllers in a domain or forest are running Windows Server 2003 and the domain functionality or forest functionality has been set to Windows Server 2003. 
The following list summarizes the domain- and forest-wide Active Directory features that can be enabled when either a domain or forest functional level has been raised to Windows Server 2003.
  • Domain controller rename tool. Rename domain controllers without first demoting them.
  • Domain rename. Rename any domain running Windows Server 2003 domain controllers. You can change the NetBIOS name or DNS name of any child, parent, tree- or forest-root domain.
  • Forest trusts. Create a forest trust to extend two-way transitivity beyond the scope of a single forest to a second forest.
  • Forest restructuring. Move existing domains to other locations in the domain hierarchy.
  • Defunct schema objects. Deactivate unnecessary classes or attributes from the schema.
  • Dynamic auxiliary classes. Provides support for dynamically linking auxiliary classes to individual objects, and not just to entire classes of objects. In addition, auxiliary classes that have been attached to an object instance can subsequently be removed from the instance.
  • Global catalog replication tuning. Preserves the synchronization state of the global catalog when an administrative action results in an extension of the partial attribute set. This minimizes the work generated as a result of a partial attribute set extension by only transmitting attributes that were added.
  • Replication enhancements. Linked value replication allows individual group members to be replicated across the network instead of treating the entire group membership as a single unit of replication.

Raising Domain Functional Levels

Domains can operate at three functional levels: Windows 2000 mixed, the default setting (which allows domain controllers running Windows NT 4.0, Windows 2000, and Windows Server 2003); Windows 2000 native (which allows domain controllers running Windows 2000 and Windows Server 2003); and Windows Server 2003 (which allows only domain controllers running Windows Server 2003).
Once all domain controllers are running Windows Server 2003, you can raise the domain and forest functional levels to Windows Server 2003 by opening Active Directory Domains and Trusts, right-clicking the domain whose level you want to raise, and then clicking Raise Domain Functional Level.
Note that once you raise the domain functional level, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain.
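Because raising a functional level cannot be undone and permanently excludes older domain controllers, the check worth scripting is the one that precedes the click: confirm what level each domain and the forest currently run at, and that no domain controller still reports an earlier operating system. The following PowerShell is an added example, not code from the original post; it uses the System.DirectoryServices.ActiveDirectory classes from .NET 2.0 and assumes it is run as a domain user on a domain-joined machine. It only reports and does not change anything.

```powershell
# Added example, not code from the original post. Pre-flight check before
# raising functional levels: report the current forest and domain levels and
# flag every domain controller whose operating system is not Windows
# Server 2003. Uses the System.DirectoryServices.ActiveDirectory classes of
# .NET 2.0; run as a domain user on a domain-joined machine.

Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest {0}: forest functional level = {1}" -f $forest.Name, $forest.ForestMode

$blockers = @()
foreach ($domain in $forest.Domains) {
    "Domain {0}: domain functional level = {1}" -f $domain.Name, $domain.DomainMode

    # DomainControllers enumerates Active Directory domain controllers only;
    # Windows NT 4.0 backup domain controllers still present in a mixed-mode
    # domain have no NTDS settings object and will not appear here, so they
    # must be accounted for separately before leaving Windows 2000 mixed.
    foreach ($dc in $domain.DomainControllers) {
        "  {0,-40} {1}" -f $dc.Name, $dc.OSVersion
        if ($dc.OSVersion -notlike "Windows Server 2003*") {
            $blockers += ("{0} ({1}) in {2}" -f $dc.Name, $dc.OSVersion, $domain.Name)
        }
    }
}

if ($blockers.Count -eq 0) {
    "All enumerated domain controllers run Windows Server 2003; the forest and its domains can be raised to the Windows Server 2003 level."
} else {
    "Do not raise the level yet. Domain controllers still on earlier versions:"
    $blockers | ForEach-Object { "  $_" }
}
```

The same Domain and Forest classes also expose RaiseDomainFunctionality and RaiseForestFunctionality methods, which do what the Active Directory Domains and Trusts dialog does; the script above deliberately stops at reporting, since the change is one-way and is usually made through the console described in the text.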


The following table describes the domain-wide features that are enabled for the corresponding domain functional level:

Domain Feature                        | Windows 2000 mixed                                                                                                     | Windows 2000 native                                                     | Windows Server 2003
--------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------|-------------------------------------------------------------------------
Domain controller rename tool         | Disabled                                                                                                               | Disabled                                                                | Enabled
Update logon timestamp                | Disabled                                                                                                               | Disabled                                                                | Enabled
Kerberos KDC key version numbers      | Disabled                                                                                                               | Disabled                                                                | Enabled
User password on InetOrgPerson object | Disabled                                                                                                               | Disabled                                                                | Enabled
Universal Groups                      | Enabled for distribution groups. Disabled for security groups.                                                         | Enabled. Allows both security and distribution groups.                  | Enabled. Allows both security and distribution groups.
Group Nesting                         | Enabled for distribution groups. Disabled for security groups, except for domain local security groups that can have global groups as members. | Enabled. Allows full group nesting.                                     | Enabled. Allows full group nesting.
Converting Groups                     | Disabled. No group conversions allowed.                                                                                | Enabled. Allows conversion between security groups and distribution groups. | Enabled. Allows conversion between security groups and distribution groups.
SID History                           | Disabled                                                                                                               | Enabled. Allows migration of security principals from one domain to another. | Enabled. Allows migration of security principals from one domain to another.

Raising Forest Functional Levels

Forest functionality enables features across all the domains within your forest. Two forest functional levels are available: Windows 2000 (which supports domain controllers running Windows NT 4.0, Windows 2000, and Windows Server 2003) and Windows Server 2003 (which only supports domain controllers running Windows Server 2003). If you are upgrading your first Windows NT domain so that it becomes the first domain in a new Windows Server 2003 forest, there is an additional forest functional level that you can choose called Windows Server 2003 interim.
By default, forests operate at the Windows 2000 functional level. You can raise the forest functional level to Windows Server 2003. Once forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest.
The following table describes the forest-wide features that are enabled for the corresponding forest functional level:

Forest Feature                    | Windows 2000 | Windows Server 2003
----------------------------------|--------------|--------------------
Global catalog replication tuning | Disabled     | Enabled
Defunct schema objects            | Disabled     | Enabled
Forest trust                      | Disabled     | Enabled
Linked value replication          | Disabled     | Enabled
Domain rename                     | Disabled     | Enabled
Improved replication algorithms   | Disabled     | Enabled
Dynamic auxiliary classes         | Disabled     | Enabled
InetOrgPerson objectClass change  | Disabled     | Enabled
