Professor Windows - May 2003
Active Directory Services in Windows Server 2003
Andreas Luther, Program Manager Directory Services, Microsoft Corporation
As much as there can be no modern life without facilities such as electricity and water, there can be no computerized organizations without a directory service today. Directories fill many needs in organizations today, from Secure Network Operating Systems, through applicative directories and up to metadirectories. While there is a comprehensive directory services solution from Microsoft based on a few products and technologies, this document focuses mainly on the role of the Network Operations System directory service, which is important for all that surrounds our information technologies environment.
No matter if you're still "stuck" in Windows NT4.0 domains, fully deployed with Windows 2000 Active Directory (AD) or in a Windows 2000 deployment phase, this platform probably has all you dream about. Windows Server 2003 Active Directory is much easier to deploy, and has features that increase flexibility during and after deployment. With reduced replication demands and easy integration into applications, you can today enable more applications to use the directory in more scenarios. In addition, Security comes into play at top priority in this release.
And the biggest news - there's no requirement to re-design your Windows 2000 deployment to gain any of the advantages that it has to offer.
This article assumes the reader has knowledge of Active Directory terminology and architecture. To read more on Active Directory Technologies, see the following link: http://www.microsoft.com/windows2000/technologies/directory/default.asp
Deployment Made Easier
We all know that autonomous branch offices require Global Catalog (GC) servers for login. Since domain controllers (DCs) contact the GC during native mode logon to evaluate Universal group membership, logon fails if the GC cannot be reached. Multiple Global Catalog Servers mean additional replication and higher disk space usage. Windows Server 2003 AD introduces Universal Group Cachingthe ability for a domain controller to cache complete group membership. The cache is populated at first user logon and refreshed periodically from the nearest GC. This feature is enabled as an attribute of the site object.
I recall a specific customer of mine that had a concern where deploying additional domain controllers would possibly take hours or days in his scenario. The initial replication of a Domain Controller with a large database over a slow link can take a while to complete, and is expensive to the network traffic. When I introduced the Create Replica From Media feature for that customer, he practically jumped in the air: Windows Server 2003 DCs allow the source initial replication to be taken from backup files instead of network. You backup your AD regularly, restore/copy to the new DC/GC, and save plenty of time/traffic. Note that network connectivity is still required (needs to contact Domain Naming Master during DCPROMO, etc).
And what about that 5,000 members limit in a group? Or more importantly, that updates to group membership could be discarded during conflict resolution? Well, not anymore, thanks to more efficient replication of multi-valued attributes. Linked-Value Replication (LVR) stores replication metadata per-value for multi-valued linked-value attributes, so individual changes get replicated instead of the whole membership. This feature requires Windows Server 2003 forest functional level (see the last section of this document for more information on Functional Levels).
In Windows 2000, if you had more than 200 sites, you simply couldn't use automatic replication topology. The Inter-site Topology Generator (ISTG) was impractical for a large number of sites, and topology had to be done manually. This is all sorted with Windows Server 2003 new ISTG, with an enhanced algorithm that removes the need for manual topology generation.
Other replication related changes include:
- The default intra-site replication latency reduced from 5 minutes with 30 seconds pause notification interval between replication partners to 15 seconds with 3 seconds pause notification interval between replication partners.
- The ability to use multiple bridgeheads
- New compression algorithm that reduces CPU load on bridgehead servers
- Replication-traffic compression between domain controllers residing in different sites can be disabled today. This can reduce the CPU demand on the domain controllers, thereby increasing performance if needed.
- Read/manage multiple DCs at a time with the new enhanced repadmin.exe tool (known from Support Tools).
Can You Fix The Past? Active Directory Can!
Windows Server 2003 Active Directory brings to life important customer feedback, where planning domain names is hard and subject to change (due to acquisitions, Mergers, human errors, etc.). Using a new tool named rendom.exe, Domain Rename allows you to rename any domain and result in a well-formed forest. This process has several steps, during which every DC in the forest is updated and rebooted (although not all DCs have to be rebooted at the same time, and you can split the DCs into different groups). Member machines in renamed domains must also be rebooted, Group Polices need to run a separate tool (GPFixUp.exe), etc., but the bottom line is it's there, and there will certainly be cases where it will be preferred over creating pristine forests and starting resource migrations. Domain Rename is enabled at Windows Server 2003 forest functional level only (see the last section of this document for more information on functional levels). And while we're dealing with renaming things, there's a new capability in NETDOM.exe that allows renaming a domain controller without having to go through DCPROMO again (as long as it's not hosting a Certificate Authority). The DC Rename capability can also be accomplished through the UI.
Get Ready For the New Management Tools
Side by side with the many improved features, Active Directory version 2003 hasn't neglected the manageability admin tools improvements. For example, the Active Directory Users and Computers MMC snap-in today allows drag-and-drop operations (watch where you're dragging!). The AD MMC also allows multi-selection and editing of user objects, a capability reclaimed to us from the NT User Manager days. One of the biggest changes in the MMC is Saved Queries. Saved Queries allow you to build XML-based queries into your AD Users & Computers MMC and refresh them from time to time to get the updated results (see figure 1). This gives you the ability to actually create custom views and reports on your directory objects based upon a certain criteria that you can give. For example, you can build a search query for all the users with a certain description, or all the computers which have a certain operating system version or build number. Along with the capability to pick up your search criteria from a pull-down menu of attributes to each object, since "Saved Queries" essentially builds an XML file to each query, it also enables us to edit or write our own search criteria(s) using XML syntax. Pay attention that query definitions for your "Saved Queries" are kept locally on the machine you've created them, so if you want to view the queries you've created on other machines as well, you can use the import/export option when you right click a query definition.
If your browser does not support inline frames, click here to view on a separate page.
Figure 1 Saved Queries
But not only the GUI gets a "face lift": there's a full new suite of command line tools that enable you to query and update Active Directory, saving lots of time to look for similar tools and scripts. These tools are: dsadd, dsget, dsmod, dsquery, dsmove, dsrm. If you're a command-line kind of person (like myself, depending on the mood), you will love these new tools.
There are many other improvements to managing Active Directory, such as a new option to Reset restore mode administrative password while the Directory Service is online using NTDSUTIL, Some new Group Policy settings including Domain controller DNS registration and Time service configuration parameters, and updates to DCPROMO, the Active Directory setup wizard, that include improved DNS configuration selection and forced demotion capability (using the /ForcedRemoval flag).
Last, but definitely not least, in Windows Server 2003, you can redirect new users and computers creation to a location of your choice, rather than the default users and computers containers. This is so important because the Down-level APIs use the default 'Users' and 'Computers' containers as the location for newly created objects. The default Users and Computers containers are of object class 'Container' and you cannot apply Group Policies directly to these containers. In Windows Server 2003 Active Directory you can use redirusr.exe and redircmp.exe to change the default containers for newly created accounts. This feature is enabled at Windows Server 2003 domain functional level (see the last section of this document for more information on functional levels).
Improvements for Applications Integration
First and foremost, dealing with the Schema has been enhanced considerably. Schema Redefine eliminates the chance for mistakes and allows redefinition of a class/attribute in the schema. The redefined attribute/class can stay with the same LDAP display name, same OID but have a different syntax. The effect of the defunct action is reversible, and it does not purge schema objects from database, but rather "takes them out of order" so they can be re-used.
Schema re-define is enabled at Windows Server 2003 forest functional level. In addition, adding new attributes to the global catalog does not cause all GCs to do full synchronization like it used to. Windows Server 2003 replicates only added attributes between Windows Server 2003 domain controllers. It will still do a full sync if the destination is a Windows 2000 DC.
But the greatest change for Applications in Windows Server 2003 AD is the ability to create Application Partitions, which are essentially partitions in AD like any other partition (Domain, Configuration, Schema), but can be created on any DC in the forest and replicated to any other DC in the forest selectively. Application Partitions cannot contain security principals. They use the same forest schema as other partitions and their objects are not replicated to the GC. They are however fully located through DNS and leverage the powerful query, extensible schema and rich access control that Active Directory has to offer for Directory-Enabled applications.
Windows Server 2003 DS-integrated DNS zones are a good example for storing their data in application partitions using two automatically configured partitions for domain-wide (DCs running DNS in the domain) and forest-wide (DCs running DNS in the forest). This allows data to only replicate to DCs running DNS, and not to overload other DCs/GCs.
If you are an application developer, there is even more for you in the near future. Active Directory Application Mode (AD/AM) is one of the new capabilities that are part of Microsoft's fully integrated directory service available with Windows Server 2003. This product will allow better integration of applications with directory services. The beta release of Active Directory Application Mode is now available for download. You can read more information and download the beta build here .
AD, LDAP and the Big City
The good old LDAP protocol also gets special attention in Windows Server 2003 AD:
- Virtual list view support that enables recursing through large data sets.
- Correcting Auxiliary class support so that you attach Aux class to object instances instead of object class definitions.
- Support for inetOrgPerson class in the UI just as user class and ability to convert users to inetOrgPerson.
- Dynamic entries support (RFC 2589) allows attaching TTL to newly created objects and the objects will self-delete after that TTL expires.
For large-scale AD implementations and/or "outward facing" Directories (such as in Web portal applications, for example), there are many core performance improvements that are felt significantly in every operation you generate against AD. Furthermore, the new fast "concurrent bind" support for LDAP simple binds allows you to pipeline binds down to a single LDAP connection. There are also reduced storage requirements by single instancing of Security descriptors. The new 64-bit support makes it possible to load the entire DS into in-memory cache. The 32-bit and 64-bit versions of AD are fully interoperable.
Designed With Security in Mind
If you're a security-minded person, you will certainly appreciate the new security-related updates in Windows Server 2003 Active Directory Services:
- New Objects Quotas allow limiting number of objects created by users, thus reducing the concern from a denial of service (DoS) attack by exhausting the disk space on DCs. Object Quotas are assigned per-partition to user directly or through group memberships, and count the objects owned by that account, including tombstones. If there are multiple assignments (such as per user and per group that the user belongs to), the highest wins. You can manage object quotas using dsadd, dsmod, dsquery from the command-line.
- SMB signing is enabled by default on all domain controllers running Windows Server 2003.
Important note While this helps to strengthen your overall security in the organization, Windows 95 and Windows NT 4.0, pre-SP3 clients will not be able to log in to the domain unless they have the latest DSClient. There are full details about this scenario in the Windows Server 2003 deployment Planning Kit.
- Cross-Forest trusts allow two-way Kerberos-based transitive trust between Windows Server 2003 forests, enabling a transitive trust between all the domains in the two forests. There's a new Selective Authentication Option that can be used with Forest Trusts in Windows Server 2003 that allows only specific authentication requests.
- Using this mechanism we let the domain controller decide if that user is allowed to authenticate to a specific resource before allowing the user access. This helps you get more granular control on who can access what across a forest trust. You need to configure which users from the other side of the trust can authenticate to which resources in your domain. The implementation is performed by new control access right called "Allowed to authenticate" on an object, that becomes available when you switch to Windows Server 2003 forest mode.
- To prevent elevation of privilege attacks, Windows Server 2003 will filter the SIDs to make sure they are relative to one of the domains in the trusted forest. This ensures that the other forest issues authorization information only for domains which it is supposed to, and is not passing in any unauthorized SIDs. SID filtering is enabled automatically across a Forest Trust. In Windows 2000 SP4, SID filtering is also enabled by default on external trust relationships. This is especially interesting if you have a mix of pre-Windows 2000 SP4 DCs and higher versions; because the result will depend on what DC you used to create the trust.
Important Note SID Filtering must be manually disabled if migrating users to a trusted domain using SID History.
- All LDAP traffic is Signed & Sealed between Windows Server 2003 DCs and also when working with Windows 2000 SP3 and above.
- Better Smart Card Login support (Auto-Enrollment, Terminal Services support and more).
- New permission to allow Login through Terminal Services only (replaces the Allow logon interactively permission with a more restrictive permission that prevents logon from the physical server console).
- Anonymous queries to the Directory are disabled by default.
- Much more meaningful auditing is enabled by default on fresh installed domains.
- The AdminSDHolder process today touches the Access Control List (ACL) of members of all built-in and well-known groups with the exception of the Domain Users and the Users groups (formerly only touched members of Domain Admins and Administrators groups).
You can either do an in-place upgrade or migrate from Windows NT 4.0, and this hasn't changed from the Windows NT 4.0 to Windows 2000 Upgrade. Upgrading from Windows 2000 Server is easy, and there's no need to redesign in order to take advantage of new features. Windows 2000 Server and Windows Server 2003 in a mixed environment are fully interoperable. Simple in-place upgrade from Windows 2000 requires you to know one tool named Adprep. You need to run Adprep in the existing forest to prepare it for Windows Server 2003 DCs. This needs to be run once per forest, using "adprep /forestprep". In addition, you need to run "adprep /domainprep" once per domain.
For migrations, the useful Active Directory Migration Tool (ADMT) arrives in version 2.0 which includes secure Password migration, NT 4.0-to-Windows 2000/2003 migrations, forest-to -forest migrations, scripting support, and command line support. It can also be used to migrate to Windows 2000 Active Directory. ADMTv2.0 can be found on the Windows Server 2003 CD under the i386\ADMT folder. For more information on ADMT, see this previous column on Migrating domains .
Climbing Up To New (Functional) Levels
In order for some non-backward-compatible features to be enabled, functional levels are required. This is similar to what we had in Windows 2000 with native and mixed mode, only you can think of it as "Windows 2000 Native Mode++". The administrator manually advances the version number when all the DCs in the scope of the desired functional level are upgraded, and the version only increases, so there's no going back: Legacy DCs are blocked from joining/starting once the version has been advanced. There are Domain behavior version and Forest behavior version. Since the features that become enabled with a higher domain functional level are few and not the ones that are needed most, it usually makes no sense to increase functional levels of individual domains. A good best practice is to wait until all domain controllers in a forest were upgraded to Windows Server 2003 and then raise the forest functional level. This will automatically raise all domains functional levels in the forest.
Regardless of the functional levels, many of the features are available immediately, such as:
- Universal Group Caching (No-GC logon)
- Create replica from media
- No-GC-full-synchronization (Reduced Traffic)
- Application partitions
- The use of DNS in Application Partitions
- All the mentioned administrative tools improvements
- DC rename
- Reset the Restore Mode Password while online
- ADMTv2.0 improvements
- Reduced storage requirements (Single instancing of Security Descriptors)
- Object quotas
There are two main features enabled at the Windows Server 2003 domain level:
- Two-stage DC rename
- Redirect default User and Computer creation
Note Another small feature enabled in Windows Server 2003 domain level is the LastLogonTimeStamp attribute, which keeps the calculated last login time for a user in the domain. This can be helpful since the current lastlogin attribute is per DC and is not replicated to other DCs.
The following are enabled at the Windows Server 2003 forest level:
- Per-value replication (e.g. Link Value Replication of Group membership)
- New ISTG algorithm
- Domain rename
- Schema redefine
- Convert user to INetOrgPerson class
- Corrected Aux class support
- Cross-Forest Trusts
To sum up, Windows Server 2003 Active Directory was driven by a lot of customer and partner feedback that helped address key issues and achieve greater flexibility in deployment, improved application integration and great new capabilities.
- Technical Overview of Windows Server 2003 Active Directory
- Windows Server 2003 Domain Rename Tools
- Windows Server 2003 Trust Enhancements
For any feedback regarding the content of this column, please write to Microsoft TechNet . Please be aware that a response is not guaranteed.