Active Directory in Windows Server 2003 Service Pack 1
Applies To: Windows Server 2003 with SP1
What does Active Directory do?
Active Directory® is a directory service that stores information about objects on a network and makes this information available to users and network administrators. Active Directory objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts.
Active Directory is composed of the following:
Schema. This is a set of rules that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names.
Global catalog. This data store contains information about every object in the directory. This allows users and administrators to find directory information regardless of which domain in the directory actually contains the data.
Query and index mechanism. Through this mechanism, objects and their properties can be published to the directory and located by network users or applications.
Replication service. This service distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.
Active Directory client software. The Active Directory client enables many of the Active Directory features available on Windows 2000 Professional or Windows XP Professional clients for computers running Windows 95, Windows 98, and Windows NT 4.0.
Who does this feature apply to?
The changes in Active Directory for Windows Server 2003 Service Pack 1 (SP1) will be of interest to:
IT professionals who support Active Directory, such as Active Directory administrators, Active Directory schema administrators, Domain Name System (DNS) administrators, and domain controller administrators.
Help desk professionals.
What functionality is changing in Windows Server 2003 Service Pack 1?
Directory service backup reminders
A new event message, event ID 2089, reports the backup status of each directory partition that a domain controller stores, including application directory partitions and Active Directory Application Mode (ADAM) partitions. If a partition has not been backed up within the backup latency interval, which by default is half the tombstone lifetime, this event is logged in the Directory Service event log and repeats daily until the partition is backed up.
Added replication security and fewer replication errors
Replication metadata for domain controllers from which Active Directory has been removed is no longer retained by default, although a waiting period can be configured. This change improves replication security and eliminates replication error messages that are caused by failed attempts to replicate with decommissioned domain controllers. For more information about preserving replication metadata, see "How the Active Directory Replication Model Works" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=46510.
Install from Media improvement for installing DNS servers
Install from Media improvements make it easier to create a new domain controller that is a DNS server by providing the new option to include application directory partitions in the backup media that is used to install the new domain controller. This option eliminates the requirement for replication of the DomainDNSZones and ForestDNSZones application directory partitions before the DNS server is operational.
Enhancements for replication and DNS testing
The Dcdiag.exe command-line tool, which is available in Windows Support Tools, provides new reporting on the overall health of replication with respect to Active Directory security. This test provides a summary of results along with detailed information for each domain controller that is tested and a diagnosis of any security errors. Dcdiag.exe also has new DNS tests for connectivity, service availability, forwarders and root hints, delegation, dynamic update, locator record registrations, external name resolution, and enterprise infrastructure. These tests can be performed on one domain controller or on all domain controllers in a forest. For more information about the changes to Dcdiag.exe, see the Dcdiag.exe section of this article.
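The following is an added example, not code from the original article, showing how a practitioner would drive the two new test families from PowerShell and reduce the verbose output to a pass/fail table. It assumes the SP1 Windows Support Tools build of Dcdiag.exe is on the path; the domain controller names are placeholders.

```powershell
# Added example (not from the original article): run the SP1 Dcdiag replication-security
# and DNS tests and extract the per-server "passed test"/"failed test" summary lines.
# Assumptions: Dcdiag.exe from Windows Support Tools (SP1 build) is on the PATH, and the
# caller has Domain Admins rights. DC01/DC02 are placeholder names.
param(
    [string]$SourceDc   = 'DC01',   # assumed: the domain controller being tested
    [string]$ReplSource = 'DC02'    # assumed: its replication partner for the security test
)

function Invoke-DcdiagSummary {
    param([string[]]$DcdiagArgs)
    # Capture stdout and stderr as plain strings.
    $output = & dcdiag @DcdiagArgs 2>&1 | ForEach-Object { "$_" }
    # Dcdiag prints one summary line per server and test, e.g.
    #   "......................... DC01 passed test Connectivity"
    foreach ($line in $output) {
        if ($line -match '^\s*\.+\s+(\S+)\s+(passed|failed) test (\S+)') {
            [pscustomobject]@{
                Server = $Matches[1]
                Result = $Matches[2]
                Test   = $Matches[3]
            }
        }
    }
}

# Replication security health between two DCs: Kerberos, SPN, trust and time-skew problems
# are diagnosed and summarised by the new CheckSecurityError test.
Invoke-DcdiagSummary -DcdiagArgs @('/test:CheckSecurityError', "/s:$SourceDc", "/ReplSource:$ReplSource")

# The new DNS test family. /DnsAll runs every DNS subtest (including external name
# resolution, which is skipped by default); /e runs it against every DC in the forest.
Invoke-DcdiagSummary -DcdiagArgs @('/test:DNS', '/DnsAll', '/e', '/v')
```

Pipe the result to Where-Object { $_.Result -eq 'failed' } to get just the failures, and drop /e while troubleshooting a single server, because the forest-wide DNS run is slow on large forests.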
Support for running domain controllers in virtual machines
On a single physical server that is running Windows Server 2003 and Microsoft Virtual Server 2005, you can install multiple Windows Server 2003 or Windows 2000 Server domain controllers in separate virtual machines. This platform is well suited for test environments. By using virtual machines, you can effectively host multiple domains, multiple domain controllers for the same domain, or even multiple forests on one physical server that is running a single operating system. Windows Server 2003 SP1 also provides protection against directory corruption that can result from improper backup and restoration of domain controller images. For more information about running domain controllers in virtual machines, see "Running Domain Controllers in Virtual Server 2005" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38330.
Operations master health and status reporting
If an operation that requires a domain controller that holds an operations master role (also known as flexible single-master operations (FSMO)) cannot be performed, events are now logged in the Directory Service event log. Events identify role holders that do not exist, exist but are not available, or are available but have not replicated recently with the contacting domain controller. For more information about operations masters, see "How Operations Masters Work" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38333.
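The check below is an added example, not part of the original article: it enumerates the five operations master role holders and classifies each one the way the new events do (no holder recorded, holder deleted, holder exists but does not answer, holder available). It uses only the [ADSI] accelerator so that it works against Windows Server 2003 domain controllers; the domain controller name is a placeholder.

```powershell
# Added example (not from the original article): list the FSMO role holders recorded in the
# directory and probe each one with an LDAP bind. Assumption: $DomainController is a DC in
# the domain of interest and the caller can read the Configuration and Schema partitions.
param(
    [string]$DomainController = 'DC01'   # assumed placeholder
)

$rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
$domainNc = $rootDse.defaultNamingContext[0]
$configNc = $rootDse.configurationNamingContext[0]
$schemaNc = $rootDse.schemaNamingContext[0]

# Each role is recorded in the fSMORoleOwner attribute of a well-known object.
$roleObjects = [ordered]@{
    'PDC emulator'          = $domainNc
    'RID master'            = 'CN=RID Manager$,CN=System,' + $domainNc
    'Infrastructure master' = 'CN=Infrastructure,' + $domainNc
    'Schema master'         = $schemaNc
    'Domain naming master'  = 'CN=Partitions,' + $configNc
}

foreach ($role in $roleObjects.Keys) {
    $roleObject     = [ADSI]"LDAP://$DomainController/$($roleObjects[$role])"
    # fSMORoleOwner is the DN of the holder's NTDS Settings object.
    $ntdsSettingsDn = [string]$roleObject.fSMORoleOwner
    $hostName       = ''
    $status         = 'no role holder recorded'

    if ($ntdsSettingsDn) {
        if ($ntdsSettingsDn -match '\\0ADEL:') {
            # The link points at a deleted NTDS Settings object: the role must be seized.
            $status = 'holder object is deleted'
        } else {
            # The parent of NTDS Settings is the server object, which carries dNSHostName.
            $serverDn     = $ntdsSettingsDn -replace '^CN=NTDS Settings,', ''
            $serverObject = [ADSI]"LDAP://$DomainController/$serverDn"
            $hostName     = [string]$serverObject.dNSHostName
            try {
                $probe = [ADSI]"LDAP://$hostName/RootDSE"
                $probe.psbase.RefreshCache()     # forces the bind; throws if unreachable
                $status = 'available'
            } catch {
                $status = 'exists but did not answer LDAP'
            }
        }
    }
    [pscustomobject]@{ Role = $role; Holder = $hostName; Status = $status }
}
```

A holder that is "available" here but still produces events on other domain controllers is most likely a replication-latency problem rather than an outage, which is the third condition the events distinguish.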
Extended storage of deleted objects
The default period that a copy of a deleted object is retained in Active Directory, called the tombstone lifetime, is extended from 60 days to 180 days. Longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected domain controller beyond the time when the object is permanently deleted from online domain controllers. The tombstone lifetime is not changed automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days. For more information about tombstone lifetime, see "How the Data Store Works" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38339.
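The script below is an added example, not code from the original article, covering both the backup reminders described earlier and the tombstone lifetime change described here: it reads the forest's tombstoneLifetime value (treating an absent value as the pre-SP1 default of 60 days), derives the default backup latency interval, and pulls recent event 2089 reminders from a domain controller's Directory Service log. The domain controller name is a placeholder; the lines that change the value are left commented out because the change replicates forest-wide.

```powershell
# Added example (not from the original article): inspect tombstone lifetime, the derived
# backup latency interval, and event 2089 backup reminders. Assumptions: $DomainController
# is a placeholder for a DC in your forest, and the caller can read the Configuration
# partition and the DC's event log. Uses [ADSI] and Get-EventLog so it works against
# Windows Server 2003 DCs from a newer administrative host.
param(
    [string]$DomainController = 'DC01'
)

# tombstoneLifetime is stored on the Directory Service object in the Configuration partition.
# Forests created before Windows Server 2003 SP1 normally have it unset, which means 60 days.
$rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
$configNc = $rootDse.configurationNamingContext[0]
$dsObject = [ADSI]"LDAP://$DomainController/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

$tombstoneLifetime = $dsObject.psbase.Properties['tombstoneLifetime'].Value
if ($null -eq $tombstoneLifetime) { $tombstoneLifetime = 60 }   # implicit default when unset
$backupLatencyDays = [math]::Floor($tombstoneLifetime / 2)

"Tombstone lifetime      : $tombstoneLifetime days"
"Backup latency interval : $backupLatencyDays days (default is half the tombstone lifetime)"

# Upgraded forests keep their old value. To adopt the SP1 default of 180 days manually,
# uncomment the two lines below (Enterprise Admins rights; replicates to every DC).
# Do not lower the value below the longest period a DC or a backup may remain disconnected.
# $dsObject.Put('tombstoneLifetime', 180)
# $dsObject.SetInfo()

# Event 2089 is logged once a day for every partition not backed up within the interval.
$reminders = Get-EventLog -ComputerName $DomainController -LogName 'Directory Service' -After (Get-Date).AddDays(-7) |
    Where-Object { $_.EventID -eq 2089 }

if (-not $reminders) {
    "No event 2089 backup reminders on $DomainController in the last 7 days."
} else {
    $reminders |
        Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, Message |
        Format-List
}
```

Because every writable replica of a partition can serve as its backup source, one reminder per partition across the forest is enough to act on; a reminder that keeps recurring on only one domain controller after a backup has been taken points to that DC not receiving the backup metadata through replication.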
Improved domain controller name resolution
In response to Domain Name System (DNS) name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see "How DNS Support for Active Directory Works" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38335.
Simplified process for server metadata removal
The Ntdsutil.exe command-line tool for managing the Active Directory database has new commands that make it easier to remove domain controller metadata. Preliminary steps, such as connecting to a server, domain, and site, are no longer required. You simply specify the server to remove. You can also specify the server on which to make the deletion. For more information about the changes to Ntdsutil.exe, see the Ntdsutil.exe section of this article.
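As an added example, not code from the original article, the following wrapper uses the simplified SP1 syntax: it resolves the decommissioned domain controller's server object DN from the Configuration partition, shows the exact Ntdsutil command that will run, and only then removes the metadata. The server names are placeholders; the account needs Domain Admins rights (Enterprise Admins if the last DC of a domain is involved).

```powershell
# Added example (not from the original article): remove stale domain controller metadata with
# the Windows Server 2003 SP1 Ntdsutil "remove selected server <DN> on <DC>" form, which no
# longer needs the connections / select operation target preliminaries.
# Assumptions: $DeadServer names a DC that is permanently offline (placeholder), $TargetDc is
# the DC on which to perform the deletion, and Ntdsutil.exe is on the PATH.
param(
    [Parameter(Mandatory)][string]$DeadServer,
    [string]$TargetDc = $env:COMPUTERNAME
)

# Look the server object up under CN=Sites rather than guessing its DN.
$rootDse  = [ADSI]"LDAP://$TargetDc/RootDSE"
$configNc = $rootDse.configurationNamingContext[0]
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$TargetDc/CN=Sites,$configNc",
    "(&(objectClass=server)(cn=$DeadServer))")
$result = $searcher.FindOne()
if (-not $result) {
    throw "No server object named '$DeadServer' exists under CN=Sites,$configNc; nothing to clean up."
}
$serverDn = $result.Properties['distinguishedname'][0]

# Refuse to run if the server still appears to replicate: a live NTDS Settings object with a
# recent successful bind means this is not a decommissioned DC.
$hostName = [string]([ADSI]"LDAP://$TargetDc/$serverDn").dNSHostName
try {
    ([ADSI]"LDAP://$hostName/RootDSE").psbase.RefreshCache()
    throw "$hostName still answers LDAP. Demote it with dcpromo instead of removing its metadata."
} catch [System.Runtime.InteropServices.COMException] {
    # Expected for a dead server: the bind fails, so we continue.
}

# SP1 syntax: each Ntdsutil command is passed as one argument; 'quit' twice leaves both menus.
$ntdsutilArgs = @(
    'metadata cleanup',
    "remove selected server $serverDn on $TargetDc",
    'quit',
    'quit'
)

"About to run: ntdsutil $($ntdsutilArgs -join ' ')"
if ((Read-Host 'This deletes directory objects. Type YES to proceed') -ne 'YES') { return }

& ntdsutil @ntdsutilArgs
```

After the command completes, check the Directory Service event log on $TargetDc for the metadata-cleanup events and remove any remaining DNS records and FRS member objects the tool reports it could not delete.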
Improved security to protect confidential attributes
To prevent Read access to confidential attributes, such as a Social Security number, while allowing Read access to other object attributes, you can designate specific attributes as confidential by setting a search flag on the respective attributeSchema object. By default, only domain administrators have Read access to confidential attributes, but this access can be delegated. For more information about access to attributes, see "How Security Descriptors and Access Control Lists Work" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=45972.
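The following added example, not code from the original article, performs the schema change described above: it locates the attributeSchema object on the schema master and ORs the confidential bit (0x80) into searchFlags without disturbing the other flags. Two facts it relies on that the article does not spell out are that the confidential bit is bit 0x80 of searchFlags and that it cannot be set on base-schema (category 1) attributes, which are marked by systemFlags bit 0x10. The attribute name is a placeholder for your own extension attribute.

```powershell
# Added example (not from the original article): mark a custom attribute confidential.
# Assumptions: the caller is a member of Schema Admins, the attribute named in
# $AttributeLdapName exists and is not part of the Microsoft base schema, and the schema
# master is reachable. 'contoso-SocialSecurityNumber' is a placeholder.
param(
    [string]$AttributeLdapName = 'contoso-SocialSecurityNumber',
    [switch]$Apply    # without -Apply the script only reports the current state
)

$CONFIDENTIAL     = 0x80   # searchFlags bit 7: Read requires the CONTROL_ACCESS right
$BASE_SCHEMA_FLAG = 0x10   # systemFlags bit 4: category 1 (base schema) object

# Schema writes must go to the schema master, which RootDSE and fSMORoleOwner identify.
$rootDse      = [ADSI]'LDAP://RootDSE'
$schemaNc     = $rootDse.schemaNamingContext[0]
$ntdsDn       = [string]([ADSI]"LDAP://$schemaNc").fSMORoleOwner
$schemaMaster = [string]([ADSI]"LDAP://$($ntdsDn -replace '^CN=NTDS Settings,', '')").dNSHostName

$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$schemaMaster/$schemaNc",
    "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))")
$hit = $searcher.FindOne()
if (-not $hit) { throw "No attributeSchema object with lDAPDisplayName '$AttributeLdapName'." }

$attr        = $hit.GetDirectoryEntry()
$searchFlags = [int]($attr.psbase.Properties['searchFlags'].Value)
$systemFlags = [int]($attr.psbase.Properties['systemFlags'].Value)

'{0}: searchFlags=0x{1:X} systemFlags=0x{2:X} (schema master {3})' -f $AttributeLdapName, $searchFlags, $systemFlags, $schemaMaster

if ($systemFlags -band $BASE_SCHEMA_FLAG) {
    Write-Warning 'Base-schema attribute: the confidential bit cannot be set here. Store the data in a custom attribute instead.'
    return
}

if ($searchFlags -band $CONFIDENTIAL) {
    'Already confidential.'
} elseif ($Apply) {
    # OR the bit in so existing flags (indexing, ANR, preserve-on-delete, and so on) survive.
    $attr.Put('searchFlags', ($searchFlags -bor $CONFIDENTIAL))
    $attr.SetInfo()
    'Confidential bit set. Only accounts holding CONTROL_ACCESS on the attribute (Domain Admins by default) can now read it.'
} else {
    'Not confidential. Re-run with -Apply to set the bit.'
}
```

To delegate read access afterwards, grant the delegated principal the Control Access right on the specific attribute (not Full Control on the object) with Dsacls or ADSI Edit, and verify the effect by binding as an ordinary user and confirming the attribute is absent from the results rather than empty.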
Retention of SID history on tombstones
The sIDHistory attribute has been added to the set of attributes that are retained on an object tombstone when the object is deleted. If a tombstoned object is reactivated (undeleted), the sIDHistory attribute is now restored with the object. For more information about tombstones, see "How the Data Store Works" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=45973.
Adprep.exe improvements for Windows 2000 Server upgrades
The Adprep.exe tool has been improved to reduce the impact of the File Replication service (FRS) synchronization that results from updating SYSVOL files during upgrade. Adprep.exe upgrades the Windows 2000 Server schema to the Windows Server 2003 schema and updates some forest- and domain-specific configuration, including SYSVOL, that a Windows Server 2003 domain controller requires to be operational. The tool now allows the SYSVOL operations to be performed as a separate step when preparing the domain for upgrade. A new switch, /gpprep, accommodates the SYSVOL updates, which can be performed at a convenient time following the upgrade (adprep /domainprep /gpprep). The adprep /domainprep command, which formerly performed both directory and SYSVOL updates, now updates only the directory. Adprep.exe also now detects third-party schema extensions that block an upgrade, identifies the blocking extensions, and recommends fixes. Microsoft Exchange Server schema objects are also detected so that the Exchange Server schema can be prepared appropriately to accommodate InetOrgPerson naming. For more information about the changes to Adprep.exe, see the Adprep.exe section of this article.
Changes in dragging and dropping objects in Active Directory Users and Computers
Windows Server 2003 Service Pack 1 makes two changes to the drag-and-drop behavior of the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, both in response to customer feedback.
First, dragging and dropping an object now displays a confirmation dialog by default. Windows Server 2003 enabled drag and drop in Active Directory Users and Computers but did not confirm moves. This made it easier to move objects, but also easier to drop an object into the wrong container by accident; because Group Policy and delegated permissions follow the organizational unit, such a move can cause client workstations to lose access to critical resources. The confirmation dialog gives the administrator a chance to cancel an unintentional move before it affects the organization. The dialog includes a check box labeled Don’t show this warning while this snap-in is open.
If the administrator selects the Don’t show this warning while this snap-in is open check box, the dialog is suppressed for the rest of the current snap-in session, and subsequent drag-and-drop moves in that session occur without confirmation.
If the check box is left cleared, the warning is shown every time the administrator drags and drops an object.
Second, an administrator can disable drag and drop completely by setting the flags attribute on the Display Specifiers container. The container is in the Configuration partition at CN=DisplaySpecifiers,CN=Configuration,DC=<forest root domain>, so the setting applies to every domain in the forest. The attribute can be set with ADSI Edit (Adsiedit.msc), which is available in Windows Support Tools.
The overall behavior is:
If the flags attribute is set to any value, drag and drop is disabled. This is not the default.
If the flags attribute is not set (the default), drag and drop can be used to move objects in the Active Directory Users and Computers MMC snap-in.
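The script below is an added example, not code from the original article, and does with the [ADSI] accelerator what the text describes doing in ADSI Edit: it shows the current flags value on the Display Specifiers container and can set or clear it. It binds through RootDSE so the forest root domain name does not have to be typed; the account needs Enterprise Admins rights because the Configuration partition is forest-wide.

```powershell
# Added example (not from the original article): show, disable or re-enable drag and drop in
# Active Directory Users and Computers via the flags attribute on CN=DisplaySpecifiers.
# Assumptions: the caller has Enterprise Admins rights and the value 1 is used when disabling
# (the article states that any value disables the feature; 1 is simply a conventional choice).
param(
    [ValidateSet('Show', 'Disable', 'Enable')]
    [string]$Action = 'Show'
)

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext[0]       # CN=Configuration,DC=<forest root>,...
$container = [ADSI]"LDAP://CN=DisplaySpecifiers,$configNc"

# For a single-valued attribute .Value is the integer, or $null when the attribute is not set.
$current = $container.psbase.Properties['flags'].Value

switch ($Action) {
    'Show' {
        if ($null -eq $current) { 'flags is not set: drag and drop is enabled (default).' }
        else                    { "flags = $current : drag and drop is disabled." }
    }
    'Disable' {
        $container.Put('flags', 1)
        $container.SetInfo()
        'flags set to 1: drag and drop is disabled for snap-ins opened after the change replicates.'
    }
    'Enable' {
        if ($null -ne $current) {
            # ADS_PROPERTY_CLEAR (1) removes the attribute entirely, restoring the default.
            $container.PutEx(1, 'flags', $null)
            $container.SetInfo()
        }
        'flags cleared: drag and drop is enabled.'
    }
}
```

Snap-ins already open keep the behavior they started with, and administrators connected to a domain controller that has not yet received the change will still see drag and drop enabled until replication completes.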