Active Directory for Windows .NET Server 2003: Deployment enhancements

Following the announcement of release candidate 2 (RC2) by Bill Gates at Comdex a little over a week ago, over the next three weeks we will outline what these features will offer both to existing Active Directory installations and to organisations considering a move to Active Directory in line with the release of Windows .NET Server 2003.

These new Active Directory features and enhancements were first touted over a year ago when Microsoft began outlining what would be included when .NET Server 2003 shipped. The features outlined at the time were designed to address issues including ease of deployment, scalability, and improved application integration capabilities.

This - the first in the series - provides an overview of features designed to help deploy Active Directory. They include capabilities to overcome existing Active Directory limitations of particular interest to larger enterprises, enhancements to make remote office deployment more effective, and new graphical and command-line management tools.

Deployment Enhancements

No Global Catalog (GC) Logon: Currently users must connect to a Global Catalog to log on. Consequently, administrators must either place a Global Catalog at each remote site - increasing server load and WAN traffic - or allow users to authenticate to the Global Catalog across WAN links. The latter can result in slow authentication, increased WAN traffic, or failed logons if the link is congested or unavailable. With the .NET Server 2003 version of Active Directory, Domain Controllers will store a cache of user information that is populated at initial logon. The server then keeps the cache up to date at intervals set by the administrator. This eliminates the need for a Global Catalog at each site and makes logons a LAN traffic activity. It also eases the management burden by allowing administrators to centralise the Global Catalog.
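To make the behaviour of that cache concrete, here is a small model, added for this article and not Microsoft's code: a branch-site domain controller that answers logons from a local membership cache, populates the cache on a user's first logon by contacting the Global Catalog, and refreshes entries on an administrator-set interval. The users, group names, 30-minute interval and the "WAN down" flag are all constructed for the example. Beyond what the article states, the scenario also shows the practical caveat of any such cache: a membership removal made centrally is not seen at the branch until the next refresh, and a user who has never logged on at the branch still needs the Global Catalog.

```python
# Added illustration of the per-site membership cache described above; a
# simplified model written for this article, not Microsoft's code.
# Users, group names and the refresh interval are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class GlobalCatalog:
    """Central Global Catalog holding forest-wide (universal) group membership."""
    membership: dict[str, set[str]]   # user -> groups
    reachable: bool = True            # False models a congested or down WAN link

    def lookup(self, user: str) -> set[str]:
        if not self.reachable:
            raise ConnectionError("Global Catalog unreachable across the WAN")
        return set(self.membership.get(user, set()))


@dataclass
class BranchDC:
    """Domain controller at a remote site with no local Global Catalog."""
    gc: GlobalCatalog
    refresh_interval: int                                   # minutes between cache refreshes
    cache: dict[str, tuple[set[str], int]] = field(default_factory=dict)  # user -> (groups, fetched_at)

    def logon(self, user: str, now: int) -> tuple[set[str], str]:
        """Return (groups used for the logon token, where they came from).

        A cached user is served entirely on the LAN; a user not yet cached
        needs one trip to the GC, which populates the cache for next time.
        """
        if user in self.cache:
            return self.cache[user][0], "cache"
        groups = self.gc.lookup(user)   # raises ConnectionError if the link is down
        self.cache[user] = (groups, now)
        return groups, "gc"

    def refresh(self, now: int) -> list[str]:
        """Administrator-set periodic refresh: re-fetch entries older than the interval."""
        refreshed = []
        for user, (_, fetched_at) in list(self.cache.items()):
            if now - fetched_at >= self.refresh_interval:
                try:
                    self.cache[user] = (self.gc.lookup(user), now)
                    refreshed.append(user)
                except ConnectionError:
                    pass   # keep the stale entry so cached users can still log on
        return refreshed


def scenario() -> dict[str, object]:
    """Walk through logons at a branch site with a 30-minute refresh interval."""
    gc = GlobalCatalog({"alice": {"Universal-Finance"}, "bob": {"Universal-HR"}})
    dc = BranchDC(gc, refresh_interval=30)
    result: dict[str, object] = {}
    result["first_logon"] = dc.logon("alice", now=0)[1]      # "gc": initial logon fills the cache
    result["second_logon"] = dc.logon("alice", now=5)[1]     # "cache": LAN-only from now on
    gc.membership["alice"] = set()                           # alice removed from the group centrally
    result["groups_before_refresh"] = sorted(dc.logon("alice", now=20)[0])  # stale until refresh
    result["refreshed"] = dc.refresh(now=30)                 # interval elapsed: entry re-fetched
    result["groups_after_refresh"] = sorted(dc.logon("alice", now=31)[0])
    gc.reachable = False                                     # WAN link goes down
    result["cached_user_with_wan_down"] = dc.logon("alice", now=40)[1]
    try:
        dc.logon("bob", now=40)                              # never cached: still needs the GC
        result["uncached_user_with_wan_down"] = "logon ok"
    except ConnectionError:
        result["uncached_user_with_wan_down"] = "logon failed"
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The refresh interval is therefore a trade-off an administrator should set deliberately: a longer interval means less WAN traffic, but also a longer window in which a revoked group membership still grants access at the branch.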

Create Replica from Media: Currently, when setting up domain controllers for remote sites, administrators must either accept lengthy, expensive and link-degrading replication over the remote site WAN, or set the server up on the LAN and physically ship it to the remote site. Even with the second method, the delay in shipping and deployment can still affect the WAN link, as the system must replicate all changes that have occurred since it was last connected to the LAN. With Active Directory in .NET Server 2003 it will be possible to use backup software to back up the domain at one site and then restore it onto new domain controllers. This capability will also support backup and restore of Global Catalogs.

Linked-value Replication: This enhancement removes the 5000 direct member limit on groups. Only the changed information for individual group members is replicated, rather than treating the entire membership as a single unit and replicating all of it to every domain controller. Consequently network usage is reduced and groups can have more direct members. For larger organisations, and particularly large Exchange installations, this is a major improvement.
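The following model, added for this article and not Microsoft's code, contrasts the two replication schemes the paragraph describes: a Windows 2000 style domain controller that treats the whole member attribute as one replicated value with one version stamp, and a Windows Server 2003 style domain controller that replicates each member link with its own stamp. Version stamps, user names and group sizes are constructed for the example. The first scenario shows the traffic point the article makes (adding one user to a 5000-member group ships 5001 names under the old scheme and one under the new). The second scenario goes beyond the article: when two domain controllers each add a different member before replicating, whole-attribute replication lets the later write overwrite the earlier one and silently drops a member, whereas per-link replication merges both additions.

```python
# Added illustration of the replication difference described above; a
# simplified model written for this article, not Microsoft's code. Stamps,
# user names and group sizes are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Change:
    op: str      # "add" or "remove"
    member: str
    stamp: int   # version stamp; a higher stamp wins on conflict


@dataclass
class WholeValueDC:
    """Windows 2000 style: the whole 'member' attribute is one replicated value."""
    members: set[str] = field(default_factory=set)
    stamp: int = 0

    def edit(self, change: Change) -> list:
        if change.op == "add":
            self.members.add(change.member)
        else:
            self.members.discard(change.member)
        self.stamp = change.stamp
        # The payload sent to every other DC is the entire membership.
        return [(sorted(self.members), self.stamp)]

    def apply_inbound(self, payload: list) -> None:
        for members, stamp in payload:
            if stamp > self.stamp:          # last writer wins for the whole attribute
                self.members = set(members)
                self.stamp = stamp


@dataclass
class LinkedValueDC:
    """Windows Server 2003 style: each member link carries its own stamp."""
    links: dict[str, tuple[bool, int]] = field(default_factory=dict)  # member -> (present, stamp)

    @property
    def members(self) -> set[str]:
        return {m for m, (present, _) in self.links.items() if present}

    def edit(self, change: Change) -> list:
        present = change.op == "add"
        self.links[change.member] = (present, change.stamp)
        # Only the one changed link is the payload.
        return [(change.member, present, change.stamp)]

    def apply_inbound(self, payload: list) -> None:
        for member, present, stamp in payload:
            current = self.links.get(member)
            if current is None or stamp > current[1]:   # conflicts resolved per link
                self.links[member] = (present, stamp)


def payload_members(payload: list) -> int:
    """Number of member names carried by a replication payload."""
    return sum(len(item[0]) if isinstance(item[0], list) else 1 for item in payload)


def single_add_cost(group_size: int) -> tuple[int, int]:
    """(whole-value, linked-value) names replicated when one user joins a group of group_size."""
    existing = [f"user{i}" for i in range(group_size)]
    whole = WholeValueDC(set(existing), stamp=1)
    linked = LinkedValueDC({m: (True, 1) for m in existing})
    change = Change("add", "newuser", stamp=2)
    return payload_members(whole.edit(change)), payload_members(linked.edit(change))


def concurrent_adds() -> tuple[list[str], list[str], list[str], list[str]]:
    """Two DCs each add a different member, then replicate with each other.

    Returns the final membership seen on DC1 and DC2 under each scheme.
    """
    w1, w2 = WholeValueDC({"alice"}, stamp=1), WholeValueDC({"alice"}, stamp=1)
    l1, l2 = LinkedValueDC({"alice": (True, 1)}), LinkedValueDC({"alice": (True, 1)})
    # DC1 adds bob and DC2 adds carol before either change has replicated.
    p1, p2 = w1.edit(Change("add", "bob", stamp=2)), w2.edit(Change("add", "carol", stamp=3))
    w1.apply_inbound(p2)
    w2.apply_inbound(p1)
    q1, q2 = l1.edit(Change("add", "bob", stamp=2)), l2.edit(Change("add", "carol", stamp=3))
    l1.apply_inbound(q2)
    l2.apply_inbound(q1)
    return sorted(w1.members), sorted(w2.members), sorted(l1.members), sorted(l2.members)


if __name__ == "__main__":
    print("names replicated for one add to a 5000-member group:", single_add_cost(5000))
    print("membership after concurrent adds (whole DC1, whole DC2, linked DC1, linked DC2):")
    print(concurrent_adds())
```

The second result is the one worth remembering from a security standpoint: under whole-attribute replication both domain controllers converge on a membership that is missing bob, and nothing in the directory records that his addition was lost, so an access grant (or, in the reverse case, a removal) made on one domain controller can vanish if another domain controller edits the same group at nearly the same time.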

Improved Inter-Site Topology Generator: Active Directory currently supports a service called the Inter-Site Topology Generator (ISTG), which automatically builds what is effectively a routing table for Active Directory replication. Currently this service can support a maximum of 200 sites. For most Australian organisations this is not an issue; however, for a small number (Michael Leworthy, Windows Server Product Manager at Microsoft Australia, estimates two or three organisations in Australia) the increase of this limit from 200 sites to 5000 sites in Windows .NET Server 2003 is a significant enhancement.

Domain Rename: Common scenarios for renaming domains are mergers and acquisitions, organisation consolidation, and organisation reorganisation. Under Active Directory on Windows 2000 this can be done, but it is a difficult task to perform. With .NET Server 2003, domains can be renamed provided the resulting forest is well formed. The provisos are that domain controllers in the renamed domains must be rebooted, that the forest root role cannot be moved, and that domain member computers must be rebooted twice.

Cross-Forest Trust: Again common in merger and acquisition scenarios, trust relationships must be formed to provide resources to members of either domain. These transitive trusts are currently achieved using NTLM. With .NET Server 2003, a cross-forest trust can be set up, eliminating the need for a complex mesh of trusts and providing the security benefit of Kerberos authentication.

Manageability: New tools in the Active Directory MMC interface offer drag-and-drop administration, multiple selection and editing, and queries that the administrator can save for reuse at any site. For sites with strict password change requirements, administrators no longer have to reboot to change the Restore Mode Admin Password; it can be done while Domain Services are still online. Directory services command-line tools will also be provided, giving administrators the ability to write scripts for easier management.

DNS: Domain controller renaming will only require a single reboot, rather than the three it currently takes on Windows 2000. Also included are improvements to DNS auto-configuration in DCPROMO, as well as the ability to force a demotion in DNS.

Next week, in the second of this series we will outline application support and security enhancements in Active Directory for Windows .NET Server 2003.

We encourage your feedback and suggestions on both this series and future articles via emailing


Ben Gerholt

PC World