Active Directory for Windows .NET Server 2003: Deployment enhancements

Following Bill Gates's announcement of release candidate 2 (RC2) at Comdex a little over a week ago, over the next three weeks we will outline what the new Active Directory features will offer both existing Active Directory installations and organisations considering a move to Active Directory in line with the release of Windows .NET Server 2003.

These new Active Directory features and enhancements were first touted over a year ago when Microsoft began outlining what would be included when .NET Server 2003 shipped. The features outlined at the time were designed to address issues including ease of deployment, scalability, and improved application integration capabilities.

This - the first in the series - provides an overview of features designed to help deploy Active Directory. They include capabilities to overcome existing Active Directory limitations of particular interest to larger enterprises, enhancements to make remote office deployment more effective, and new graphical and command-line management tools.

Deployment Enhancements

No Global Catalog (GC) Logon: Currently users must connect to a Global Catalog to log on. Consequently, administrators must either place a Global Catalog at each remote site - increasing server load and WAN traffic - or allow users to authenticate to a Global Catalog across WAN links. The latter can result in slow authentication, increased WAN traffic, or failed logons if the link is congested or unavailable. With the .NET Server 2003 version of Active Directory, domain controllers will store a cache of user information that is populated at the user's initial logon. The server then refreshes the cache at intervals set by the administrator. This eliminates the need for a Global Catalog at each site and makes logons a LAN-traffic activity. The feature also eases the management burden by allowing administrators to centralise their Global Catalogs.

Create Replica from Media: Currently, when setting up domain controllers for remote sites, administrators must either accept lengthy, expensive and link-degrading replication over the remote site's WAN link, or set the server up on the LAN and physically ship it to the remote site. Even with the second method, the delay between shipping and deployment can still load the WAN link, because the new domain controller must pull every change made since it was last connected to the LAN. With Active Directory in .NET Server 2003 it will be possible to use backup software to back up the domain at one site and then restore that backup onto new domain controllers. This capability will also support backup and restore of Global Catalogs.

Linked-value Replication: The 5000-direct-member limit on groups is removed by this enhancement. Only the changed information for individual group members is replicated, rather than the entire membership being treated as a single unit and replicated to every domain controller. Consequently network usage is reduced and groups can have more direct members. For larger organisations, and particularly large Exchange installations, this is a major improvement.

Improved Inter-Site Topology Generator: Active Directory currently includes a service called the Inter-Site Topology Generator (ISTG), which automatically builds what is effectively a routing table for Active Directory replication. Currently this service supports a maximum of 200 sites. For most Australian organisations this is not an issue. However, for a small number (Michael Leworthy, Windows Server Product Manager at Microsoft Australia, estimates two or three organisations in Australia), the increase of this limit from 200 sites to 5000 sites in Windows .NET Server 2003 is a significant enhancement.
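The two site-level features above (Universal Group Membership Caching for "no GC logon", and the ISTG site limit) are both visible in the configuration partition, so a deployment can be audited before and after the upgrade. The script below is an added example written for this article, not Microsoft's own tooling: it reads the nTDSSiteSettings and nTDSDSA objects through ADSI/.NET only (no extra modules), flags sites that have neither a Global Catalog nor membership caching (every logon there crosses the WAN), flags sites where caching is redundant because a GC is already present, and compares the site count against the 200 and 5000 limits quoted in the article. The bit values for the options attributes are the documented ones (0x20 for group caching on a site-settings object, 0x01 for "is a GC" on an NTDS Settings object); it assumes the caller is on a domain-joined Windows host with read access to the configuration partition, and that site and server names contain no commas.

```powershell
# Added example, not from the article: audit AD sites for Universal Group
# Membership Caching and Global Catalog presence, and compare the site count
# with the ISTG limits quoted in the article. ADSI/.NET only.

$GroupCachingBit      = 0x20   # nTDSSiteSettings.options: NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED
$IsGlobalCatalogBit   = 0x01   # nTDSDSA.options: NTDSDSA_OPT_IS_GC
$Windows2000SiteLimit = 200    # ISTG limits as quoted in the article
$Server2003SiteLimit  = 5000

function Find-ConfigObjects {
    # Paged LDAP search under the configuration naming context.
    param([string]$Filter, [string[]]$Properties)
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = [string]$rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNC"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindAll()
}

function Get-Property {
    # First value of an attribute on a SearchResult, or $null when it is not set.
    param($Result, [string]$Name)
    if ($Result.Properties.Contains($Name) -and $Result.Properties[$Name].Count -gt 0) {
        return $Result.Properties[$Name][0]
    }
    return $null
}

function Get-SiteCachingReport {
    # Count Global Catalogs per site. nTDSDSA DNs look like
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,... (assumes no commas in names)
    $gcPerSite = @{}
    foreach ($dsa in (Find-ConfigObjects '(objectClass=nTDSDSA)' @('distinguishedName', 'options'))) {
        $site = (([string](Get-Property $dsa 'distinguishedname')) -split ',')[3] -replace '^CN=', ''
        $opts = [int](Get-Property $dsa 'options')          # $null casts to 0
        if (-not $gcPerSite.ContainsKey($site)) { $gcPerSite[$site] = 0 }
        if ($opts -band $IsGlobalCatalogBit) { $gcPerSite[$site]++ }
    }

    # Site settings: CN=NTDS Site Settings,CN=<site>,CN=Sites,...
    $props = @('distinguishedName', 'options', 'msDS-Preferred-GC-Site', 'interSiteTopologyGenerator')
    foreach ($settings in (Find-ConfigObjects '(objectClass=nTDSSiteSettings)' $props)) {
        $site    = (([string](Get-Property $settings 'distinguishedname')) -split ',')[1] -replace '^CN=', ''
        $opts    = [int](Get-Property $settings 'options')
        $caching = [bool]($opts -band $GroupCachingBit)
        $gcs     = 0
        if ($gcPerSite.ContainsKey($site)) { $gcs = $gcPerSite[$site] }

        # Risk view: no GC and no caching means every logon depends on a WAN link to a GC.
        $status = 'OK'
        if (-not $caching -and $gcs -eq 0) { $status = 'Logons depend on WAN link to a GC' }
        elseif ($caching -and $gcs -gt 0)  { $status = 'Caching redundant: site already hosts a GC' }

        New-Object PSObject -Property @{
            Site            = $site
            GlobalCatalogs  = $gcs
            GroupCaching    = $caching
            PreferredGCSite = [string](Get-Property $settings 'msds-preferred-gc-site')
            ISTG            = [string](Get-Property $settings 'intersitetopologygenerator')
            Status          = $status
        }
    }
}

function Get-SiteCountSummary {
    $count = (Find-ConfigObjects '(objectClass=site)' @('distinguishedName')).Count
    $note  = 'within the Windows 2000 ISTG limit'
    if ($count -gt $Server3SiteLimit = $Server2003SiteLimit) { }
    if ($count -gt $Server2003SiteLimit)      { $note = 'exceeds even the Windows .NET Server 2003 ISTG limit' }
    elseif ($count -gt $Windows2000SiteLimit) { $note = 'exceeds the Windows 2000 ISTG limit; needs the .NET Server 2003 ISTG' }
    New-Object PSObject -Property @{ Sites = $count; Assessment = $note }
}

Get-SiteCachingReport | Sort-Object Site |
    Format-Table Site, GlobalCatalogs, GroupCaching, PreferredGCSite, ISTG, Status -AutoSize
Get-SiteCountSummary
```

Run it from a domain-joined host before the upgrade to find the remote sites that currently need a GC (or suffer WAN logons), and again afterwards to confirm that caching was enabled exactly where the GCs were removed. The msDS-Preferred-GC-Site column shows which site a caching DC refreshes from; if it is blank the DC picks the closest GC by site-link cost.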

Domain Rename: Common scenarios for renaming domains are mergers and acquisitions, organisation consolidation, and organisational restructuring. Under Active Directory on Windows 2000 this can be done, but it is a difficult task. With .NET Server 2003, domains can be renamed provided the resulting forest is well formed. The provisos are that domain controllers in the renamed domains must be rebooted, that the forest root role cannot be moved, and that domain member computers must be rebooted twice.

Cross-Forest Trust: Again common in merger and acquisition scenarios, trust relationships must be established so that members of either domain can reach resources in the other. These transitive trusts are currently built on NTLM. With .NET Server 2003, a single cross-forest trust can be set up, eliminating the need for a complex mesh of trusts and providing the security benefit of Kerberos authentication.
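Linked-value replication, domain rename and cross-forest trust all depend on the forest functional level being raised once every domain controller runs the new version, so an upgrade plan needs a way to check where a forest stands and what trusts it already carries. The script below is an added example written for this article, not a Microsoft tool: it reads msDS-Behavior-Version from the Partitions container (absent on a pure Windows 2000 forest, 1 for Windows Server 2003 interim, 2 for Windows Server 2003) and lists the trustedDomain objects in CN=System, decoding the documented trustAttributes flags so that NTLM-era external trusts can be told apart from Kerberos forest trusts. The feature-to-level mapping in the report (linked-value replication from the interim level, domain rename and forest trust from the full Windows Server 2003 level) is Microsoft's documented one; the assumption is a domain-joined Windows host with read access to the directory.

```powershell
# Added example, not from the article: report the forest functional level that
# gates LVR, domain rename and cross-forest trust, and decode existing trusts.
# ADSI/.NET only.

$ForestLevels = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }

# trustedDomain attribute decodings (MS-ADTS)
$TRUST_NON_TRANSITIVE    = 0x01
$TRUST_QUARANTINED       = 0x04   # SID filtering on an external trust
$TRUST_FOREST_TRANSITIVE = 0x08
$TRUST_WITHIN_FOREST     = 0x20
$TrustTypes      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos'; 4 = 'DCE' }
$TrustDirections = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-Value {
    # First value of an attribute on a SearchResult, or $null when it is not set.
    param($Result, [string]$Name)
    if ($Result.Properties.Contains($Name) -and $Result.Properties[$Name].Count -gt 0) {
        return $Result.Properties[$Name][0]
    }
    return $null
}

function Get-ForestLevelReport {
    $rootDse    = [ADSI]"LDAP://RootDSE"
    $partitions = [ADSI]("LDAP://CN=Partitions," + [string]$rootDse.configurationNamingContext)
    $level = 0                              # attribute does not exist on a Windows 2000 forest
    if ($partitions.Properties.Contains('msDS-Behavior-Version')) {
        $level = [int]$partitions.Properties['msDS-Behavior-Version'].Value
    }
    $name = $ForestLevels[$level]
    if (-not $name) { $name = "level $level (newer than Windows Server 2003)" }
    New-Object PSObject -Property @{
        ForestFunctionalLevel  = $name
        LinkedValueReplication = ($level -ge 1)   # available from Windows Server 2003 interim
        DomainRename           = ($level -ge 2)   # requires Windows Server 2003
        CrossForestTrust       = ($level -ge 2)   # requires Windows Server 2003
    }
}

function Get-TrustReport {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://CN=System," + [string]$rootDse.defaultNamingContext)
    $searcher.Filter     = '(objectClass=trustedDomain)'
    foreach ($p in 'trustPartner', 'trustType', 'trustDirection', 'trustAttributes') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($t in $searcher.FindAll()) {
        $attrs = [int](Get-Value $t 'trustattributes')
        # Intra-forest and forest trusts authenticate with Kerberos; the remaining
        # external trusts are the NTLM-based, per-domain trusts the article refers to.
        $kind = 'External trust (NTLM)'
        if ($attrs -band $TRUST_WITHIN_FOREST)          { $kind = 'Intra-forest trust (Kerberos)' }
        elseif ($attrs -band $TRUST_FOREST_TRANSITIVE)  { $kind = 'Forest trust (Kerberos)' }
        New-Object PSObject -Property @{
            Partner      = [string](Get-Value $t 'trustpartner')
            Type         = $TrustTypes[[int](Get-Value $t 'trusttype')]
            Direction    = $TrustDirections[[int](Get-Value $t 'trustdirection')]
            Kind         = $kind
            Transitive   = -not ($attrs -band $TRUST_NON_TRANSITIVE)
            SidFiltering = [bool]($attrs -band $TRUST_QUARANTINED)
        }
    }
}

Get-ForestLevelReport
Get-TrustReport | Format-Table Partner, Type, Direction, Kind, Transitive, SidFiltering -AutoSize
```

The trust listing is the useful half for a merger: each "External trust (NTLM)" row between the two organisations is one that a single forest trust could replace, and the SidFiltering column shows which external trusts currently have the quarantine flag set. Run it in both forests, since each side holds its own trustedDomain objects.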

Manageability: New tools in the Active Directory MMC interface offer drag-and-drop administration, multiple selection and editing, and queries that the administrator can save for reuse at any site. For sites with strict password-change requirements, administrators no longer have to reboot to change the Restore Mode administrator password; it can be done while Domain Services are still online. Directory services command-line tools will also be provided, allowing administrators to write scripts for easier management.
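The directory services command-line tools mentioned above (dsquery, dsget, dsmod and friends) are what make routine hygiene scriptable. The script below is an added example written for this article, not part of the product: it builds a stale-user-account report from dsquery and dsget, and optionally disables the accounts with dsmod. It assumes the ds* tools are on the path (they ship with Windows Server 2003 and its Administration Tools Pack), that the caller has rights to read and, with -Disable, to modify the accounts, and it defaults to report-only; the inactivity threshold and report path are parameters of the example, not product settings.

```powershell
# Added example, not from the article: stale-user report and optional
# disablement using the Windows Server 2003 ds* command-line tools.
param(
    [int]$InactiveWeeks = 8,                            # weeks since last logon
    [string]$ReportPath = "$env:TEMP\stale-users.txt",  # where the dsget table is written
    [switch]$Disable                                    # without it, nothing is changed
)

# dsquery prints one quoted DN per line. -inactive is measured in weeks;
# -limit 0 lifts the default cap of 100 results so large domains are covered.
$staleDns = & dsquery user -inactive $InactiveWeeks -limit 0
if (-not $staleDns) {
    Write-Output "No user accounts inactive for $InactiveWeeks weeks."
    return
}

# dsget reads target DNs from standard input and prints one row per account.
# -c keeps going past individual failures (for example an account deleted
# between the query and this call) instead of aborting the whole report.
$staleDns | & dsget user -dn -samid -disabled -c | Tee-Object -FilePath $ReportPath

Write-Output ("{0} candidate account(s); report written to {1}" -f @($staleDns).Count, $ReportPath)

if ($Disable) {
    # dsmod also takes its targets from standard input. -disabled yes sets only the
    # account-disabled flag, leaving group membership and the password untouched,
    # so the change is reversible with -disabled no.
    $staleDns | & dsmod user -disabled yes -c
    Write-Output "Disabled $(@($staleDns).Count) account(s)."
}
```

Review the report before running with -Disable: dsquery's -inactive test is based on the last-logon timestamp, so service accounts that authenticate rarely and accounts created but never used will appear alongside genuinely abandoned ones.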

DNS: Domain controller renaming will require only a single reboot, rather than the three it currently takes on Windows 2000. Also included are improvements to DNS auto-configuration in DCPROMO, as well as the ability to force a demotion in DNS.

Next week, in the second of this series we will outline application support and security enhancements in Active Directory for Windows .NET Server 2003.

We encourage your feedback and suggestions on both this series and future articles via emailing

Ben Gerholt

PC World