Active Directory for Windows .NET Server 2003: Deployment enhancements

Following the announcement of release candidate 2 (RC2) by Bill Gates at Comdex a little over a week ago, over the next three weeks we will outline what the new Active Directory features in Windows .NET Server 2003 offer both existing Active Directory installations and organisations considering a move to Active Directory.

These Active Directory features and enhancements were first touted over a year ago, when Microsoft began outlining what .NET Server 2003 would include. As described at the time, they address ease of deployment, scalability and application integration.

This, the first in the series, provides an overview of features designed to help deploy Active Directory: capabilities that lift existing Active Directory limits of particular interest to larger enterprises, enhancements that make remote office deployment more effective, and new graphical and command-line management tools.

Deployment Enhancements

No Global Catalog (GC) Logon: Today a user logging on to a native-mode domain must reach a Global Catalog, because only the GC knows the user's universal group memberships, and those must be resolved before the logon token can be built. Consequently, administrators must either place a Global Catalog at each remote site, increasing server load and replication traffic across the WAN, or let logons reach a Global Catalog across the WAN link, which can mean slow authentication, extra WAN traffic, or failed logons if the link is congested or unavailable. With the .NET Server 2003 version of Active Directory, a domain controller at the site can cache each user's universal group membership, populated from a GC at the user's first logon and refreshed at an interval the administrator sets. This removes the need for a Global Catalog at every site, keeps routine logons on the LAN, and lets administrators centralise the Global Catalogs. Two caveats: a GC must still be reachable for a user's first logon at that site and for the refreshes, and between refreshes the cached membership is what the logon uses, so a membership change made elsewhere, including removal from a group that grants access, is not seen at that site until the next refresh.

Create Replica from Media: Today, when setting up a domain controller for a remote site, administrators must either accept a lengthy, expensive and link-degrading initial replication over the remote site's WAN link, or build the server on the central LAN and physically ship it to the remote site. Even with the second method, the delay between building and deployment still hits the WAN link, because the new domain controller must then pull every change made since it was last connected. With Active Directory in .NET Server 2003 the directory can instead be restored from a backup of an existing domain controller onto the new server, after which only the changes made since the backup was taken are replicated over the link. Global Catalogs can be built the same way. Two points to watch: the backup must be younger than the directory's tombstone lifetime, otherwise the new domain controller cannot safely be brought into replication, and the media holds a full copy of the directory, password hashes included, so it needs the same physical protection in transit as the domain controller itself.

Linked-value Replication: The 5000 direct member limit on groups goes away with this enhancement. Under Windows 2000 a group's member attribute is replicated as a single unit, so any membership change sends the entire list to every domain controller, and the list cannot safely exceed about 5000 values. With linked-value replication only the individual values that changed, the members added or removed, are replicated. Network usage drops, groups can hold more direct members, and two administrators changing the membership of the same group on different domain controllers no longer overwrite each other's change, since each value is replicated and conflict-resolved separately. For larger organisations, and particularly large Exchange installations, this is a major improvement. It requires the forest to be raised to the .NET Server 2003 forest functional level, and membership values written before that are not converted to the new form until they are next modified.

Improved Inter-Site Topology Generator: Active Directory currently includes a service called the Inter-Site Topology Generator (ISTG), which automatically computes the inter-site replication topology, effectively a routing table for directory replication between sites. Currently this service can support a maximum of 200 sites. For most Australian organisations this is not an issue. However, for a small number (Michael Leworthy, Windows Server Product Manager at Microsoft Australia, estimates two or three organisations in Australia) the increase of this limit from 200 sites to 5000 sites in Windows .NET Server 2003 is a significant enhancement. The improved algorithm only takes over once the forest is at the .NET Server 2003 forest functional level.

Domain Rename: Common scenarios for renaming domains are mergers and acquisitions, organisational consolidation and internal reorganisation. Under Windows 2000 a domain cannot be renamed in place; the only route is to build a new domain and migrate the objects into it. With .NET Server 2003, domains can be renamed, and repositioned within the forest, provided the resulting forest is well formed. The provisos are that every domain controller in the forest must run .NET Server 2003, the forest root domain cannot be changed to another domain, every domain controller in the renamed domains must be rebooted, and every member computer must be rebooted twice. Applications that store the domain name (Exchange in particular) should be checked for support before a rename is planned.

Cross-Forest Trust: Again common in merger and acquisition scenarios, trust relationships must be created so that users in either forest can reach resources in the other. On Windows 2000 a trust between forests is an external trust: non-transitive, created one domain pair at a time and authenticated with NTLM, so connecting every domain in one forest with every domain in the other means a mesh of trusts. With .NET Server 2003 a single cross-forest trust between the two forest root domains is transitive across all domains of both forests, eliminating the mesh, and supports Kerberos authentication across the trust. Both forests must be at the .NET Server 2003 forest functional level, the trust does not extend to a third forest that one of them also trusts, and SID filtering is applied by default so that SIDs from outside the trusted forest are dropped from the user's token.

Manageability: New tools in the Active Directory MMC snap-ins offer drag-and-drop administration, selection and editing of multiple objects at once, and queries that an administrator can save and reuse at any site. For sites with strict password change requirements, the Directory Services Restore Mode administrator password can now be changed while the domain controller is online, rather than rebooting into restore mode. Directory services command-line tools (dsadd, dsget, dsmod, dsmove, dsquery and dsrm) are also provided, so routine administration can be scripted.
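As an added illustration, not code from the article or from Microsoft, the script below runs those command-line tools from a cmd prompt to check several of the points covered above: which sites hold a Global Catalog, how large a group has grown, which user accounts are stale, and which trusts the domain has. The domain corp.example.com, its distinguished name and a group named All Staff are assumed for the example.

```batch
@echo off
rem Added example for this article, not Microsoft sample code.
rem Uses the Windows Server 2003 directory-service tools (dsquery, dsget,
rem dsmod, nltest). Run on a domain controller or a workstation with the
rem Administration Tools Pack installed.
rem Assumptions (hypothetical, adjust to your forest):
rem   - the domain is corp.example.com
rem   - a large group exists at cn=All Staff,ou=Groups,dc=corp,dc=example,dc=com
setlocal enabledelayedexpansion
set DOMAIN_FQDN=corp.example.com
set DOMAIN_DN=dc=corp,dc=example,dc=com
set BIG_GROUP=cn=All Staff,ou=Groups,dc=corp,dc=example,dc=com

echo === Sites and the Global Catalog servers in each ===
rem Shows which sites still rely on a local GC for logon.
rem -o rdn prints only the name; %%~S strips the quotes dsquery adds.
for /f "delims=" %%S in ('dsquery site -o rdn -limit 0') do (
    echo Site %%~S:
    dsquery server -site %%~S -isgc -o rdn
)

echo === Global Catalog the locator returns for %DOMAIN_FQDN% ===
rem Confirms a GC is reachable, which the first logon at a site still needs.
nltest /dsgetdc:%DOMAIN_FQDN% /gc

echo === Direct membership count of %BIG_GROUP% ===
rem dsget prints one member DN per line; find /c /v "" counts the lines.
rem More than 5000 direct members depends on linked-value replication.
dsget group "%BIG_GROUP%" -members | find /c /v ""

echo === User accounts with no logon in 12 weeks ===
rem -inactive uses lastLogonTimestamp, which is replicated only at the
rem Windows Server 2003 forest functional level. Review the list first.
dsquery user %DOMAIN_DN% -inactive 12 -limit 0

rem After review, the same query piped into dsmod disables those accounts:
rem dsquery user %DOMAIN_DN% -inactive 12 -limit 0 | dsmod user -disabled yes

echo === Trusts known to this domain ===
rem Forest trusts and external (NTLM-only) trusts are listed with their type.
nltest /domain_trusts /all_trusts
endlocal
```

The dsquery-into-dsmod pipe at the end is the pattern the tools are built around: dsquery emits quoted distinguished names, one per line, and dsmod reads them from standard input, so the disabling step is left as a comment until the list has been checked.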

DNS: Renaming a domain controller will require a single reboot, rather than the demote, rename and re-promote cycle, with its three reboots, needed on Windows 2000. Also included are improvements to DNS auto-configuration in DCPROMO, and the ability to force the demotion of a domain controller that can no longer contact the rest of the domain. A forced demotion does not remove the server's objects from the directory, so its metadata must be cleaned up afterwards on a surviving domain controller.

Next week, in the second of this series we will outline application support and security enhancements in Active Directory for Windows .NET Server 2003.

We encourage your feedback and suggestions on both this series and future articles via emailing