| What's New in Active Directory
The Active Directory® service provides single-logon capability and a central repository for information for your entire infrastructure, vastly simplifying user and computer management and providing superior access to networked resources. This article provides an overview of benefits, new features, and improvements for Active Directory in Windows Server 2003.
Benefits
Improvements in Active Directory deliver key strategic benefits for medium and large enterprises, enabling greater administrator and user productivity. Expanding on the foundation established in Windows 2000, Windows Server 2003 improves the versatility, manageability, and dependability of Active Directory. Organizations can benefit from further reductions in cost while increasing the efficiency in which they share and manage the various elements of the enterprise.
1. Greater Flexibility
Active Directory introduces important new features ensuring that it is one of the most flexible directory structures in the marketplace today. As directory-enabled applications become more prevalent, organizations can utilize the capabilities of Active Directory to manage the most complicated enterprise network environments. From Internet data centers to large distributed branch office enterprises, the improvements provided by Windows Server 2003 simplify administration and increase performance and efficiency, making it a very versatile solution.
2. Reduced Total Cost of Ownership
Active Directory has been enhanced to reduce total cost of ownership (TCO) and operation within the enterprise. New features and enhancements have been provided at all levels of the product to extend versatility, simplify management, and increase dependability.
New Features and Improvements
Windows Server 2003 brings many improvements to Active Directory, making it even more versatile, dependable, and economical to use. Specifically, Active Directory in Windows Server 2003 provides:
- Easier deployment and management
- Greater security
- Improved performance and dependability
Easier Deployment and Management
Windows Server 2003 enhances the administrator's ability to efficiently configure and manage Active Directory even in very large enterprises with multiple forests, domains, and sites. Improved migration and management tools, along with the ability to rename Active Directory domains, make deploying Active Directory significantly easier than when the directory service was first introduced in Windows 2000 Server. Better tools bring drag-and-drop capabilities, multi-object selection, and the ability to save and reuse queries. Plus, improvements in Group Policy make it easier and more efficient to manage groups of users and computers in an Active Directory environment.
1. ADMT version 2.0
It is now easier to migrate to Active Directory through a number of improvements that have been made to the Active Directory Migration Tool (ADMT). ADMT 2.0 now allows migrating passwords from Microsoft Windows NT® 4.0 to Windows 2000 and Windows Server 2003 or from Windows 2000 to Windows Server 2003 domains.
2. Domain Rename
This supports changing the Domain Name System (DNS) and/or NetBIOS names of existing domains in a forest, keeping the resulting forest still "well formed." Administrators have greater flexibility in changing the Active Directory structure after it is deployed. Design decisions are now reversible, which benefits organizations that may be in involved in a merger or significant restructuring.
3. Schema Redefine
The flexibility of Active Directory has been enhanced to allow the deactivation of attributes and class definitions in the Active Directory schema. Attributes and classes can be redefined if an error was made in the original definition.
4. AD/AM
Active Directory in Application Mode (AD/AM) is a new capability of Active Directory that addresses certain deployment scenarios related to directory-enabled applications. AD/AM runs as a non-operating system service and, as such, does not require deployment on a domain controller. Running as a non-operating system service means that multiple instances of AD/AM can run concurrently on a single server, with each instance being independently configurable.
5. Group Policy Improvements
In conjunction with Windows Server 2003, Microsoft is releasing a new Group Policy management solution that unifies management of Group Policy. The Microsoft Group Policy Management Console (GPMC) provides a single solution for managing all Group Policy-related tasks. GPMC lets administrators manage Group Policy for multiple domains and sites within a given forest, all in a simplified user interface (UI) with drag-and-drop support. Highlights include new functionality such as backup, restore, import, copy, and reporting of Group Policy objects (GPOs). These operations are fully scriptable, which lets administrators customize and automate management. Together these advantages make Group Policy much easier to use and help you manage your enterprise easier.
6. Enhanced UI
As the principal means to manage enterprise identities, objects, and relationships, improved interfaces increase efficiency and integration capabilities. Microsoft Management Console (MMC) plug-ins now include drag-and-drop capabilities, multi-object selection, and the ability to save and reuse queries. Administrators may now edit multiple user objects simultaneously, reset access control list (ACL) permissions to the default, show effective permissions on a security principal, and indicate the parent of an inherited permission.
back to top
Greater Security
Additional security features make it easier to manage the multiple forests and cross-domain trusts. Cross forest trust provides a new type of Windows trust for managing the security relationship between two forests-greatly simplifying cross-forest security administration and authentication. Users can securely access resources in other forests without sacrificing the single sign-on and administrative benefits of having only one user ID and password maintained in the user's home forest. This provides the flexibility to account for the need for some divisions or areas to have their own forest, yet maintain benefits of Active Directory. In addition, a new credential manager provides a secure store of user credentials and X.509 certificates. Software restriction policies let administrators prevent unwanted programs from being installed on computers throughout the network.
1. Cross-Forest Authentication
Cross-forest authentication enables secure access to resources when the user account is in one forest and the computer account is in another forest. This feature allows users to securely access resources in other forests, using either Kerberos or NTLM, without sacrificing the single sign-on and administrative benefits of having only one user ID and password maintained in the user's home forest.
2. Cross-Forest Authorization
Cross-forest authorization makes it easy for administrators to select users and groups from trusted forests for inclusion in local groups or ACLs. This feature maintains the integrity of the forest security boundary while allowing trust between forests. It enables the trusting forest to enforce constraints on what security identifiers (SIDs) it will accept when users from trusted forests attempt to access protected resources.
3. Cross-Certification Enhancements
The Windows Server 2003 client cross-certification feature is enhanced by enabling the capability for department-level and global-level cross certifications. For example, WinLogon will now be able to query for cross certificates and download these into the "enterprise trust/enterprise store." As a chain is built, all cross certificates will be downloaded.
4. IAS and Cross-Forest Authentication
If Active Directory forests are in cross-forest mode with two-way trusts, then Internet Authentication Service/Remote Authentication Dial-In User Service (IAS/RADIUS) can authenticate the user account in the other forest with this feature. This gives administrators the capability to easily integrate new forests with already existing IAS/RADIUS services in their forest.
5. Credential Manager
The Credential Manager provides a secure store of user credentials, including passwords and X.509 certificates. This will provide a consistent single-sign on experience for users, including roaming users. For example, when a user accesses a line-of-business application within their company's network, the first attempt to access this application requires authentication and the user is prompted to supply a credential. After the user provides this credential, it will be associated with the requesting application.
6. Software Restriction Policies
Software restriction policies address the need to regulate unknown or untrusted software. With software restriction policies, you can protect your computing environment from untrusted software by identifying and specifying which software is allowed to run. You can define a default security level of unrestricted or disallowed for a GPO so that software is either allowed or not allowed to run by default. You can make exceptions to this default security level by creating rules for specific software.
back to top
Improved Performance and Dependability
Windows Server 2003 more efficiently manages the replication and synchronization of Active Directory information. Administrators can better control the types of information that are replicated and synchronized between domain controllers both within a domain as well as across domains. In addition, Active Directory provides more features to intelligently select only changed information for replication-no longer requiring updating entire portions of the directory.
1. Easier Logon for Remote Offices
Branch offices with domain controllers can provide user logon through cached credentials without first contacting the global catalog, improving system performance and robustness over unreliable wide area networks (WANs). The loss of connectivity between a branch office and a global catalog no longer impacts the ability of branch users to log on. Branch offices can be supported more effectively and bandwidth consumption over WAN links is reduced.
2. Group Membership Replication Enhancements
As group members are added, changed, or deleted, only the changes are replicated, a benefit that reduces the burden on network bandwidth and processor usage. This largely eliminates the possibility of lost updates during simultaneous updates.
3. Application Directory Partitions
Some directory information does not need to be made globally available. This feature provides the capability to host data in Active Directory without significantly impacting network performance by providing control over the scope of replication and placement of replicas.
4. Install Replica from Media
Instead of replicating a complete copy of the Active Directory database over the network, this feature allows an administrator to source initial replication from files created when backing up an existing domain controller or global catalog server.est.
4. Dependability Improvements
Active Directory includes several new features that increase dependability such as Health Monitoring, which allows administrators to verify replications between domain controllers, improved global catalog replication, and an updated Inter-Site Topology Generator (ISTG) that scales better by supporting forests with a greater number of sites than Windows 2000.
back to top
|
