Finally, this section covers the Active Directory changes and improvements that affect day-to-day operations. Fortunately, most of these features enable themselves automatically when your domain or forest is in the correct functional level. Even though you don't need to enable these features, it's good to know about them so that you can take advantage of them.

Active Directory Application Mode

Microsoft has been disappointed with the rate at which companies have adopted Active Directory. Actually, the problem has been the rate at which companies aren't adopting Active Directory and are instead remaining on Windows NT-based domains. This hesitation on the part of Microsoft users is understandable: Active Directory represent a massive change in the way domains are planned, implemented, and managed, and not every company is convinced of the value Active Directory offers.

Aside from sad faces at Microsoft stockholder meetings, Active Directory's slow adoption has had a major impact on Microsoft's other product divisions. Exchange 2000 Server, for example, has had the slowest and lowest adoption rate of any version of Exchange, due primarily, we suspect, to its reliance on Active Directory. Other Microsoft products, such as Internet Security and Acceleration Server, require Active Directory for advanced functionality and can operate only in a limited fashion without it. This growing reliance on Active Directory, coupled with Active Directory's slow acceptance, has created a general slowdown in product adoption throughout Microsoft.

Microsoft's answer is Active Directory Application Mode (AD/AM). Essentially, AD/AM is a nondomain version of Active Directory designed to support applications that require Active Directory. You can implement AD/AM on regular servers and use it within an NT-based domain or without a domain at all.

AD/AM is considered part of the Windows Server 2003 product, but it isn't delivered on the product CD. It's a separate piece of Windows you can obtain directly from Microsoft or one of its certified partners.

Updating Logon Times

A helpful new feature of Windows Server 2003 domains running in the Windows Server 2003 functional level is the last logon timestamp attribute. This attribute is present for all security principals in a domain and is replicated to all domain controllers in the domain. It is updated each time the security principal logs on and can be useful in conducting security audits for unused or rarely used user and computer accounts. You can query this attribute in Active Directory Users and Computers, as described earlier in this chapter, in the section "Saved Queries."

Remote Office Logons

Windows 2000 domains have a significant weakness with respect to branch offices. Many organizations have deployed domain controllers to branch offices on the assumption that users would be able to log on to the local domain controller if the network connection between the branch office and the main office was unavailable. Unfortunately, these organizations didn't realize that Windows clients require a GC server to even find a domain controller. Without a GC at each branch office, the local domain controller can't be used for logging on when the network connection to the main office is unavailable.

An easy solution is to simply add a GC to each branch office. After all, any domain controller can be a GC. However, adding a GC simply to ensure logon capabilities is overkill, resulting in additional over-the-WAN network traffic.

Windows Server 2003 provides a better solution by supporting the capability of branch office clients to log on to a local domain controller even if a GC server isn't present. Organizations can now decommission GC servers located in remote offices, assured that their domain controllers will be capable of handling local logon traffic even if the WAN connection to the main office is unavailable.

Replication from Media

Whenever you build a new domain controller in a remote office, waiting for it to perform its first replication of Active Directory can be scary and time-consuming. WAN links don't offer the best bandwidth for whole-directory replication, but that's what a new domain controller requires.

Windows Server 2003 supports a new feature called replication from media. Essentially, you back up the domain database to a CD, tape drive, or some other removable media. You can then physically carry the media to the new remote domain controller running Windows Server 2003 and allow it to perform its first replication from that media. Subsequent replications include only changes and therefore are much smaller.

  • For more information on Windows Server 2003's new security features, see "What's New," p. 45.

  • For details on the new Group Policy user interface, see "Group Policy Management User Interface," p. 86.

  • For information on what's new and changed in Active Directory Group Policy, see "What's New," p. 81.

  • For a list of new Active Directory command-line utilities, see "New Command-Line Tools," p. 225.

  • For differences between 32-bit and 64-bit editions of Windows, see "Significant Differences," p. 259.