1.3 Windows 2000 Versus Windows Server 2003

While the first version of Active Directory available with Windows 2000 was very stable and feature-rich, it still had room for improvement, primarily around usability and performance. With Windows Server 2003, Microsoft has addressed many of these issues. To use these features, you have to upgrade your domain controllers to Windows Server 2003 and raise the domain and forest functional levels as necessary.

The difference between Windows 2000 Active Directory and Windows Server 2003 Active Directory is more evolutionary than revolutionary. The decision to upgrade to Windows Server 2003 is a subjective one, based on your needs. For example, if you have a lot of domain controllers and Active Directory sites, you may want to take advantage of the improvements with replication as soon as possible. Or perhaps you've been dying to rename a domain, a capability available in Windows Server 2003 Active Directory. On the whole, Microsoft added or updated more than 100 features within Active Directory, and we will now discuss some of the more significant ones.

For more information on migrating to Windows Server 2003 from Windows 2000, check out Chapter 14.

Some of the new features are available as soon as you promote the first Windows Server 2003 domain controller into an existing Windows 2000 Active Directory domain. In Table 1-2, the features available when you do so are listed along with descriptions. Note that these features will apply only to the Windows Server 2003 domain controllers in the domain.

Table 1-2. Windows 2000 domain functional level feature list

Application Partitions

You can create your own partitions to store data separately from the default partitions, and you can configure which DCs in the forest replicate it.

GC not required for logon (i.e., universal group caching)

Under Windows 2000, a DC had to contact a GC to determine universal group membership and subsequently to allow users to log on. This feature allows DCs to cache universal group membership so that it is not necessary to contact a GC for logons.

MMC enhancements and new command-line tools

The new Active Directory Users and Computers allows you to save queries, drag and drop, and edit multiple users at once, and it is much more efficient about scrolling through a large number of objects. In addition, several new command-line tools (dsadd, dsmod, dsrm, dsquery, dsget, and dsmove) come installed with the server, allowing for greater flexibility in managing Active Directory.

Install from media

Administrators can create new DCs for an existing domain by installing from a backup of an existing DC that resides on media such as a CD or DVD.

WMI Filtering for GPOs

You can apply a WMI filter, which is a query that can utilize any WMI information on a client, to a GPO, and that query will be run against each targeted client. If the query succeeds, the GPO will continue to process; otherwise it will stop processing.

In Table 1-3, the features available in domains running the Windows Server 2003 functional level are listed. A domain can be changed to the Windows Server 2003 functional level when all domain controllers in the domain are running Windows Server 2003.

Table 1-3. Windows Server 2003 domain functional level feature list

Domain controller rename

With Windows 2000, you had to demote, rename, and repromote a DC if you wanted to rename it. With Windows Server 2003 domains, you can rename DCs, and it only requires a single reboot.

Domain rename

A domain can be renamed, which was not previously possible under Windows 2000. The impact to the environment is pretty significant (i.e., all member computers must be rebooted), so it should be done conservatively.

Logon timestamp replicated

Under Windows 2000, the lastLogon attribute contained a user's last logon timestamp, but that attribute was not replicated among the DCs, thereby forcing you to query every DC to get the effective last logon. With Windows Server 2003, the lastLogonTimeStamp attribute will contain a user's last logon and will be replicated.

Quotas

Users who have write access to AD can cause a Denial of Service (DoS) attack by creating objects until a DC's disk fills up. You can prevent this type of attack using quotas. With a quota you can restrict the number of objects a security principal can create in a partition, container, or OU. Windows Server 2003 DCs can enforce quotas even when not at the Windows Server 2003 domain functional level, but for it to be enforced everywhere, all DCs must be running Windows Server 2003.
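The "Logon timestamp replicated" entry above is the one most administrators feel when hunting for stale accounts: under Windows 2000 the effective last logon is the latest lastLogon value read from every DC, whereas under Windows Server 2003 a single read of lastLogonTimeStamp suffices. The following Python is an added illustration, not code from the book; it converts the raw AD large-integer timestamps (100-nanosecond intervals since 1601-01-01), merges per-DC lastLogon values the Windows 2000 way, and flags accounts inactive for a given number of days. The DC names, account names and timestamp values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogon / lastLogonTimeStamp as a 64-bit count of
# 100-nanosecond intervals since the Windows FILETIME epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert a raw AD timestamp to a UTC datetime; 0 means never logged on."""
    value = int(value)
    if value <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def effective_last_logon(per_dc_values):
    """Windows 2000 style: lastLogon is not replicated, so the effective value
    is the newest lastLogon among the values each DC returned. With Windows
    Server 2003 the same function works on a single lastLogonTimeStamp read
    from any one DC ({"ANYDC": value})."""
    stamps = [filetime_to_datetime(v) for v in per_dc_values.values()]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def stale_accounts(users, inactive_days, now):
    """Names of accounts whose effective last logon is older than inactive_days
    or that never logged on. users maps account name -> {DC name: raw lastLogon}."""
    cutoff = now - timedelta(days=inactive_days)
    stale = []
    for name, per_dc in users.items():
        last = effective_last_logon(per_dc)
        if last is None or last < cutoff:
            stale.append(name)
    return sorted(stale)


def _ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


# Constructed sample: what three DCs might each report for lastLogon.
SAMPLE_USERS = {
    "alice": {"DC1": _ft(2003, 4, 1), "DC2": 0, "DC3": _ft(2003, 4, 2)},
    "bob":   {"DC1": 0, "DC2": 0, "DC3": 0},              # never logged on
    "carol": {"DC1": _ft(2002, 12, 1), "DC2": _ft(2002, 12, 1), "DC3": 0},
}
AS_OF = datetime(2003, 6, 1, tzinfo=timezone.utc)  # constructed "now"
```

Feeding it real data means reading lastLogon from each DC (or lastLogonTimeStamp from one DC at the 2003 functional level) with an LDAP client and passing the raw integers in.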

In Table 1-4, the features available to forests running the Windows Server 2003 functional level are listed. A forest can be raised to the Windows Server 2003 functional level when all domains contained within the forest are at the Windows Server 2003 domain functional level.

Table 1-4. Windows Server 2003 forest functional level feature list

GC replication tuning

After an attribute has been added to the GC, a sync of the contents of the GC for every GC server will no longer be performed as it was with Windows 2000.

Reactivation of defunct schema objects

This feature allows deactivated schema classes or attributes to be redefined.

Forest trust

A forest trust is a transitive trust between two forest root domains that allows all domains within the two forests to trust each other. To accomplish the same thing with Windows 2000, you would have to implement trusts for each domain between the two forests.

Per-value replication

This feature allows certain attributes to replicate on a per-value basis instead of a per-attribute basis (i.e., all values). This is vital for group objects because under Windows 2000, a change in the member attribute caused the entire set of values for that attribute to be replicated (unnecessarily).

Improved replication

The Intersite Topology Generator (ISTG) and Knowledge Consistency Checker (KCC) have been greatly improved and will create more efficient replication topologies.

Dynamic auxiliary classes

This feature allows for dynamically assigned per-object auxiliary classes. Under Windows 2000, an object could only utilize auxiliary classes that were statically defined in the schema for its object class.

Dynamic Objects

Dynamic objects have a defined time to live (TTL) after which they will be removed from Active Directory unless the TTL is updated. This can help facilitate data management for short-lived objects.

InetOrgPerson class for users

The inetOrgPerson object class is a standard (RFC 2798) commonly used by directory vendors to represent users. With Windows Server 2003, you can use either the Microsoft-defined user object class or the inetOrgPerson object class for user accounts.

In addition to the new features available in Windows Server 2003, Microsoft is developing a lightweight version of Active Directory called Active Directory Application Mode (AD/AM). AD/AM is intended to address certain deployment scenarios related to directory-enabled applications. It runs as a non-operating system service and can be implemented independently or in conjunction with your Active Directory environment. Since it runs as a non-operating system service, you can install multiple instances of AD/AM on a single server, with each instance independently configurable. AD/AM will be similar to a generic LDAP directory, such as OpenLDAP or SunONE Directory Server, with many NOS-specific features and requirements removed. If you are curious about how AD/AM fits into Microsoft's master plan, check out Chapter 17. For more information on AD/AM, check out the following web site:
