14.1 New Features in Windows Server 2003

While the release of Windows Server 2003 is viewed as evolutionary, there are quite a few new features that make the upgrade attractive.

By "feature" we mean new functionality that is not just a modification of the way it worked in Windows 2000. In this sense, a feature is something you have to use or implement explicitly. Functionality differences with Windows 2000 are covered in the next section.

We suggest you carefully review each of these features and rate them according to the following categories:

  1. You would use the feature immediately.

  2. You would use the feature eventually.

  3. You would never use the feature or it is not important.

Rating each feature will help you determine how much you could benefit from the upgrade. The following is the list of new features, in no particular order:

Application partitions

You can create partitions (naming contexts) whose replication scope you choose: any set of domain controllers in the forest, not just the domain controllers of one domain. Active Directory-integrated DNS zone data is the most common use.

Concurrent LDAP binds

Concurrent LDAP binds (also called fast binds, enabled per connection with the LDAP_SERVER_FAST_BIND_OID control, 1.2.840.113556.1.4.1781) only verify the supplied credentials: no Kerberos ticket or security token is built, so they are much faster than a normal simple bind. The price is that the connection has no security context, so it can be used to check passwords but not to perform operations that require authorization as that user, and only simple (DN and password) binds are accepted in this mode.

Cross-forest trust

This is a transitive trust between the root domains of two forests that lets every domain in either forest trust every domain in the other through a single trust relationship. Both forests must be at the Windows Server 2003 forest functional level. SID filtering is enabled by default on forest trusts, and selective authentication can restrict which users from the trusted forest may authenticate to which resources.

Domain controller rename

The rename procedure for domain controllers (netdom computername) requires only a single reboot, and it requires the domain to be at the Windows Server 2003 domain functional level.

Domain rename

Domains can now be renamed (rendom.exe), but not without significant impact on the user base (e.g., all member computers must be rebooted twice), and the forest must be at the Windows Server 2003 forest functional level. For more information, check out the following whitepaper: http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx.

Dynamic auxiliary classes

There is now support for the standards-based implementation of dynamic auxiliary classes. Under Windows 2000, auxiliary classes are considered "static" because they are statically defined in the schema. With dynamic auxiliary classes, you can link one when creating an object without it being defined in the schema as an auxiliary class for the object's objectClass.

Dynamic objects

Traditionally, objects are stored in Active Directory until they are explicitly deleted. With dynamic objects (RFC 2589), you can create objects that carry a time to live (TTL) in the entryTTL attribute; when the TTL expires the object is removed automatically unless a client has refreshed it. The feature requires the Windows Server 2003 forest functional level.

Install from media

A much-needed feature allows replica domain controllers to be promoted into a forest using a system state backup taken from another domain controller, so that only the changes since the backup have to replicate over the network. This can greatly decrease the amount of time it takes to promote domain controllers in large domains. The backup must be more recent than the tombstone lifetime, or the new replica would miss deletions.

MMC and CLI enhancements

The Active Directory Users and Computers (ADUC) tool has been enhanced to allow multiselect of objects; other tools such as repadmin and netdom have new options.

New DS CLI tools

A new set of CLI tools provides greater flexibility in managing Active Directory from the command line. These tools include dsadd, dsmod, dsrm, dsget, dsquery, and dsmove, and they are designed to be chained together (for example, the DNs returned by dsquery can be piped into dsget or dsmod).

New GPO settings

Over 100 new GPO settings have been added, providing greater flexibility in managing Active Directory clients.

RSoP

Resultant Set of Policy (RSoP) has been built into ADUC and can be fully utilized with the Group Policy Management Console (GPMC). RSoP allows administrators to determine which GPO settings will actually be applied to a given user or computer (logging mode) and to simulate the effect of a change before making it (planning mode).

TLS support

Windows 2000 supported only LDAP over SSL (LDAPS, TCP port 636) to encrypt directory traffic over the wire. Windows Server 2003 adds the standards-based StartTLS extended operation (RFC 2830), which upgrades an existing cleartext LDAP connection on port 389 to TLS.

Quotas

In Windows 2000, if users had access to create objects, they could create as many as they wanted, and there was no way to limit it. Quotas allow you to define how many objects a security principal (a user or a group) can own in a directory partition, which limits the damage a compromised or misbehaving account can do by flooding the directory. Quotas are defined per partition; when several quotas cover a principal, the largest applies, and tombstoned objects continue to count at a configurable percentage, so deleting objects does not immediately free quota.
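The following is an added example, not code from the book, that models how a domain controller decides whether a create operation fits within the requester's quota. The constants and rules it encodes are stated here as assumptions: quota specifications live in the NTDS Quotas container of each partition with a trustee SID (msDS-QuotaTrustee) and a limit (msDS-QuotaAmount); the largest matching quota wins; msDS-DefaultQuota (where -1 means unlimited) applies when none matches; tombstoned objects count at msDS-TombstoneQuotaFactor percent of a live object; and members of Domain Admins and Enterprise Admins are exempt. The SIDs and quota values are constructed sample data.

```python
# Added example: a model of Active Directory quota enforcement (not the
# book's code). Assumptions: largest matching quota wins, msDS-DefaultQuota
# of -1 means unlimited, tombstones count at msDS-TombstoneQuotaFactor
# percent, and Domain Admins (RID 512) / Enterprise Admins (RID 519) are exempt.

UNLIMITED = -1                      # msDS-DefaultQuota sentinel (assumption)
EXEMPT_RIDS = {"512", "519"}        # Domain Admins, Enterprise Admins

def is_exempt(sids):
    """True if any SID the requester holds ends in an exempt well-known RID."""
    return any(sid.rsplit("-", 1)[-1] in EXEMPT_RIDS for sid in sids)

def effective_quota(sids, quota_specs, default_quota=UNLIMITED):
    """Largest quota whose trustee is one of the requester's SIDs, else the default."""
    matching = [q["amount"] for q in quota_specs if q["trustee"] in sids]
    return max(matching) if matching else default_quota

def weighted_usage(live, tombstoned, tombstone_factor=100):
    """Object count in hundredths, so tombstone weighting needs no rounding."""
    return live * 100 + tombstoned * tombstone_factor

def can_create(sids, owned_live, owned_tombstoned, quota_specs,
               default_quota=UNLIMITED, tombstone_factor=100):
    """Would creating one more object keep the requester within quota?"""
    if is_exempt(sids):
        return True
    quota = effective_quota(sids, quota_specs, default_quota)
    if quota == UNLIMITED:
        return True
    return weighted_usage(owned_live + 1, owned_tombstoned,
                          tombstone_factor) <= quota * 100

# Constructed sample data: a domain SID prefix and a few principals.
DOMAIN = "S-1-5-21-1000-2000-3000"
DOMAIN_USERS = f"{DOMAIN}-513"
DOMAIN_ADMINS = f"{DOMAIN}-512"
HELPDESK = f"{DOMAIN}-1105"
BOB = f"{DOMAIN}-1110"
CAROL = f"{DOMAIN}-1111"

# Two quota specifications in the partition's NTDS Quotas container.
QUOTA_SPECS = [
    {"trustee": HELPDESK, "amount": 50},   # group quota
    {"trustee": BOB, "amount": 20},        # tighter per-user quota; group's 50 wins
]

BOB_SIDS = {BOB, HELPDESK, DOMAIN_USERS}
CAROL_SIDS = {CAROL, DOMAIN_USERS}
ADMIN_SIDS = {f"{DOMAIN}-1112", DOMAIN_ADMINS, DOMAIN_USERS}

if __name__ == "__main__":
    print("bob effective quota:", effective_quota(BOB_SIDS, QUOTA_SPECS))
    # 40 live + 40 tombstoned objects at factor 25 = 50 weighted; one more is denied.
    print("bob can create (factor 25):",
          can_create(BOB_SIDS, 40, 40, QUOTA_SPECS, tombstone_factor=25))
    print("carol can create (no quota, default unlimited):",
          can_create(CAROL_SIDS, 1000, 0, QUOTA_SPECS))
    print("admin can create:", can_create(ADMIN_SIDS, 10**6, 0, QUOTA_SPECS,
                                          default_quota=10))
```

The interesting cases are the tombstones: with a factor of 25, Bob's 40 deleted objects still consume a quarter of an object each, which is exactly why an attacker cannot churn create-and-delete to stay under the limit, and why tuning msDS-TombstoneQuotaFactor down to 0 reopens that gap.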

Query-based groups

Used for role-based authorization, the new Authorization Manager (AzMan) allows you to create flexible application groups whose membership is computed at run time from an LDAP query against attributes stored with users (e.g., department). These are not Active Directory security groups: they exist only inside an AzMan policy store and cannot be used in ACLs.

Redirect users and computers

You can redirect the default location for new users and computers with the redirusr and redircmp commands, respectively. This requires the Windows Server 2003 domain functional level. Redirecting to an OU matters because Group Policy cannot be linked to the default Users and Computers containers, so accounts and machines created without an explicit location otherwise receive only domain-level policy.

Schema redefine

You can defunct and then redefine attributes and classes in the schema (schema objects still cannot be deleted). Reusing a defunct attribute's or class's identifiers requires the Windows Server 2003 forest functional level.

Universal Group Caching

You can eliminate the requirement to have a global catalog server present during logon by enabling Universal Group Caching. This is enabled at the site level and applies to any clients that log on to domain controllers in the site. The cached membership is refreshed from a global catalog every 8 hours by default, so changes to universal group membership, including removals, can take up to that long to take effect at such a site.

Last logon timestamp attribute

A classic problem in a NOS environment is trying to determine the last time a user or computer logged in. The lastLogon attribute is not replicated, so answering the question meant querying every domain controller and taking the newest value. The new lastLogonTimestamp attribute is replicated, which means you can use a single query to find all users or computers that have not logged in within a certain period. It is only maintained once the domain is at the Windows Server 2003 domain functional level, and it is rewritten only when the stored value is more than 14 days old (msDS-LogonTimeSyncInterval, minus a random amount of up to 5 days), so treat it as accurate to about two weeks, not to the day.
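The following added example (mine, not the book's) shows the two details that trip people up when querying lastLogonTimestamp: the value is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and the 14-day update interval means a value must be padded before you call an account stale. The code builds the LDAP filter and applies the same rule to a constructed set of directory entries; the account names, dates, and the `now` value are made-up sample data.

```python
# Added example: computing a stale-account cutoff for lastLogonTimestamp.
# Not from the book. The entries below are constructed sample data.
from datetime import datetime, timedelta, timezone

# FILETIME epoch is 1601-01-01 UTC; values count 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# lastLogonTimestamp is rewritten only when the stored value is older than
# msDS-LogonTimeSyncInterval (default 14 days), so it may lag a real logon.
LOGON_TIME_SYNC_INTERVAL = timedelta(days=14)

def to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks using integer arithmetic."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)

def from_filetime(ticks):
    """Convert FILETIME ticks back to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def stale_cutoff(inactive_days, now):
    """Ticks before which an account is certainly inactive for inactive_days.

    The sync interval is subtracted so an account whose real last logon was
    inside the window cannot be flagged just because the attribute lagged.
    """
    return to_filetime(now - timedelta(days=inactive_days) - LOGON_TIME_SYNC_INTERVAL)

def stale_user_filter(inactive_days, now):
    """LDAP filter for users inactive for inactive_days.

    Accounts that have never logged on since the domain reached the Windows
    Server 2003 functional level have no value at all, so match absence too.
    """
    cutoff = stale_cutoff(inactive_days, now)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(|(lastLogonTimestamp<={cutoff})(!(lastLogonTimestamp=*))))")

def stale_accounts(entries, inactive_days, now):
    """Apply the same rule to already-fetched entries; returns sorted names."""
    cutoff = stale_cutoff(inactive_days, now)
    stale = []
    for entry in entries:
        value = entry.get("lastLogonTimestamp")
        if value in (None, 0) or int(value) <= cutoff:
            stale.append(entry["sAMAccountName"])
    return sorted(stale)

# Constructed sample data: a fixed "now" and four accounts.
NOW = datetime(2005, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "lastLogonTimestamp": to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob",   "lastLogonTimestamp": to_filetime(NOW - timedelta(days=120))},
    {"sAMAccountName": "carol"},   # never logged on: attribute absent
    # dave's value is 100 days old, but the real logon could be as recent as
    # 86 days ago, so a 90-day sweep must not flag him.
    {"sAMAccountName": "dave",  "lastLogonTimestamp": to_filetime(NOW - timedelta(days=100))},
]

if __name__ == "__main__":
    print(stale_user_filter(90, NOW))
    print(stale_accounts(SAMPLE_ENTRIES, 90, NOW))
```

The filter string is what you would hand to dsquery * or any LDAP client; the point of `stale_accounts` is that dave, whose timestamp is 100 days old, is correctly left alone by a 90-day sweep because the attribute's own lag is accounted for.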

WMI filtering of GPOs

In addition to the OU, site, domain, and security group criteria that can be used to filter GPOs, you can now use WMI information from the client machine to determine whether a GPO should be applied (for example, a WQL query against Win32_OperatingSystem so that a policy applies only to servers). WMI filters are evaluated on the client at every policy refresh, and Windows 2000 clients ignore them and apply the GPO unconditionally.

WMI providers for trust and replication monitoring

These new WMI providers (in the root\MicrosoftActiveDirectory namespace, with classes such as MSAD_ReplNeighbor and Microsoft_DomainTrustStatus) provide the ability to query and monitor the health of trusts and replication programmatically, from scripts or a monitoring system, instead of parsing repadmin output.

If you find that you would immediately use more than four or five features or eventually use four or five of them, the benefit may be great enough to warrant a near-term move to Windows Server 2003. If you don't find that you'll take advantage of many of these new features, take a look at the next section to see if you would benefit from any of the functionality differences with Windows 2000.
