While the release of Windows Server 2003 is viewed as evolutionary, there are quite a few new features that make the upgrade attractive.
We suggest you carefully review each of these features and rate them according to the following categories:
You would use the feature immediately.
You would use the feature eventually.
You would never use the feature or it is not important.
Rating each feature will help you determine how much you could benefit from the upgrade. The following is the list of new features, in no particular order:
You can create partitions that can replicate to any domain controller in the forest.
Concurrent LDAP binds do not generate a Kerberos ticket and security token and are therefore much faster than a simple LDAP bind.
The new forest trust is a transitive trust that allows all the domains in two different forests to trust each other via a single trust defined between the two forest root domains.
The rename procedure for domain controllers requires a single reboot.
Domains can now be renamed, but not without significant impact to the user base (e.g. all member computers must be rebooted twice). For more information, check out the following whitepaper: http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx.
There is now support for the standards-based implementation of dynamic auxiliary classes. Under Windows 2000, auxiliary classes are considered "static" because they are statically defined in the schema. With dynamic auxiliary classes, you can link one when creating an object without it being defined in the schema as an auxiliary class for the object's objectClass.
Traditionally, objects are stored in Active Directory until they are explicitly deleted. With dynamic objects, you can create objects that have a time to live (TTL) value that dictates when they will be automatically deleted unless refreshed.
A much-needed feature allows replica domain controllers to be promoted into a forest using a backup from another domain controller. This can greatly decrease the amount of time it takes to promote domain controllers in large domains.
The Active Directory Users and Computers (ADUC) tool has been enhanced to allow multiselect of objects; other tools such as repadmin and netdom have new options.
A new set of CLI tools provides greater flexibility in managing Active Directory from the command line. These tools include dsadd, dsmod, dsrm, dsget, and dsquery.
Over 100 new GPO settings have been added, providing greater flexibility in managing Active Directory clients.
Resultant Set of Policy (RSoP) has been built into ADUC and can be fully utilized with the Group Policy Management Console (GPMC). RSoP allows administrators to determine what settings of GPOs will be applied to end users and computers.
With Windows 2000, only SSL was supported to encrypt traffic over the wire. TLS, the latest standards-based approach for encrypting LDAP traffic, is now also supported.
In Windows 2000, if users had access to create objects, they could create as many as they wanted, and there was no way to limit it. Quotas allow you to define how many objects a user or group of users can create. Quotas can also dictate how many objects of a certain objectClass can be created.
Used for role-based authorization, the new Authorization Manager allows you to create flexible groups based on information stored with users (e.g., department).
You can redirect the default location to store new users and computers with the redirusr and redircmp commands, respectively.
You can defunct and then redefine attributes and classes in the schema.
You can eliminate the requirement to have a global catalog server present during login by enabling Universal Group Caching. This is enabled at the site level and applies to any clients that log on to domain controllers in the site.
A classic problem in a NOS environment is trying to determine the last time a user or computer logged in. The new lastLogonTimestamp attribute is replicated, which means you can use a single query to find all users or computers that have not logged in within a certain period of time.
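The single stale-account query mentioned above, as an added example that is not part of the original text. It builds the LDAP filter against lastLogonTimestamp and applies the same rule offline to constructed sample entries; the caveat a practitioner needs is that the attribute is a FILETIME (100-nanosecond intervals since 1601) and is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so it can lag the true last logon by up to that long. The entry dicts, account names, and the fixed NOW are assumptions for the sample.

```python
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME integer (integer arithmetic, no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def filetime_to_datetime(ft):
    """FILETIME integer -> UTC datetime (sub-microsecond digits are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def stale_ldap_filter(now, cutoff_days, sync_interval_days=14):
    """Build the single query for accounts idle longer than cutoff_days.
    The stored value may lag the real last logon by up to the sync interval
    (msDS-LogonTimeSyncInterval, default 14 days), so the cutoff is pushed back
    by that much to avoid flagging accounts that actually logged on recently.
    Accounts that never logged on since the attribute existed have no value at
    all, so they are matched separately with (!(lastLogonTimestamp=*))."""
    cutoff = datetime_to_filetime(now - timedelta(days=cutoff_days + sync_interval_days))
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(|(lastLogonTimestamp<={cutoff})(!(lastLogonTimestamp=*))))")

def find_stale_accounts(entries, now, cutoff_days, sync_interval_days=14):
    """Apply the same rule offline to fetched entries: dicts with
    'sAMAccountName' and an optional integer 'lastLogonTimestamp'."""
    threshold = now - timedelta(days=cutoff_days + sync_interval_days)
    stale = []
    for entry in entries:
        ft = entry.get("lastLogonTimestamp")
        if ft is None or filetime_to_datetime(ft) <= threshold:
            stale.append(entry["sAMAccountName"])
    return stale

# Constructed sample data (not from a real directory); NOW is fixed for repeatability.
NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob", "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=95))},
    {"sAMAccountName": "carol", "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "svc-old"},  # never logged on since lastLogonTimestamp existed
]

if __name__ == "__main__":
    print(stale_ldap_filter(NOW, 90))
    print(find_stale_accounts(SAMPLE_ENTRIES, NOW, 90))  # ['carol', 'svc-old']
```

Note that bob (95 days idle) is deliberately not flagged at a 90-day cutoff, because his stored timestamp could be up to 14 days older than his real last logon.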
In addition to the OU, site, domain, and security group criteria that can be used to filter GPOs, you can now use WMI information on a client's machine to determine if a GPO should be applied.
New WMI providers make it possible to query and monitor the health of trusts and replication programmatically.
If you find that you would immediately use more than four or five features or eventually use four or five of them, the benefit may be great enough to warrant a near-term move to Windows Server 2003. If you don't find that you'll take advantage of many of these new features, take a look at the next section to see if you would benefit from any of the functionality differences with Windows 2000.