Contents

Chapter 1: Windows Server 2003 — What's New (p. 1)
  Introduction (p. 1)
  A Chapter-by-Chapter Roadmap to the Book (p. 1)
  Windows 2003 Editions (p. 2)
    Windows 2003, Standard Edition (p. 3)
    Features Common to Three Windows 2003 Editions (p. 4)
      Active Directory (AD) (p. 4)
      Network Load Balancing (NLB) (p. 4)
      Internet Information Services (IIS) 6.0 (p. 4)
      Internet Connection Firewall (ICF) (p. 4)
      Remote Access (p. 5)
      Remote Desktop for Administration (p. 5)
      Server Event Tracking (p. 6)
      Manage Your Server Wizard (p. 9)
      Help File (p. 10)
      Volume Shadow Copy for Shares (p. 10)
      IP Security (IPSec) over NAT (p. 10)
      Microsoft .NET Framework (p. 10)
    Windows 2003, Enterprise Edition (p. 11)
    Windows 2003, Datacenter Edition (p. 12)
    Windows 2003, Web Edition (p. 13)
    Windows 2003 32-Bit and 64-Bit Processing (p. 13)
  Windows 2003 Hardware Requirements (p. 14)
    Real-World Windows 2003 Hardware Requirements (p. 15)
  Keeping Your System Updated and Secure (p. 15)
    Driver Signing (p. 16)
    Driver Rollback (p. 16)
    Automatic Updates (p. 18)
    Software Updates with SUS (p. 18)
  IIS Improvements (p. 19)
    IIS Remote Administration Mode (p. 20)
  Should You Deploy? (p. 21)
  Onward — to Windows 2003 AD (p. 22)

Chapter 2: What's New in Windows Server 2003 Active Directory (p. 23)
  Introduction (p. 23)
  Working with Domain Levels (p. 24)
    Analyzing Your Current Network (p. 24)
      If You Have Combined Win2K and NT 4.0 BDCs (p. 24)
      If You Have All Win2K DCs (p. 28)
      If You Have All NT 4.0 Domain Controllers (p. 29)
      Decision Point (p. 30)
      Getting to Interim Mode (p. 30)
      Sidebar: Why Does Interim Mode Exist? (p. 30)
      If You Have No Windows-based Domains (p. 32)
    Domain Level Review (p. 34)
    Domain Functional Level Diagram (p. 35)
  Working with Forest Levels (p. 37)
    Windows 2003 Forest Functional Level Features (p. 38)
  Preparing for the Upgrade (p. 39)
    Using Adprep (p. 39)
      Running Adprep /forestprep (p. 40)
      Running Adprep /domainprep (p. 42)
  Next: Windows 2003 AD Management (p. 42)

Chapter 3: What's New in Windows 2003 Active Directory Management (p. 43)
  New Administration Console Features (p. 43)
    Drag-and-Drop Function (p. 44)
    Multiple Select Function (p. 45)
    Saved Queries Function (p. 46)
  Group Policy Management Console (p. 48)
    Installation and Initial Use (p. 49)
    GPMC Basic Use (p. 50)
    The GPMC's New Functions (p. 50)
  New Forest Options (p. 51)
    Defining the Problem (p. 51)
    Win2K's Solution (p. 54)
    Windows 2003's Solution (p. 54)
    What a Federation Does and Doesn't Offer (p. 55)
    Creating Cross-Forest Trusts (p. 56)
  Next: Delegation and Security in Windows 2003 (p. 62)

Chapter 4: Inside Windows Server 2003 Forests and DNS (p. 63)
  Securing Forest Trusts (p. 63)
    Cross-Forest Trust Security (p. 64)
    Authentication Firewall (p. 64)
    SID Filtering (p. 69)
  Windows 2003 DNS Additions (p. 70)
    DNS Health Checks (p. 70)
      Windows 2003 DNSLINT (p. 71)
    Conditional Forwarding (p. 72)
      Setting Up Conditional Forwarding (p. 75)
    Stub Zones (p. 76)
      Creating Stub Zones (p. 79)
    Conditional Forwarding vs. Stub Zones (p. 80)
  Next: Windows 2003 Security Enhancements (p. 80)

Chapter 5: Windows Server 2003 Security Enhancements (p. 81)
  Securing the Wire (p. 81)
    Shoring Up with SMB Signing (p. 81)
      Win98 Clients (p. 82)
      NT 4.0 Clients (p. 83)
      Win95 Clients (p. 83)
      Manipulating the Servers to Not Require SMB Signing (p. 85)
    Shoring Up with Secure Channel Signing (p. 86)
    Shoring Up with LDAP Signing (p. 87)
    Shoring Up by Eliminating NTLM and LM (p. 88)
    Enabling NTLMv2 Authentication at the Client (p. 89)
      NTLMv2 for NT 4.0 Clients (p. 89)
      NTLMv2 for Win9x Clients (p. 89)
    Disabling NTLM and LM at the Domain Level (p. 90)
  ACL Viewing and Editing Improvements (p. 91)
  Security Principals Update (p. 93)
  Schema Updates and Modifications (p. 95)
  Next: Backup, Restore, and Recovery (p. 100)

Chapter 6: Backup, Restore, and Recovery for Windows Server 2003 and Active Directory (p. 101)
  Using the RC (p. 101)
  Deploying EMS (p. 105)
    Understanding Out-of-Band Management (p. 105)
    Configuring the SAC (p. 107)
    Understanding !SAC (p. 111)
    Additional EMS Thoughts (p. 112)
  Performing an AD Backup and Restore (p. 112)
    AD Backup Essentials (p. 113)
      Performing a System State Backup (p. 113)
      Creating an AD Map (p. 114)
    AD Nonauthoritative Restore (p. 115)
    AD Authoritative Restore (p. 116)
  The New Windows 2003 Backup API (p. 118)
    Enabling ASR (p. 118)
  Replicating DCs from Media (p. 120)
  Next: New Tools and Resources (p. 121)

Chapter 7: Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools (p. 123)
  Windows 2003 Built-In Command-Line Tools (p. 123)
    Built-In Command-Line Event-Log Tools (p. 125)
      Eventcreate (p. 125)
      Eventquery (p. 127)
      Eventtriggers (p. 128)
    Built-In AD Management Tools (p. 129)
      Dsadd (p. 130)
        Dsadd User (p. 130)
      Dsquery (p. 131)
        Dsquery User (p. 131)
  Windows 2003 Support Tools (p. 132)
    Support Tools Installation (p. 132)
    AD Tools (p. 135)
      Dcdiag (p. 135)
        Dcdiag with Replication (p. 135)
        Dcdiag with Dcpromo (p. 136)
      Replmon (p. 137)
  Windows 2003 Resource Kit Utilities (p. 139)
    Active Directory Users and Computers Enhancement Tools (p. 139)
      Acctinfo.dll (p. 139)
      Rcontrolad (p. 141)
    Event Manipulation Tools (p. 142)
      Custreasonedit (p. 142)
      EventCombMT (p. 144)
  Next: Special Domain Operations (p. 146)

Chapter 8: Special Domain Operations (p. 147)
  FSMO Role Review and Troubleshooting (p. 147)
    Knowing Role Holders (p. 148)
      Dumpfsmos (p. 149)
      Replmon (p. 149)
    Transferring Roles (p. 150)
      Role Transfer Through the GUI (p. 150)
      Role Transfer Through the Command Line (p. 151)
    Seizing Roles (p. 153)
  Cleaning Up AD Metadata (p. 154)
    Metadata Clean-Up Process (p. 155)
  Renaming DCs (p. 158)
    DC Rename Through the GUI (p. 159)
    DC Rename Through the Command Line (p. 160)
  Renaming Domains (p. 163)
    Domain Rename — A History (p. 163)
    Windows 2003 Domain Rename — An Alternative (p. 165)
    Windows 2003 Domain Rename — How To (p. 167)
  Final Thoughts (p. 168)
    Thank You (p. 168)
    Dedication (p. 168)
    Contact Information (p. 168)
  9. 9. 1 Chapter 1 Windows Server 2003 — What’s New Introduction If you’re downloading this eBook, you probably want to know why you should care about Micro- soft’s latest server OS — Windows Server 2003 (Windows 2003). Inside, you’ll discover which features might be important to you and why. Whether you’re a Windows 2000-with-Active Direc- tory (AD) expert or a Windows NT administrator who’s been reading all the trade journals about Microsoft’s new server family — this book is for you. To get the most from this eBook, you should have a working knowledge of Win2K and some AD experience. However, if you’re new to AD, you can still make good use of the information that you find here. Windows 2003 brings much that’s either new or improved to the table. I discuss the new fea- tures and improvements in some depth. In addition, I discuss key topics that many Windows texts fail to cover, such as AD backup and recovery. I occasionally compare Windows 2003 to Win2K to illustrate both the similarities and the important new differences between the two server OSs. n Note This book differs from several currently available Windows 2003 books in that it’s based on experience with the actual product — not with beta code and outdated screens. The advan- tage to you is that you won’t be missing any “late-breaking” information. A Chapter-by-Chapter Roadmap to the Book To begin, let me give you a chapter-by-chapter roadmap for the book: Chapter 1: Windows Server 2003 — What’s New Chapter 1 introduces Windows 2003’s notable new non-AD-related features. You’ll want to become familiar with what Windows 2003 offers in preparation for the in-depth discussions of Windows 2003 and AD. In addition, knowing these features can help you make a solid busi- ness case for deploying Windows 2003. Chapter 2: What’s New in Windows Server 2003 Active Directory Chapter 2 covers the different AD domain and forest modes. You might be familiar with Win- dows 2000’s Mixed and Native modes. 
Windows 2003 adds a new mode specific to this new server OS. In this chapter, I discuss how to prepare your existing domains for Windows 2003 with AD. Chapter 3: What’s New in Windows Server 2003 Management Chapter 3 introduces some excellent Windows 2003 management features, including new Active Directory Users and Computers features and the Group Policy Management Console (GPMC). I Brought to you by NetIQ and Windows & .NET Magazine eBooks
  10. 10. 2 Windows 2003: Active Directory Administration Essentials also review how to use AD’s advanced management features to tie together your Windows 2003, Win2K, and NT domains. Chapter 4: Inside Windows Server 2003 Forests and DNS Chapter 4 explores Windows 2003’s new cross-forest trusts – demonstrating precisely how to control resources – via the new Authentication Firewall and SIDFiltering techniques. Addition- ally, I cover what’s new with Windows 2003 DNS: Conditional Forwarding, DNS Stub zones, and the new DNSLint tool. Chapter 5: Windows Server 2003 Security Enhancements Chapter 5 covers client side security with Windows 2003’s new required server rules. I'll dis- cuss the new ACL editor and explain how Windows 2003 deals with schema changes and revisions, along with other security enhancements. Chapter 6: Backup, Restore, and Recovery for Windows Server 2003 and Active Directory Chapter 6 discusses Windows 2003 AD backup and restore features, including the ins and outs of resurrecting objects after they’ve been deleted. You’ll want to know how Windows 2003 addresses this situation. Chapter 7: Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools Chapter 7 introduces Windows 2003’s extensive set of tools. I cover the plethora of command- line tools, support tools, and the Microsoft Windows Server 2003 Resource Kit tools. Chapter 8: Windows Server 2003 Special Domain Operations Chapter 8 reviews a new Windows 2003 domain renaming feature. You can now rename both domain controllers (DCs) and complete domains. Should your organization name change from smallcollege.edu to huge-u.edu, for example, you won’t be plagued by the old name remaining in the domain. Windows 2003 offers much that’s new and even more that’s improved. Over the next several months, I’ll cover the key features in bite-sized chunks. So, welcome to Windows 2003 and AD. It won’t be long until you’re ready to go forth and deploy! 
Jeremy Moskowitz
jeremym@moskowitz-inc.com

If you want to contact me with specific Windows 2003 questions, I’ll take a shot at answering them or directing you to a solid specific resource. However, I might not be able to research every question in depth.

Windows 2003 Editions

Like the Win2K and NT server OSs, Windows 2003 comes in several sizes. According to Microsoft, you can find a size for every type of business. Win2K offers three server editions and one client. Windows 2003 offers four server editions and no client — that is, the client comes in the form of Windows XP Professional. Table 1.1 presents the different versions of Win2K Server and Windows 2003 and their clients side by side.

The two most commonly deployed Windows 2003 server editions will probably be Windows 2003, Standard Edition and Windows 2003, Enterprise Edition. You might well be asked to influence a purchasing decision between the two. Knowing which features each edition offers can help you and your company make the best business decision.

Note: Windows 2003, Standard Edition might be just the ticket for most businesses’ day-to-day needs. However, to weigh which server edition might be right for your business, examine the features listed in the following text.

Table 1.1 Win2K and Windows 2003 servers and clients

Role                                          Windows 2000                   Windows 2003
Departmental server                           Win2K Server                   Windows 2003, Standard Edition
General use server                            Win2K Advanced Server          Windows 2003, Enterprise Edition
Mission-critical server                       Win2K Datacenter Server        Windows 2003, Datacenter Edition
One-stop-shop server for all business needs   Win2K Small Business Server    Windows 2003, Small Business Server Edition
Web server                                    None                           Windows 2003, Web Edition
Preferred client                              Win2K and Windows XP work      Windows XP supports extra features
                                              equally well                   and optimization

I explore the different Windows 2003 server editions to give you an overview of each server’s capabilities, beginning with Windows 2003, Standard Edition to establish a baseline. I then list the features common to Windows 2003, Standard Edition, Windows 2003, Enterprise Edition, and Windows 2003, Datacenter Server, before I continue with individual edition overviews.

Windows 2003, Standard Edition

According to Microsoft, Windows 2003, Standard Edition targets departments and small businesses with IT departments for use as a general purpose server. It performs the usual server functions of ensuring that users can access data in all forms (e.g., through file and print services), housing database systems, running complex business processes, and providing a communications gateway, such as a VPN.

Windows 2003, Standard Edition can accommodate four-way Symmetric Multiprocessing (SMP) machines, which means that Standard Edition servers can contain up to four processors. Windows 2003, Standard Edition can accommodate up to 4GB of memory — no matter how many processors you have in the system. You’ll enjoy the room.
Tip: Windows 2003 introduces a new feature that – if you have enough RAM to support it – lets you eliminate your Windows swap file completely. Consider using this feature only if you have enough RAM to do without your swap file. In Task Manager, view the Performance tab. Inspect the “Commit Charge” entry to see whether the peak commit is less than the physical memory. If it is, you should be able to eliminate the swap file.

Windows 2003, Standard Edition is the follow-on to Win2K Server. In theory, you can simply pop the Windows 2003, Standard Edition CD-ROM into existing Win2K servers and upgrade them “in place.” However, note the caution below.

Caution: Only upgrade your Win2K servers to Windows 2003 with a change-management plan.

Features Common to Three Windows 2003 Editions

Now that I’ve introduced Windows 2003, Standard Edition, let me briefly review features common to several of the server editions. The Windows 2003, Standard Edition, Windows 2003, Enterprise Edition, and Windows 2003, Datacenter Server Edition servers provide a gaggle of new or updated features. In the following text, I discuss some of these features. Windows 2003, Web Edition’s features are significantly different, as I point out later in this chapter. (Windows 2003, Small Business Server Edition hasn’t yet been released. The server will include many features, such as a built-in version of Exchange. However, specifications aren’t currently available.)

Note: I mention the features that Microsoft introduced in the various Win2K Server editions for comparison only.

Active Directory (AD)

Win2K Server brought us AD. Although the first iteration of AD wasn’t designated AD 1.0, it sometimes seemed to be missing features.
That situation has changed in Windows 2003 with what I call “Active Directory 1.1.” As was true with Win2K, DCs still house AD components, respond to client authentication requests, and share the AD database. I discuss these basic units of AD and the newest AD features in Chapter 2, Chapter 3, and Chapter 8. Windows 2003 offers too many new AD features to list here.

Network Load Balancing (NLB)

Win2K Server didn’t support NLB. However, Windows 2003, Standard Edition supports two-node NLB. Windows 2003, Enterprise Edition and Windows 2003, Datacenter Edition support additional nodes, as you’ll see where they’re covered individually. (My research indicates that Windows 2003, Web Edition doesn’t support NLB.)
Internet Information Services (IIS) 6.0

Windows 2003 IIS 6.0 offers improved architecture and improved speed. The increased speed is impressive. The Lockdown Wizard is now included rather than being a downloadable add-on.

Internet Connection Firewall (ICF)

All Windows servers now have a basic stateful Internet firewall, which Figure 1.1 shows. ICF can block or permit traffic by specific traffic type or to specific ports. The “big brother” of this built-in feature is Microsoft’s Internet Security and Acceleration (ISA) Server 2000. Although ICF isn’t “industrial strength,” it performs basic security functions.

Remote Access

Microsoft has improved Windows remote access. Specifically, remote access includes a useful new feature — the Network Access Quarantine Control feature — that lets you “quarantine” users. Briefly, here’s how the feature works: If client systems don’t run software that you specify, such as a service pack or a virus scanner, those client systems are quarantined and can’t access your network.

Figure 1.1 The Internet Connection Firewall

Tip: The remote access quarantine is a bit difficult to work with. You can download the complete details at the following URL: http://www.microsoft.com/windowsserver2003/docs/quarantine.doc
Remote Desktop for Administration (Terminal Services in Remote Administration mode)

Win2K introduced many of us to the world of Terminal Services. You’ll recall that Win2K has two modes for Terminal Services — Full Terminal Services mode (also called Application server mode) and Terminal Services — Administration Mode (also called Remote administration mode). The latter mode let two administrators remotely administer the server as if they were practically standing at the console. With Win2K, you could choose one of the two modes mentioned or choose not to select a terminal services mode. After loading Terminal Services mode, Win2K requires a reboot.

In contrast, Windows 2003 by default loads the necessary files for the equivalent of Terminal Services — Administration Mode. To finish enabling Terminal Services — Administration Mode, you need only select the Remote Desktop check box on the Remote tab of the server’s System Properties, which Figure 1.2 shows.

Figure 1.2 Enabling Remote Desktop

Server Event Tracking

Microsoft has tried to ensure that the latest server editions are the most reliable ever. In the past, many users shut down and restarted their servers for various reasons, some of them inappropriate. With NT, for example, it might often have made sense to reboot a server on a Saturday night to clear out the memory and prevent server crashes the following week. With Windows 2003, Microsoft intends to prove to everyone — including your management — that the servers will stay up until administrators take them down. To that end, Microsoft has included a small reporting window into which administrators can type precisely why they choose to shut down a server. The EventcombMT tool from the Windows Server 2003 Resource Kit can parse the logs from all servers and highlight why administrators reboot servers.

Note: I discuss more Resource Kit tools in Chapter 7: Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools.

Figure 1.3 shows a Windows 2003 event-tracking Shut Down Windows screen. In the Shutdown Event Tracker Option segment of the dialog box, you can specify by category why you’re shutting the server down.

Figure 1.3 Windows 2003 event-tracking Shut Down Windows screen

Figure 1.4 shows the option selected in Figure 1.3, including the comment field that lets you enter more detailed information about why you shut down the server. The record of server shutdowns might be valuable both to you and to Microsoft.
Figure 1.4 Shutdown Event Tracker comment field

You might not want to use the Shutdown Event Tracker. Figure 1.5 shows the policy you use to disable the mechanism. You can enable and disable Shutdown Event Tracker through the Group Policy Object Editor.

Tip: You might find the shutdown event mechanism annoying, especially in a testing environment in which machines are rebooted all the time. You might want to turn this feature off for some servers, but certainly not for all. With that in mind, you can use these steps to turn off Server Event Tracking on a particular server.

1. Click Start, Run, and type in GPEDIT.MSC.
2. Traverse to Computer Settings, System, Display Shutdown Event Tracker.
3. Disable the policy.
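The chapter mentions that EventcombMT can parse the logs from all your servers and highlight why administrators reboot them. The PowerShell script below is an added example (not from the eBook and not part of the Resource Kit) that produces the same kind of summary on its own: Windows records each tracked shutdown or restart in the System log as event ID 1074, whose message text carries the reason category, the reason code and the comment typed into the Shutdown Event Tracker dialog. The script collects those records from a list of servers, groups them by server and reason, and lists the reboots that were logged without a comment. It assumes a current PowerShell host with Get-WinEvent and remote event log access to the servers; the server names and the 30-day window are placeholders.

```powershell
# Added example, not from the eBook or the Resource Kit: summarize Shutdown Event
# Tracker records the way the chapter describes EventcombMT doing it.
# Event ID 1074 in the System log holds the reason, reason code and comment.
# Assumes Get-WinEvent is available and the servers allow remote log reads.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),   # placeholder server names
    [int]$Days = 30                                        # placeholder look-back window
)

function Get-ShutdownReason {
    param([string]$Computer, [datetime]$Since)

    try {
        $events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
            LogName = 'System'; Id = 1074; StartTime = $Since
        } -ErrorAction Stop
    } catch {
        Write-Warning "$Computer`: $($_.Exception.Message)"
        return
    }

    foreach ($e in $events) {
        $msg = $e.Message
        # Pull the tracker fields out of the 1074 message text.
        [pscustomobject]@{
            Computer = $e.MachineName
            Time     = $e.TimeCreated
            User     = if ($msg -match 'on behalf of user (\S+)')              { $Matches[1] } else { '' }
            Reason   = if ($msg -match 'for the following reason: ([^\r\n]+)') { $Matches[1].Trim() } else { '' }
            Code     = if ($msg -match 'Reason Code: (\S+)')                   { $Matches[1] } else { '' }
            Comment  = if ($msg -match 'Comment: (.*)')                        { $Matches[1].Trim() } else { '' }
        }
    }
}

$since   = (Get-Date).AddDays(-$Days)
$reasons = foreach ($c in $ComputerName) { Get-ShutdownReason -Computer $c -Since $since }

# Which reasons dominate on which servers.
$reasons | Group-Object Computer, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Reboots logged without a comment are the ones to ask the administrator about.
$reasons | Where-Object { -not $_.Comment } |
    Format-Table Computer, Time, User, Reason, Code -AutoSize
```

Run it from an administrative workstation after the servers have been up for a few weeks; a server that keeps appearing under “Other (Unplanned)” with empty comments is exactly the pattern the tracker was designed to expose.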
Figure 1.5 The Display Shutdown Event Tracker policy

Manage Your Server Wizard

Windows 2003 updates the Manage Your Server Wizard. Even if the Win2K wizards turned you off, give the Windows 2003 wizards a shot. You might still choose to do your day-to-day tasks manually, but know that the Windows 2003 wizards often offer a faster way to accomplish a task. For example, the Manage Your Server Wizard that Figure 1.6 shows lets you easily add or remove a server role.
Figure 1.6 The Manage Your Server Wizard

Help File

Figure 1.7 shows the Windows 2003 Help file, which you’ll find highly useful. Microsoft and the entire Online Help team have outdone themselves in the level of detail provided at each turn of the virtual page. I usually click the Index button (circled in the screen shot), then track down what I need instead of relying on the (somewhat slow) Search facility.

Volume Shadow Copy for Shares

In conjunction with an XP client, this feature lets users “roll back” a data file to a particular point in time or restore a deleted file.

IP Security (IPSec) over NAT

IPSec is a superior way to secure wired communications between any client and server. In the past, the problem has been that if either machine were behind a NAT or NAT-style router or firewall, IPSec didn’t work 100 percent. Windows 2003’s IPSec over NAT feature can encrypt both the header and payload parts of a packet over NAT. IPSec over NAT is an excellent new feature for servers in DMZs or in other areas that use NAT.

Microsoft .NET Framework

The .NET Framework lets programmers do new magic — and much of that new magic will take the form of Web services and IIS. System administrators and AD administrators won’t need to use or know much about the .NET Framework. Because the framework is already deployed inside the OS, it’s one less thing you need to address today.

Figure 1.7 The Windows 2003 Help file

Windows 2003, Standard Edition might offer all the server firepower you need to run your business. However, as I explore Windows 2003, Enterprise Edition, you’ll see that it offers considerably more.

Windows 2003, Enterprise Edition

Windows 2003, Enterprise Edition can accommodate from 1 to 8 processors and up to 32GB of memory. In addition to the general increase in hardware support, you might find support for key features that your business needs. Consider whether your business could benefit now (or might benefit soon) from one of the features listed here.

Tip: If you think you might not use all the Windows 2003, Enterprise Edition features immediately but might use them in the future, it’s best to invest the dollars up front and get Enterprise Edition today, rather than deploying Windows 2003, Standard Edition. Why? Because you can’t “upgrade” from Windows 2003, Standard Edition to Windows 2003, Enterprise Edition. Choosing wisely at this stage is paramount.
Windows 2003, Enterprise Edition offers more scalability features than either Windows 2003, Standard Edition or Win2K AS.

• Clustering has been increased from the four nodes available in Win2K AS to eight nodes.
• NLB has increased from the four nodes available in Win2K AS to eight nodes.
• Terminal Services offers a new load-balancing feature in the new Terminal Services Session Directory. The feature provides a front-end NLB that lets clients easily find an available Terminal Server in a Terminal Server farm.
• Microsoft will support the Microsoft Metadirectory Services (MMS) add-on, a centralized service meant to bridge the gap between disparate directories such as AD and iPlanet. Apparently, Microsoft is designing the Windows 2003 version of MMS for deployment upon Enterprise Edition servers only.

Still other Windows 2003, Enterprise Edition features are available only if your hardware can leverage those features. The features listed below require high-end servers.

• “Hot-add memory” lets you add memory to a server while it’s running and allocate that memory to the rest of the server.
• Non-Uniform Memory Access (NUMA) is a hardware-specific feature that returns low-level information from the hardware to NUMA-compliant applications. This returned data can fine-tune NUMA-aware applications in real time based on the system’s total stress level.

Windows 2003, Datacenter Edition

Windows 2003, Datacenter Edition is Microsoft’s “big-boy” OS. Datacenter Edition integrates OEM hardware tightly with Microsoft software to guarantee specific levels of uptime. Because Windows 2003, Datacenter Server is available only from OEMs, it might be the least often deployed of the Windows 2003 servers. Nevertheless, when you see it deployed, you’ll recognize its tremendous power. Windows 2003, Datacenter Edition supports up to 32 processors and up to 64GB of RAM. The clustering capability equals that of the Windows 2003, Enterprise Edition (eight nodes), which is greater than that of its Win2K Datacenter counterpart (four nodes).

The Datacenter Edition adds one special hardware hook — hyperthreading support. Hyperthreading lets certain Intel processors perform almost double duty. In fact, the Datacenter Edition server can abstract a single processor and make it appear and work as if it were really two physical processors. On some single-processor hyperthreading systems, Windows appears to be using two processors.

Note: For more information about the Windows 2003, Datacenter Edition server program, visit the URL below.
http://www.microsoft.com/windowsserver2003/evaluation/overview/datacenter.mspx
Windows 2003, Web Edition

Windows 2003, Web Edition is totally new among the Windows server progeny. Microsoft has one short-term goal in selling this server: to compete with Linux — at least in the Web services market. Linux is popular among Web systems, and Microsoft’s Windows 2003, Web Edition is meant to tackle this growing threat head on. Like Windows 2003, Datacenter Edition, Windows 2003, Web Edition is not for sale through retail channels. To purchase a Windows 2003, Web Edition server, you must work with specific Windows 2003, Web Edition partners (e.g., Hewlett Packard — HP, Dell, IBM, NEC, Unisys).

Windows 2003, Web Edition isn’t as packed with features as other server family members. In fact, you can quickly grasp the nature of this edition by considering what it can’t do. Windows 2003, Web Edition

• can’t be a DC (however, it can be a domain member)
• is limited to 2GB of memory and two processors
• can’t be clustered
• doesn’t support NLB
• lacks services for Macintosh
• lacks Windows Media Services
• lacks Remote Installation Services (RIS)
• doesn’t support 64-bit Itanium-family processors
• doesn’t support Hot-Add memory
• doesn’t support NUMA
• doesn’t support ICF

Windows 2003, Web Edition is both the least costly and the least flexible of the server family. Its single purpose is to serve Web pages.

Tip: You can find more information about Windows 2003 at the following URL: http://www.microsoft.com/windowsserver2003/evaluation/overview/web.mspx

Windows 2003 32-Bit and 64-Bit Processing

Microsoft plans to revise its Windows 2003 server line for the new 64-bit Itanium processors. In fact, some pieces of the 64-bit puzzle are available today. Clearly, 64-bit computing should jump processing muscle forward much as the change from 16-bit to 32-bit computing jumped it forward several years ago. Microsoft is betting on the Itanium family of processors, including Itanium 1 and Itanium 2. With that in mind, Table 1.2 shows you what each 64-bit version can handle.
Table 1.2 Windows 2003 64-bit capabilities

Product                                   Processors                    RAM
Windows 2003, Standard Edition            Won’t be available in a 64-bit edition.
Windows 2003, 64-Bit Enterprise Edition   1–8                           64GB Maximum
Windows 2003, 64-Bit Datacenter Edition   8–64                          512GB Maximum
Windows 2003, Web Edition                 1–2                           2GB Maximum
Windows XP Pro, 64-Bit Edition            2 (Itanium 1 or Itanium 2)    16GB

Tip: You can find more information about XP Professional 64-bit edition at the following URL: http://www.microsoft.com/windowsxp/64bit/techinfo/planning/techoverview/default.asp

Windows 2003 Hardware Requirements

Your move to a Windows 2003 installation must start with adequate hardware. Microsoft has published specifications for minimum required hardware, which Table 1.3 shows.

Table 1.3 Minimum hardware requirements for Windows 2003 installations

           Standard     Enterprise   Enterprise 64-Bit   Web          Datacenter
CPU type   Pentium II   Pentium II   Itanium 1           Pentium II   Contact a Datacenter vendor for details.
Speed      133MHz       133MHz       733MHz              133MHz
RAM        128MB        128MB        128MB               128MB
Disk       1.5GB        1.5GB        2.0GB               1.5GB

Note: Although processor speed and processor type aren’t strictly enforced when you attempt to install, the amount of RAM is. For example, if you don’t have 128MB of RAM, you can’t load Windows 2003 on a Pentium-class system.
Real-World Windows 2003 Hardware Requirements

Minimum requirements might work well for a test machine or two, but true production systems require a bit more firepower. Table 1.4 shows my recommended minimum hardware requirements for real-world systems.

Table 1.4 Real-world minimum hardware requirements for Windows 2003 installations

           Standard                 Enterprise               Enterprise 64-Bit        Web                      Datacenter
CPU type   Pentium 4                Pentium 4                Itanium 1 or Itanium 2   Pentium 4                Contact a Datacenter vendor for details.
Speed      2GHz                     2GHz                     733MHz                   2GHz
RAM        256MB – 1GB              256MB – 1GB              256MB – 1GB              256MB – 512MB
Disk       9GB + storage for data   9GB + storage for data   9GB + storage for data   9GB + storage for data

Keeping Your System Updated and Secure

Microsoft is “packing in” Windows 2003 features toward the goal of keeping the network up and running and available to user requests. Windows can go belly up — but usually it doesn’t just “happen.” For example, damage frequently occurs when bad drivers are installed despite the OS’s attempts to address the problem. Although loading an imperfect driver doesn’t always mean curtains for the OS, it can result in the blue screen of death that Microsoft refers to as a bugcheck.

If your network experiences problems, you can send a message to Microsoft in several ways. One way is through the new error-reporting mechanism, which Figure 1.8 shows. You can specify that an error report be sent when the Windows OS fails and when other loaded programs fail. You can select those programs through the Choose Programs button that Figure 1.8 shows. As you can see, the default selection involves all Microsoft programs and Windows components. In most environments, you might want to keep error reporting enabled. I’m not sure how Microsoft is going to evolve this feature to offer better support; however, I can see the company using it to improve the product or link your error reports with your activation ID so that Microsoft’s support services can better assist you if you call for support. (Those who are paranoid can disable the error-reporting feature.)
Figure 1.8 Enabling or disabling error reporting in System Properties

Driver Signing

Driver signing isn’t new with Windows 2003, but it’s a highly useful feature. This feature lets you block drivers that haven’t undergone Windows Hardware Quality Labs (WHQL) testing and signing. The default sets up Driver Signing to warn you when you’re about to load an unsigned driver, as Figure 1.9 shows. I recommend that you consider raising the level on all your servers to Block — Never install unsigned driver software.

Driver Rollback

Even if a driver that shouldn’t have been loaded is loaded, you have another chance to excise it from your system. You can use the Driver Rollback feature that Figure 1.10 shows to roll back the current driver to the most recent previously installed driver.

Note: The Driver Rollback feature isn’t designed to keep histories of all the drivers for a device that you’ve ever loaded. It “remembers” only your most recent previously installed driver.
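Before raising the Driver Signing level to Block on a server, it helps to know which drivers already installed on it are unsigned, because those are the ones whose reinstallation or update the Block setting will refuse. The following PowerShell function is an added example (not from the eBook) that produces that inventory from the Win32_PnPSignedDriver WMI class, which reports a signing flag and the signer for every Plug and Play driver. It assumes PowerShell 3.0 or later for Get-CimInstance; the computer name defaults to the local machine.

```powershell
# Added example, not from the eBook: inventory installed PnP drivers that are not
# signed, as a check to run before setting Driver Signing to Block.
# Uses the documented Win32_PnPSignedDriver WMI class (IsSigned, Signer).
# Assumes PowerShell 3.0+ (Get-CimInstance); defaults to the local computer.
function Get-UnsignedDriver {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-CimInstance -ClassName Win32_PnPSignedDriver -ComputerName $ComputerName |
        # Entries with no device name are placeholder records, not real drivers.
        Where-Object { $_.DeviceName -and -not $_.IsSigned } |
        Select-Object @{ Name = 'Computer'; Expression = { $ComputerName } },
                      DeviceName, DriverProviderName, DriverVersion, InfName, Signer |
        Sort-Object DriverProviderName, DeviceName
}

# Report: which drivers would be affected, grouped by the vendor that supplied them.
$unsigned = @(Get-UnsignedDriver)
if ($unsigned.Count -gt 0) {
    "$($unsigned.Count) unsigned driver(s) installed; review before setting Driver Signing to Block:"
    $unsigned | Format-Table -AutoSize
    $unsigned | Group-Object DriverProviderName | Select-Object Count, Name | Format-Table -AutoSize
} else {
    'No unsigned drivers installed; the Block setting will not interfere with anything already present.'
}
```

Pass -ComputerName to run the same check against a remote server; a driver listed here with an empty Signer is one you will want a WHQL-signed replacement for before the policy goes to Block.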
Figure 1.9 Selecting the Driver Signing level in System Properties

Figure 1.10 Driver Rollback feature in Device Manager
Automatic Updates

Windows 2003 now allows automatic updating when patches become available between service packs. You can choose between different modes that can help you keep your Windows 2003 servers updated, as Figure 1.11 shows.

Figure 1.11 Configuring Automatic Updates in System Properties

Software Updates with SUS

Despite the capabilities of the Automatic Update feature, the most effective way to manage Microsoft’s patch updates is to disable the Automatic Update service and set up Microsoft Software Update Services (SUS), which Figure 1.12 shows. Using SUS helps ensure that new Microsoft patches are well integrated into your environment. You can test the patches you want to deploy in a test lab, then distribute the patches you need to your servers and clients. You could load SUS on a Windows 2003 or Win2K server or DC, then use Group Policy to distribute instructions to target machines about how to download and install the patches. For more information, see the Windows and .NET Magazine Network Security Administrator article at http://www.secadministrator.com/articles/index.cfm?articleid=37938 or my article at http://www.mcpmag.com/features/article.asp?editorialsid=336

Tip: You can leverage the power of Microsoft’s free SUS to specify which patches you want to send to your systems. It’s a simple task for an Administrator to test the proposed patch offline in the test lab, then select which patches will go to servers and clients. SUS is available for download from Microsoft at http://www.microsoft.com/windowsxp/64bit/techinfo/planning/techoverview/default.asp
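The SUS recipe above relies on Group Policy telling each target machine where to fetch patches and how to install them. Those instructions land in the Windows Update policy registry values, so you can verify on any server or client whether the policy actually took. The PowerShell script below is an added example (not from the eBook) that reads the documented policy values UseWUServer, WUServer, NoAutoUpdate and AUOptions and flags the combinations that leave a machine unpatched: not redirected to the internal server, redirected to the wrong server, redirected but with Automatic Updates switched off, or set to notify only. The expected server URL is a placeholder for your SUS host.

```powershell
# Added example, not from the eBook: audit how a machine's Automatic Updates
# client has been told to get patches, i.e. whether Group Policy points it at the
# internal SUS server and leaves it able to install. Value names are the documented
# Windows Update policy registry values; the expected server URL is a placeholder.
param([string]$ExpectedServer = 'http://sus.example.internal')   # placeholder SUS URL

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. no policy applied.
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

function Get-UpdatePolicyReport {
    param([string]$ExpectedServer)

    $useWUServer  = Get-PolicyValue $auKey     'UseWUServer'   # 1 = fetch from WUServer instead of Windows Update
    $wuServer     = Get-PolicyValue $policyKey 'WUServer'      # the SUS URL clients download from
    $noAutoUpdate = Get-PolicyValue $auKey     'NoAutoUpdate'  # 1 = Automatic Updates switched off by policy
    $auOptions    = Get-PolicyValue $auKey     'AUOptions'     # 2 notify, 3 download+notify, 4 download+schedule

    $findings = @()
    if ($useWUServer -ne 1) {
        $findings += 'Not redirected to an internal update server; the client goes to Windows Update (or nowhere).'
    } elseif ($wuServer -ne $ExpectedServer) {
        $findings += "Redirected to '$wuServer', expected '$ExpectedServer'."
    }
    if ($useWUServer -eq 1 -and $noAutoUpdate -eq 1) {
        $findings += 'Redirected to SUS but Automatic Updates is disabled by policy; nothing will be installed.'
    }
    if ($auOptions -eq 2) {
        $findings += 'AUOptions=2 only notifies; patches wait for someone to log on and approve them.'
    }

    [pscustomobject]@{
        UseWUServer  = $useWUServer
        WUServer     = $wuServer
        NoAutoUpdate = $noAutoUpdate
        AUOptions    = $auOptions
        Findings     = $findings
    }
}

$report = Get-UpdatePolicyReport -ExpectedServer $ExpectedServer
$report | Format-List
```

An empty Findings list means the machine is pointed at your SUS server and will install what you approve there; anything else is a Group Policy scoping or inheritance problem to chase before you rely on SUS for that box.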
Figure 1.12 Microsoft SUS

IIS Improvements

Microsoft Internet Information Services (IIS) 6.0 is a wholesale IIS overhaul. In a nutshell, IIS 6.0 is

• faster
• more secure
• easier to administer

Did I mention that it’s faster? IIS 6.0 is so much faster than previous IIS versions that its speed is hard to describe. Why is it faster? Microsoft has moved the HTTP processor from user mode to kernel mode, a move that makes IIS 6.0 dramatically faster. Space constraints keep me from delving into and describing all the IIS 6.0 architecture and security changes. For an in-depth look at the changes, be sure to read Brett Hill’s Windows & .NET Magazine article “IIS Overhauled in Version 6.0,” which you’ll find at the following URL: http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=38285
IIS Remote Administration Mode

If you want to set up your servers so you can administer them remotely — from any Web browser anywhere in the world — you can do so by enabling Remote Administration Mode. You must go to Add/Remove Windows Components, then traverse to Application Server, Internet Information Services, World Wide Web Service, and Remote Administration (HTML), as Figure 1.13 shows.

Figure 1.13 Setting Up Remote Administration

When you’re ready to use Remote Administration Mode, go to http://<servername>:8089. You’ll be prompted for credentials. After you’re in, poke around to see what you can do from a Web browser. Figure 1.14 indicates some of what you can accomplish after you set up Remote Administration Mode.
Figure 1.14 Remote Administration Mode

Tip: You can’t load Remote Administration if the target server is a DC.

Should You Deploy?

Now that Windows 2003 is generally available, it’s certainly worth a look. But how can you decide whether you’re ready to deploy it? You’ll have to ask yourself some questions about the current state of your network to see whether, after you commit to Windows 2003, the installation will be an uphill battle. You can begin your assessment by asking yourself these questions:

• Am I currently running on older hardware? If yes, evaluate your hardware to make sure it won’t prohibit the upgrade to Windows 2003.
• Do I have many custom applications or Web applications? With every new OS release, application incompatibilities can be a problem. With that in mind, you’ll need to test and retest each custom application if you want it to run on Windows 2003. Moreover, given the dramatic changes Microsoft has made to IIS 6.0, if you have Web applications, you need to ensure that they won’t break after you upgrade to IIS 6.0.
• What will deployment cost? Do you have a Microsoft licensing agreement that lets you upgrade to Windows 2003? If so, you’ll pay only the labor costs of performing the application tests and the upgrade — not the software costs. If you don’t have a licensing agreement that lets you upgrade to Windows 2003, try to figure out how many licenses you’ll need. Be especially careful after you introduce your first Windows 2003 DC. I’m not an expert on Microsoft licensing, but my understanding is that after you introduce your first Windows 2003 DC, you’ll need to get current on all your Client Access Licenses (CALs). Definitely check with your Microsoft licensing representative to get the full scoop on the upgrade costs.

Tip: The article at the following URL provides some information about Microsoft licensing: http://www.winnetmag.com/Articles/Index.cfm?ArticleID=24033

Onward — to Windows 2003 AD

In terms of Windows 2003 features, I’ve barely scratched the surface. Some of the features I’ve described are “skin deep” but useful. Others offer dramatic improvements over previous capabilities. Yet other features kick in when you use Windows 2003 as an AD DC, as I explore in Chapter 2: What’s New in Windows Server 2003 Active Directory and Chapter 3: What’s New in Windows Server 2003 Management.
Chapter 2: What’s New in Windows Server 2003 Active Directory

Introduction

“Chapter 1: Windows Server 2003 – What’s New” introduced some of the many compelling features Windows Server 2003 (Windows 2003) brings to the table. Windows 2003 includes

• a faster, more secure, and re-architected Microsoft Internet Information Services (IIS) 6.0
• remote access quarantine through the Network Access Quarantine Control feature
• server event tracking through Shutdown Event Tracker
• greater scalability with more processors
• greater scalability with more cluster nodes

You can make a strong case for upgrading to Windows 2003 based on those features alone. If you simply walked around with the Windows 2003 CD-ROM and upgraded all your Windows 2000 member servers, you would have a field day exploring what you can accomplish with the new features. Of course, you won’t want to walk around with the CD-ROM and perform those upgrades (you’d be likely to get into trouble). Nevertheless, Figure 2.1 shows the first screen you’ll encounter when the time to upgrade comes.

Figure 2.1 Windows 2003 CD-ROM initial screen
In my opinion, the real magic of Windows 2003 lies in the new Active Directory (AD)-specific features you gain after you complete your upgrade. This chapter explores what capabilities those features provide and discusses how to prepare to use them.

Working with Domain Levels

To prepare for Windows 2003 AD, you must first ask yourself two questions: Which kinds of domain controllers (DCs) do I have, and which kinds of DCs do I want to deploy? The answers to these questions might include Windows NT 4.0 BDCs, Win2K DCs, and Windows 2003 DCs. You’ll want to begin by stepping back and analyzing your current network configurations.

Analyzing Your Current Network

Your network might contain

• all NT 4.0 DCs
• some Win2K DCs and some NT 4.0 BDCs
• all Win2K DCs
• no Windows-based domains (i.e., no network or a non-Windows network such as Banyan or Novell)

Each of these situations gives rise to some specific opportunities and concerns. I explore each scenario in the following text.

Note: Although it makes sense to list the scenario of having all NT 4.0 DCs first (as I did above), I discuss that scenario last. Moving from all NT 4.0 DCs to Windows 2003 has some unique considerations. Nevertheless, those of you who have all NT 4.0 DCs will benefit from reading through the material that precedes the discussion of that particular upgrade.

If You Have Combined Win2K and NT 4.0 BDCs

If you started out with NT 4.0 DCs and introduced a Win2K DC or two, you might remember the process. You had to begin with an NT 4.0 PDC and upgrade it directly into your Win2K Server. You probably made a backup of the PDC, then slipped in the Win2K CD-ROM with your fingers crossed. For 99 percent of the users who approached the upgrade this way, everything went well. For the other 1 percent of the users, the process involved sweaty palms as they rolled back the upgrade and tried to figure out what the problem was. After you completed the PDC upgrade, you had your first Win2K DC. In addition, Win2K advantageously put you directly into what’s called Mixed Mode.

Now that I’m discussing how to analyze your particular scenario, let me remind you how to discover or verify your network’s mode. To check your current configuration’s mode, run Active Directory Domains and Trusts, which Figure 2.2 shows.
Figure 2.2 Active Directory Domains and Trusts

In the list of domains that appears, select the name of the domain whose mode you want to check, right-click it, and choose Properties. The domain mode should appear. If you have any NT 4.0 BDCs, you’re probably in Mixed Mode, as is the case with Domain B, which Figure 2.3 shows.
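The Active Directory Domains and Trusts snap-in reads the mode from two attributes on the domain object itself, so you can verify the same thing from a script when you have many domains to inventory. The PowerShell function below is an added example (not from the eBook) that binds to the domain with ADSI and reads ntMixedDomain (1 in Mixed Mode, 0 in Native Mode) together with msDS-Behavior-Version, the functional level attribute that appears once a Windows 2003 DC is in the domain. It assumes it runs on a domain member that can reach a DC; the distinguished name in the commented usage line is a placeholder.

```powershell
# Added example, not from the eBook: read a domain's mode straight out of AD with
# ADSI instead of the Active Directory Domains and Trusts snap-in.
# ntMixedDomain and msDS-Behavior-Version are the schema attributes involved.
# Assumes a domain member that can reach a DC; the DN below is a placeholder.
function Get-DomainMode {
    param([string]$DomainDN)   # defaults to the member's own domain

    $rootDse = [ADSI]'LDAP://RootDSE'
    if (-not $DomainDN) {
        $DomainDN = $rootDse.psbase.Properties['defaultNamingContext'].Value
    }
    $domain = [ADSI]"LDAP://$DomainDN"

    $mixed    = $domain.psbase.Properties['ntMixedDomain'].Value          # 1 = Mixed, 0 = Native
    $behavior = $domain.psbase.Properties['msDS-Behavior-Version'].Value  # absent until a 2003 DC exists

    # 0 (or absent) = Win2K level, decided by ntMixedDomain; 1 = Windows 2003 interim
    # (NT 4.0 BDCs and Windows 2003 DCs only); 2 = Windows 2003.
    if ($null -eq $behavior -or $behavior -eq 0) {
        $mode = if ($mixed -eq 1) { 'Win2K Mixed Mode' } else { 'Win2K Native Mode' }
    } elseif ($behavior -eq 1) {
        $mode = 'Windows 2003 interim'
    } elseif ($behavior -eq 2) {
        $mode = 'Windows 2003'
    } else {
        $mode = "Unknown (msDS-Behavior-Version=$behavior)"
    }

    [pscustomobject]@{
        Domain          = $DomainDN
        Mode            = $mode
        AllowsNT4BDCs   = ($mixed -eq 1)
        BehaviorVersion = $behavior
    }
}

Get-DomainMode | Format-List
# Get-DomainMode -DomainDN 'DC=domainb,DC=example'   # placeholder DN for another domain
```

AllowsNT4BDCs is the answer to the question this section is really asking: if it is True, the domain will still accept NT 4.0 BDCs, which matches what the snap-in labels Mixed Mode in Figure 2.3.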
Figure 2.3 Ascertaining a domain’s mode

Mixed Mode supports both Win2K and pre-Win2K DCs, which means that you can still add and remove NT 4.0 BDCs as needed. This capability is a good thing. You might have legacy applications that require you to keep NT 4.0 BDCs around until you find a Win2K or Windows 2003 solution. Of course, much of the capability that you have with all Win2K DCs is missing in Win2K and NT Mixed Mode. (The next section details which capabilities you add if you make the switch to all Win2K DCs.) However, with the first Win2K DC, you get

• Group Policy support for Win2K and XP Professional clients
• IntelliMirror support for Win2K and XP Professional clients
• domain management capability through either Active Directory Users and Computers (Win2K) or User Manager for Domains (NT 4.0)
Tip: For an in-depth discussion of Group Policy and IntelliMirror, see my book Windows 2000: Group Policy, Profiles, and IntelliMirror. You can find information about the book at the URL below.
http://www.sybex.com/sybexbooks.nsf/2604971535a28b098825693d0053081b/d15f21a26eaeed8588256bca0062a12f!OpenDocument&Highlight=0,moskowitz

The promised land, as far as Win2K is concerned, is to get rid of all your NT 4.0 BDCs and have homogeneous Win2K DCs. Interestingly, new Windows 2003 domains are “born” into Win2K Mixed Mode. You can see Domain A’s initial mode – Win2K’s Mixed Mode – in the Windows 2003 domain’s Active Directory Domains and Trusts screen, which Figure 2.4 shows.

Figure 2.4 A new Windows 2003 domain’s initial mode

Therefore, if you build a new Windows 2003 domain from scratch, you could still, if you wanted to, introduce additional NT 4.0 BDCs. This capability might be helpful should you have legacy applications, such as a specialized account lookup program or a specialized piece of remote access equipment, that must reside on a BDC.
If You Have All Win2K DCs

After you leave the last NT 4.0 BDC in the dust, you can make the switch to Win2K’s Native Mode, which introduces additional useful features.

• Universal Group support – This feature lets you assign groups from any domain to any other domain if the domains are in the same forest.
• Total Win2K-style replication – Without any NT LAN Manager (NTLM)-style replication to BDCs and with all your Win2K DCs using native AD replication, the replication process will now be more efficient.
• Additional capacity for security principals – Additional capacity lets you grow the database that holds users past the SAM’s restriction of about 40MB. (You’re still restricted even with one NT 4.0 BDC.) If you need this greater capacity, you know it!
• SidHistory – This feature lets a single account have multiple SIDs. (This capability is useful if you perform an NT 4.0-to-Win2K or an NT 4.0-to-Windows 2003 migration. Users might need to show alternate credentials to access data in their old domain.)
• Advanced Group nesting – You can now use multiple levels of nesting between different group types. Additionally, you can change the scope of domain local groups to domain global groups by clicking one button.

To make the switch to Native Mode on a Win2K domain, just click Change Mode, which Figure 2.3 shows. You’ll be asked to confirm that you want to change the mode. If you answer Yes, the Domain operation mode changes with little fanfare, as Figure 2.5 shows.

Figure 2.5 Changing the domain’s operation mode to Native Mode
Your Win2K domain is now in Win2K Native Mode, which lets you add Windows 2003 as well as Win2K DCs. Keep in mind, however, that Windows 2003 in Win2K Native Mode doesn’t allow NT 4.0 BDCs.

Caution
When you make the switch to Win2K Native Mode, you effectively abandon any remaining NT 4.0 BDCs. They won’t receive updates from your Win2K domain. If you don’t disconnect the NT BDCs, they might introduce network errors (e.g., they might validate deleted users’ access to your network).

If You Have All NT 4.0 Domain Controllers

Now we can discuss a unique case: You have all NT 4.0 DCs and you’re considering switching directly to Windows 2003. You’re not required to first upgrade your NT 4.0 domain (and therefore your NT 4.0 BDCs) to Win2K DCs before you move to Windows 2003. What do you need to know as you consider whether to skip the step of having Win2K DCs?

First, if you have all NT 4.0 DCs, you can still upgrade any NT 4.0 member server to either Win2K or Windows 2003. You might choose an upgrade for servers such as your SQL servers, Systems Management Server (SMS) servers, IIS servers, and Oracle servers. If you don’t have any Win2K or Windows 2003 DCs, you’ll encounter NT 4.0’s inherent limitations, which include

• a SAM size restricted to about 40MB
• no Group Policy
• no IntelliMirror capability
• a single point of failure (If the PDC goes down, no users or administrators can update account information or change passwords.)
• the old replication model (BDCs pull from PDCs at scheduled intervals.)
• the need to reformat a BDC to remove its role as a DC

Note
A third-party tool, such as Algin Technology’s U-Promote, can in most cases help you promote or remove an NT 4.0 BDC’s DC status, leaving it a plain server. As with any tool, use U-Promote only if you have current backups on hand.

Tip
You can upgrade an NT 4.0 Server to either Windows 2003, Standard Edition or Windows 2003, Enterprise Edition. However, you can upgrade NT 4.0 Server, Enterprise Edition only to Windows 2003, Enterprise Edition.
Decision Point

At this point, if you’re running all NT 4.0 DCs, you’re ready to decide whether to bypass the Win2K DC step completely. You know that you can jump from NT 4.0 straight into Windows 2003 – but what else should you consider?

If you know that Win2K DCs won’t ever – and I mean ever – be involved in your journey to Windows 2003 AD, you can take advantage of a special domain mode, Interim Mode. Interim Mode is useful in the unique scenario comprised of NT 4.0 BDCs and Windows 2003 DCs – no Win2K DCs allowed.

Caution
Interim Mode works only with NT 4.0 BDCs and Windows 2003 DCs.

Getting to Interim Mode

If you currently have 100 percent NT DCs and want to introduce your first Windows 2003 DC, how do you move into Interim Mode? You select it when you use the Active Directory Installation Wizard to upgrade an NT 4.0 domain’s PDC. You choose the forest functional level for forests that won’t contain Win2K DCs, as Figure 2.6 shows.

Why Does Interim Mode Exist?

Interim Mode compensates for a specific limitation of both Win2K Mixed Mode and Win2K Native Mode (one that doesn’t occur with either NT domains or the Windows 2003 equivalent of Native Mode). The problem lies in group account memberships. NT 4.0 domains let you maintain more than 5000 members in a security group – for example, in a Domain Global Group. However, after you’ve introduced Win2K DCs, the group account membership situation changes because Win2K DCs can’t handle more than 5000 members in a group. Windows 2003, on the other hand, can handle more than 5000 members in a group – just as NT can. Therefore, you can combine NT 4.0 BDCs and Windows 2003 DCs and use Interim Mode. Interim Mode also provides better replication – specifically between other Windows 2003 DCs.
Figure 2.6 Choosing Interim Mode

Note
The Active Directory Installation Wizard dialog box is titled Forest Functional Level. I discuss Forest Functional Levels later in this chapter. If you select Windows Server 2003 interim here, you’re also changing the domain level to Windows 2003 Interim domain level.

When you upgrade an NT 4.0 PDC (to upgrade your NT 4.0 domain), Dcpromo will run automatically. As you can see above, the text lets you know that the setting is right for you only if you’ll never have Win2K DCs. Also, notice the statement in the lower left-hand corner of the dialog box: Note: both options allow the forest to have Windows NT 4.0 domain controllers. In fact, you can include NT 4.0 BDCs until you make the switch to Win2K Native Mode or the Windows 2003 equivalent (described below).

After the upgrade is complete, you can see Interim Mode again, in Windows 2003’s Active Directory Users and Trusts, which Figure 2.7 shows.
Figure 2.7 DOMAINC upgraded to Interim Mode

If You Have No Windows-based Domains

If you have no Windows-based domains whatsoever (i.e., in the case of a fresh Windows 2003 domain installation), you’ll probably start with 100 percent Windows 2003 DCs. In that case, you would bring up your first Windows 2003 Server, run Dcpromo, and create your first domain. Assuming you won’t need any NT 4.0 BDCs or Win2K DCs, you can get all the benefits of a homogeneous domain with Windows 2003 DCs at Windows 2003’s domain functional level.

First, however, because you create a Windows 2003 domain as a Win2K Mixed Mode domain, you’ll need to “bump up” the domain’s functional level. You raise the level through Active Directory Domains and Trusts by right-clicking the domain name and selecting Raise Domain Functional Level, which Figure 2.8 shows.
Figure 2.8 Raising a domain’s functional level

Next, you can select the functional level you want to support, as Figure 2.9 shows. Your choices are to support a domain with Win2K DCs and Windows 2003 DCs or a domain with 100 percent Windows 2003 DCs.

Figure 2.9 Selecting an available domain functional level
Select the domain functional level you want, then click Raise. You can bump one level to Windows 2000 native or two levels to Windows Server 2003.

Caution
Raising the level is irreversible. That is, if you select Windows 2000 native, you can’t go back to Windows 2000 mixed. If you select Windows Server 2003, you can’t go back to either Windows 2000 native or Windows 2000 mixed.

After a domain is at Windows 2003’s domain functional level, you get the following major additional features.

• InetOrgPerson becomes a user principal (I discuss this feature in Chapter 5: Windows Server 2003 Security Enhancements).
• Update logon timestamp: This feature lets administrators easily determine when a specific user logged on and to which DC. You’ll find this information helpful for auditing purposes. I discuss this feature and a tool that helps you examine the attribute involved in Chapter 7: Command Line, Support Tools, and Resource Kit Tools.
• Domain rename feature (I discuss this feature in Chapter 8: Special Domain Operations).

Domain Level Review

You might find the different domain levels a little confusing. Table 2.1 offers a quick summary of Win2K and Windows 2003 domain levels.
Table 2.1 Win2K and Windows 2003 domain levels

Win2K Mixed Mode
  Machines allowed: Win2K DCs, Windows 2003 DCs, and NT 4.0 BDCs
  When useful: When you have an application on an NT BDC on which your business depends
  Features: Group Policy and IntelliMirror for Win2K Professional and XP Professional clients
  Notes: Both Win2K and Windows 2003 domains are created in Mixed Mode. NT 4.0 BDCs can participate in Win2K Mixed Mode.

Win2K Native Mode
  Machines allowed: Win2K DCs and Windows 2003 DCs
  When useful: When you have a new Win2K domain, a new Windows 2003 domain, or a Win2K domain with new Windows 2003 DCs
  Features: Universal Group Support, SidHistory, SAM limit gone – replaced by 100 percent Win2K-style replication
  Notes: NT 4.0 BDCs are excluded from this mode.

Windows 2003 Interim Level
  Machines allowed: Windows 2003 DCs and NT 4.0 BDCs
  When useful: When you’re upgrading an NT 4.0 domain and have NT 4.0 BDCs
  Features: Group size of 5000+ users, enhanced Windows 2003 replication to other Windows 2003 DCs
  Notes: You can choose this mode only if you’re upgrading an NT 4.0 PDC with a Windows 2003 CD-ROM. Win2K DCs are excluded from this mode.

Windows 2003 Functional Level
  Machines allowed: Windows 2003 DCs
  When useful: When you’re creating 100 percent new Windows 2003 domains without any older DC types
  Features: See the text below
  Notes: Win2K DCs and NT 4.0 BDCs are excluded from this mode.

Domain Functional Level Diagram

Understanding precisely when you can progress to each domain level can be a bit daunting. The graphic in Figure 2.10 should help guide you – whether you have an NT 4.0 domain, a Win2K domain, or a Windows 2003 domain.
Figure 2.10 Upgrading from NT 4.0 or Win2K to Windows 2003 (diagram: an upgraded NT 4.0 domain, a Windows 2000 domain, or a new Windows 2003 domain moves from Windows 2000 Mixed Mode to Windows 2000 Native Mode to the Windows 2003 Functional Level; an NT 4.0 domain upgraded directly to Windows 2003 can instead pass through Windows 2003 Interim Mode to the Windows 2003 Functional Level)

Caution
Let me remind you once more that domain upgrades aren’t reversible. If you select Win2K’s Native Mode, you can’t go back to Win2K’s Mixed Mode. If you select Windows 2003’s Interim Level or Windows 2003’s Functional Level, you can’t go back to either Win2K’s Native Mode or Win2K’s Mixed Mode.
Working with Forest Levels

In the previous section, you saw that a Win2K domain and a Windows 2003 domain could each have its own domain-wide level. The same is true for a Windows 2003 forest. You create a new Windows 2003 forest at Win2K’s forest functional level.

Tip
Interestingly, a Win2K forest just “is” – no distinction is made between particular modes. Only Windows 2003 forests make a distinction between Win2K’s forest functional level and Windows 2003’s forest functional level.

However, to get to the best features that Windows 2003 AD offers, you must first reach Windows 2003’s forest functional level. To do so, you must ensure that

• all DCs are Windows 2003
• all domains are switched to Windows 2003’s domain functional level

After you’ve completed that preparation, you can take it one step further. That is, you can throw the switch to bring the entire forest to Windows 2003’s forest functional level – the Holy Grail of Windows 2003 AD. To raise the forest level, right-click the Active Directory Domains and Trusts root and select Raise Forest Functional Level, which Figure 2.11 shows.

Figure 2.11 Raising the forest functional level

After you’ve selected Raise Forest Functional Level, you’ll see the current functional level of the forest, which Figure 2.12 shows. That level should be Windows 2000. If the forest is at the Windows 2000 level, Windows Server 2003 will be the only functional level available to raise to.
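Because both the domain-level raise (Figures 2.8 and 2.9) and the forest-level raise are irreversible, a practitioner wants to enumerate what would block each one before clicking Raise. The following preflight script is an added example, not the book’s own material; it assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session with read access to the directory, and it reads the raw msDS-Behavior-Version and ntMixedDomain attributes that sit behind the modes this chapter describes.

```powershell
# Added preflight check (not from the book): report the current domain and
# forest levels and list every DC type that would block a raise.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Test-FunctionalLevelRaise {
    param(
        # Domain to check; defaults to the domain of the current session
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest

    # msDS-Behavior-Version is the attribute behind DomainMode:
    # 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
    # ntMixedDomain separates Win2K Mixed Mode (1) from Win2K Native Mode (0).
    $nc = Get-ADObject -Identity $d.DistinguishedName -Server $d.DNSRoot `
        -Properties 'msDS-Behavior-Version', 'ntMixedDomain'

    # Win2K and later DCs own NTDS Settings objects, so this cmdlet lists them
    $adDCs   = @(Get-ADDomainController -Filter * -Server $d.DNSRoot)
    $dcNames = @($adDCs | ForEach-Object { $_.Name })

    # NT 4.0 BDCs have no NTDS Settings; they exist only as computer accounts
    # carrying the SERVER_TRUST_ACCOUNT flag (0x2000) in userAccountControl.
    $serverTrust = @(Get-ADComputer -Server $d.DNSRoot -Properties operatingSystem `
        -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)')
    $legacyBDCs = @($serverTrust | Where-Object { $dcNames -notcontains $_.Name })
    $win2kDCs   = @($adDCs | Where-Object { $_.OperatingSystem -like '*2000*' })

    # Forest level also needs every domain at Windows 2003 domain level (>= 2)
    $lagging = @(foreach ($dom in $f.Domains) {
        $dn = (Get-ADDomain -Identity $dom).DistinguishedName
        $v  = (Get-ADObject -Identity $dn -Server $dom `
                -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
        if ($v -lt 2) { $dom }
    })

    # Blockers follow the rules in Table 2.1 and Figure 2.10
    $blockers = @()
    if ($legacyBDCs.Count -gt 0) {
        $blockers += 'NT 4.0 BDCs present: Win2K Native and Windows 2003 levels blocked'
    }
    if ($win2kDCs.Count -gt 0) {
        $blockers += 'Win2K DCs present: Windows 2003 domain and forest levels blocked'
    }
    if ($lagging.Count -gt 0) {
        $blockers += 'Domains below Windows 2003 level: forest level blocked'
    }

    [pscustomobject]@{
        Domain         = $d.DNSRoot
        DomainMode     = $d.DomainMode
        BehaviorVer    = $nc.'msDS-Behavior-Version'
        NtMixedDomain  = $nc.ntMixedDomain
        ForestMode     = $f.ForestMode
        LegacyBDCs     = $legacyBDCs | ForEach-Object { $_.Name }
        Win2KDCs       = $win2kDCs   | ForEach-Object { $_.HostName }
        LaggingDomains = $lagging
        Blockers       = $blockers
    }
}

Test-FunctionalLevelRaise | Format-List
```

An empty Blockers list means the DC inventory allows the raise; the Caution in this chapter still applies, because the script only inspects the directory and changes nothing.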
Figure 2.12 Selecting Windows 2003’s forest functional level

If you chose to perform an NT 4.0 upgrade into an Interim level domain and forest, you have two options: Windows 2000 Server and Windows Server 2003. Note, however, that you’ll need to throw Windows 2003’s domain functional level switch in each domain before Windows 2003’s forest functional level is valid. Simply click Raise on the functional level you want, and you’re done.

Caution
As is true in raising a domain’s level, after you raise a forest’s level, you can’t reverse the move. That is, if you start with Win2K’s forest functional level and you select Windows 2003’s forest functional level, you can’t go back to Win2K’s forest functional level.

Windows 2003 Forest Functional Level Features

After you make the irreversible move to Windows 2003’s forest functional level, you get a gaggle of new Windows 2003 AD features. Some features are “under-the-hood” enhancements, and others are features you can deploy to solve specific business problems. Here are some enhancements you get “under the hood” with Windows 2003’s forest functional level:

• Linked Value Replication (LVR) improvements – Under Win2K, you encountered a problem in replicating the membership of group accounts. If Stacey in the USA and Ralph in Great Britain modified the Nurses group membership at about the same time (a user initiated a second change before the replication function completed the first change), you could only guess which change would “win” in AD. Now those changes merge successfully.