Chapter 1
Windows Server 2003 — What’s New
Introduction
If you’re downloading this eBook, you probably want to know why you should care about Microsoft’s latest server OS — Windows Server 2003 (Windows 2003). Inside, you’ll discover which features might be important to you and why. Whether you’re a Windows 2000-with-Active Directory (AD) expert or a Windows NT administrator who’s been reading all the trade journals about Microsoft’s new server family — this book is for you.
To get the most from this eBook, you should have a working knowledge of Win2K and some AD experience. However, if you’re new to AD, you can still make good use of the information that you find here.
Windows 2003 brings much that’s either new or improved to the table. I discuss the new features and improvements in some depth. In addition, I discuss key topics that many Windows texts fail to cover, such as AD backup and recovery. I occasionally compare Windows 2003 to Win2K to illustrate both the similarities and the important new differences between the two server OSs.
Note: This book differs from several currently available Windows 2003 books in that it’s based on experience with the actual product — not with beta code and outdated screens. The advantage to you is that you won’t be missing any “late-breaking” information.
A Chapter-by-Chapter Roadmap to the Book
To begin, let me give you a chapter-by-chapter roadmap for the book:
Chapter 1: Windows Server 2003 — What’s New
Chapter 1 introduces Windows 2003’s notable new non-AD-related features. You’ll want to become familiar with what Windows 2003 offers in preparation for the in-depth discussions of Windows 2003 and AD. In addition, knowing these features can help you make a solid business case for deploying Windows 2003.
Chapter 2: What’s New in Windows Server 2003 Active Directory
Chapter 2 covers the different AD domain and forest modes. You might be familiar with Windows 2000’s Mixed and Native modes. Windows 2003 adds a new mode specific to this new server OS. In this chapter, I discuss how to prepare your existing domains for Windows 2003 with AD.
Chapter 3: What’s New in Windows Server 2003 Management
Chapter 3 introduces some excellent Windows 2003 management features, including new Active Directory Users and Computers features and the Group Policy Management Console (GPMC). I also review how to use AD’s advanced management features to tie together your Windows 2003, Win2K, and NT domains.
Brought to you by NetIQ and Windows & .NET Magazine eBooks
Windows 2003: Active Directory Administration Essentials
Chapter 4: Inside Windows Server 2003 Forests and DNS
Chapter 4 explores Windows 2003’s new cross-forest trusts — demonstrating precisely how to control resources — via the new Authentication Firewall and SID filtering techniques. Additionally, I cover what’s new with Windows 2003 DNS: Conditional Forwarding, DNS Stub zones, and the new DNSLint tool.
Chapter 5: Windows Server 2003 Security Enhancements
Chapter 5 covers client-side security with Windows 2003’s new required server rules. I’ll discuss the new ACL editor and explain how Windows 2003 deals with schema changes and revisions, along with other security enhancements.
Chapter 6: Backup, Restore, and Recovery for Windows Server 2003 and Active Directory
Chapter 6 discusses Windows 2003 AD backup and restore features, including the ins and outs of resurrecting objects after they’ve been deleted. You’ll want to know how Windows 2003 addresses this situation.
Chapter 7: Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools
Chapter 7 introduces Windows 2003’s extensive set of tools. I cover the plethora of command-line tools, support tools, and the Microsoft Windows Server 2003 Resource Kit tools.
Chapter 8: Windows Server 2003 Special Domain Operations
Chapter 8 reviews a new Windows 2003 domain renaming feature. You can now rename both domain controllers (DCs) and complete domains. Should your organization name change from smallcollege.edu to huge-u.edu, for example, you won’t be plagued by the old name remaining in the domain.
Windows 2003 offers much that’s new and even more that’s improved. Over the next several months, I’ll cover the key features in bite-sized chunks. So, welcome to Windows 2003 and AD. It won’t be long until you’re ready to go forth and deploy!
Jeremy Moskowitz
jeremym@moskowitz-inc.com
If you want to contact me with specific Windows 2003 questions, I’ll take a shot at answering them or directing you to a solid specific resource. However, I might not be able to research every question in depth.
Windows 2003 Editions
Like the Win2K and NT server OSs, Windows 2003 comes in several sizes. According to Microsoft, you can find a size for every type of business. Win2K offers three server editions and one client. Windows 2003 offers four server editions and no client — that is, the client comes in the form of Windows XP Professional. Table 1.1 presents the different versions of Win2K Server and Windows 2003 and their clients side by side.
The two most commonly deployed Windows 2003 server editions will probably be Windows 2003, Standard Edition and Windows 2003, Enterprise Edition. You might well be asked to influence a purchasing decision between the two. Knowing which features each edition offers can help you and your company make the best business decision.
Note: Windows 2003, Standard Edition might be just the ticket for most businesses’ day-to-day needs. However, to weigh which server edition might be right for your business, examine the features listed in the following text.
Table 1.1
Win2K and Windows 2003 servers and clients
| Role | Windows 2000 | Windows 2003 |
|---|---|---|
| Departmental server | Win2K Server | Windows 2003, Standard Edition |
| General use server | Win2K Advanced Server | Windows 2003, Enterprise Edition |
| Mission-critical server | Win2K Datacenter Server | Windows 2003, Datacenter Edition |
| One-stop-shop server for all business needs | Win2K Small Business Server | Windows 2003, Small Business Server Edition |
| Web server | None | Windows 2003, Web Edition |
| Preferred client | Win2K and Windows XP work equally well | Windows XP supports extra features and optimization |
I explore the different Windows 2003 server editions to give you an overview of each server’s capabilities, beginning with Windows 2003, Standard Edition to establish a baseline. I then list the features common to Windows 2003, Standard Edition, Windows 2003, Enterprise Edition, and Windows 2003, Datacenter Server, before I continue with individual edition overviews.
Windows 2003, Standard Edition
According to Microsoft, Windows 2003, Standard Edition targets departments and small businesses with IT departments for use as a general purpose server. It performs the usual server functions of ensuring that users can access data in all forms (e.g., through file and print services), housing database systems, running complex business processes, and providing a communications gateway, such as a VPN.
Windows 2003, Standard Edition can accommodate four-way Symmetric Multiprocessing (SMP) machines, which means that the Standard Edition servers can contain up to four processors. Windows 2003, Standard Edition can accommodate up to 4GB of memory — no matter how many processors you have in the system. You’ll enjoy the room.
Tip: Windows 2003 introduces a new feature that — if you have enough RAM to support it — lets you eliminate your Windows swap file completely. Consider using this feature only if you can truly do without the swap file. In Task Manager, view the Performance tab and inspect the “Commit Charge” entry to see whether the peak commit is less than the physical memory. If it is, you should be able to eliminate the swap file.
Windows 2003, Standard Edition is the follow-on to Win2K Server. In theory, you can simply pop the Windows 2003, Standard Edition CD-ROM into existing Win2K servers and upgrade them “in place.” However, note the caution below.
Caution: Only upgrade your Win2K servers to Windows 2003 with a change-management plan.
Features Common to Three Windows 2003 Editions
Now that I’ve introduced Windows 2003, Standard Edition, let me briefly review features common to several of the server editions. The Windows 2003, Standard Edition, Windows 2003, Enterprise Edition, and Windows 2003, Datacenter Server Edition servers provide a gaggle of new or updated features. In the following text, I discuss some of these features. Windows 2003, Web Edition’s features are significantly different, as I point out later in this chapter. (Windows 2003, Small Business Server Edition hasn’t yet been released. The server will include many features, such as a built-in version of Exchange. However, specifications aren’t currently available.)
Note: I mention the features that Microsoft introduced in the various Win2K Server editions for comparison only.
Active Directory (AD)
Win2K Server brought us AD. Although the first iteration of AD wasn’t designated AD 1.0, it sometimes seemed to be missing features. That situation has changed in Windows 2003 with what I call “Active Directory 1.1.” As was true with Win2K, DCs still house AD components, respond to client authentication requests, and share the AD database. I discuss these basic units of AD and the newest AD features in Chapter 2, Chapter 3, and Chapter 8. Windows 2003 offers too many new AD features to list here.
Network Load Balancing (NLB)
Win2K Server didn’t support NLB. However, Windows 2003, Standard Edition supports two-node NLB. Windows 2003, Enterprise Edition and Windows 2003, Datacenter Edition support additional nodes, as you’ll see where they’re covered individually. (My research indicates that Windows 2003, Web Edition doesn’t support NLB.)
Internet Information Services (IIS) 6.0
Windows 2003 IIS 6.0 offers improved architecture and improved speed. The increased speed is impressive. The Lockdown Wizard is now included rather than being a downloadable add-on.
Internet Connection Firewall (ICF)
All Windows servers now have a basic stateful Internet firewall, which Figure 1.1 shows. ICF can block or permit traffic by specific traffic type or to specific ports. The “big brother” of this built-in feature is Microsoft’s Internet Security and Acceleration (ISA) Server 2000. Although ICF isn’t “industrial strength,” it performs basic security functions.
Remote Access
Microsoft has improved Windows remote access. Specifically, remote access includes a useful new feature — the Network Access Quarantine Control feature — that lets you “quarantine” users. Briefly, here’s how the feature works: If client systems don’t run software that you specify, such as a service pack or a virus scanner, those client systems are quarantined and can’t access your network.
Figure 1.1
The Internet Connection Firewall
Tip: The remote access quarantine is a bit difficult to work with. You can download the complete details at the following URL:
http://www.microsoft.com/windowsserver2003/docs/quarantine.doc
Remote Desktop for Administration (Terminal Services in Remote Administration mode)
Win2K introduced many of us to the world of Terminal Services. You’ll recall that Win2K has two modes for Terminal Services — Full Terminal Services mode (also called Application server mode) and Terminal Services — Administration Mode (also called Remote administration mode). The latter mode let two administrators remotely administer the server as if they were practically standing at the console. With Win2K, you could choose one of the two modes mentioned or choose not to select a terminal services mode. After loading Terminal Services mode, Win2K requires a reboot. In contrast, Windows 2003 by default loads the necessary files for the equivalent of Terminal Services — Administration Mode. To finish enabling Terminal Services — Administration Mode, you need only select the Remote Desktop check box on the Remote tab of the server’s System Properties, which Figure 1.2 shows.
Figure 1.2
Enabling Remote Desktop
Server Event Tracking
Microsoft has tried to ensure that the latest server editions are the most reliable ever. In the past, many users shut down and restarted their servers for various reasons, some of them inappropriate. With NT, for example, it might often have made sense to reboot a server on a Saturday night to clear out the memory and prevent server crashes the following week. With Windows 2003, Microsoft intends to prove to everyone — including your management — that the servers will stay up until administrators take them down.
To that end, Microsoft has included a small reporting window into which administrators can type precisely why they choose to shut down a server. The EventcombMT tool from the Windows Server 2003 Resource Kit can parse the logs from all servers and highlight why administrators reboot servers.
Note: I discuss more Resource Kit tools in Chapter 7: Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools.
Figure 1.3 shows a Windows 2003 Event tracking Shut Down Windows screen. In the Shutdown Event Tracker Option segment of the dialog box, you can specify by category why you’re shutting the server down.
Figure 1.3
Windows 2003 event-tracking Shut Down Windows screen
Figure 1.4 shows the option selected in Figure 1.3, including the comment field that lets you enter more detailed information about why you shut down the server. The record of server shutdowns might be valuable both to you and to Microsoft.
Figure 1.4
Shutdown Event Tracker comment field
You might not want to use the Shutdown Event Tracker. Figure 1.5 shows the policy you use to disable the mechanism. You can enable and disable Shutdown Event Tracker through the Group Policy Object Editor.
Tip: You might find the mechanism for disabling the shutdown event annoying, especially in a testing environment in which machines are rebooted all the time. You might want to turn this feature off for some servers, but certainly not for all. With that in mind, you can use these steps to turn off the Server Event Tracking on a particular server.
1. Click Start, Run, and type in GPEDIT.MSC.
2. Traverse to Computer Settings, System, Display Shutdown Event Tracker.
3. Disable the policy.
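The value of the tracker lies in the reason records it leaves in each server’s System log. The following added example (not from the eBook and not EventcombMT itself) shows the kind of roll-up you would build from those records once collected from several servers: reason counts per server, plus a review list of unplanned reboots, planned reboots with an empty comment, and records that could not be parsed. The event texts, hostnames, users and comments below are constructed for the example, with wording modelled on the tracker’s “initiated the restart of computer … for the following reason” message.

```python
"""Summarize Shutdown Event Tracker records gathered from several servers."""
import re
from collections import Counter, defaultdict

# High bit of the reason code marks a planned shutdown (SHTDN_REASON_FLAG_PLANNED).
PLANNED_FLAG = 0x80000000

# Constructed sample records: (server the record came from, event message text).
SAMPLE_EVENTS = [
    ("DC01", "The process winlogon.exe has initiated the restart of computer "
             "DC01 on behalf of user LAB\\jeremy for the following reason: "
             "Operating System: Service pack (Planned) Reason Code: 0x80020010 "
             "Shutdown Type: restart Comment: SP1 install"),
    ("DC01", "The process winlogon.exe has initiated the restart of computer "
             "DC01 on behalf of user LAB\\jeremy for the following reason: "
             "Other (Unplanned) Reason Code: 0x0 Shutdown Type: restart"),
    ("FS02", "The process winlogon.exe has initiated the shutdown of computer "
             "FS02 on behalf of user LAB\\svc_backup for the following reason: "
             "Hardware: Maintenance (Planned) Reason Code: 0x80010001 "
             "Shutdown Type: shutdown Comment:"),
    ("WEB03", "The process winlogon.exe has initiated the restart of computer "
              "WEB03 on behalf of user LAB\\contractor for the following reason: "
              "Application: Installation (Planned) Reason Code: 0x80040002 "
              "Shutdown Type: restart Comment: new IIS module"),
    ("WEB03", "Event record could not be read"),
]

EVENT_RE = re.compile(
    r"initiated the (?P<action>shutdown|restart|power off) of computer "
    r"(?P<host>\S+) on behalf of user (?P<user>\S+) for the following reason: "
    r"(?P<reason>.+?) Reason Code: (?P<code>0x[0-9A-Fa-f]+)"
    r"(?: Shutdown Type: (?P<type>\w+))?"
    r"(?: Comment:\s*(?P<comment>.*))?$"
)


def parse_event(text):
    """Return a dict for one tracker record, or None if it does not match."""
    m = EVENT_RE.search(text.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["comment"] = (rec["comment"] or "").strip()
    rec["code"] = int(rec["code"], 16)
    # Decide planned/unplanned from the code's flag bit, not from the free text.
    rec["planned"] = bool(rec["code"] & PLANNED_FLAG)
    return rec


def summarize(events):
    """Count reasons per server and list the reboots that deserve a closer look."""
    per_server = defaultdict(Counter)
    review = []
    for server, text in events:
        rec = parse_event(text)
        if rec is None:
            review.append((server, "<unparsable>", "record could not be parsed"))
            continue
        per_server[server][rec["reason"]] += 1
        if not rec["planned"]:
            review.append((server, rec["user"], "unplanned: " + rec["reason"]))
        elif not rec["comment"]:
            review.append((server, rec["user"], "planned but no comment"))
    return dict(per_server), review


if __name__ == "__main__":
    counts, review = summarize(SAMPLE_EVENTS)
    for server in sorted(counts):
        for reason, n in counts[server].most_common():
            print(f"{server:<6} {n:>2}  {reason}")
    print("\nNeeds review:")
    for server, who, why in review:
        print(f"  {server:<6} {who:<16} {why}")
```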
Figure 1.5
The Display Shutdown Event Tracker policy
Manage Your Server Wizard
Windows 2003 updates the Manage Your Server Wizard. Even if the Win2K wizards turned you off, give the Windows 2003 wizards a shot. You might still choose to do your day-to-day tasks manually, but know that the Windows 2003 wizards often offer a faster way to accomplish a task. For example, the Manage Your Server Wizard that Figure 1.6 shows lets you easily add or remove a server role.
Figure 1.6
The Manage Your Server Wizard
Help File
Figure 1.7 shows the Windows 2003 Help file, which you’ll find highly useful. Microsoft and the entire Online Help team have outdone themselves in the level of detail provided at each turn of the virtual page. I usually click the Index button (circled in the screen shot), then track down what I need instead of relying on the (somewhat slow) Search facility.
Volume Shadow Copy for Shares
In conjunction with an XP client, this feature lets users “roll back” a data file to a particular point in time or restore a deleted file.
IP Security (IPSec) over NAT
IPSec is a superior way to secure wired communications between any client and server. In the past, the problem has been that if either machine were behind a NAT or NAT-style router or firewall, IPSec didn’t work 100 percent. Windows 2003’s IPSec over NAT feature can encrypt both the header and payload parts of a packet over NAT. IPSec over NAT is an excellent new feature for servers in DMZs or in other areas that use NAT.
Microsoft .NET Framework
The .NET Framework lets programmers do new magic — and much of that new magic will take the form of Web services and IIS. System administrators and AD administrators won’t need to use or know much about the .NET Framework. Because the framework is already deployed inside the OS, it’s one less thing you need to address today.
Figure 1.7
The Windows 2003 Help file
Windows 2003, Standard Edition might offer all the server firepower you need to run your business. However, as I explore Windows 2003, Enterprise Edition, you’ll see that it offers considerably more.
Windows 2003, Enterprise Edition
Windows 2003, Enterprise Edition can accommodate from 1 to 8 processors and up to 32GB of memory. In addition to the general increase in hardware support, you might find support for key features that your business needs. Consider whether your business could benefit now (or might benefit soon) from one of the features listed here.
Tip: If you think you might not use all the Windows 2003, Enterprise Edition features immediately but might use them in the future, it’s best to invest the dollars up front and get Enterprise Edition today, rather than deploying Windows 2003, Standard Edition. Why? Because you can’t “upgrade” from Windows 2003, Standard Edition to Windows 2003, Enterprise Edition. Choosing wisely at this stage is paramount.
Windows 2003, Enterprise Edition offers more scalability features than either Windows 2003, Standard Edition or Win2K AS.
• Clustering has been increased from the four nodes available in Win2K AS to eight nodes.
• NLB has increased from the four nodes available in Win2K AS to eight nodes.
• Terminal Services offers a new load-balancing feature in the new Terminal Services Session Directory. The feature provides a front-end NLB that lets clients easily find an available Terminal Server in a Terminal Server farm.
• Microsoft will support the Microsoft Metadirectory Services (MMS) add-on, a centralized service meant to bridge the gap between disparate directories such as AD and iPlanet. Apparently, Microsoft is designing the Windows 2003 version of MMS for deployment upon Enterprise Edition servers only.
Still other Windows 2003, Enterprise Edition features are available only if your hardware can leverage those features. The features listed below require high-end servers.
• “Hot-add memory” lets you add memory to a server while it’s running and allocate that memory to the rest of the server.
• Non-Uniform Memory Access (NUMA) is a hardware-specific feature that returns low-level information from the hardware to NUMA-compliant applications. This returned data can fine-tune NUMA-aware applications in real time based on the system’s total stress level.
Windows 2003, Datacenter Edition
Windows 2003, Datacenter Edition is Microsoft’s “big-boy” OS. Datacenter Edition integrates OEM hardware tightly with Microsoft software to guarantee specific levels of uptime.
Because Windows 2003, Datacenter Server is available only from OEMs, it might be the least often deployed of the Windows 2003 servers. Nevertheless, when you see it deployed, you’ll recognize its tremendous power.
Windows 2003, Datacenter Edition supports up to 32 processors and up to 64GB of RAM. The clustering capability equals that of the Windows 2003, Enterprise Edition (eight nodes), which is greater than that of its Win2K Datacenter counterpart (four nodes).
The Datacenter Edition adds one special hardware hook — hyperthreading support. Hyperthreading lets certain Intel processors perform almost double duty. In fact, the Datacenter Edition server can abstract a single processor and make it appear and work as if it were really two physical processors. On some single-processor hyperthreading systems, Windows appears to be using two processors.
Note: For more information about the Windows 2003, Datacenter Edition server program, visit the URL below.
http://www.microsoft.com/windowsserver2003/evaluation/overview/datacenter.mspx
Windows 2003, Web Edition
Windows 2003, Web Edition is totally new among the Windows server progeny. Microsoft has one short-term goal in selling this server: to compete with Linux — at least in the Web services market. Linux is popular among Web systems, and Microsoft’s Windows 2003, Web Edition is meant to tackle this growing threat head on.
Like the Windows 2003, Datacenter Edition, Windows 2003, Web Edition is not for sale through retail channels. To purchase a Windows 2003, Web Edition server, you must work with specific Windows 2003, Web Edition partners (e.g., Hewlett-Packard (HP), Dell, IBM, NEC, Unisys).
Windows 2003, Web Edition isn’t as packed with features as other server family members. In fact, you can quickly grasp the nature of this edition by considering what it can’t do. Windows 2003, Web Edition
• can’t be a DC (however, it can be a domain member)
• is limited to 2GB of memory and two processors
• can’t be clustered
• doesn’t support NLB
• lacks services for Macintosh
• lacks Windows Media Services
• lacks Remote Installation Services (RIS)
• doesn’t support 64-bit Itanium-family processors
• doesn’t support Hot-Add memory
• doesn’t support NUMA
• doesn’t support ICF
Windows 2003, Web Edition is both the least costly and the least flexible of the server family. Its single purpose is to serve Web pages.
Tip: You can find more information about Windows 2003 at the following URL:
http://www.microsoft.com/windowsserver2003/evaluation/overview/web.mspx
Windows 2003 32-Bit and 64-Bit Processing
Microsoft plans to revise its Windows 2003 server line for the new 64-bit Itanium processors. In fact, some pieces of the 64-bit puzzle are available today. Clearly, 64-bit computing should jump processing muscle forward much as the change from 16-bit to 32-bit computing jumped it forward several years ago. Microsoft is betting on the Itanium family of processors, including Itanium 1 and Itanium 2. With that in mind, Table 1.2 shows you what each 64-bit version can handle.
Table 1.2
Windows 2003 64-bit capabilities
| Product | Processors | RAM |
|---|---|---|
| Windows 2003, Standard Edition | Won’t be available in a 64-bit edition | — |
| Windows 2003, 64-Bit Enterprise Edition | 1–8 | 64GB maximum |
| Windows 2003, 64-Bit Datacenter Edition | 8–64 | 512GB maximum |
| Windows 2003, Web Edition | 1–2 | 2GB maximum |
| Windows XP Pro, 64-Bit Edition | 2 (Itanium 1 or Itanium 2) | 16GB |
Tip: You can find more information about XP Professional 64-bit edition at the following URL:
http://www.microsoft.com/windowsxp/64bit/techinfo/planning/techoverview/default.asp
Windows 2003 Hardware Requirements
Your move to a Windows 2003 installation must start with adequate hardware. Microsoft has published specifications for minimum required hardware, which Table 1.3 shows.
Table 1.3
Minimum hardware requirements for Windows 2003 installations
| | Standard | Enterprise | Enterprise 64-Bit | Web | Datacenter |
|---|---|---|---|---|---|
| CPU type | Pentium II | Pentium II | Itanium 1 | Pentium II | Contact a Datacenter vendor for details |
| Speed | 133MHz | 133MHz | 733MHz | 133MHz | |
| RAM | 128MB | 128MB | 128MB | 128MB | |
| Disk | 1.5GB | 1.5GB | 2.0GB | 1.5GB | |
Note: Although processor speed and processor type aren’t strictly enforced when you attempt to install, the amount of RAM is. For example, if you don’t have 128MB of RAM, you can’t load Windows 2003 on a Pentium-class system.
Real-World Windows 2003 Hardware Requirements
Minimum requirements might work well for a test machine or two, but true production systems require a bit more firepower. Table 1.4 shows my recommended minimum hardware requirements for real-world systems.
Table 1.4
Real-world minimum hardware requirements for Windows 2003 installations
| | Standard | Enterprise | Enterprise 64-Bit | Web | Datacenter |
|---|---|---|---|---|---|
| CPU type | Pentium 4 | Pentium 4 | Itanium 1 or Itanium 2 | Pentium 4 | Contact a Datacenter vendor for details |
| Speed | 2GHz | 2GHz | 733MHz | 2GHz | |
| RAM | 256MB – 1GB | 256MB – 1GB | 256MB – 1GB | 256MB – 512MB | |
| Disk | 9GB + storage for data | 9GB + storage for data | 9GB + storage for data | 9GB + storage for data | |
Keeping Your System Updated and Secure
Microsoft is “packing in” Windows 2003 features toward the goal of keeping the network up and running and available to user requests. Windows can go belly up — but usually it doesn’t just “happen.” For example, damage frequently occurs when bad drivers are installed despite the OS’s attempts to address the problem. Although loading an imperfect driver doesn’t always mean curtains for the OS, it can result in the blue screen of death that Microsoft refers to as a bugcheck.
If your network experiences problems, you can send a message to Microsoft in several ways. One way is through the new error-reporting mechanism, which Figure 1.8 shows.
You can specify that an error report be sent when the Windows OS fails and when other loaded programs fail. You can select those programs through the Choose Programs button that Figure 1.8 shows. As you can see, the default selection involves all Microsoft programs and Windows components. In most environments, you might want to keep error reporting enabled. I’m not sure how Microsoft is going to evolve this feature to offer better support; however, I can see the company using it to improve the product or link your error reports with your activation ID so that Microsoft’s support services can better assist you if you call for support. (Those who are paranoid can disable the error-reporting feature.)
Figure 1.8
Enabling or disabling error reporting in System Properties
Driver Signing
Driver signing isn’t new with Windows 2003, but it’s a highly useful feature. This feature lets you block drivers that haven’t undergone Windows Hardware Quality Labs (WHQL) testing and signing. The default sets up Driver Signing to warn you when you’re about to load an unsigned driver, as Figure 1.9 shows. I recommend that you consider raising the level on all your servers to Block — Never install unsigned driver software.
Driver Rollback
Even if a driver that shouldn’t have been loaded is loaded, you have another chance to excise it from your system. You can use the Driver Rollback feature that Figure 1.10 shows to roll back the current driver to the most recent previously installed driver.
Note: The Driver Rollback feature isn’t designed to keep histories of all the drivers for a device that you’ve ever loaded. It “remembers” only your most recent previously installed driver.
Figure 1.9
Selecting the Driver Signing level in System Properties
Figure 1.10
Driver Rollback feature in Device Manager
Automatic Updates
Windows 2003 now allows automatic updating when patches become available between service packs. You can choose between different modes that can help you keep your Windows 2003 servers updated, as Figure 1.11 shows.
Figure 1.11
Configuring Automatic Updates in System Properties
Software Updates with SUS
Despite the capabilities of the Automatic Update feature, the most effective way to manage Microsoft’s patch updates is to disable the Automatic Update service and set up Microsoft Software Update Services (SUS), which Figure 1.12 shows. Using SUS helps ensure that new Microsoft patches are well integrated into your environment. You can test the patches you want to update in a test lab, then distribute the patches you need to your servers and clients.
You could load SUS on a Windows 2003 or Win2K server or DC, then use group policy to distribute instructions to target machines about how to download and install the patches. For more information, see the Windows and .NET Magazine Network Security Administrator article at http://www.secadministrator.com/articles/index.cfm?articleid=37938 or my article at http://www.mcpmag.com/features/article.asp?editorialsid=336
Tip: You can leverage the power of Microsoft’s free SUS to specify which patches you want to send to your systems. It’s a simple task for an Administrator to test the proposed patch offline in the test lab, then select which patches will go to servers and clients. SUS is available for download from Microsoft at
http://www.microsoft.com/windowsxp/64bit/techinfo/planning/techoverview/default.asp
Figure 1.12
Microsoft SUS
IIS Improvements
Microsoft Internet Information Services (IIS) 6.0 is a wholesale IIS overhaul. In a nutshell, IIS 6.0 is
• faster
• more secure
• easier to administer
Did I mention that it’s faster? IIS 6.0 is so much faster than previous IIS versions that its speed is hard to describe. Why is it faster? Microsoft has moved the HTTP processor from user mode to kernel mode, a move that makes IIS 6.0 dramatically faster.
Space constraints keep me from delving into and describing all the IIS 6.0 architecture and security changes. For an in-depth look at the changes, be sure to read Brett Hill’s Windows & .NET Magazine article “IIS Overhauled in Version 6.0,” which you’ll find at the following URL:
http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=38285
IIS Remote Administration Mode
If you want to set up your servers so you can administer them remotely — from any Web browser anywhere in the world — you can do so by enabling Remote Administration Mode. You must go to Add/Remove Windows Components, then traverse to Application Server, Internet Information Services, World Wide Web Service, and Remote Administration (HTML), as Figure 1.13 shows.
Figure 1.13
Setting Up Remote Administration
When you’re ready to use Remote Administration Mode, go to http://<servername>:8089. You’ll be prompted for credentials. After you’re in, poke around to see what you can do from a Web browser. Figure 1.14 indicates some of what you can accomplish after you set up Remote Administration Mode.
Figure 1.14
Remote Administration Mode
Tip: You can’t load Remote Administration if the target server is a DC.
Should You Deploy?
Now that Windows 2003 is generally available, it’s certainly worth a look. But how can you decide whether you’re ready to deploy it? You’ll have to ask yourself some questions about the current state of your network to see whether, after you commit to Windows 2003, the installation will remain an uphill battle. You can begin your assessment by asking yourself these questions:
• Am I currently running on older hardware?
If yes, evaluate your hardware to make sure it won’t prohibit the upgrade to Windows 2003.
• Do I have many custom applications or Web applications?
With every new OS release, application incompatibilities can be a problem. With that in mind, you’ll need to test and retest each custom application if you want it to run on Windows 2003. Moreover, given the dramatic changes Microsoft has made to IIS 6.0, if you have Web applications, you need to ensure that they won’t break after you upgrade to IIS 6.0.
• What will deployment cost?
Do you have a Microsoft licensing agreement that lets you upgrade to Windows 2003? If so,
you’ll pay only the labor costs of performing the application tests and the upgrade — not the
software costs.
If you don’t have a licensing agreement that lets you upgrade to Windows 2003, try to
figure out how many licenses you’ll need. Be especially careful after you introduce your first
Windows 2003 DC. I’m not an expert on Microsoft licensing, but my understanding is that after
you introduce your first Windows 2003 DC, you’ll need to get current on all your Client Access
Licenses (CALs). Definitely check with your Microsoft licensing representative to get the full
scoop on the upgrade costs.
Tip
The article at the following URL provides some information about Microsoft licensing:
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=24033
Onward — to Windows 2003 AD
In terms of Windows 2003 features, I’ve barely scratched the surface. Some of the features I’ve
described are “skin deep” but useful. Others offer dramatic improvements over previous capabilities.
Yet other features kick in when you use Windows 2003 as an AD DC, as I explore in Chapter 2:
What’s New in Windows Server 2003 Active Directory and Chapter 3: What’s New in Windows
Server 2003 Management.
Chapter 2:
What’s New in Windows Server 2003
Active Directory
Introduction
“Chapter 1: Windows Server 2003 – What’s New” introduced some of the many compelling features
Windows Server 2003 (Windows 2003) brings to the table. Windows 2003 includes
• a faster, more secure, and re-architected Microsoft Internet Information Services (IIS) 6.0
• remote access quarantine through the Network Access Quarantine Control feature
• server event tracking through Shutdown Event Tracker
• greater scalability with more processors
• greater scalability with more cluster nodes
You can make a strong case for upgrading to Windows 2003 based on those features alone. If
you simply walked around with the Windows 2003 CD-ROM and upgraded all your Windows 2000
member servers, you would have a field day exploring what you can accomplish with the new
features. Of course, you won’t want to walk around with the CD-ROM and perform those upgrades
(you’d be likely to get into trouble). Nevertheless, Figure 2.1 shows the first screen you’ll encounter
when the time to upgrade comes.
Figure 2.1
Windows 2003 CD-ROM initial screen
In my opinion, the real magic of Windows 2003 lies in the new Active Directory (AD)-specific
features you gain after you complete your upgrade. This chapter explores what capabilities those
features provide and discusses how to prepare to use them.
Working with Domain Levels
To prepare for Windows 2003 AD, you must first ask yourself two questions: Which kinds of domain
controllers (DCs) do I have and which kinds of DCs do I want to deploy? The answers to these
questions might include Windows NT 4.0 BDCs, Win2K DCs, and Windows 2003 DCs. You’ll want to
begin by stepping back and analyzing your current network configurations.
Analyzing Your Current Network
Your network might contain
• all NT 4.0 DCs
• some Win2K DCs and some NT 4.0 BDCs
• all Win2K DCs
• no Windows-based domains (i.e., no network or a non-Windows network such as Banyan or
Novell)
Each of these situations gives rise to some specific opportunities and concerns. I explore each
scenario in the following text.
Note
Although it makes sense to list the scenario of having all NT 4.0 DCs first (as I did above), I
discuss that scenario last. Moving from all NT 4.0 DCs to Windows 2003 has some unique
considerations. Nevertheless, those of you who have all NT 4.0 DCs will benefit from reading
through the material that precedes the discussion of that particular upgrade.
If You Have Combined Win2K and NT 4.0 BDCs
If you started out with NT 4.0 DCs and introduced a Win2K DC or two, you might remember the
process. You had to begin with the NT 4.0 PDC and upgrade it in place to Win2K Server. You
probably made a backup of the PDC, then slipped in the Win2K CD-ROM with your fingers crossed.
For 99 percent of the users who approached the upgrade this way, everything went well. For the
other 1 percent, the process involved sweaty palms as they rolled back the upgrade and tried to
figure out what the problem was. After you completed the PDC upgrade, you had your first Win2K DC,
and Win2K conveniently placed the domain in what’s called Mixed Mode, so your remaining NT 4.0 BDCs
kept working.
Now that I’m discussing how to analyze your particular scenario, let me remind you how to
discover or verify your network’s mode. To check your current configuration’s mode, run Active
Directory Domains and Trusts, which Figure 2.2 shows.
Figure 2.2
Active Directory Domains and Trusts
In the list of domains that appears, select the name of the domain whose mode you want to
check, right-click it, and select Properties. The domain mode appears on the General tab. If you
have any NT 4.0 BDCs, you’re probably in Mixed Mode, as is the case with Domain B, which Figure 2.3
shows.
Figure 2.3
Ascertaining a domain’s mode
Mixed Mode supports both Win2K and pre-Win2K DCs, which means that you can still add and
remove NT 4.0 BDCs as needed. This capability is a good thing. You might have legacy applications
that require you to keep NT 4.0 BDCs around until you find a Win2K or Windows 2003 solution.
Of course, much of the capability that you have with all Win2K DCs is missing in Win2K and
NT Mixed Mode. (The next section details which capabilities you add if you make the switch to all
Win2K DCs.) However, with the first Win2K DC, you get
• Group Policy support for Win2K and XP Professional clients
• IntelliMirror support for Win2K and XP Professional clients
• domain management capability through either Active Directory Users and Computers (Win2K) or
User Manager for Domains (NT 4.0)
Tip
For an in-depth discussion of Group Policy and IntelliMirror, see my book Windows 2000:
Group Policy, Profiles, and IntelliMirror. You can find information about the book at the
URL below.
http://www.sybex.com/sybexbooks.nsf/2604971535a28b098825693d0053081b/d15f21a26eaeed8588256bca0062a12f!OpenDocument&Highlight=0,moskowitz
The promised land, as far as Win2K is concerned, is to get rid of all your NT 4.0 BDCs and have
homogeneous Win2K DCs. Interestingly, new Windows 2003 domains are “born” into Win2K Mixed
Mode. You can see Domain A’s initial mode – Win2K’s Mixed Mode – in the Windows 2003 domain’s
Active Directory Domains and Trusts screen, which Figure 2.4 shows.
Figure 2.4
A new Windows 2003 domain’s initial mode
Therefore, if you build a new Windows 2003 domain from scratch, you could still, if you wanted
to, introduce additional NT 4.0 BDCs. This capability might be helpful should you have legacy
applications, such as a specialized account lookup program or a specialized piece of remote access
equipment, that must reside on a BDC.
If You Have All Win2K DCs
After you leave the last NT 4.0 BDC in the dust, you can make the switch to Win2K’s Native Mode,
which introduces additional useful features.
• Universal Group support – Universal security groups can contain accounts and groups from any
domain in the forest, and you can grant them access to resources in any domain in the forest.
• Total Win2K-style replication – With no NT 4.0-style PDC-to-BDC SAM replication left to maintain
and all your DCs using native AD multimaster replication, the replication process becomes more
efficient.
• Additional capacity for security principals – The directory can now grow past the SAM’s practical
limit of about 40MB. (Even one remaining NT 4.0 BDC keeps you under that restriction, because the
BDC must still hold a complete copy of the account database.) If you need this greater capacity,
you know it!
• SidHistory – The sIDHistory attribute lets a single account carry the SIDs of the accounts it
replaced. At logon, those SIDs are added to the user’s access token, so existing ACLs in the old
domain that name the old SID still grant access, without the user having to supply old credentials.
(This is what makes an NT 4.0-to-Win2K or NT 4.0-to-Windows 2003 migration transparent to users.
Treat it strictly as a migration aid: any SID placed in sIDHistory confers whatever access that SID
has, so audit the attribute and clear it once the old domain is retired.)
• Advanced group nesting – You can now nest groups in multiple levels across group types (for
example, global groups inside universal groups, and universal groups inside domain local groups).
You can also convert a group’s scope from the group’s Properties page: global to universal, or
domain local to universal, provided the group’s current membership is legal for the new scope.
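To make the SidHistory point concrete, here is an added illustration (mine, not the book’s and not Windows code) that simulates how a logon token built from an account’s own SID, its group SIDs and its sIDHistory values is evaluated against an ACL, and why an unexpected SID in sIDHistory deserves an audit. All SIDs, account names and ACL entries are constructed sample data.

```python
"""Simulated access check showing what sIDHistory does to a logon token.

This is an added illustration, not code from the book and not how
Windows implements access checks. It keeps one principle: the token
built at logon carries the account's own SID, its group SIDs and every
SID stored in sIDHistory, and an allow ACE that names any one of them
grants access. All SIDs, names and ACLs below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    sid: str                                   # the account's SID in the new domain
    group_sids: list = field(default_factory=list)
    sid_history: list = field(default_factory=list)  # SIDs of accounts it replaced

    def token_sids(self) -> set:
        """Every SID the access token will carry after logon."""
        return {self.sid, *self.group_sids, *self.sid_history}


# Allow ACEs on a share that still lives in the old NT 4.0 domain:
# (trustee SID, permission). Deny ACEs are left out of this model.
OLD_DOMAIN_ACL = [
    ("S-1-5-21-1111-1111-1111-1005", "read"),   # old domain, RID 1005: a user
    ("S-1-5-21-1111-1111-1111-512", "full"),    # old domain, RID 512: Domain Admins
]

# Well-known privileged RIDs that should never appear in sIDHistory unless
# a migration of that very account is in progress.
PRIVILEGED_RIDS = {"500", "512", "518", "519"}  # Administrator, Domain/Schema/Enterprise Admins


def allowed_permissions(account: Account, acl) -> set:
    """Permissions the account gets from the ACL, given its full token."""
    token = account.token_sids()
    return {perm for trustee, perm in acl if trustee in token}


def audit_sid_history(accounts) -> list:
    """Return (account name, SID) pairs where sIDHistory carries a privileged RID."""
    flagged = []
    for account in accounts:
        for sid in account.sid_history:
            if sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS:
                flagged.append((account.name, sid))
    return flagged


# Constructed accounts.
def migrated_user() -> Account:
    # Stacey was RID 1005 in the old domain; the migration tool copied that SID.
    return Account("stacey", "S-1-5-21-2222-2222-2222-1421",
                   sid_history=["S-1-5-21-1111-1111-1111-1005"])


def fresh_user() -> Account:
    # Hired after the migration; no history, so the old ACL ignores her.
    return Account("newhire", "S-1-5-21-2222-2222-2222-1500")


def tampered_user() -> Account:
    # Someone wrote the old Domain Admins SID into this account's sIDHistory.
    return Account("mallory", "S-1-5-21-2222-2222-2222-1600",
                   sid_history=["S-1-5-21-1111-1111-1111-512"])


if __name__ == "__main__":
    for acct in (migrated_user(), fresh_user(), tampered_user()):
        print(f"{acct.name:8} -> {sorted(allowed_permissions(acct, OLD_DOMAIN_ACL))}")
    print("audit:", audit_sid_history([migrated_user(), fresh_user(), tampered_user()]))
```

The migrated user reads the old share because her old SID is in the token; the new hire gets nothing; and the account with a privileged RID injected into sIDHistory silently becomes a Domain Admin on every resource the old domain still protects, which is exactly what the audit function is there to catch.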
To make the switch to Native Mode on a Win2K domain, just click Change Mode, which Figure
2.3 shows. You’ll be asked to confirm that you want to change the mode. If you answer Yes, the
Domain operation mode changes with little fanfare, as Figure 2.5 shows.
Figure 2.5
Changing the domain’s operation mode to Native Mode
Your Win2K domain is now in Win2K Native Mode, which lets you add Windows 2003 as well
as Win2K DCs. Keep in mind, however, that a domain in Win2K Native Mode doesn’t allow
NT 4.0 BDCs.
Caution
When you make the switch to Win2K Native Mode, you effectively abandon any remaining
NT 4.0 BDCs. They stop receiving account updates from your Win2K domain, but they don’t stop
answering logon requests. If you leave them on the network, they’ll keep authenticating users
against a frozen copy of the account database (e.g., they might grant access to accounts you’ve
since deleted or disabled, or accept passwords you’ve since changed). Take them off the network.
If You Have All NT 4.0 Domain Controllers
Now we can discuss a unique case: You have all NT 4.0 DCs and you’re considering switching
directly to Windows 2003. You’re not required to first upgrade your NT 4.0 domain (and therefore
your NT 4.0 BDCs) to Win2K DCs before you move to Windows 2003. What do you need to know
as you consider whether to skip the step of having Win2K DCs?
First, if you have all NT 4.0 DCs, you can still upgrade any NT 4.0 member server to either
Win2K or Windows 2003. You might choose an upgrade for servers such as your SQL servers,
Systems Management Server (SMS) servers, IIS servers, and Oracle servers. If you don’t have any
Win2K or Windows 2003 DCs, you’ll encounter NT 4.0’s inherent limitations, which include
• a SAM size restricted to about 40MB
• no Group Policy
• no IntelliMirror capability
• a single point of failure (If the PDC goes down, no users or administrators can update account
information or change passwords.)
• the old replication model (BDCs pull from PDCs at scheduled intervals.)
• the need to reformat a BDC to remove its role as a DC
Note
A third-party tool, such as Algin Technology’s U-Promote, can in most cases help you promote
or remove an NT 4.0 BDC’s DC status, leaving it a plain server. As with any tool, use
U-Promote only if you have current backups on hand.
Tip
You can upgrade an NT 4.0 Server to either Windows 2003, Standard Edition or Windows
2003, Enterprise Edition. However, you can upgrade NT 4.0 Server, Enterprise Edition only to
Windows 2003, Enterprise Edition.
Decision Point
At this point, if you’re running all NT 4.0 DCs, you’re ready to decide whether to bypass the Win2K
DC step completely. You know that you can jump from NT 4.0 straight into Windows 2003 – but
what else should you consider?
If you know that Win2K DCs won’t ever – and I mean ever – be involved in your journey to
Windows 2003 AD, you can take advantage of a special domain mode, Interim Mode. Interim Mode
is useful in the unique scenario comprised of NT 4.0 BDCs and Windows 2003 DCs – no Win2K DCs
allowed.
Caution
Interim Mode works only with NT 4.0 BDCs and Windows 2003 DCs.
Getting to Interim Mode
If you currently have 100 percent NT DCs and want to introduce your first Windows 2003 DC, how
do you move into Interim Mode? You select it when you use the Active Directory Installation Wizard
to upgrade an NT 4.0 domain’s PDC. You choose the forest functional level for forests that won’t
contain Win2K DCs, as Figure 2.6 shows.
Why Does Interim Mode Exist?
Interim Mode compensates for a specific limitation of both Win2K Mixed Mode and Win2K Native Mode (one
that doesn’t occur with either NT domains or the Windows 2003 equivalent of Native Mode).
The problem lies in group account memberships. NT 4.0 domains let you maintain more than 5000
members in a security group – for example, in a Domain Global Group. However, after you’ve introduced
Win2K DCs, the situation changes: a Win2K DC replicates a group’s entire member attribute as a single
unit, and one replicated write can’t carry more than about 5000 values, so a group that grows past
that size no longer replicates reliably.
Windows 2003 DCs, on the other hand, can handle more than 5000 members in a group – just as NT can –
because they replicate each member value individually (Linked Value Replication). Therefore, you can
combine NT 4.0 BDCs and Windows 2003 DCs and use Interim Mode. Interim Mode also provides better
replication between Windows 2003 DCs, because that per-value replication is switched on among them.
Figure 2.6
Choosing Interim Mode
Note
The Active Directory Installation Wizard dialog box is titled Forest Functional Level. I discuss
Forest Functional Levels later in this chapter. If you select Windows Server 2003 interim here,
you’re also changing the domain level to Windows 2003 Interim domain level.
When you upgrade an NT 4.0 PDC (to upgrade your NT 4.0 domain), Dcpromo will run
automatically. As you can see above, the text lets you know that the setting is right for you only if
you’ll never have Win2K DCs. Also, notice the statement in the lower left-hand corner of the dialog
box: Note: both options allow the forest to have Windows NT 4.0 domain controllers. In fact, you can
include NT 4.0 BDCs until you make the switch to Win2K Native Mode or the Windows 2003
equivalent (described below).
After the upgrade is complete, you can see Interim Mode again, in Windows 2003’s Active
Directory Domains and Trusts, which Figure 2.7 shows.
Figure 2.7
DOMAINC upgraded to Interim Mode
If You Have No Windows-based Domains
If you have no Windows-based domains whatsoever (i.e., in the case of a fresh Windows 2003
domain installation), you’ll probably start with 100 percent Windows 2003 DCs. In that case, you
would bring up your first Windows 2003 Server, run Dcpromo, and create your first domain.
Assuming you won’t need any NT 4.0 BDCs or Win2K DCs, you can get all the benefits of a
homogeneous domain with Windows 2003 DCs at Windows 2003’s domain functional level. First,
however, because you create a Windows 2003 domain as a Win2K Mixed Mode domain, you’ll need
to “bump up” the domain’s functional level. You raise the level through Active Directory Domains
and Trusts by right-clicking the domain name and selecting Raise Domain Functional Level, which
Figure 2.8 shows.
Figure 2.8
Raising a domain’s functional level
Next, you can select the functional level you want to support, as Figure 2.9 shows. Your choices
are to support a domain with Win2K DCs and Windows 2003 DCs or a domain with 100 percent
Windows 2003 DCs.
Figure 2.9
Selecting an available domain functional level
Select the domain functional level you want, then click Raise. You can bump one level to
Windows 2000 native or two levels to Windows Server 2003.
Caution
Raising the level is irreversible. That is, if you select Windows 2000 native, you can’t go back to
Windows 2000 mixed. If you select Windows Server 2003, you can’t go back to either
Windows 2000 native or Windows 2000 mixed.
After a domain is at Windows 2003’s domain functional level, you get the following major
additional features.
• InetOrgPerson becomes a user principal (I discuss this feature in Chapter 5: Windows Server 2003
Security Enhancements).
• Update logon timestamp: DCs now maintain the lastLogonTimestamp attribute which, unlike the older
lastLogon attribute that each DC keeps to itself, replicates to every DC. You can therefore query
any one DC and learn approximately when an account last authenticated anywhere in the domain, which
is a great help in finding stale and unused accounts. Two caveats: a DC rewrites the value only when
the stored copy is more than about 14 days old (the msDS-LogonTimeSyncInterval default), so treat it
as a roughly two-week indicator rather than a precise audit record, and it doesn’t record which DC
handled the logon (for that you still need the per-DC lastLogon value or the Security event log). I
discuss this feature and a tool that helps you examine the attribute involved in Chapter 7: Command
Line, Support Tools, and Resource Kit Tools.
• Domain rename feature (I discuss this feature in Chapter 8: Special Domain Operations).
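Because lastLogonTimestamp is the attribute most administrators reach for when hunting stale accounts, here is an added example (mine, not from the book or from Microsoft) that decodes the attribute’s FILETIME encoding and applies the replication-lag caveat above before calling an account stale. The user records are constructed sample data shaped like an LDAP export; in practice you would feed it the output of a query against one of your DCs.

```python
"""Finding stale accounts from lastLogonTimestamp.

Added example, not from the book or from Microsoft. lastLogonTimestamp is
stored as a Windows FILETIME: 100-nanosecond intervals since
1601-01-01 00:00 UTC. It is replicated, but a DC rewrites it only when
the stored value is older than msDS-LogonTimeSyncInterval (14 days by
default, minus a random 0-5 days), so the value can lag the real last
logon by up to two weeks. The records below are constructed sample data
shaped like an LDAP export, not real accounts.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000
SYNC_INTERVAL = timedelta(days=14)      # default msDS-LogonTimeSyncInterval


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer (as stored in AD) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here to build the sample data."""
    delta = dt - FILETIME_EPOCH
    return int(delta.total_seconds()) * HUNDRED_NS_PER_SECOND


def stale_accounts(records, now: datetime, threshold_days: int):
    """Return (sAMAccountName, last_logon_or_None) for accounts whose
    lastLogonTimestamp is older than threshold_days, allowing for the
    replication lag. Accounts with no value at all are reported too.
    """
    # The attribute may be up to SYNC_INTERVAL behind reality, so only flag
    # an account when even the most generous reading is past the threshold.
    cutoff = now - timedelta(days=threshold_days) - SYNC_INTERVAL
    stale = []
    for rec in records:
        raw = rec.get("lastLogonTimestamp")
        if raw in (None, 0):
            stale.append((rec["sAMAccountName"], None))
            continue
        last = filetime_to_datetime(raw)
        if last < cutoff:
            stale.append((rec["sAMAccountName"], last))
    return stale


NOW = datetime(2003, 9, 1, tzinfo=timezone.utc)

# Constructed sample export: four users with different logon histories.
SAMPLE_USERS = [
    {"sAMAccountName": "stacey",
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "ralph",
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "never.logged.on", "lastLogonTimestamp": 0},
    {"sAMAccountName": "borderline",
     # 95 days old: inside the 90-day threshold plus 14-day lag window,
     # so a 90-day sweep must not flag this account.
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=95))},
]

if __name__ == "__main__":
    for name, last in stale_accounts(SAMPLE_USERS, NOW, threshold_days=90):
        print(f"{name:18} last seen {last.date() if last else 'never'}")
```

The point of the extra 14 days in the cutoff is that an account whose value reads 95 days old may have logged on as recently as 81 days ago; tightening the threshold to 60 days does flag it. A zero or missing value means the account has never logged on since the domain reached this level, which deserves the same attention as an old one.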
Domain Level Review
You might find the different domain levels a little confusing. Table 2.1 offers a quick summary of
Win2K and Windows 2003 domain levels.
Table 2.1
Win2K and Windows 2003 domain levels

Win2K Mixed Mode
  Machines allowed: Win2K DCs, Windows 2003 DCs, and NT 4.0 BDCs
  When useful: When you have an application on an NT 4.0 BDC on which your business depends
  Features: Group Policy and IntelliMirror for Win2K Professional and XP Professional clients
  Notes: Both Win2K and Windows 2003 domains are created in Mixed Mode. NT 4.0 BDCs can
  participate in Win2K Mixed Mode.

Win2K Native Mode
  Machines allowed: Win2K DCs and Windows 2003 DCs
  When useful: When you have a new Win2K domain, a new Windows 2003 domain, or a Win2K domain
  with new Windows 2003 DCs
  Features: Universal Group support, SidHistory, SAM limit gone – replaced by 100 percent
  Win2K-style replication
  Notes: NT 4.0 BDCs are excluded from this mode.

Windows 2003 Interim Level
  Machines allowed: Windows 2003 DCs and NT 4.0 BDCs
  When useful: When you’re upgrading an NT 4.0 domain and have NT 4.0 BDCs
  Features: Group size of 5000+ users, enhanced Windows 2003 replication to other Windows 2003 DCs
  Notes: You can choose this mode only if you’re upgrading an NT 4.0 PDC with a Windows 2003
  CD-ROM. Win2K DCs are excluded from this mode.

Windows 2003 Functional Level
  Machines allowed: Windows 2003 DCs
  When useful: When you’re creating 100 percent new Windows 2003 domains without any older DC types
  Features: See the feature list above (InetOrgPerson as a user principal, lastLogonTimestamp,
  domain rename)
  Notes: Win2K DCs and NT 4.0 BDCs are excluded from this mode.
Domain Functional Level Diagram
Understanding precisely when you can progress to each domain level can be a bit daunting. The
graphic in Figure 2.10 should help guide you – whether you have an NT 4.0 domain, a Win2K
domain, or a Windows 2003 domain.
Figure 2.10
Upgrading from NT 4.0 or Win2K to Windows 2003
Diagram. It shows the paths to the Windows 2003 Functional Level. An NT 4.0 domain upgraded to
Windows 2000 starts as a Windows 2000 Mixed Mode Domain, moves to a Windows 2000 Native Mode Domain,
and then takes the Windows 2000 to Windows 2003 domain upgrade. A new Windows 2003 domain likewise
starts in Windows 2000 Mixed Mode and moves through Windows 2000 Native Mode. An NT 4.0 domain
upgraded directly to Windows 2003 with option 2 follows the same Windows 2000 Mixed Mode then
Windows 2000 Native Mode route. An NT 4.0 domain upgraded with option 1 enters a Windows 2003
Interim Mode Domain and goes from there to the Windows 2003 Functional Level.
Caution
Let me remind you once more that domain upgrades aren’t reversible. If you select Win2K’s
Native Mode, you can’t go back to Win2K’s Mixed Mode. If you select Windows 2003’s
Interim Level or Windows 2003’s Functional Level, you can’t go back to either Win2K’s
Native Mode or Win2K’s Mixed Mode.
Working with Forest Levels
In the previous section, you saw that a Win2K domain and a Windows 2003 domain could each have
its own domain-wide level. The same is true for a Windows 2003 forest. You create a new Windows
2003 forest at Win2K’s forest functional level.
Tip
Interestingly, a Win2K forest just “is” – no distinction is made between particular modes.
Only Windows 2003 forests make a distinction between Win2K’s forest functional level and
Windows 2003’s forest functional level.
However, to get to the best features that Windows 2003 AD offers, you must first reach Windows
2003’s forest functional level. To do so, you must ensure that
• all DCs are Windows 2003
• all domains are switched to Windows 2003’s domain functional level
After you’ve completed that preparation, you can take it one step further. That is, you can throw
the switch to bring the entire forest to Windows 2003’s forest functional level – the Holy Grail of
Windows 2003 AD.
To raise the forest level, right-click the Active Directory Domains and Trusts root and select Raise
Forest Functional Level, which Figure 2.11 shows.
Figure 2.11
Raising the forest functional level
After you’ve selected Raise Forest Functional Level, you’ll see the current functional level of the
forest, which Figure 2.12 shows. For a forest built from Win2K or from scratch, that level is
Windows 2000, and Windows Server 2003 is the only higher level you’re offered.
Figure 2.12
Selecting Windows 2003’s forest functional level
If you chose to perform an NT 4.0 upgrade into an Interim level domain and forest, you have
two options: Windows 2000 Server and Windows Server 2003. Note, however, that you’ll need to
throw Windows 2003’s domain functional level switch in each domain before Windows 2003’s forest
functional level is valid. Select the forest functional level you want, click Raise, and you’re done.
Caution
As is true in raising a domain’s level, after you raise a forest’s level, you can’t reverse the move.
That is, if you start with Win2K’s forest functional level and you select Windows 2003’s forest
functional level, you can’t go back to Win2K’s forest functional level.
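Since both the domain-level rules (Table 2.1 and Figure 2.10) and the forest-level prerequisites above are one-way doors, it helps to check an inventory before clicking Raise. The following is an added example, my own preflight script rather than anything from the book or from Microsoft: it encodes which DC types each level tolerates, refuses to report a downgrade as an option, treats Interim as an upgrade-time choice rather than a raise target, and checks that every domain is at the Windows 2003 domain level before the forest raise. The domain and DC names are constructed sample data; in practice you would fill the inventory from Active Directory Sites and Services.

```python
"""Preflight check for raising domain and forest functional levels.

Added example, not from the book or a Microsoft tool. It encodes the
rules from this chapter: which DC types each level tolerates, that a
level can only move upward, and that a forest can reach Windows Server
2003 only when every domain is already at that domain level (which
itself implies that no NT 4.0 BDCs or Win2K DCs remain). Domain and DC
names are constructed sample data.
"""

# Ordered from lowest to highest; Interim is reachable only from NT 4.0.
LEVELS = ["Windows 2000 mixed", "Windows 2000 native",
          "Windows Server 2003 interim", "Windows Server 2003"]

# DC operating systems each level permits (Table 2.1).
ALLOWED_DCS = {
    "Windows 2000 mixed": {"NT4", "2000", "2003"},
    "Windows 2000 native": {"2000", "2003"},
    "Windows Server 2003 interim": {"NT4", "2003"},
    "Windows Server 2003": {"2003"},
}


def blockers(target: str, dcs: dict) -> list:
    """Names of DCs (name -> OS) that would be orphaned at `target`."""
    allowed = ALLOWED_DCS[target]
    return sorted(name for name, os in dcs.items() if os not in allowed)


def raisable_levels(current: str, dcs: dict) -> list:
    """Levels the domain can legally move to from `current`.

    The move is one-way, so anything at or below `current` is excluded.
    Interim is an upgrade-time choice (made while upgrading the NT 4.0
    PDC), never a target you raise an existing Win2K-level domain to.
    """
    start = LEVELS.index(current) + 1
    out = []
    for level in LEVELS[start:]:
        if level == "Windows Server 2003 interim":
            continue
        if not blockers(level, dcs):
            out.append(level)
    return out


def forest_raise_report(domains: dict) -> dict:
    """domains: name -> {"level": str, "dcs": {dcname: os}}.

    Reports which domains still block the Windows Server 2003 forest level
    and whether the raise may proceed.
    """
    not_ready = {}
    for name, info in domains.items():
        problems = []
        if info["level"] != "Windows Server 2003":
            problems.append(f"domain level is {info['level']}")
        problems += [f"{dc} runs {os}" for dc, os in sorted(info["dcs"].items())
                     if os != "2003"]
        if problems:
            not_ready[name] = problems
    return {"can_raise": not not_ready, "not_ready": not_ready}


# Constructed inventory of a three-domain forest in mid-migration.
FOREST = {
    "corp.example.test": {"level": "Windows Server 2003",
                          "dcs": {"DC1": "2003", "DC2": "2003"}},
    "emea.example.test": {"level": "Windows 2000 native",
                          "dcs": {"LONDC1": "2003", "LONDC2": "2000"}},
    "legacy.example.test": {"level": "Windows 2000 mixed",
                            "dcs": {"NTBDC1": "NT4", "DC9": "2003"}},
}

if __name__ == "__main__":
    for name, info in FOREST.items():
        print(name, "->", raisable_levels(info["level"], info["dcs"]) or "nothing yet")
    print(forest_raise_report(FOREST))
```

Run against the sample forest, only corp.example.test is ready; emea.example.test is held back by a Win2K DC and its domain level, and legacy.example.test by an NT 4.0 BDC. Because the script only ever lists levels above the current one, it can never suggest the move the Cautions warn you is impossible to undo.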
Windows 2003 Forest Functional Level Features
After you make the irreversible move to Windows 2003’s forest functional level, you get a gaggle of
new Windows 2003 AD features. Some features are “under-the-hood” enhancements, and others are
features you can deploy to solve specific business problems.
Here are some enhancements you get “under the hood” with Windows 2003’s forest functional
level:
• Linked Value Replication (LVR) – Under Win2K, a group’s entire member attribute replicated as one
unit, so you could lose changes when two administrators edited the same group at about the same
time. If Stacey in the USA and Ralph in Great Britain each modified the Nurses group membership
before the other’s change had replicated, only one write could win the conflict (the one with the
higher version stamp), and the other administrator’s change was silently discarded. Under LVR each
membership value replicates, and is stamped, individually, so both changes survive and the group
ends up with the merged membership.
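To show why the Interim Mode sidebar and this LVR bullet describe the same fix, here is an added simulation (mine, not the book’s and not AD’s replication code) that replays the Stacey-and-Ralph collision twice: once with Win2K’s whole-attribute semantics, where the higher stamp wins and the other write vanishes, and once with per-value LVR semantics, where both edits survive. The member names and stamps are constructed sample data, and a single integer stands in for AD’s (version, originating time, DSA GUID) stamp.

```python
"""Why Win2K group membership changes could collide, and what LVR fixes.

Added example, not from the book. It is a simulation, not AD's
replication code. Under Win2K the whole `member` attribute is one
replicated unit: each DC's write is stamped, and at replication time the
higher stamp wins and the other write is discarded. With Linked Value
Replication each member value carries its own stamp, so two DCs that add
or remove different members at the same time both keep their changes.
Names and stamps are constructed sample data.
"""


def win2k_replicate(local_write, remote_write):
    """Whole-attribute semantics.

    Each write is (stamp, full_member_list). AD resolves the conflict by
    the higher stamp (version, then originating time, then DSA GUID); here
    a single integer stands in for that tuple. The loser's members are
    not merged in; they are simply gone.
    """
    stamp_a, members_a = local_write
    stamp_b, members_b = remote_write
    winner = members_a if stamp_a > stamp_b else members_b
    return sorted(winner)


def lvr_replicate(base, local_ops, remote_ops):
    """Linked Value Replication semantics.

    Every link value has its own (present, stamp). Each op is
    (stamp, member, present); per value, the higher stamp wins, so
    independent adds/removes of different members all survive.
    """
    state = {m: (True, 0) for m in base}
    for stamp, member, present in sorted(local_ops + remote_ops):
        _, current_stamp = state.get(member, (False, -1))
        if stamp > current_stamp:
            state[member] = (present, stamp)
    return sorted(m for m, (present, _) in state.items() if present)


# Constructed scenario from the text: Stacey (USA) and Ralph (UK) edit the
# Nurses group at about the same time, before replication catches up.
NURSES = ["alice", "bob", "carol"]
STACEY_ADDS = "dave"     # Stacey adds Dave
RALPH_REMOVES = "bob"    # Ralph removes Bob

# Win2K: each DC writes the complete list as it sees it locally.
STACEY_WRITE = (1, NURSES + [STACEY_ADDS])                     # stamp 1
RALPH_WRITE = (2, [m for m in NURSES if m != RALPH_REMOVES])   # stamp 2, slightly later

# LVR: each DC records only the value it touched.
STACEY_OPS = [(1, STACEY_ADDS, True)]
RALPH_OPS = [(2, RALPH_REMOVES, False)]


def compare():
    """Final Nurses membership under each replication model."""
    return {
        "win2k": win2k_replicate(STACEY_WRITE, RALPH_WRITE),
        "lvr": lvr_replicate(NURSES, STACEY_OPS, RALPH_OPS),
    }


if __name__ == "__main__":
    for mode, members in compare().items():
        print(f"{mode:5}: {members}")
```

Under the Win2K model Ralph’s later write wins and Dave never makes it into the group, with no error anywhere to tell Stacey so. Under LVR both edits land. The same per-value mechanism is what lets a group carry more than about 5000 members, since no single replicated write has to carry the whole list.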