I’ve been working with Active Directory (AD) since the early days of Windows 2000 (Windows NT 5.0 as it was then), and to be perfectly honest wondered how much there could be that’s new with the latest version. Whilst the session was possibly a little lightweight, I was surprised to learn just how many new features there are, as my previous view of Windows Server 2003 was that much of the improved functionality comes in the form of new services.
The new AD features fall into four main areas:
- Simplified management.
- Connecting forests.
- Connecting small offices.
- Managing group policies.
The rest of this post will discuss each of these in turn.
Simplified management is about improving the user experience for administrators. For example, within the AD Users and Computers and AD Sites and Services management tools, administrators can now drag and drop objects into new containers, OUs or groups, e.g. when adding user(s) or group(s) to a group, or moving a server to a new site.
Tip: Within AD users and computers it helps if the option to view users, groups and computers as containers is selected.
Improvements have also been made in locating objects, with new functionality such as saved queries in AD Users and Computers, accessed like a folder (e.g. queries based on a user or group name or description, or the number of days since the last logon). The queries are LDAP-based and can have their own root (i.e. they do not have to be relative to the whole domain). It should also be noted that saved queries are local to the computer and can be exported – e.g. übergeek queries can be created and exported to a help desk machine.
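As an added example (not code from the original post), the following Python shows what a "days since last logon" saved query amounts to underneath: an LDAP filter against lastLogonTimestamp, which AD stores as a Windows FILETIME (100-nanosecond ticks since 1 January 1601 UTC). The query date, the 90-day threshold and the helper names are constructed for the example; the OID matching rule and the userAccountControl bit are the real ones.

```python
"""Build the LDAP filter behind an AD "stale user" saved query.

Added example. Assumes lastLogonTimestamp (available at Windows Server 2003
forest functional level) holds a FILETIME integer, which is how AD stores it.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME ticks are 100 ns
ACCOUNTDISABLE = 2                     # userAccountControl bit for disabled accounts
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper: a timezone-aware UTC midnight for the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def to_filetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME integer."""
    if when.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks: int) -> datetime:
    """Inverse of to_filetime, at microsecond resolution."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def stale_user_filter(days: int, now: Optional[datetime] = None) -> str:
    """LDAP filter for enabled user accounts whose last logon is at least `days` old."""
    now = now or datetime.now(timezone.utc)
    cutoff = to_filetime(now - timedelta(days=days))
    return (
        "(&(objectCategory=person)(objectClass=user)"
        # Bitwise AND matching rule: exclude accounts with the disabled bit set.
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))"
        f"(lastLogonTimestamp<={cutoff}))"
    )


def is_stale(last_logon_ticks: int, days: int, now: datetime) -> bool:
    """Client-side equivalent of the filter, for checking exported query results."""
    return last_logon_ticks <= to_filetime(now - timedelta(days=days))


if __name__ == "__main__":
    # Constructed sample: a query run on 1 September 2004 for accounts idle 90 days.
    print(stale_user_filter(90, utc(2004, 9, 1)))
```

The resulting filter is the same one you could hand to `dsquery * -filter` from the command line. One caveat worth knowing when reading the results: lastLogonTimestamp is replicated, but it is only updated when the stored value is already more than about 9 to 14 days old, so "days since last logon" queries are approximate to that granularity and should not be used for anything that needs the exact last-logon time.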
Tip: To see exactly where an object exists in the directory, turn on advanced features and look in the object page of the item properties.
There are also a whole host of new tools, which can be called from the command line or from within custom scripts, allowing repetitive tasks to be automated and complex commands to be simplified. Back in September 2004, I posted further information on new commands in recent Windows releases, and Microsoft knowledge base article 322684 discusses using the directory service command-line tools to manage Active Directory objects in Windows Server 2003.
It is now possible to connect forests using trusts (e.g. following a merger or acquisition, or under some business partnership scenarios), simplifying access to resources in both forests and facilitating single sign-on.
Forest trusts can be one- or two-way and are transitive between the domains within each of the two forests, but a forest trust does not extend to any third forest. With a forest trust, UPN suffixes are used to publish namespaces, which in turn are used to establish where a logon originates from. Each forest is trusted to be authoritative for the namespace(s) which it publishes.
In order to support forest trusts, both forests must be running at Windows Server 2003 forest functional level.
Connecting small offices
Small or branch offices are often characterised by low speed wide area network links and may not have a local global catalog server, leading to slow logons. Windows Server 2003 includes a new option in the Active Directory Installation Wizard (dcpromo) to create a domain controller from a replica. It works by backing up the system state from an existing domain controller to removable media, then restoring that data on a remote server and running dcpromo /adv. In this way, the initial synchronisation time is reduced, as all the new domain controller needs to synchronise is the changes since the backup was taken. There is one gotcha though – the backup cannot be older than the tombstone lifetime (60 days by default).
Another useful new feature when connecting small offices is universal group membership caching. Because universal groups may span multiple domains, a global catalog server is required to query the membership (non-global catalog-enabled domain controllers only hold full details for objects in their own domain).
By caching the membership lists for universal groups, global catalog lookups only need to occur once for each universal group. The membership list is held indefinitely, but is refreshed every 8 hours. Universal group membership caching is enabled at the site level, within the NTDS Site Settings.
One alternative to universal group membership caching is to make each branch office domain controller a global catalog server, but this has a cost in increased domain replication traffic.
Managing group policies
One of the major criticisms of Active Directory group policy objects (GPOs) is that they are difficult to administer. Microsoft does provide tools, but until recently, they have been limited in their capabilities. Shortly after Windows Server 2003 was released, Microsoft made the Group Policy Management Console (GPMC) available for download. Since then, GPMC with service pack 1 has been released, which includes a number of bug fixes, revised licensing (to allow GPMC to be run against Windows 2000 domain controllers), support for more languages and a revised XML engine.
The GPMC is a new administrative tool for centralised management of GPOs, together with a collection of scriptable objects and associated scripts, which use a combination of Windows Management Instrumentation (WMI), Active Directory Services Interfaces (ADSI) and the GPMC object model.
Surprisingly, although in almost every organisation which uses Active Directory, GPOs affect every user within the business, many organisations do not think about backing up and restoring GPOs. Whilst they can be restored with an authoritative AD restore, that is not a simple process, and the scripts provided with the GPMC allow policies to be backed up and restored, as well as exported and imported (e.g. between test and production domains/forests).
Tip: Beware (as I found out with one of my clients) that if naming standards allow the use of non-standard characters (e.g. & and ') the GPMC scripts may not work as intended. For further information, refer to the September 2004 post which discusses recommendations for Active Directory object naming.
The GPMC also allows modelling of group policies in a similar manner to the previous Resultant Set of Policy (RSoP) tool. This is particularly useful for its ability to highlight the winning GPO for a policy setting, as well as the ability to view (and save) reports in HTML, or XML format (e.g. for intranet publishing and reference by IT support staff). Note that some settings (e.g. WMI, loopback, IPSec, Wireless, and disk quotas) may be estimates. Also, if a client PC used for modelling is running Windows XP service pack 2 with the default Windows Firewall settings and the original version of GPMC is used (i.e. without service pack 1), it will fail as described in Microsoft knowledge base article 883611.
Other useful group policy management tools include Group Policy Monitor (gpmonitor), which is used to create and display reports when policy settings are refreshed and the Group Policy Verification Tool (gpotool), which allows administrators to check GPO stability and monitor policy replication including checking for consistency within and across domains. This tool also displays information about GPOs, including properties that cannot be accessed through the Group Policy Object Editor such as the functionality version number and extension globally unique identifiers (GUIDs). Other diagnostic tools (also available in Windows XP) include Group Policy Results (gpresult) and the Group Policy Refresh Utility (gpupdate).
When diagnosing issues with GPOs, it is also worth checking DNS, as at the event I attended, Microsoft commented that 50% of GPO-related support calls are actually DNS issues.
Another new feature of Windows Server 2003 group policy is software restriction policies, which can be used to confront the problem of regulating unknown or untrusted code. Software restriction policy rules create one or more exceptions to the default security level that the policy defines.
The following types of software restriction policy rules can be created:
- Certificate rules, which recognise software that is digitally signed by an Authenticode software publisher certificate.
- Hash rules, which recognise specific software based on a hash of the software.
- Path rules, which recognise software based on the location in which the software is stored.
- Registry path rules, which recognise software based on the location of the software as it is stored in the registry.
- Internet zone rules, which recognise software based on the zone of the Internet from which the software is downloaded.
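Because several rule types can match the same executable, the useful thing to understand about the list above is how conflicts are resolved. The Python below is an added example (not Microsoft's implementation and not from the original post) that models the documented precedence: hash rules beat certificate rules, which beat path rules (registry path rules being path rules resolved through a registry value), which beat Internet zone rules, with the default security level applying when nothing matches; among path rules the more specific path wins, and on an exact tie the more restrictive level wins. The sample policy, registry value, publisher name and file bytes are constructed, and SHA-256 stands in for the hash format the real policy stores.

```python
"""Resolve which software restriction policy (SRP) rule wins for an executable.

Added example modelling SRP precedence; not Microsoft's code. Rules, registry
values and sample executables below are constructed for illustration.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"
# Lower number = evaluated with higher precedence.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "registry": 2, "zone": 3}


@dataclass
class Rule:
    kind: str    # hash | certificate | path | registry | zone
    match: str   # hex digest, publisher name, path/pattern, registry value name, or zone name
    level: str   # UNRESTRICTED or DISALLOWED


@dataclass
class Executable:
    path: str
    content: bytes = b""
    publisher: Optional[str] = None   # subject of a valid Authenticode signature, if any
    zone: Optional[str] = None        # zone recorded for a downloaded file, if any


def _path_matches(pattern: str, path: str) -> bool:
    pattern, path = pattern.lower(), path.lower()
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatchcase(path, pattern)
    # A folder pattern (trailing backslash) covers everything beneath it.
    return path.startswith(pattern) if pattern.endswith("\\") else path == pattern


def _resolved_path(rule: Rule, registry: Dict[str, str]) -> Optional[str]:
    """Path or folder a path/registry rule applies to, or None if unresolvable."""
    if rule.kind == "path":
        return rule.match
    folder = registry.get(rule.match)        # registry value holding an install folder
    return None if folder is None else folder.rstrip("\\") + "\\"


def _matches(rule: Rule, exe: Executable, registry: Dict[str, str]) -> bool:
    if rule.kind == "hash":
        return hashlib.sha256(exe.content).hexdigest() == rule.match.lower()
    if rule.kind == "certificate":
        return exe.publisher is not None and exe.publisher.lower() == rule.match.lower()
    if rule.kind in ("path", "registry"):
        target = _resolved_path(rule, registry)
        return target is not None and _path_matches(target, exe.path)
    if rule.kind == "zone":
        return exe.zone is not None and exe.zone.lower() == rule.match.lower()
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def effective_level(rules: List[Rule], exe: Executable, default: str = UNRESTRICTED,
                    registry: Optional[Dict[str, str]] = None) -> str:
    """Return the security level SRP would apply to `exe` under `rules`."""
    reg = registry or {}
    hits = [r for r in rules if _matches(r, exe, reg)]
    if not hits:
        return default

    def rank(r: Rule):
        # Kind precedence, then longer (more specific) path, then Disallowed before Unrestricted.
        specificity = -len(_resolved_path(r, reg) or "") if r.kind in ("path", "registry") else 0
        return (PRECEDENCE[r.kind], specificity, 0 if r.level == DISALLOWED else 1)

    return min(hits, key=rank).level


# Constructed sample policy: block user-profile locations and Internet-zone
# downloads, with narrow exceptions for approved tooling.
APPROVED_TOOL = b"MZ... constructed bytes of an approved executable"
SAMPLE_RULES = [
    Rule("hash", hashlib.sha256(APPROVED_TOOL).hexdigest(), UNRESTRICTED),
    Rule("certificate", "Contoso Ltd", UNRESTRICTED),
    Rule("path", "C:\\Users\\", DISALLOWED),
    Rule("path", "C:\\Users\\Public\\Tools\\", UNRESTRICTED),
    Rule("registry", "%HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\InstallDir%", UNRESTRICTED),
    Rule("zone", "Internet", DISALLOWED),
]
SAMPLE_REGISTRY = {"%HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\InstallDir%": "C:\\Users\\Public\\Contoso"}

if __name__ == "__main__":
    for exe in (Executable("C:\\Users\\Bob\\Downloads\\tool.exe"),
                Executable("C:\\Users\\Bob\\Downloads\\tool.exe", content=APPROVED_TOOL),
                Executable("C:\\Windows\\Temp\\dl.exe", zone="Internet")):
        print(exe.path, "->", effective_level(SAMPLE_RULES, exe, registry=SAMPLE_REGISTRY))
```

The ordering in `rank` is the whole point: a hash rule is the strongest possible statement about a file, a publisher certificate the next strongest, and a location or download zone the weakest, so when a file sits in a blocked folder but carries an approved hash or signature it still runs, and when two path rules overlap the narrower one is the exception to the broader one. When reviewing a real policy, walk the rules in that order for the executable in question rather than in the order the console lists them.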