Security and group policy updates to Active Directory

* What to expect from Windows Server 2003 Active Directory

We're continuing our look at the updates to Active Directory (AD), which will ship with the forthcoming Windows Server 2003, due out in June. Last issue, I highlighted the changes in the areas of integration, productivity, performance and scalability. Today we'll take a look at four other areas:

* Administration and configuration management.

* Group policy improvements.

* Security enhancements.

Included with Windows 2003 is a new wizard called "Configure your server" which, among other things, guides you through setting up AD. Now experienced network managers tend to cringe when confronted with these wizards - they've already come to grips with doing it themselves. I still run into people, for example, who want to do everything from the command line and boast about not having a mouse connected to their computer. You can travel from New York to San Francisco by bicycle or rowboat, but I wouldn't recommend either as an efficient form of transportation. But if you keep a bike in your automobile's trunk, or a rowboat tied to your sailing yacht then they do serve a very useful purpose in an emergency situation. That's what I consider the command line to be for - emergency situations.

Wizards help you remember to do all the things you need to do, and the new configuration wizard in Win 2K3 is the best I've seen yet. Additional improvements allow for automating the setup of DNS and DHCP services, an easy place to make mistakes when you do everything manually. But by far my favorite improvement is the ability to replicate AD via media.  You can set up a new server for a remote site and install an AD replica from a CD (or tape or even from a file transfer) and then simply synchronize the changes since the media was created. This can be a tremendous time saver over having to replicate everything in AD over a slow WAN link.

There's a lot more in the realm of configuration management, enough to devote two or three newsletters to that topic alone. And we will do that after Win 2K3 ships. For now, though, get further details at http://www.microsoft.com/windowsserver2003/docs/ADtechover.doc along with information on the other improvements in AD.

Win 2K3 adds the Microsoft Group Policy Management Console as a snap-in to the Microsoft Management Console to tie together all aspects of group policy management in one easy to use utility. This is a great time saver for network managers who currently either have to use multiple tools to manage different aspects of group policies or forego their use entirely. Group policies, when effective, can make network administration much easier so it's nice that Microsoft has seen fit to simplify their use.

When Windows 2000 was released, Microsoft envisioned that most installations would be contained in a single forest; the idea of multiple forests for an enterprise seemed remote. In reality though, there are plenty of reasons for multiple forests, one of which is enhanced security. Of course, there are still users who need cross-forest access to directory trees. AD wasn't designed to make that easy. The updated AD though, does contain a new trust type called "forest trust", which allows you to easily create cross-forest trust relationships without at the same time compromising security.

Cross-forest trusts are not transitive. That is, just because forest A trusts forest B, and forest B trusts forest C, nothing is implied about the relationship of A and C. That's a tremendous security improvement over previous trust scenarios going back to Windows NT domains. Cross-forest trust is only one of the dozen or so enhancements in AD dealing with organizations that have multiple forests or who wish to integrate (either loosely or tightly) multiple forests.

That's a quick overview of AD in Windows Server 2003, come back next time and we'll look at another area of the upcoming operating system.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2003 IDG Communications, Inc.