Active Directory gets souped up in Windows Server 2003

As promised in the last issue, we’ll take a look today at the upcoming Windows Server 2003 to see what’s new. First, though, I’ve been surprised to see some writers, pundits and analysts dismiss this version as “only a point upgrade” (i.e., an upgrade from version “x” to version “x.1”). What I think they are overlooking is that it has been three years since the previous release, Windows 2000, and a lot has changed since then.

Certainly some of the features in Windows 2003 have been around for a while, either as part of Windows XP or as updates to Windows 2000. But just as XP was built on the foundation of Windows 2000, so too is Windows 2K3 built on the foundation of XP. Compared to what shipped as Windows 2000, it is more than a point upgrade.

We’ll begin our look at an area that is near and dear to my heart, directory services. Download and read the document at for a fuller explanation of the improvements in Active Directory (AD). For now, we’ll look at the highlights.

AD was first introduced with Windows 2000 and is beginning to come of age as a legitimate enterprise directory service. The changes and improvements in AD can be grouped in six areas:

* Integration and productivity.

* Performance and scalability.

* Administration and configuration management.

* Group policy improvements.

* Security enhancements.

Under integration and productivity, AD has been enhanced to accommodate the inetOrgPerson class, which means that applications that use user objects in other Lightweight Directory Access Protocol (LDAP)-compliant directory services (such as Novell’s eDirectory or the Sun One Directory Server) can now work directly with AD. The directory is also now integrated with Microsoft’s Passport service, so that Passport information can be imported directly into the directory. Other changes in this area include provisions for better integration with Microsoft’s monitoring facilities, messaging products and server environments.

AD performance was one of the reasons for the slow uptake of Windows 2000 servers. In particular, networks linked by slow WAN connections suffered enormously. With Windows 2003, AD performance, especially in a WAN environment, has been greatly improved.

Instead of contacting a remote global catalog each time a user logs on to a domain controller, the DC caches the universal group memberships of users who have previously logged on at that site, retrieved from off-site global catalog servers while the network was available. Users can then log on without the DC contacting a global catalog server at logon time, which reduces the demand on slow or unreliable networks.

This improvement also provides added reliability if a global catalog is unavailable to process logon requests for users. The result is faster logons for outlying users and translates to fewer phone calls to you complaining about network speed.

AD has also changed the way groups and their memberships are replicated between servers, so that only the small, changed bits of information need to be propagated, which also improves performance.
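The membership-replication change is easier to see in a small simulation. The Python below is an added example of mine, not code from the column or from Microsoft. It models the two replication styles abstractly: the whole `member` attribute travelling as one unit with a last-writer-wins conflict rule (the Windows 2000 behaviour the column alludes to), versus each member link being its own replicated change (what Windows Server 2003 calls linked-value replication). The group, the accounts and the conflict rule are constructed for the example.

```python
"""Constructed simulation: replicating a group's member list two ways.

Whole-attribute style: the entire 'member' list travels as one unit, and
when two DCs change it at the same time the conflict resolver keeps one
DC's version in full.  Per-value (linked-value) style: every added or
removed member is its own replicated change, so concurrent edits merge.
All names below are constructed for the example.
"""
from typing import Set

# Constructed starting membership of a privileged group, as seen by both DCs.
BASE = {"alice", "bob", "svc-backup"}
# DC A removes the stale service account; DC B adds carol at the same moment.
DC_A = {"alice", "bob"}
DC_B = {"alice", "bob", "svc-backup", "carol"}


def merge_whole_attribute(dc_a: Set[str], dc_b: Set[str], winner: str) -> Set[str]:
    """Whole-attribute replication: the version with the higher stamp wins
    outright; the losing DC's concurrent edit is silently discarded."""
    return set(dc_a) if winner == "A" else set(dc_b)


def merge_linked_values(base: Set[str], dc_a: Set[str], dc_b: Set[str]) -> Set[str]:
    """Linked-value replication: reconcile each member link independently,
    so additions and removals from both DCs are all applied."""
    added = (dc_a - base) | (dc_b - base)
    removed = (base - dc_a) | (base - dc_b)
    return (base | added) - removed


def values_sent_whole(dc_version: Set[str]) -> int:
    """Whole-attribute style ships the entire list on every change."""
    return len(dc_version)


def values_sent_linked(base: Set[str], dc_version: Set[str]) -> int:
    """Linked-value style ships only the links that changed."""
    return len(dc_version ^ base)


def lost_removals(base: Set[str], dc_a: Set[str], dc_b: Set[str],
                  merged: Set[str]) -> Set[str]:
    """Members that some DC removed but that survive in the merged result."""
    intended_removals = (base - dc_a) | (base - dc_b)
    return intended_removals & merged


if __name__ == "__main__":
    whole = merge_whole_attribute(DC_A, DC_B, winner="B")
    linked = merge_linked_values(BASE, DC_A, DC_B)
    print("whole-attribute result:", sorted(whole))
    print("  removals lost:", sorted(lost_removals(BASE, DC_A, DC_B, whole)))
    print("linked-value result:  ", sorted(linked))
    print("  removals lost:", sorted(lost_removals(BASE, DC_A, DC_B, linked)))
    print("values replicated for DC B's change, whole vs linked:",
          values_sent_whole(DC_B), values_sent_linked(BASE, DC_B))
```

Two things fall out of the run. With whole-attribute replication, DC B's add of one member ships the entire list, which for a group of thousands of members is exactly the WAN cost the column complains about; with per-value replication it ships one link. More importantly for an administrator, the whole-attribute conflict rule can silently discard DC A's removal of `svc-backup` from a privileged group, so a removal you made and verified on one DC can be undone by an unrelated concurrent addition elsewhere. Per-value replication keeps both edits. One caveat the column does not mention: linked-value replication only switches on once the forest functional level has been raised to Windows Server 2003, so a mixed forest still replicates the old way.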

New to the directory service is the concept of dynamic objects, which have, in essence, an expiration date after which they are automatically removed. This is useful for storing application data and personalization information, either for the duration of a session or for a longer but still limited period. The result is fewer objects in the directory, especially the so-called “stale objects” whose usefulness has passed. Fewer objects means faster replication as well as more information in less file space.
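Dynamic objects follow the model of RFC 2589: an entry created with the dynamicObject auxiliary class carries a time-to-live (exposed as the entryTTL attribute), a client that still needs the entry refreshes that TTL before it runs out, and the directory garbage-collects anything nobody refreshed. The Python below is an added example of mine, not the column's or Microsoft's code, and it models those semantics on a toy store. The default and minimum TTL constants are my recollection of AD's forest-wide settings and are labelled as assumptions; the clock is passed in by the caller so the run is deterministic and works offline.

```python
"""Constructed model of RFC 2589-style dynamic directory entries.

An entry created with the dynamicObject class carries a time-to-live.
If nobody refreshes it, a periodic sweep deletes it.  The clock ('now')
is supplied by the caller so the behaviour is reproducible offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed defaults (my recollection of the AD forest-wide settings
# DynamicObjectDefaultTTL and DynamicObjectMinTTL); treat as assumptions.
DEFAULT_TTL = 86400   # one day, in seconds
MIN_TTL = 900         # fifteen minutes

# Constructed distinguished names for two session entries.
ALICE = "cn=session-alice,ou=sessions,dc=example,dc=test"
BOB = "cn=session-bob,ou=sessions,dc=example,dc=test"


@dataclass
class DynamicEntry:
    dn: str
    time_to_die: int  # absolute time at which the sweep may collect the entry


class DynamicStore:
    """Minimal directory partition that only knows about dynamic entries."""

    def __init__(self) -> None:
        self.entries: Dict[str, DynamicEntry] = {}

    @staticmethod
    def _clamp(ttl: Optional[int]) -> int:
        # RFC 2589 lets the server raise a too-small TTL to its minimum;
        # a request without a TTL gets the default.
        if ttl is None:
            return DEFAULT_TTL
        return max(ttl, MIN_TTL)

    def add(self, dn: str, now: int, ttl: Optional[int] = None) -> int:
        """Create a dynamic entry; return the TTL actually granted."""
        granted = self._clamp(ttl)
        self.entries[dn] = DynamicEntry(dn, now + granted)
        return granted

    def refresh(self, dn: str, now: int, ttl: int) -> int:
        """RFC 2589 Refresh: a client that still needs the entry extends it.
        Raises KeyError if the entry has already been swept."""
        granted = self._clamp(ttl)
        self.entries[dn].time_to_die = now + granted
        return granted

    def entry_ttl(self, dn: str, now: int) -> int:
        """Remaining seconds, the value the entryTTL attribute reports."""
        return max(0, self.entries[dn].time_to_die - now)

    def garbage_collect(self, now: int) -> List[str]:
        """Delete every entry whose time has passed; return what was removed."""
        dead = sorted(dn for dn, e in self.entries.items() if e.time_to_die <= now)
        for dn in dead:
            del self.entries[dn]
        return dead


def scenario() -> dict:
    """Two session entries created at t=0; only alice's client keeps refreshing."""
    store = DynamicStore()
    result = {}
    result["alice_granted"] = store.add(ALICE, now=0, ttl=1800)
    result["bob_granted"] = store.add(BOB, now=0, ttl=60)     # below MIN_TTL, raised
    result["swept_at_1000"] = store.garbage_collect(now=1000)  # bob expired at 900
    store.refresh(ALICE, now=1500, ttl=1800)                   # alice now dies at 3300
    result["swept_at_2000"] = store.garbage_collect(now=2000)
    result["alice_ttl_at_2000"] = store.entry_ttl(ALICE, now=2000)
    result["swept_at_3400"] = store.garbage_collect(now=3400)
    result["remaining"] = sorted(store.entries)
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point the column makes about stale objects is the sweep: an application that crashes or simply forgets to clean up after itself no longer leaves its session data in the directory indefinitely, because the data has a bounded lifetime from the moment it is written. The minimum TTL is the other thing worth knowing: a client cannot create an entry that lives for only a few seconds, so the directory is not turned into a high-churn scratch pad. As with the replication change, dynamic objects require the forest functional level raised to Windows Server 2003.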

Come back next issue and we’ll finish up the improvements and changes to AD in Windows Server 2003.