New features for Active Directory
With the new Active Directory features available in XOX; XOX; and XOX, you can administer Active Directory more efficiently.
The following list summarizes the Active Directory features that are available by default on any running Windows Server 2003.
- Multiple selection of user objects. Modify common attributes of multiple user objects at one time.
- Drag-and-drop functionality. Move Active Directory objects from container to container by dragging one or more objects to a desired location in the console tree. You can also add objects to groups by dragging one or more objects (including other group objects) to the target group.
- Efficient search capabilities. Search functionality is object-oriented and provides an efficient search that minimizes the network traffic associated with browsing objects. For more information, see Finding directory information.
- Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers. For more information, see Using saved queries.
- Active Directory command-line tools. Run new directory service commands for administration scenarios. For more information, see Managing Active Directory from the command line.
- InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password. For more information, see User and computer accounts.
- Application directory partitions. Configure the scope for application-specific data among domain controllers. For example, you can control the scope of data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication. For more information, see Application directory partitions.
- Ability to add additional domain controllers using backup media. Reduce the time it takes to add an additional domain controller to an existing domain by using backup media. For more information, see Using the Active Directory Installation Wizard.
- Universal group membership caching. Avoid the need to locate a global catalog across a WAN when logging on by storing membership information on an authenticating domain controller. For more information, see Global catalogs and sites.
- Secure LDAP traffic. Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the data comes from a known source and that it has not been tampered with in transit. For more information, see Connecting to domain controllers running Windows 2000.
- Different location option for user and computer accounts. You can now redirect the default location for user accounts and computer accounts created by the following earlier application programming interfaces (APIs): NetUserAdd, NetGroupAdd, and NetJoinDomain. You can redirect these locations from the Users and Computers containers to organizational units, where Group Policy can be applied.
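One way to audit the redirection described in the preceding item, as an added example that is not part of the original help page: Windows records the default Users and Computers locations in the domain's wellKnownObjects attribute (DN-with-binary values of the form B:32:GUID:DN), so a check can read those values and report whether each default still points at the built-in container, where no organizational-unit Group Policy applies. The sample values below are constructed rather than read from a live domain; the two GUIDs are the well-known identifiers Windows uses for the Users and Computers containers.

```python
"""Report whether the default Users/Computers locations have been redirected."""
import re

# Well-known object GUIDs Windows uses for the default Users and Computers containers.
WKO_USERS = "A9D1CA15768811D1ADED00C04FD8D5CD"
WKO_COMPUTERS = "AA312825768811D1ADED00C04FD8D5CD"

# DN-with-binary syntax: "B:" <hex length> ":" <hex> ":" <DN>
_WKO_RE = re.compile(r"^B:(\d+):([0-9A-Fa-f]+):(.+)$")

# Constructed sample: Users still default, Computers redirected to an OU,
# plus one malformed value (length prefix does not match the hex string).
SAMPLE_WKO = [
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=example,DC=test",
    "B:32:AA312825768811D1ADED00C04FD8D5CD:OU=Workstations,DC=example,DC=test",
    "B:10:ABCD:CN=Broken,DC=example,DC=test",
]


def parse_well_known_objects(values):
    """Map upper-case GUID hex -> DN for each well-formed value; skip malformed ones."""
    result = {}
    for value in values:
        m = _WKO_RE.match(value)
        if not m or int(m.group(1)) != len(m.group(2)):
            continue  # the length prefix must equal the hex string length
        result[m.group(2).upper()] = m.group(3)
    return result


def is_default_container(dn, cn):
    """True if dn is the built-in CN=<cn> container directly under the domain root."""
    parts = [p.strip() for p in dn.split(",")]
    if len(parts) < 2 or parts[0].lower() != f"cn={cn}".lower():
        return False
    return all(p.lower().startswith("dc=") for p in parts[1:])


def redirection_status(values):
    """Return {'users': ..., 'computers': ...}: True if redirected, False if still
    the built-in container, None if the well-known object entry is missing."""
    wko = parse_well_known_objects(values)
    status = {}
    for name, guid in (("users", WKO_USERS), ("computers", WKO_COMPUTERS)):
        dn = wko.get(guid)
        status[name] = None if dn is None else not is_default_container(dn, name)
    return status


if __name__ == "__main__":
    print(redirection_status(SAMPLE_WKO))
```

In a live domain the same values are read from the wellKnownObjects attribute of the domain naming context (for example with `dsquery * <domainDN> -scope base -attr wellKnownObjects`).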
- Active Directory quotas. Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and Enterprise Administrators are exempt from quotas.
New domain- and forest-wide Active Directory features
New domain- or forest-wide Active Directory features can be enabled only when all domain controllers in a domain or forest are running Windows Server 2003 and the domain functional level or forest functional level has been set to Windows Server 2003. For more information about domain and forest functionality settings, see Domain and forest functionality.
The following list summarizes the domain- and forest-wide Active Directory features that can be enabled when either a domain or forest functional level has been raised to Windows Server 2003.
- Domain controller rename tool. Rename domain controllers without first demoting them. For more information, see Renaming domain controllers.
- Domain rename. Rename any Windows Server 2003 domain. You can change the NetBIOS or DNS name of any child domain, parent domain, or forest root domain. For more information, see Renaming domains.
- Forest trusts. Create a forest trust to extend two-way transitivity beyond the scope of a single forest to a second forest. For more information, see Forest trusts.
- Forest restructuring. Move existing domains to other locations in the domain hierarchy. For more information, see Renaming domains.
- Defunct schema objects. Deactivate unnecessary classes or attributes from the schema. For more information, see Deactivating a class or attribute.
- Dynamic auxiliary classes. Support for dynamically linking auxiliary classes to individual objects, not just to entire classes of objects. In addition, auxiliary classes that have been attached to an object instance can subsequently be removed from that instance.
- Global catalog replication improvements. Preserves the synchronization state of the global catalog when an administrative action results in an extension of the partial attribute set. This minimizes the replication traffic as a result of a partial attribute set extension by only transmitting attributes that were added. For more information, see Global catalog replication.
- Replication enhancements. Linked value replication allows individual group members to be replicated across the network instead of treating the entire group membership as a single unit of replication. For more information about linked value replication, see How replication works. In addition, new spanning tree algorithms make replication more efficient, as well as more scalable across a larger number of domains and sites in both Windows 2000 and Windows Server 2003 forests. For more information, see Replication overview.
- User access control to resources between domains or forests. Block users in a domain or forest from accessing resources in another domain or forest, and then allow selective access by setting the Allow to authenticate permission on a local resource for the user or group object. For more information, see Accessing resources across domains or Accessing resources across forests.