Active Directory in Windows Server 2003 Service Pack 1


What functionality is changing in Windows Server 2003 Service Pack 1?

Directory service backup reminders

A new event message, event ID 2089, reports the backup status of each directory partition that a domain controller stores, including application directory partitions and Active Directory Application Mode (ADAM) partitions. If a partition has not been backed up within the backup latency interval (by default, half the tombstone lifetime), this event is logged in the Directory Service event log and is repeated daily until the partition is backed up.


Added replication security and fewer replication errors

Replication metadata for domain controllers from which Active Directory has been removed is no longer retained by default, although a waiting period can be configured. This change improves replication security and eliminates replication error messages that are caused by failed attempts to replicate with decommissioned domain controllers. For more information about preserving replication metadata, see "How the Active Directory Replication Model Works" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=38334.

Install from Media improvement for installing DNS servers

Install from Media improvements make it easier to create a new domain controller that is a DNS server by providing the new option to include application directory partitions in the backup media that is used to install the new domain controller. This option eliminates the requirement for replication of the DomainDNSZones and ForestDNSZones application directory partitions before the DNS server is operational.

Enhancements for replication and DNS testing

The Dcdiag.exe command-line tool, which is available in Windows Support Tools, has a new test that reports on the overall health of replication with respect to Active Directory security. The test provides a summary of results along with detailed information for each domain controller that is tested and a diagnosis of any security errors. Dcdiag.exe also has new DNS tests for connectivity, service availability, forwarders and root hints, delegation, dynamic update, locator record registrations, external name resolution, and enterprise infrastructure. These tests can be performed on one domain controller or on all domain controllers in a forest. For more information about the changes to Dcdiag.exe, see the Dcdiag.exe section of this article.
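The following script is an added example, not part of the original article, showing how the two new Dcdiag.exe test groups described above (the replication security check and the DNS suite) can be run forest-wide and reduced to a list of failing domain controllers. It assumes dcdiag.exe is on the PATH (Windows Support Tools on Windows Server 2003 SP1; in-box on later releases) and that the session has enterprise administrator rights; the output-parsing function is the example's own, not a Dcdiag feature.

```powershell
# Added example (not from the original article): run the Dcdiag.exe tests that
# SP1 introduced, the replication security check and the DNS suite, against every
# DC in the forest and list the failures. Assumes dcdiag.exe is on the PATH and
# the session runs with enterprise administrator rights.

# Replication security check: summary plus per-DC detail and a diagnosis of any
# security error (add /ReplSource:<DC> to test against one specific partner).
$secReport = & dcdiag.exe /test:CheckSecurityError /e /v 2>&1

# DNS suite: /DnsAll runs the connectivity, forwarders/root hints, delegation,
# dynamic update, locator record registration, external name resolution and
# enterprise infrastructure subtests; /e covers all DCs in the forest, /v adds detail.
$dnsReport = & dcdiag.exe /test:DNS /DnsAll /e /v 2>&1

# Dcdiag prints "... passed test X" / "... failed test X" lines under a
# "Testing server: Site\DC" banner; turn the failures into objects so they can
# be sorted and filtered. (Parsing helper written for this example.)
function Get-DcdiagFailures {
    param([string[]]$Lines)
    $server = $null
    foreach ($line in $Lines) {
        if ($line -match 'Testing server:\s*(\S+)') { $server = $Matches[1] }
        elseif ($line -match 'failed test (\S+)') {
            [pscustomobject]@{ Server = $server; Test = $Matches[1] }
        }
    }
}

# 2>&1 yields ErrorRecord objects for stderr lines; stringify everything first.
$allLines = ($secReport + $dnsReport) | ForEach-Object { "$_" }
$failures = @(Get-DcdiagFailures $allLines)

if ($failures.Count -eq 0) { 'All tested domain controllers passed the security and DNS tests.' }
else { $failures | Sort-Object Server, Test | Format-Table -AutoSize }
```

Run the security test first: a DC that fails CheckSecurityError (for example because of Kerberos or time-skew problems with its partners) will usually also show replication and DNS registration failures that are symptoms rather than causes.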


Support for running domain controllers in virtual machines

On a single physical server that is running Windows Server 2003 and Microsoft Virtual Server 2005, you can install multiple Windows Server 2003 or Windows 2000 Server domain controllers in separate virtual machines. This platform is well suited for test environments. By using virtual machines, you can effectively host multiple domains, multiple domain controllers for the same domain, or even multiple forests on one physical server that is running a single operating system. Windows Server 2003 SP1 also provides protection against directory corruption (USN rollback) that can result from improper backup and restoration of domain controller images. For more information about running domain controllers in virtual machines, see "Running Domain Controllers in Virtual Server 2005" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=38330.

Operations master health and status reporting

If an operation that requires a domain controller that holds an operations master role (also known as flexible single-master operations (FSMO)) cannot be performed, events are now logged in the Directory Service event log. Events identify role holders that do not exist, exist but are not available, or are available but have not replicated recently with the contacting domain controller. For more information about operations masters, see "How Operations Masters Work" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=38333.

Extended storage of deleted objects

The default period that a copy of a deleted object is retained in Active Directory, called the tombstone lifetime, is extended from 60 days to 180 days. A longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected domain controller beyond the time when the object is permanently deleted from online domain controllers. The tombstone lifetime is not changed automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days. For more information about tombstone lifetime, see "How the Data Store Works" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=38339.
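The script below is an added example, not code from the original article, that ties together the tombstone lifetime described here and the event ID 2089 backup reminder described earlier: it reads the forest tombstoneLifetime, derives the backup latency threshold (the registry override "Backup Latency Threshold (days)" if present, otherwise half the tombstone lifetime), and lists any 2089 warnings on the local domain controller. It assumes the ActiveDirectory PowerShell module is available and that it runs on a domain controller.

```powershell
# Added example (not from the original article): read the forest tombstone
# lifetime, derive the backup latency threshold, and look for event 2089
# backup warnings on this domain controller. Assumes the ActiveDirectory
# module is installed and the script runs on a DC with read access to the
# configuration partition and the Directory Service log.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsObj   = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl     = (Get-ADObject -Identity $dsObj -Properties tombstoneLifetime).tombstoneLifetime

# If the attribute is absent the forest predates SP1 and still uses the old
# 60-day default; forests created with SP1 or later store 180 explicitly.
if (-not $tsl) { $tsl = 60 }
"Tombstone lifetime: $tsl days"

# Backup latency threshold: the NTDS registry override wins, otherwise half the
# tombstone lifetime (the default the 2089 logic uses).
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$override   = (Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue).'Backup Latency Threshold (days)'
$threshold  = if ($override) { [int]$override } else { [math]::Floor($tsl / 2) }
"Backup latency threshold: $threshold days"

# Event 2089 is logged once a day for each partition that has passed the
# threshold without a backup.
$warnings = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2089 } `
                -MaxEvents 20 -ErrorAction SilentlyContinue
if ($warnings) { $warnings | Select-Object TimeCreated, Message | Format-List }
else { 'No event 2089 backup warnings found on this DC.' }

# Raising the lifetime to the SP1 default after an upgrade is a manual,
# forest-wide change (the upgrade leaves the existing value untouched):
# Set-ADObject -Identity $dsObj -Replace @{ tombstoneLifetime = 180 }
```

Keep the two values in step: if you raise the tombstone lifetime and leave an explicit registry override in place, the 2089 reminder will keep firing at the old, shorter interval, and a backup older than the tombstone lifetime must never be restored, whatever the reminder says.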

Improved domain controller name resolution

In response to Domain Name System (DNS) name resolution failures that may be encountered during location of replication partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see "How DNS Support for Active Directory Works" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=38335.

Simplified process for server metadata removal

The Ntdsutil.exe command-line tool for managing the Active Directory database has new commands that make it easier to remove domain controller metadata. Preliminary steps, such as connecting to a server, domain, and site, are no longer required. You simply specify the server to remove. You can also specify the server on which to make the deletion. For more information about the changes to Ntdsutil.exe, see the Ntdsutil.exe section of this article.
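As an added example (not part of the original article), the following script shows the simplified SP1 syntax for removing a decommissioned domain controller's metadata and then checks that its server object is gone. The domain controller name and site name are assumed values; it requires the ActiveDirectory module for the verification step and enterprise administrator rights.

```powershell
# Added example (not from the original article): remove the metadata of a
# decommissioned DC with the SP1 Ntdsutil.exe "remove selected server <DN>"
# form, then confirm the server object no longer exists. DC and site names
# are assumed; run as an enterprise administrator on a healthy DC.
Import-Module ActiveDirectory

$deadDc   = 'DC2'                       # assumed name of the DC that was lost
$site     = 'Default-First-Site-Name'   # assumed site the DC lived in
$config   = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$deadDc,CN=Servers,CN=$site,CN=Sites,$config"

# Before SP1 this needed "connections", "connect to server", "select operation
# target", "list sites/domains/servers" and "select server N" first. With SP1
# the server DN is passed directly; append "on <DCName>" to direct the
# deletion at a particular DC. Ntdsutil asks for confirmation in a dialog box.
& ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit

# Verify: the server object (and its NTDS Settings child) should be gone.
$left = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$deadDc))" `
            -SearchBase "CN=Sites,$config" -ErrorAction SilentlyContinue
if ($left) { Write-Warning "Server object for $deadDc still present: $($left.DistinguishedName)" }
else { "Metadata for $deadDc removed." }

# Ntdsutil does not touch DNS: delete the dead DC's stale A and SRV records
# (and any _msdcs CNAME) separately, or other DCs will keep trying to reach it.
```

Run the cleanup from a DC that has already replicated the fact that the old DC is gone from its partition set; otherwise the removed metadata can be reintroduced by a partner that still holds it.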


Improved security to protect confidential attributes

To prevent Read access to confidential attributes, such as a Social Security number, while allowing Read access to other object attributes, you can designate specific attributes as confidential by setting a search flag on the respective attributeSchema object. Reading a confidential attribute then requires the Control Access right on the attribute rather than ordinary Read Property permission. By default, only domain administrators have Read access to confidential attributes, but this access can be delegated. Attributes that are part of the base schema cannot be marked confidential; the flag can be set only on attributes added to the schema later. For more information about access to attributes, see "How Security Descriptors and Access Control Lists Work" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=38338.
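The following script is an added example, not code from the original article, that sets the confidential bit (0x80 in searchFlags) on an attribute and then delegates read access to one group. The attribute name corpSSN, the OU and the group are assumed values; the systemFlags base-schema check and the dsacls grant syntax are this example's own approach. It requires the ActiveDirectory module, Schema Admins membership for the schema change and domain administrator rights for the ACL change.

```powershell
# Added example (not from the original article): mark an attribute confidential by
# setting the CONFIDENTIAL bit (0x80) in searchFlags on its attributeSchema object,
# then grant a group the Control Access right it now needs to read the value.
# Attribute, OU and group names are assumed. Run as a Schema Admin (schema change)
# and domain admin (ACL change).
Import-Module ActiveDirectory

$attrName   = 'corpSSN'                      # assumed custom attribute to protect
$readersGrp = 'CORP\HR-Readers'              # assumed group allowed to read it
$scopeDn    = 'OU=Staff,DC=corp,DC=example'  # assumed OU where the right is granted

$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$attrName)" `
            -Properties searchFlags, systemFlags
if (-not $attr) { throw "Attribute $attrName not found in the schema." }

$CONFIDENTIAL       = 0x80   # searchFlags bit 7
$SCHEMA_BASE_OBJECT = 0x10   # systemFlags bit 4: base (category 1) schema object

# The confidential bit cannot be set on base-schema attributes.
if ($attr.systemFlags -band $SCHEMA_BASE_OBJECT) {
    throw "$attrName is a base-schema attribute and cannot be made confidential."
}

# Schema writes go to the schema master; -bor keeps any other flags already set.
if (-not ($attr.searchFlags -band $CONFIDENTIAL)) {
    Set-ADObject -Identity $attr -Server (Get-ADForest).SchemaMaster `
        -Replace @{ searchFlags = ([int]$attr.searchFlags -bor $CONFIDENTIAL) }
}

# After the change, Read Property is no longer enough; a reader needs the
# Control Access right (dsacls "CA") on that attribute. Grant it to the group
# on user objects under the OU, inherited to sub-objects (/I:S).
& dsacls.exe $scopeDn /I:S /G "${readersGrp}:CA;$attrName;user"

# Verify from two sessions: a member of the group sees the value, any other
# user with plain Read Property sees the attribute as empty.
(Get-ADUser -Filter "$attrName -like '*'" -SearchBase $scopeDn -Properties $attrName |
    Select-Object -First 1).$attrName
```

Two caveats a practitioner will hit: the flag protects the attribute only against Read Property, so principals that already hold Full Control (including Domain Admins and, in practice, any account with Write Owner on the object) can still read it; and replication and backups are unaffected, so the value is as exposed as the NTDS.dit copies are.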

Retention of SID history on tombstones

The sIDHistory attribute has been added to the set of attributes that are retained on an object tombstone when the object is deleted. If a tombstoned object is reactivated (undeleted), the sIDHistory attribute is now restored with the object. For more information about tombstones, see "How the Data Store Works" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=38339.
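As an added example (not part of the original article), the script below finds a deleted user's tombstone, shows what it still carries, reanimates it and checks that sIDHistory came back. The account name is assumed; it requires the ActiveDirectory module and the right to restore (reanimate) objects, and does not depend on the Recycle Bin feature.

```powershell
# Added example (not from the original article): inspect a tombstoned user,
# reanimate it, and confirm that sIDHistory was retained and restored (SP1 and
# later keep it on the tombstone; earlier releases dropped it). The account
# name is assumed; requires the ActiveDirectory module and reanimate rights.
Import-Module ActiveDirectory

$sam = 'jdoe'   # assumed sAMAccountName of a deleted user

# Tombstones are hidden from normal searches; -IncludeDeletedObjects adds the
# "show deleted" control. sAMAccountName, objectSid and (since SP1) sIDHistory
# survive on the tombstone, so they can be inspected before restoring.
$tomb = Get-ADObject -LDAPFilter "(&(sAMAccountName=$sam)(isDeleted=TRUE))" `
            -IncludeDeletedObjects -Properties sIDHistory, lastKnownParent, objectSid
if (-not $tomb) { throw "No tombstone for $sam (it may have expired past the tombstone lifetime)." }

"Tombstone:   $($tomb.DistinguishedName)"
"objectSid:   $($tomb.objectSid)"
"sIDHistory:  $($tomb.sIDHistory -join ', ')"

# Reanimate into the container the object was deleted from. Only attributes
# preserved on the tombstone return; group memberships must be re-added by hand.
Restore-ADObject -Identity $tomb.ObjectGUID -TargetPath $tomb.lastKnownParent

$restored = Get-ADUser -Identity $sam -Properties sIDHistory
if ($restored.sIDHistory.Count -gt 0) { "sIDHistory restored: $($restored.sIDHistory -join ', ')" }
else { 'Object restored but sIDHistory is empty (pre-SP1 tombstone, or never set).' }
```

Review the sIDHistory values on the tombstone before reanimating: each entry is a SID the restored account will again present in its token, so a reanimated account silently regains every permission granted to those old SIDs in the source domain's resources.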

Adprep.exe improvements for Windows 2000 Server upgrades

The Adprep.exe tool has been improved to reduce the impact of File Replication service (FRS) synchronization that results from updating SYSVOL files during upgrade. Adprep.exe is used to upgrade the Windows 2000 Server schema to the Windows Server 2003 schema and to update some forest- and domain-specific configuration, including SYSVOL, that is required for a Windows Server 2003 domain controller to be operational. The tool now allows performing SYSVOL operations in a separate step when preparing the domain for upgrade. A new switch, /gpprep, has been added to accommodate the SYSVOL updates, which can be performed at a convenient time following the upgrade. The adprep /domainprep command, which formerly performed both directory and SYSVOL updates, now updates only the directory. Adprep.exe also now detects third-party schema extensions that block an upgrade, identifies the blocking extensions, and recommends fixes. Microsoft Exchange Server schema objects are also detected so that the Exchange Server schema can be prepared appropriately to accommodate InetOrgPerson naming. For more information about the changes to Adprep.exe, see the Adprep.exe section of this article.
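The following script is an added example, not from the original article, laying out the SP1 Adprep.exe sequence with the SYSVOL step split out as described above, bracketed by a check of the schema version. It assumes adprep.exe has been copied from the SP1 media (\i386\adprep) to C:\adprep on the target DC, that /forestprep is run on the schema master and /domainprep on the infrastructure master of each domain, and that a PowerShell host is available on those machines; the [ADSI] lookup is standard .NET and needs no extra module.

```powershell
# Added example (not from the original article): the SP1 Adprep.exe sequence for
# a Windows 2000 forest, with the Group Policy (SYSVOL) update split out via
# /gpprep. Assumes adprep.exe was copied from the SP1 media to C:\adprep, that
# step 1 runs on the schema master and steps 2-3 on each domain's
# infrastructure master, with Schema/Enterprise/Domain Admins rights.
$adprep = 'C:\adprep\adprep.exe'   # assumed location of the SP1 copy of the tool

# Schema objectVersion: Windows 2000 = 13, Windows Server 2003 (incl. SP1) = 30.
$schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext
"Schema objectVersion before: $(([ADSI]"LDAP://$schemaNc").objectVersion)"

# Step 1 (schema master only): schema and forest-wide configuration updates.
# Adprep now stops and names any blocking third-party schema extension, and
# detects Exchange schema objects so the InetOrgPerson conflict can be resolved.
& $adprep /forestprep
if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep failed with exit code $LASTEXITCODE" }

# Let the schema partition replicate to every DC before going on.

# Step 2 (infrastructure master of each domain): directory-only domain updates.
# In SP1 this no longer rewrites SYSVOL, so it does not trigger FRS resync.
& $adprep /domainprep
if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep failed with exit code $LASTEXITCODE" }

# Step 3 (same DC, at a quiet time): the SYSVOL/GPO permission updates that
# used to be part of /domainprep. This is the step that causes FRS to
# resynchronise SYSVOL, so schedule it when replication load is acceptable.
& $adprep /domainprep /gpprep
if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep /gpprep failed with exit code $LASTEXITCODE" }

# Re-bind to see the post-upgrade value (expect 30 after /forestprep).
"Schema objectVersion after:  $(([ADSI]"LDAP://$schemaNc").objectVersion)"
```

Check the exit code of each step before moving on; a blocked /forestprep leaves the schema at version 13 and the later domain steps will refuse to run, which is the intended safeguard rather than a transient error.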