You can create partitions (naming contexts) that can replicate to any domain controller in the forest. For more information on application partitions, refer to Chapter 4.

Concurrent LDAP binds, also known as fast binds, do not generate a Kerberos ticket and security token and are therefore much faster than simple LDAP binds.

This is a transitive trust that allows all the domains in two different forests to trust each other via a single trust defined between the two forest root domains. This requires the Windows Server 2003 forest functional level.

The rename procedure for domain controllers requires a single reboot. Previously, renaming a domain controller was not possible without first demoting the DC and then renaming and re-promoting it.

Domains can now be renamed, but not without significant impact to the user base (e.g., all member computers must be rebooted twice). For more information, check out the following whitepaper. This requires the Windows Server 2003 forest functional level.

There is now support for the standards-based implementation of dynamic auxiliary classes. Under Windows 2000, auxiliary classes are considered “static” because they are statically linked to structural classes in the schema. With dynamic auxiliary classes, you can link a dynamic auxiliary class when creating an object (or add it after the creation). The auxiliary class does not need to be defined in the schema as an auxiliary class for the object’s objectClass. This requires the Windows Server 2003 forest functional level.

Traditionally, objects are stored in Active Directory until they are explicitly deleted. With dynamic objects, you can create objects that have a time-to-live (TTL) value that dictates when they will be automatically deleted unless refreshed. Dynamic objects do not remain as tombstones when they are deleted due to expiration. This requires the Windows Server 2003 forest functional level.

This much-needed feature allows replica domain controllers to be promoted into the domain using a backup from another domain controller. This can greatly decrease the amount of time it takes to promote domain controllers in large domains.

A classic problem in a network environment is trying to determine the last time a user or computer logged on. The new lastLogonTimeStamp attribute is replicated, which means you can use a single query to find all users or computers that have not logged onto the network within a certain period of time. By default, this attribute is updated approximately every 10 days. This requires the domain to be operating at the Windows Server 2003 functional level. For more information on this attribute, visit http://blog.joeware.net/2007/05/01/864/.

The Active Directory Users and Computers (ADUC) tool has been enhanced to allow multiselection of objects; other tools such as repadmin and netdom also have new options.

A new set of command-line tools provides greater flexibility for managing Active Directory from a command line. These tools include dsadd, dsmod, dsrm, dsget, and dsquery.

Resultant Set of Policy (RSoP) has been built into ADUC and can be fully utilized with the Group Policy Management Console (GPMC). RSoP allows administrators to determine what settings of GPOs will be applied to end users and computers.

You can change user objects to inetOrgPerson objects and inetOrgPerson objects to user objects. This requires the Windows Server 2003 forest functional level.

With Windows 2000, only the Secure Sockets Layer (SSL) was supported to encrypt traffic over the wire. Transport Layer Security (TLS), the latest standards-based approach for encrypting LDAP traffic, is now also supported.

In Windows 2000, if users had access to create objects, they could create as many as they wanted, and there was no way to limit it. Quotas allow you to define how many objects a user or group of users can create. Quotas can also dictate how many objects of a certain objectClass can be created.

You can redirect the default locations to store new users and computers with the redirusr and redircmp commands, respectively.

You can mark attributes and classes as defunct and then redefine them in the schema in the event of a schema conflict, or if you simply want to hide unused classes and attributes. This requires the Windows Server 2003 forest functional level.

This feature eliminates the requirement to have a Global Catalog server present during login for universal group expansion. This feature is enabled at the site level and applies to any clients that log onto domain controllers in the site. Global catalogs are still needed for userPrincipalName authentications.

In addition to the OU, site, domain, and security group criteria that can be used to filter GPOs, you can now use Windows Management Instrumentation (WMI) information on a client’s machine to determine if a GPO should be applied. This functionality only works for Windows XP/2003 and newer clients.

These new WMI providers provide the ability to query and monitor the health of trusts and replication programmatically.

To enhance security, the Everyone security principal is no longer equivalent to all unauthenticated and authenticated users. Instead, it represents only authenticated users. To grant the equivalent of anonymous access in Windows Server 2003, the Anonymous Logon security principal must be added to the Pre-Windows 2000 Compatible Access group.

The DLT service can be the source of thousands, if not millions, of linkTrackOMTEntry objects that are nestled within the System container of a domain. By default, the DLT service is disabled on Windows Server 2003 domain controllers.

With Windows 2000, when you disabled the Global Catalog on a domain controller, the Global Catalog removal process could only remove 500 objects every 15 minutes. This has been changed so that the process is much quicker.

The previous default intrasite replication interval of 5 minutes was changed to 15 seconds. This requires the Windows Server 2003 forest functional level for any Domain Controllers upgraded from Windows 2000.

The algorithms used to generate the intersite connections have been greatly improved, to the point where the previous soft limit of 300 to 400 sites has been raised to support roughly 3,000 to 5,000 sites. This new replication mechanism requires Windows Server 2003 Interim mode or the Windows Server 2003 forest functional level.

Replication in Active Directory is done at the attribute level. That is, when an attribute is modified, the whole attribute is replicated. This was problematic for some attributes, such as the member attribute on group objects, which could only store roughly 5,000 members. LVR replication means that linked attributes, such as member, will only replicate the changes within the attribute and not the contents of the whole attribute whenever they are updated. This requires Windows Server 2003 Interim mode or the Windows Server 2003 forest functional level.

With Windows Server 2003, whenever an attribute is added to the partial attribute set (PAS), a full Global Catalog resynchronization is no longer performed as it was with Windows 2000. This was especially painful to administrators of large, globally dispersed Windows 2000 domains.

Instead of sending LDAP traffic, including usernames and passwords, over the wire in plain text with tools such as ADUC and ADSI Edit, the traffic is digitally signed and also encrypted.

Unique security descriptors are stored once no matter how many times they are used, as opposed to being stored separately for each instance. This feature can shrink your ntds.dit file by some 20%–40%.

Users who are not domain administrators can be securely delegated administrative control of RODCs without providing them access to the writable Active Directory (i.e., they cannot modify anything but the RODC).

Upgraded Group Policy template files can be stored once per domain in the Sysvol, thus greatly reducing the size of the Sysvol for many organizations.

Point-in-time snapshots of the Active Directory database can be taken as a basis for disaster recovery and other object restore and comparison operations.

Support has been added for new locator options, automatic configuration during install, background zone loading, and multicast DNS.

The Sysvol can now be replicated with the new DFS-R replication engine, which is much more reliable and scalable when compared to NTFRS.

Password and account lockout policies can now be defined on a per-user basis. For more information on fine-grained password policies, refer to Chapter 12.

This is a new type of DNS zone that can help pave the way to migrating away from WINS by resolving unqualified hostnames.

Group Policy Preferences allows you to control numerous settings and Windows features that were previously only accessible via scripts.

Windows Vista and Windows Server 2008 clients can store detailed last-logon success and failure information directly on user objects in the directory. This feature was implemented for Common Criteria compliance.

An additional well-known security principal representing the owner of an object is now available.

The displayName attribute is phonetically sortable on Japanese-locale domain controllers.

RODCs can host dynamic DNS zones and refer any updates to writable domain controllers.

RODCs do not allow local writes, and any compromise of these domain controllers will not replicate to writable domain controllers in the domain. They also do not store passwords and other secrets by default. This feature adds a great deal of security to domain controllers in locations with questionable physical security. For more information on RODCs, refer to Chapter 9.

Active Directory can be stopped to allow for certain offline operations to be performed without restarting the domain controller in Directory Services Repair Mode.

Domain controllers can now run on a version of the Windows Server 2008 operating system that is substantially lighter and thus more secure. Features such as the Explorer shell, Internet Explorer, and other items not essential to server operations have been removed from Server Core.

Group Policy templates on which administrators can base new policies can be defined.

Auditing of Active Directory access and changes as well as various other actions has been updated substantially.

Domain controller promotion can be broken up into a two-step process allowing delegation of the physical hands-on portion of promoting a domain controller to users other than domain administrators, such as local site support technicians.

Domain-based DFS roots can host more than 5,000 links and can also leverage access based enumeration.

The JET database engine that Active Directory uses is now capable of detecting single-bit errors and correcting them, and thus reducing incidences of database failure due to corruption.

The maximum key length supported by Kerberos for the Advanced Encryption Standard has been lengthened from 128 bits to 256 bits.

The Active Directory Administrative Center (ADAC) is Microsoft’s new GUI for managing Active Directory.

This is an additional protocol endpoint that now runs on domain controllers and AD LDS servers. All of the Active Directory PowerShell cmdlets call the web service in lieu of making direct LDAP or RPC calls. Despite its name, there is no relation to traditional web server technologies such as Internet Information Services (IIS).

With authentication mechanism assurance (AMA), administrators can define special SIDs that will be injected into a user’s security token if that user logs in with a particular type of smart card certificate.

Domain controllers can automatically search trusted forests for a Kerberos service principal name (SPN) when the SPN cannot be located in the domain controller’s forest.

Service accounts are an age-old security problem for Active Directory environments. Service account passwords are often rarely (if ever) changed and known by multiple people. Managed service accounts (MSAs) solve this problem by automatically rotating the account’s password on a regular basis.

This was the first iteration of the Active Directory module for Windows PowerShell. The module included cmdlets primarily for managing users, groups, and computers.

The Active Directory Recycle Bin (ADRB) enables administrators to recover deleted objects without resorting to backups and without losing any of the objects attributes. For more information on the ADRB, refer to Chapter 18.

This improvement to the replication topology generation processes in Active Directory ensures that incoming replication connections are load balanced across servers in a site.

Windows 7 clients can be joined to the domain without network connectivity by pre-staging computer account information in Active Directory.

Windows Server 2008 R2 DCs disable support for DES and 3DES encryption types by default. This can be reverted by explicitly enabling these encryption types via Group Policy.

Windows 8 and Windows Server 2012 installations can now be activated based on licensing data published to Active Directory. This obviates the key management servers (KMSs) that were previously required for activation in enterprise environments.

Windows Server 2012 domain controllers that are running on a virtual machine generation ID (VM Gen ID)–aware hypervisor can be duplicated by cloning the domain controller’s virtual hard disk files. For more information on domain controller cloning, refer to Chapter 9.

Dynamic Access Control (DAC) functionality in Active Directory extends the security token to include claims. These claims are based on attributes of the user object in Active Directory as well as of the workstation the user logs in from. Compound expressions to evaluate claims can be applied to Windows Server 2012 file and folder permissions in lieu of complex group memberships. For more information about DAC, refer to Chapter 16.

Domain controllers implement RFC 6113, also known as Kerberos armoring. This functionality enhances security by removing avenues for spoofing and dictionary attacks.

Managed service accounts (MSAs) have a significant limitation in that they cannot be used when the service must run across multiple servers. Group managed service accounts (gMSAs) solve this problem by enabling multiple servers to share an MSA and obtain the password when it changes.

The Group Policy Management Console (GPMC) can now report on the health of the Group Policy information stored in Active Directory and on your domain controllers.

The Active Directory Administrative Center GUI has been enhanced to include support for managing the Recycle Bin and fine-grained password policies. The UI is also substantially faster than in the Windows Server 2008 R2 release.

Kerberos constrained delegation (KCD) can now be performed across domain boundaries.

Indexing of Active Directory attributes can now be deferred until domain controllers are rebooted or indexing is explicitly requested. This resolves performance issues in large forests where indexing an attribute could cause a significant performance hit on all domain controllers as they created the index.

The classic dcpromo wizard and the adprep upgrade preparation utility have been retired in favor of an integrated deployment wizard in Server Manager that handles all facets of domain controller promotion and Active Directory upgrades. These steps can also be performed through new Windows PowerShell cmdlets.

KCD can now be configured on the service that is being delegated to rather than on the service performing delegation. These changes also remove the need for Domain Admin–level access in order to configure KCD.

Offline domain join has been enhanced to also include the prerequisites for a machine to connect to DirectAccess. This enables machines to be joined to the domain over the Internet.

The Active Directory module for Windows PowerShell has been enhanced to include cmdlets for managing replication and the domain controller lifecycle (promotion, demotion, etc.).

The size of the global RID pool has been doubled from approximately one billion RIDs to two billion RIDs. To prevent depletion of the RID pool without administrator knowledge, the system now logs events when 90 percent of the global RID pool is used. A soft block in issuing new RIDs is also put in place that the administrator must lift.

Windows Server 2012 domain controllers that are running on a VM Gen ID–aware hypervisor are aware of changes that might cause a rollback of the domain controller’s state. When these changes are detected, the domain controller implements safeguards to ensure that replication (and other functionality) is not impacted. For more information on this change, refer to Chapter 9.