Chapter 1. Windows Server 2003 Technology Primer

In This Chapter

  • Windows Server 2003 Defined

  • Choosing to Implement Windows Server 2003

  • When Is the Right Time to Migrate?

  • Versions of Windows Server 2003

  • What’s New in Windows Server 2003?

  • Windows Server 2003 Benefits for Administration

  • Windows Server 2003 for Better User Services

  • Benefits for Thin Client Terminal Services

  • Benefits for Improved Management

  • Extending the Directory Beyond Active Directory

  • Going Beyond the Basic Features of Windows 2003 with Feature Packs

  • Extending the Capabilities of Windows 2003 with Downloadable Tools

  • Getting Started with Windows Server 2003

Windows Server 2003 Defined

More than three years after its release date, and well over five years from the time early adopters were putting it out in production environments, Windows Server 2003 has proven itself to be the most stable and reliable server operating system Microsoft has ever shipped. Many have called Windows Server 2003 a major Service Pack for Windows 2000 for the ease of the upgrades from Windows 2000 to Windows 2003. However, many consider the new security, fault tolerance, add-on tools, and overall functional improvements to be the long-awaited rewrite of the Windows operating system.

To the casual observer, Windows Server 2003 looks like nothing more than the Windows XP graphical user interface on top of the old Windows 2000 server operating system, with a few added utilities. However, now that organizations have deployed Windows 2003 throughout their enterprises and looked under the hood, it is clear that Windows Server 2003 is a major rewrite of the Windows 2000 operating system, with significant changes to the kernel that let Windows Server 2003 achieve the reliability, fault tolerance, and scalability that major organizations have been demanding of their network operating system for years.

This chapter introduces the significant enhancements and diverse capabilities of the Windows Server 2003 operating system, and references the chapters through the balance of this book that detail these improvements. The differences that Windows Server 2003 adds to a networking environment, along with best practices learned from enterprise implementation of Windows 2003, require a re-education so that design and implementation decisions made with previous versions of Windows are handled differently with Windows Server 2003 to take advantage of the enhanced operating system capabilities.

Note

This edition of Microsoft Windows Server 2003 Unleashed covers the base Windows 2003 operating system as well as the Windows 2003 R2 update. Throughout this chapter and this book, references will be made to features standard to the base configuration of Windows 2003, as well as what has been incrementally added to the Windows 2003 R2 update.

Windows .NET Framework Versus Windows Server 2003

When we’re talking about Windows Server 2003, one of the first points that frequently needs to be clarified is the difference between the Windows Server 2003 operating system and the Windows .NET Framework. These two terms are frequently (and improperly) used interchangeably; however, they are completely different.

The Windows .NET Framework was announced first, formally during the summer of 2001, in reference to a completely new application development environment by Microsoft. When we refer to Windows Server 2003, it is an actual network operating system product in which software is installed on a server and applications are executed. Windows Server 2003 is a part of the Windows .NET Framework.

Understanding the Windows .NET Framework

The Windows .NET Framework is the application development environment in which a common language runtime, framework classes, and an application development process are defined. Until the introduction of the Windows .NET Framework, some organizations developed applications using Visual Basic; some organizations, using Visual C; some organizations, using Active Server Pages technology for a Web server; and some organizations, using an Open Database Connectivity (ODBC) front-end application to Microsoft SQL or Microsoft Access.

Now with the Windows .NET Framework, a default programming model called ASP.NET is defined. ASP.NET makes building real-world Web applications much easier. It has a series of built-in framework classes that allow a developer to call a built-in application function instead of having to code the function line by line. This capability greatly minimizes the amount of programming necessary to create a Web application similar to those created in the past.

ASP.NET does not require any single application development tool; in fact, it supports dozens of standard programming languages available today, such as VBScript, JScript, Visual Basic .NET, C#, Visual Basic, and the like.

Other significant improvements in ASP.NET include a dynamic code compilation that automatically detects changes and compiles the code so that it is ready to run at any time. The Windows .NET Framework is a distributed application environment allowing for code to be distributed across multiple systems within a Web farm.

In addition, to deploy a Windows .NET Framework application for access within an organization or to the general public, all the developer needs to do is copy the files to a Windows .NET Framework server. There is no need to run regsvr32 to register components on the server because configuration settings are stored in an XML data file within the application.

For organizations looking to develop Web-based applications, the Windows .NET Framework greatly simplifies application development. The Windows .NET Framework has created a powerful development environment that has a series of built-in routines that decrease application coding time and effort, while providing the support for existing standards for application programming languages.

As server add-ons are created for a Windows Server 2003 environment, such as Outlook Web Access for Exchange 2003 and SharePoint 2003, or even add-on tools like the Directory Services Mark-up Language (DSML), the .NET Framework is leveraged more and more in developing core applications and Feature Packs.

Understanding the Core Windows Server 2003 Operating System

Whereas the Windows .NET Framework is the set of tools and technologies used for application development, the Windows Server 2003 product is a full network operating system. As a traditional network operating system, Windows Server 2003 can serve in the following roles:

  • File and print server— As a file and print server, the Windows Server 2003 system can provide network users with centralized access to data files or can act as a print queue server to host multiple printers. Several improvements have been made in Windows Server 2003 for file security (covered in Chapter 12, “Server-Level Security”), file server fault tolerance (covered in Chapter 30, “File System Fault Tolerance”), and the configuration of redundant print services (covered in Chapter 3, “Installing Windows Server 2003”).

  • Web server— In Windows Server 2003, Web servers take on a much more expanded role than they did with early Windows NT or even Windows 2000 Web environments. Rather than just hosting static HTML Web pages, Windows Server 2003 participates in Web farms that distribute dynamic Web content with network load balancing (covered in Chapter 31, “System-Level Fault Tolerance [Clustering/Network Load Balancing]”).

  • Application server— With the release of the Windows Server 2003 operating system, ongoing updates to the applications that run on the Windows Server 2003 system will be released regularly. Some of the applications that come with Windows Server 2003 include Windows Terminal Services for thin client computing access (covered in Chapter 27, “Terminal Services”), Windows Media Server for video and audio hosting and broadcasting (covered in Chapter 37, “Windows Media Services”), and utility server services such as DNS and DHCP (covered in Chapters 9, “Domain Name System,” and 10, “DHCP/WINS/Domain Controllers”). Add-ons to Windows Server 2003 include Windows Server 2003 editions of Microsoft Exchange Server 2003, SharePoint Portal Server 2003, BizTalk Server 2004, and ISA Server 2004.

  • Windows .NET application host— New to Windows Server 2003 is the capability for the server to act as a host system for the execution of Windows .NET Framework applications. With built-in Internet Information Server version 6 (covered in Chapter 11, “Internet Information Services”), Windows .NET applications can be copied straight to the Windows Server 2003 server for execution.

This book focuses on the Windows Server 2003 operating system and the planning, migration, security, administration, and support of the operating system. Windows Server 2003 is also the base network operating system on top of which all future Windows server applications will be built.

Choosing to Implement Windows Server 2003

Windows Server 2003 is a versatile operating system, one that meets the needs of various business functions. Like earlier network operating systems such as Novell NetWare or Windows NT that were known best for file/print servers, Windows Server 2003 can provide all that functionality and a lot more.

Because Windows Server 2003 provides many different functions, an organization needs to choose how to best implement Windows Server 2003 and the various networking features that meet its needs. In small network environments with fewer than 20 to 30 users, an organization may choose to implement all the Windows Server 2003 features on a single server. However, in larger environments, multiple servers may be implemented to improve system performance as well as provide fault tolerance and redundancy.

As mentioned in the preceding section, Windows Server 2003 can act as the core operating system to host applications such as utility services, file services, print services, or Web-based services. Some of the other major networking services provided by Windows Server 2003 include running the operating system as the core to an Active Directory environment, as a built-in Windows application server, or as an add-on application server.

Windows Server 2003 Core to an Active Directory Environment

One of the major additions to the network operating system role introduced with the release of the Windows 2000 operating system was the Active Directory. Active Directory is not merely a list of users and passwords for authentication into a network; it is a directory that extends to other business applications. When fully leveraged, an organization can have its Human Resources (HR) department add an employee to the organization’s HR software. The HR software automatically creates a user in the Active Directory, generating a network logon, an email account, a voicemail account, and remote access capabilities, and then links pager and mobile phone information to the employee. Likewise, if an employee is terminated, a single change in the HR software can issue automated commands to disable the individual’s network, email, remote logon, and other network functions.

Windows Server 2003 extends the capabilities of the Active Directory by providing better management tools, more robust directory replication across a global enterprise, and better scalability and redundancy to improve directory operations. Windows Server 2003 effectively adds more reliability, faster performance, and better management tools to a system that can be leveraged as a true enterprise directory provisioning, resource tracking, and resource management tool. Because of the importance of the Active Directory to the Windows Server 2003 operating system, plus the breadth of capabilities that Active Directory can facilitate, five chapters in Part II of this book are dedicated to Active Directory.

Windows Server 2003 Running Built-in Application Server Functions

Windows Server 2003 comes with several programs and utilities to provide robust networking capabilities. In addition to the basic file and print capabilities covered earlier in this chapter, Windows Server 2003 can provide name resolution for the network and enable high availability through clustering and fault tolerance, mobile communications for dial-up and virtual private network connections, Web services functions, and dozens of other application server functions.

When planning the implementation of Windows Server 2003, a network architect needs to consider which of the server services are desired, how they will be combined on servers, and how they will be made redundant across multiple servers for business continuity failover. For a small organization, the choice to combine several server functions to a single system or to just a few systems is one of economics. However, an organization might distribute server services to multiple servers to improve performance (covered in Chapter 35, “Capacity Analysis and Performance Optimization”), distribute administration (covered in Chapter 19, “Windows Server 2003 Administration”), create redundancy (covered in Chapter 33, “Recovering from a Disaster”), enable security (covered in Chapter 12), or to service users across a diverse geographic area (covered in Chapter 5, “Designing a Windows Server 2003 Active Directory”).

Some of the built-in application server functions in Windows Server 2003 include the following:

  • Domain controller— Like in previous versions of the Microsoft Windows operating system, the domain controller allows users to authenticate to the server for access to network resources.

  • Global catalog server— The global catalog server stores a copy of the user list of the Active Directory network. When an internal or external user with appropriate security rights wants to look at a list of Active Directory users, the global catalog server provides the list.

  • DNS server— The Domain Name System (DNS) is a list of network servers and systems, so a DNS server provides information about the devices connected to the network.

  • DHCP server— The Dynamic Host Configuration Protocol (DHCP) assigns network addresses to devices on the network. Windows Server 2003 provides the service function to facilitate DHCP addresses to network devices.

  • Cluster server— When fault tolerance is important to an organization, clustering provides failover from one system to another. Windows Server 2003 provides the ability to link systems together so that when one system fails, another system takes over.

  • Terminal server— Instead of having a full desktop or laptop computer for each user on the network, organizations have the option of setting up simple, low-cost terminals for users to gain access to network resources. Windows Server 2003 Terminal Services allows a single server to host network system access for dozens of users.

  • Remote access server— When a remote user has a desktop or laptop system and needs access to network services, Windows Server 2003 provides remote access services that allow the remote systems to establish a secure remote connection.

  • Web server— As more and more technologies become Web-aware and are hosted on Web servers, Windows Server 2003 provides the technology to host these applications for browser-based access.

  • Media server— With information extending beyond text-based word processing documents and spreadsheets into rich media such as video and audio, Windows Server 2003 provides a source for hosting and publishing video and audio content.

  • Distributed File System (DFS) server— For the past decade, data files have been stored on file servers all around an organization. Windows Server 2003 provides the Distributed File System, which allows an organization to bring files scattered across many servers under a common lookup file directory.

These plus several other functions provide robust networking services that help organizations leverage the Windows Server 2003 technologies into solutions that solve business needs.

Windows Server 2003 Running Add-in Application Server Functions

In addition to the built-in server application functions such as DNS, DHCP, Global Catalog, Terminal Services, and the like noted in the preceding section, Windows Server 2003 also provides the basis from which add-in applications can be purchased and implemented on the Windows servers. Some of these add-in applications come from Microsoft, such as the Windows Server 2003 versions of the Microsoft Exchange messaging system or Microsoft SQL database system. Other add-ins to Windows Server 2003 are furnished by companies that provide human resource management applications; accounting software; document management tools; fax or voicemail add-ins; or other business, industry, or user productivity capabilities.

In earlier Windows server operating systems, the core operating system provided simple logon and network connectivity functions; however, with Windows Server 2003, the operating system includes many core capabilities built into the Windows Server 2003 operating environment. With integrated fault tolerance, data recovery, server security, remote access connectivity, Web access technologies, and similar capabilities, organizations creating add-ins to Windows Server 2003 can focus on business functions and capabilities, not on core infrastructure reliability, security, and mobile access functionality. Relieving third-party add-in developers of the need to implement basic networking technologies in their applications allows them to focus on improving the business productivity and functionality of their applications. Additionally, consolidating information routing, security, remote management, and the like into the core operating system provides a common method of communication, authentication, and access for users without having to load special drivers, add-ins, or tools to support each and every new application.

Much of the shift from application-focused infrastructure components to core operating system-focused functionality was built into Windows 2000. There were many challenges when Windows 2000 was first released because of this shift in product functionality; however, after being on the market for more than three years, Windows 2000 add-ins and now Windows Server 2003 add-ins have had several revisions to work through system functionality and component reliability between application and operating system. Fortunately, Windows Server 2003 uses the same application/operating system technology used in Windows 2000, so applications written for Windows 2000 typically need just a simple Service Pack update to be able to run on Windows Server 2003.

When Is the Right Time to Migrate?

When Windows Server 2003 first shipped during the spring of 2003, many organizations wondered about the right time to migrate to the new operating system. It used to be that you waited until the first Service Pack shipped before installing any Microsoft product; however, Windows 2003 surprised a lot of organizations by being extremely reliable and actually more dependable than patched versions of Windows NT4 and Windows 2000. So the decision came down to the same one that applies to migrating to any new technology: weigh the value of migrating against the cost and effort to migrate.

This introductory chapter notes the many features and functions built into Windows Server 2003 that have helped other organizations make the decision that Windows Server 2003 has significant value to plan a migration. Improvements in security, performance, and manageability provide benefits to organizations looking to minimize administration costs, while providing more functionality to users.

The cost and effort to migrate to Windows Server 2003 vary based on the current state of an organization’s networking environment as well as the Windows Server 2003 features and functions the organization wants to implement. The following sections cover three common starting points: adding a Windows Server 2003 system into an existing Windows NT4 or Windows 2000 network, migrating from Windows 2000 to Windows Server 2003, and migrating directly from Windows NT4 to Windows Server 2003.

Adding a Windows Server 2003 to an NT4 or Windows 2000 Environment

Many organizations want to add in a specific Windows Server 2003 function such as Windows Server 2003 Terminal Services, Windows Server 2003 Remote Access Services, Windows Server 2003 Media Services, or the like. Such functions can be added on Windows Server 2003 member servers in existing Windows NT4 or Windows 2000 networking environments. This allows an organization to get Windows Server 2003 application capabilities fairly quickly and easily without having to do a full migration to Windows Server 2003. In many cases, a Windows Server 2003 member server can simply be added to an existing network without ever affecting the existing network. This addition provides extremely low network impact but enables an organization to prototype and test the new technology, pilot it for a handful of users, and slowly roll out the technology to the client base as part of a regular system replacement or upgrade process.

Some organizations have replaced all their member servers with Windows Server 2003 systems over a period of weeks or months as a preparatory step to eventually migrate to a Windows Server 2003 Active Directory structure.

Migrating from Windows 2000 to Windows Server 2003

For organizations that have already migrated to Windows 2000 and the Active Directory environment, migrating to Windows Server 2003 for Active Directory functionality can provide access to several additional capabilities that require a Windows network to be running on Windows Server 2003. Some of the Windows Server 2003 technologies that require implementation of the Windows Server 2003 Active Directory include RIS for Servers, Windows Server 2003 group policy enhancements, and the full Windows Server 2003 Distributed File System.

Fortunately, organizations that have already implemented Windows 2000 or have already migrated from Windows NT4 to Windows 2000 have completed the hard part of their migration process. Effectively, Windows Server 2003 uses the same Active Directory organizational structure that was created with Windows 2000, so forests, domain trees, domains, organizational units, sites, groups, and users all transfer directly into Windows Server 2003. If the organizational structure in Windows 2000 met the needs of the organization, the migration to Windows Server 2003 is predominantly just the insertion of a Windows Server 2003 global catalog server into the existing Windows 2000 Active Directory domain to perform a global catalog update from Windows 2000 Active Directory to Windows 2003 Active Directory.

Unlike the migration process from Windows NT4 to Windows 2000, in which an organization was unable to migrate a Windows NT4 backup domain controller (BDC) to a Windows 2000 domain controller (DC), Windows Server 2003 enables an organization to migrate its Windows 2000 DCs to Windows Server 2003 DCs, thus allowing an interim mode for partial (slower) migration to Windows Server 2003.

Of course, planning, system backup, and prototype testing—covered in Chapter 17, “Migrating from Windows 2000 to Windows Server 2003”—help minimize migration risks and errors and lead to a more successful migration process. However, the migration process from Windows 2000 to Windows Server 2003 is a relatively easy migration path for organizations to follow.

Many organizations choose to make changes in their Active Directory structure when they migrate from Windows 2000 to Windows Server 2003, such as changing simple domain structure or possibly even doing a complete domain rename. Windows Server 2003 provides several tools, covered in Chapter 17, that help organizations make changes to their Active Directory during their migration process. Many of these processes can be completed before migrating to Windows Server 2003, but many of them can be completed after migrating to Windows Server 2003 as well. And several of these processes are best completed during the migration of Windows Server 2003. Therefore, it is important to plan any changes and review Chapter 17 before starting a migration.

Migrating Directly from Windows NT4 to Windows Server 2003

Organizations that still have Windows NT4 in their networking environments must decide whether to migrate from Windows NT4 to Windows 2000, or to migrate directly from Windows NT4 to Windows Server 2003. Some of the deciding factors are determining what Windows Server 2003 features and functions they want and the cost and effort to migrate. As noted earlier in the section “When Is the Right Time to Migrate?”, organizations do not necessarily have to migrate completely to Windows Server 2003 to get its functionality. They can choose to migrate just a couple of member servers from Windows NT4 to Windows Server 2003 without having to migrate the whole Active Directory domain structure. This can be a first step in getting Windows Server 2003 technology into their network.

If an organization has already begun its migration to Windows 2000, it might choose to shift to an implementation of future global catalog servers as Windows 2003 systems. A huge benefit of a shift from Windows 2000 Active Directory to Windows 2003 Active Directory is the ability to easily intermix global catalog servers. New global catalog servers can be Windows 2003 systems, and existing Windows 2000 global catalog servers can remain until such time as it is convenient to upgrade those servers to Windows 2003. Of course, an organization can choose to migrate completely from Windows NT4 to Windows Server 2003, and because the forest, domain, site, and other structural functions of Windows 2000 and Windows Server 2003 are identical, any planning done for a migration to Windows 2000 can be applied to an organization’s decision to migrate from Windows NT4 to Windows Server 2003.

The planning, design, prototype, and migration steps to assist an organization in its migration from a Windows NT4 to a Windows Server 2003 environment are covered in Chapter 16, “Migrating from NT4 to Windows Server 2003.”

Versions of Windows Server 2003

With the release of Windows Server 2003, a change in the various versions of the operating system was announced. Rather than just Server and Advanced Server editions of the operating system, there are four different Windows Server 2003 editions: the basic Web edition, a Standard edition, an Enterprise edition, and a Datacenter edition, along with editions that support 64-bit processors.

Windows Server 2003 Web Edition

The Windows Server 2003 Web edition is a one- to two-processor Web front-end server version of the operating system, focused on application servers dedicated to Web services. Many organizations are setting up simple Web servers as front ends to database servers, messaging servers, or data application server systems. Windows Server 2003 Web edition can be used as a simple Web server to host application development environments or can be integrated as part of a more sophisticated Web farm and Web Services environment that scales to multiple load-balanced systems. The Windows Server 2003 operating system has significant improvements in scalability over previous versions of the Windows operating system, and an organization can license multiple Web services systems at a lower cost per server to provide the scalability and redundancy desired in large Web farm environments.

Windows Server 2003 Web edition supports up to 2GB of RAM for front-end Web cache capabilities.

Note

For organizations looking to purchase the Windows Server 2003 Web edition to set up as a very low cost file and print server or utility server (DNS, DHCP, domain controller), the Web edition does not provide traditional multiuser file or print access or utility services. You need to purchase the Windows Server 2003 Standard edition to get capabilities other than Web services.

Windows Server 2003 Standard Edition

The Windows Server 2003 Standard edition is the most common “file server” version of the operating system. The Standard edition supports up to four processors per server, has full support for file and print services functions, can act as a multiprocessor Web server, supports Terminal Services, provides Media Services, can be set up as a utility server, and can support up to 4GB of RAM.

The Standard edition is a good version of the operating system to support domain controllers, utility servers (such as DNS, DHCP, bridgehead servers), file servers, and print server services. Many small and medium-size organizations find the capabilities of the Standard edition sufficient for most network services, and even large organizations use the Standard edition for utility servers or as the primary server in a remote office. Effectively, the Standard edition meets the needs of any server function for which a system with one to four processors is sufficient. See Chapter 35 for capacity analysis and server scalability recommendations for a Windows Server 2003 system.

Windows Server 2003 Enterprise Edition

The Windows Server 2003 Enterprise edition is focused on server systems that require up to eight processors and/or up to 8-node clustering for large scale-up server configurations. With support for up to 32GB of RAM as well as a 64-bit Itanium version available, the Enterprise edition is the appropriate version of the operating system for the high availability and high processing demands of core application servers such as SQL Servers or large e-commerce back-end transaction systems.

For organizations leveraging the capabilities of Windows Server 2003 for Thin Client Terminal Services that require access to large sets of RAM and multiple processors, the Enterprise edition can handle hundreds of users on a single server. Terminal Services are covered in more detail in Chapter 27.

The Enterprise edition, with support for up to 8-node clustering, can provide organizations with the nonstop networking demands of true 24×7, 99.999% uptime capabilities required in high-availability environments. Windows Server 2003 Enterprise edition supports a wide variety of regularly available server systems, thus allowing an organization its choice of hardware vendor systems to host its Windows Server 2003 application needs.

A handful of services that are available on the Enterprise edition of Windows Server 2003 but not on the Standard edition include the capability to support the Microsoft Identity and Integration Server synchronization, Windows Terminal Server session directory, Windows remote storage functionality, and Windows System Resource Manager. If this functionality is required, the Enterprise Edition needs to be selected as the server option.

Windows Server 2003 Datacenter Edition

Windows Server 2003 Datacenter edition is a proprietary hardware version of the operating system that supports from 8 to 64 processors and up to 8-node clustering. The Datacenter edition is focused on organizations that need scale-up server technology to support a large centralized data warehouse on one or a limited number of server clusters.

As noted in Chapter 35 on performance and capacity analysis, an organization can scale out or scale up its server applications. Scale-out refers to an application that performs better when it is distributed across multiple servers, whereas scale-up refers to an application that performs better when more processors are added to a single system. Typical scale-out applications include Web server services, electronic messaging systems, and file and print servers. In those cases, organizations are better off distributing the application server functions to multiple Windows Server 2003 systems. However, applications that scale up, such as e-commerce or data warehousing applications, benefit from having all the data and processing on a single server cluster. For these applications, Windows Server 2003 Datacenter edition provides better centralized scaled performance as well as the added benefit of fault tolerance and failover capabilities.

With the Datacenter edition’s support for up to 8-node clustering, an organization can share the processing power of 8 nodes with up to 64 processors each to achieve transaction rates per second that exceed the capabilities of many mainframe and mini-computer systems.

In addition to the scale-up capabilities of clustering, an organization can configure failover between clustered systems to achieve 99.999% uptime levels.

Note

The Windows Server 2003 Datacenter edition is sold only with proprietary hardware systems, so an organization cannot buy the Datacenter edition software and build or configure its own 32-way multiprocessor system. The Datacenter edition is developed and tested by a consortium of hardware vendors to strict standards for performance, reliability, and supportability.

Windows Server 2003 x64-bit Edition

In 2005, Microsoft shipped an x64-bit edition of the Windows 2003 operating system to support 64-bit processors. The x64-bit version of Windows 2003 provides access to more memory and faster server performance, which ultimately increases the scalability of the Windows networking environment.

Note

This book does not address x64-bit Windows separately. Because x64-bit Windows is configured, updated, and managed just like 32-bit Windows, this book makes no distinction between an x64-bit system and a 32-bit system.

What’s New in Windows Server 2003?

From a Microsoft marketing perspective, Windows Server 2003 could be said to be faster, more secure, more reliable, and easier to manage. And it is true that the Windows Server 2003 operating system has all these capabilities. However, this section notes specifically which changes are cosmetic changes compared to previous Windows operating systems and which changes truly improve the overall administrative and end-user experience due to improvements in the operating system.

Visual Changes in Windows Server 2003

The first thing you notice when Windows Server 2003 boots up is the new Windows XP–like graphical user interface (GUI). This is obviously a simple cosmetic change to standardize the current look and feel of the Windows operating systems. Just like with Windows XP, a user can switch the new Windows GUI to look like the classic mode, and because most administrators have worked with Windows NT and Windows 2000 for a long time, they tend to switch off the XP GUI and configure the system to look like the classic version. It makes no difference whether the new GUI or the classic GUI is enabled; all the features and functions of the Windows Server 2003 operating system are the same in either mode.

Customization and Programmability of the .NET Server Interface

One of the benefits of the new Windows Server 2003 operating system is the customization and programmability of the operating system interface. Because Windows Server 2003 enables organizations to change the interface that users of the server systems see, organizations have been able to customize the GUI to provide a simple administrative interface. As an example, many organizations have operations support personnel who provide administrative assistance at night for system backup, maintenance, or extended-hours support, and might prefer to customize the desktop for these late-night specialists. Rather than teaching the operations personnel specialized Windows administrative tools, the organization can program a simple interface in XML with scripts tied to buttons that clear print queues, restart system services, add or disable user accounts, or back up and restore data, for example. Chapter 23, “Automating Tasks Using Windows Server 2003 Scripting,” addresses tasks that can be automated using scripts for customized user configurations.

Changes That Simplify Tasks

Windows Server 2003 has added several new capabilities that simplify tasks. These capabilities could appear to be simply cosmetic changes; however, they actually provide significant benefits for administrative management. Some of the improvements include drag-and-drop capabilities in the administrative tools and built-in configuration and management wizards.

Drag-and-Drop Capabilities in Administrative Tools

Many of the new administrative tools in Windows Server 2003 provide drag-and-drop capabilities that allow administrators to simply select objects with a mouse and drag and drop them to a new location. In Windows 2000, an administrator had to select the objects, right-click, select Move, and choose the destination from a menu or graphical tree. Although this task might seem trivial, for any administrator reorganizing users between organizational units in the Active Directory Users and Computers utility, the ability to drag and drop objects greatly reduces the time and effort required to organize and manage the Active Directory.

Built-in Setup, Configuration, and Management Wizards

Another major addition to Windows Server 2003 that simplifies tasks is a series of configuration and management wizards built into the operating system. Instead of an administrator having to walk through menus of commands to manually create or modify networking roles, Windows Server 2003 provides wizards that enable the administrator to add, modify, and remove system configurations. These wizards are no doubt a significant benefit to operating system novices because the questions in the wizards are typically simple to answer. However, even Windows experts prefer the wizards over manual installation tasks because it is frequently easier and faster to answer a few questions and press the Return key than to fumble through a series of menus, property screens, and configuration tabs entering the same information.

Improved Security

Significantly more than cosmetic updates are the security enhancements added to Windows Server 2003. In the middle of the development of the Windows Server 2003 product, Microsoft launched its Trustworthy Computing Initiative, which stipulated that all products and solutions from Microsoft meet very stringent requirements for security. So, although Windows Server 2003 was already slated to have several new security enhancements, Trustworthy Computing created an environment in which the Windows Server 2003 product would be the most secure Windows operating system shipped to date.

Part IV of this book is focused on security in several core areas. Chapter 12 addresses server-level security, which, from a Windows Server 2003 perspective, covers the new defaults under which most services are disabled on installation and must be explicitly enabled. Although this change might seem trivial in Windows operating system development, it provides a relatively secure server directly from initial installation. In previous versions of the Windows operating system, going through all the unneeded features of Windows and disabling them to lock down a server system could easily take an hour. The server defaults as well as the functional and operational differences are also noted in Chapter 12.

IPSec and Wireless Security Improvements

Transport-level security in the form of IPSec was included in Windows 2000, but organizations have been slow to adopt this type of security, typically because of a lack of understanding of how it works. Chapter 13, “Transport-Level Security,” addresses best practices for enabling IPSec in organizations to provide a high level of server-to-server, site-to-site, and remote user–to–LAN secured communications. Also covered in Chapter 13 is the new secured wireless LAN (802.1X) technology built into Windows Server 2003. Windows Server 2003 includes dynamic key determination, an improvement in wireless security over the more common Wired Equivalent Privacy (WEP) used with standard 802.11 wireless communications. By improving the encryption on wireless communications, an organization can increase its confidence that Windows Server 2003 provides a truly secure networking environment.

Microsoft Passport Support

New to Windows Server 2003 is Microsoft Passport support for logon authentication. Microsoft Passports, first introduced in the Windows XP desktop operating system, allowed desktop users to create secured communications with Passport-enabled services. The initial Passport-enabled services included instant messaging, access to certain Web sites, and Passport-enabled e-commerce sites. With the inclusion of Microsoft Passport support on Windows Server 2003, a Passport-enabled client can now log on using secured credentials to a Windows Server 2003 network. Therefore, the same Passport that allows a user to access e-commerce sites, Web sites, and instant messaging allows the user to create a secured connection to the Windows Server 2003 environment. Microsoft Passport support in a Windows Server 2003 environment is covered in detail in Chapter 14, “Windows Server 2003 Passports.”

Performance and Functionality Improvements

A network end user would likely never notice many of the new features added to Windows Server 2003, and in many cases a network administrator would not even be aware that the technologies were updated and improved. These technologies help the network operate more efficiently and effectively, so a user might experience faster network performance. However, even if the network responded twice as fast, a process that used to take three seconds to complete and now takes less than two seconds is not something a user would particularly notice. The key benefit typically comes in the form of reduced overall network bandwidth demand or, for very large organizations, in fewer additional servers, processors, and site connections being required to scale the enterprise.

Global Catalog Caching on a Domain Controller

One of the significant back-end improvements in Windows Server 2003 is the server’s capability to cache global catalog information on domain controllers. In a Windows 2000 environment, for users to access the global catalog to view mail accounts and distribution lists, an organization typically placed a global catalog server in every site within the organization. This distributed global catalog server function minimized the ongoing traffic of users querying the catalog over a WAN connection every time they wanted to send an email to someone else in the organization; however, it meant that directory replication occurred to every global catalog in the enterprise to keep the directory synchronized. With Windows Server 2003, an organization can place just a domain controller in a remote location, and the global catalog information is cached on the remote system. This provides the best of both worlds: the caching of the global catalog means that the directory information is readily available to remote users, but because it is just a cache of the information and not a fully replicated copy, synchronization and distribution of catalog information occur only when the information is initially requested, and not each time a change is made to the directory.

Fine-Tuning on Global Catalog Synchronization

Another behind-the-scenes update to Windows Server 2003 is the fine-tuning done to the way global catalog full syncs are conducted. A global catalog full sync occurs when the entire global catalog is replicated from global catalog server to global catalog server. In organizations with very large global catalogs, this replication could duplicate several megabytes of information to every global catalog server in the network, which could have a significant impact on overall network performance.

In Windows 2000, global catalog full syncs were conducted any time attributes were added to the partial attribute set (PAS). In simplified terms, this meant that if an organization had a distribution list with 5,000 names on it and the administrator added just one more name to the list, all 5,001 names were replicated from global catalog to global catalog.

With Windows Server 2003, changes can be made to the partial attribute set with only the modified attribute replicated to global catalog servers throughout the organization. This allows administrators to add a 5,001st name to a distribution list with only that single name replicated across the WAN. Similar partial replication is conducted on several other Windows Server 2003 infrastructure objects and is highlighted in Chapter 7, “Active Directory Infrastructure.”

Ability to Disable Compression on High-Speed Links

Another change that users almost never notice after a migration to Windows Server 2003, but that is of significance to server administrators, is the ability to disable compression on high-speed links between global catalog servers. In Windows 2000, before information was replicated between servers, the information was first compressed. This compression saved server-to-server LAN or WAN bandwidth, but Windows 2000 servers paid for it with increased CPU utilization when the information had to be compressed and then uncompressed as data was replicated between servers.

With Windows Server 2003, an administrator can disable the compression process, allowing information to replicate from server to server natively. Although this replication takes up more LAN or WAN bandwidth, network administrators with very high speed 100 megabit or gigabit backbones and plenty of headroom might prefer to use underutilized LAN/WAN bandwidth rather than consume CPU cycles in the middle of the day. This function by itself is rarely noticed by users, but combined with several other performance-improving functions in Windows Server 2003, an organization can use it to improve overall network performance in its enterprise.

The capability to tune and optimize compression links and other networking factors is covered in Chapter 7 on the Active Directory infrastructure as well as in Chapter 35 on performance tuning and optimization.
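The following is an added example, not code from the chapter or from Microsoft, showing how an administrator would inspect, disable, and roll back the replication compression setting on a Windows Server 2003 domain controller. The registry location and value name are assumptions taken from Microsoft’s Windows Server 2003 documentation rather than from this chapter; verify them against current vendor guidance for your build before use.

```powershell
# Added example (not from the chapter): inspect and change the AD replication
# compression setting on a Windows Server 2003 domain controller.
# ASSUMPTION: the value name and location below come from Microsoft's Windows
# Server 2003 documentation, not from this chapter. Run in an elevated
# PowerShell session on the DC whose outbound replication you want to change.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'Replicator compression algorithm'

function Get-ReplicationCompression {
    # Returns the configured algorithm number, or $null when the value is
    # absent (the operating-system default, which compresses intersite traffic).
    $item = Get-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Disable-ReplicationCompression {
    # Record the previous state so the change can be rolled back, then set 0
    # (= no compression). Replication traffic from this DC is then sent
    # uncompressed, so apply this only on DCs joined by the high-speed links
    # described above, and record the change in your change log.
    $before = Get-ReplicationCompression
    Set-ItemProperty -Path $ntdsParams -Name $valueName -Value 0 -Type DWord
    $shown = if ($null -eq $before) { 'default' } else { $before }
    Write-Output ("{0}: '{1}' changed from {2} to 0" -f $env:COMPUTERNAME, $valueName, $shown)
}

function Restore-ReplicationCompression {
    # Removing the value returns the DC to the default (compressed) behaviour.
    Remove-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
    Write-Output ("{0}: '{1}' removed; default compression restored" -f $env:COMPUTERNAME, $valueName)
}

# Typical use: check, change, and confirm.
Get-ReplicationCompression
Disable-ReplicationCompression
Get-ReplicationCompression   # now 0
```

Because the setting governs what the sending domain controller does, check it on every DC at each end of the link rather than only on one side, and keep the recorded “before” value so the compression can be restored if WAN utilization rises unexpectedly.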

Increased Support for Standards

The release of Windows Server 2003 introduced several industry standards built into the Windows operating system. These changes continue a trend of the Windows operating system supporting industry standards rather than proprietary Microsoft standards. Some of the key standards built into Windows Server 2003 include IPv6, XML Web services, and IETF security standards.

Support for IPv6

Windows Server 2003 supports Internet Protocol version 6 (or IPv6), which is the future Internet standard for TCP/IP addressing. Most organizations support Internet Protocol version 4 (or IPv4). Due to the Internet numbering scheme running out of address space in its current implementation of addressing, Internet communications of the future need to support IPv6, which provides a more robust address space.

Additionally, IPv6 supports new standards in dynamic addressing and Internet Protocol Security (IPSec). IPv6 is also designed to coexist with the current IPv4 standards so that dual addressing is possible. With Windows Server 2003 supporting IPv6, an organization can choose to implement a dual IPv6 and IPv4 configuration to prepare for future Internet communications. IPv6 is covered in more detail in Chapter 7.

Support for XML Web Services

Windows Server 2003 supports XML Web services, which is the XML development language and Web services provider environment that allows for dynamic Web services in a networking environment. Web services have become the focus of all the main network operating systems, allowing server systems to host Web-based applications. XML has become a standard application development language for organizations to create applications. XML is used as the programming language driving the front end for wireless telephones, voice-over-IP telephones, appliance workstations and server systems, routers, and other network devices.

XML Web services combines the expanding support for the XML development language with the growing market demand and use of Web servers, thus creating XML Web services systems. Microsoft’s support for XML Web services keeps it among the organizations leveraging the latest in Web server technology.

Support for IETF Security Standards

Windows Server 2003 now supports Internet Engineering Task Force (IETF) security standards. The IETF stipulates standards for communications, protocols, and security. In the past, Microsoft created its own standards for security and rarely supported Internet security protocols. With an initiative to support IETF standards, Microsoft can address security on an enterprisewide basis.

Ability to Delete Active Directory Schema Objects

New to Windows Server 2003 is the ability for administrators to delete Active Directory schema objects. With the introduction of the Windows 2000 Active Directory, organizations could extend the schema and make changes to the directory. However, although the schema could be extended, there were no provisions to delete objects created in the schema.

With Windows Server 2003, a schema administrator can now select and delete Active Directory schema objects. This deletion capability enables an organization to make changes to the schema without fear of creating schema changes that cannot be removed in the future.

Windows Server 2003 Benefits for Administration

Windows Server 2003 provides several new benefits that help organizations better administer their networking environment. These new features provide better data and printer management, improvements in the ability to recover accidentally deleted files, the ability to create domain controllers from disc media, and better security for the communications of mobile users.

File Server Resource Manager (FSRM)

In the Windows 2003 R2 update, Microsoft added a new component called File Server Resource Manager, or FSRM. FSRM provides an improved method of managing files stored on servers through the implementation of quota management and automatic data management. FSRM not only allows an organization to set quotas on the amount of disk space a user can use to store files, but it also enables the administrators of the network to specifically allow or limit the storage of certain file types on a server.

As an example, an organization can elect to give all users the ability to save up to 100 megabytes of files on the main file server. In addition, the organization can set a policy that prevents users from storing MP3 audio files or MPG movie files on the network. FSRM can be extended even further by allowing some users more storage privileges and some users fewer. This granular approach to storage and data management allows the administrators of the organization to better define acceptable storage and use rights to shared network resources, as well as log, track, and manage the storage of information on servers throughout the environment.

FSRM is covered in Chapter 19.
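The policy just described (a 100 MB per-user quota, a larger allowance for a few users, and a block on MP3/MPG files), as an added example that is not part of the chapter. It assumes the FSRM command-line tools dirquota.exe and filescrn.exe from Windows Server 2003 R2 and their documented switches; the chapter itself does not name them. The share path, template name, and user folder are constructed placeholders.

```powershell
# Added example (not from the chapter): apply the storage policy described above
# with the FSRM command-line tools dirquota.exe and filescrn.exe.
# ASSUMPTION: these tools and their switches are taken from the Windows Server
# 2003 R2 FSRM documentation, not from this chapter; $share, the template name
# and the user folder are constructed placeholders.
$share = 'D:\Users'

# 1. A 100 MB hard quota template, auto-applied to every existing and future
#    per-user subfolder of the share. A hard quota blocks writes past the limit;
#    a soft quota would only log and notify.
dirquota template add /Template:"User 100MB" /Limit:100MB /Type:Hard
dirquota autoquota add /Path:$share /SourceTemplate:"User 100MB"

# 2. A user who legitimately needs more space gets a larger individual quota
#    on that one folder instead of a looser policy for everyone.
dirquota quota modify /Path:"$share\jdoe" /Limit:500MB

# 3. An active file screen that rejects MP3 and MPG files anywhere under the
#    share. An active screen blocks the save; a passive screen only records it,
#    which is the safer first step while you gauge how much is already stored.
filescrn filegroup add /Filegroup:"Blocked Media" /Members:"*.mp3|*.mpg"
filescrn screen add /Path:$share /Add-Filegroup:"Blocked Media" /Type:Active

# 4. Verify what is now enforced before announcing the policy to users.
dirquota quota list /Path:"$share\*"
filescrn screen list /Path:$share
```

File screens match on file name only, so they are an acceptable-use control rather than a content control: a renamed media file passes the screen. Keep the quota as the hard backstop and review the FSRM storage reports to see what actually lands on the server.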

Print Management Console (PMC)

Another addition to Windows 2003 introduced with the Windows 2003 R2 update is the Print Management Console component, or PMC. PMC enables the administrators of the network to track, manage, and administer printers throughout the forest from a single interface. Before PMC, administrators had to manage printers by print queue server. By querying a specific print queue server, the administrator could see all the printers connected to that server. If the organization had dozens of print queue servers, the administrator literally had to connect to each print queue server individually to query it about the printers it was managing. This made managing printers at scale very difficult.

PMC combines all the printers and print queues in the forest into a single interface. From a single view, administrators can see printers throughout the enterprise, determine which printers are not working, and manage and maintain the printers enterprisewide.

PMC is covered in Chapter 19.

Volume Shadow Copy

A significant addition to Windows Server 2003 is the Volume Shadow Copy function. Volume Shadow Copy takes a snapshot of a network volume and places the copy onto a different volume on the network. After a mirrored snapshot is taken, at any time, files from the read-only shadow can be accessed without complications typical of network volumes that are in use. Volume Shadow Copy will no doubt have a variety of third-party add-ins that support access to the read-only shadow copy of information. Two of the major initial capabilities include online backup of open files and user-level retrieval of file copies. Both of these capabilities are covered in more detail in Chapter 30.

Online Backup of Open Files

The ability to back up open files has always been a challenge for organizations. Old tape backup software skipped files in use because there was no easy way to back up files being used by network users. Improvements in tape backup software now allow an organization to enable an open-file agent on a server so that files in use can be backed up. However, the process of backing up open files either significantly slows normal access to the files, or the files are backed up out of sequence, making restoration of the files a challenge.

Windows Server 2003 Volume Shadow Copy allows the primary network volume to be locked and a snapshot created to another volume. With the read-only shadow volume available, tape backup software can launch a backup of the files without having to contend with file access of other applications or devices. Furthermore, because the files are not in use, the backup system does not have to stop, unlock a file, back up the file, and then relock the file for user access. And because the volume shadow can reside on a different server volume or even on a different server, the information can be backed up with no impact on users.

User-Level Retrieval of Archived File Copies

Another popular use of Volume Shadow Copy is the ability for users to easily restore files they might have accidentally deleted. With Windows NT4 or Windows 2000, when a user accidentally deleted a file, if the file did not end up in the user’s personal Recycle Bin, the file was effectively lost. The best the organization could typically do was recover the file from tape.

With Windows Server 2003’s Volume Shadow Copy, a shadow of files can be taken periodically. Now when users want to recover an accidentally deleted file, all they have to do is access the volume shadow to select an archived file for retrieval. This Volume Shadow Copy retrieval process is also preferred over backup systems because most data file loss is caused by accidental overwriting of files or file corruption. Volume Shadow Copy can provide the online restoration of files from the last series of Windows Server 2003 snapshots.
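The two uses of Volume Shadow Copy described above (a read-only snapshot for backup and periodic snapshots that users can restore from), as an added example that is not part of the chapter. It assumes the vssadmin.exe and schtasks.exe sub-commands documented for Windows Server 2003; the drive letters and task name are constructed placeholders.

```powershell
# Added example (not from the chapter): keep shadow copies on a second volume,
# take a snapshot, and list it so backup software or users can reach it.
# ASSUMPTION: vssadmin.exe and schtasks.exe sub-commands are taken from the
# Windows Server 2003 documentation, not from this chapter; drive letters and the
# task name are constructed placeholders. Run in an elevated session on the server.
$dataVolume   = 'D:'   # volume holding the user files
$shadowVolume = 'E:'   # separate volume that stores the shadow copies

# 1. Keep the snapshots off the data volume and cap the space they may use.
#    When the cap is reached the oldest shadow copies are discarded, so size it
#    for the retention you actually want.
vssadmin add shadowstorage /for=$dataVolume /on=$shadowVolume /maxsize=10GB

# 2. Take a snapshot now. Open files are captured consistently; the live volume
#    stays available to users while the backup runs against the copy.
vssadmin create shadow /for=$dataVolume

# 3. List the shadows for the data volume. The "Shadow Copy Volume" device path
#    in this output is what a backup agent opens instead of the live files.
vssadmin list shadows /for=$dataVolume

# 4. Schedule a daily 07:00 snapshot so users find recent versions in the
#    Previous Versions tab of a share. Create a second task for a midday snapshot.
schtasks /create /tn "ShadowCopy D 0700" /sc daily /st 07:00 /ru SYSTEM /tr "vssadmin create shadow /for=D:"
```

Shadow copies are a convenience for recovering accidental deletions and overwrites, not a replacement for backup: they live on the same server, and a failure of that server or of the shadow storage volume takes them with the data. Keep the tape or off-host backup schedule in place alongside them.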

Global Catalog Build from Media

Organizations that built global catalog servers across a fairly distributed WAN infrastructure with Windows 2000 found it very challenging because of the time required to replicate an initial global catalog over a WAN. Windows Server 2003 enables the organization to export the global catalog to a file that can be burned to CD-ROM and later used to build a global catalog server remotely.

When a remote administrator needs to build a global catalog server and runs the DCPromo utility, the administrator is given the option of building the initial global catalog from media. At that time, the CD with the global catalog file can be inserted and the initial catalog information installed. Replication to the network will occur, but only for changes made to the global catalog since the CD was created.

This process is covered in detail in Chapter 3, and is commonly used as a method of creating global catalog servers when a global catalog needs to be created across a WAN.

IPSec NAT Traversal

Windows Server 2003 provides better remote user security with IPSec NAT Traversal (NAT-T). Internet Protocol Security provides an end-to-end encryption of information for server-to-server or for client-to-server secured communications. Unfortunately, with IPSec, the source and destination servers must have public Internet addresses where Network Address Translation (NAT) is not used. For site-to-site communications, an organization typically can create public IP addresses to servers on each end of the site-to-site connection. However, mobile users who may connect at hotels, airports, or other temporary locations are rarely assigned public IP addresses; thus, IPSec has not been very functional for mobile users wanting to securely access their networks running Windows 2000.

Windows Server 2003 provides IPSec NAT Traversal that enables IPSec servers and clients to traverse Network Address Translation network segments. With IPSec NAT Traversal, an organization can increase the remote-to-server security and provide secured mobile communications much better than it has ever been able to do before.

IPSec NAT Traversal is covered in Chapter 26, “Server-to-Client Remote and Mobile Access.”

Windows Server 2003 for Better User Services

Most of the improvements in Windows Server 2003 covered so far in this chapter take place behind the scenes and are not something day-to-day users would notice or appreciate. The services described in this section are tools and technologies that users can see directly and from which they will notice significant benefits. These services include improved file management using Distributed File System, better file redundancy and fault tolerance with DFS, and print queue redundancy that minimizes printer interruption and print operation downtime.

File Management with Distributed File System

Windows Server 2003 has a much improved Distributed File System compared with what was available in Windows 2000, further advanced with the Windows 2003 R2 update. In most organizations, files are distributed across multiple servers throughout the enterprise. Users access file shares that are geographically distributed, and they can also access file shares on several servers within a single site. In many organizations, when file shares were originally created years ago, server performance, server disk capacity, and the workgroup nature of file and print server distribution created environments in which there was a file share for every department and every site. Thus, files are typically distributed throughout an entire organization across multiple servers.

Windows Server 2003 Distributed File System (DFS) and Windows Server 2003 Distributed File System Replication (DFSR) in Windows 2003 R2 enable an organization to consolidate file shares onto fewer servers and to create a file directory tree that is not organized server by server or share by share, but rather as an enterprisewide directory tree. This allows an organization to have a single directory spanning files from multiple servers throughout the enterprise.

Note

DFSR performs a bit-level replication of data between servers, whereas DFS performs replication at the file level. This means that when a file is modified with DFSR, only a few bits of changed data are replicated to other DFS storage locations as opposed to replicating an entire file.

Because the DFSR directory is a logical directory that spans the entire organization with links back to physical data, the actual physical data can be moved without having to make changes to the way the users see the logical DFS directory. This enables an organization to add or delete servers, or move and consolidate information however it works best within the organization.

DFSR is a significant function that benefits user access to information, and Chapter 30 of this book is dedicated to DFSR and the best practices around planning and implementing DFSR in an organization.

Redundancy and Fault Tolerance of Data with DFSR

In addition to having DFSR provide better manageability to data than ever before, DFSR also provides redundancy and fault tolerance on file data. A built-in DFSR technology called DFS replicas enables an organization to create redundancy and business continuity to its DFSR data. DFSR redundancy and fault tolerance are covered in Chapter 30.
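The namespace and redundancy features described in the preceding sections, as an added example that is not part of the chapter: one domain-based DFS tree presenting shares from two servers, with a second target added to one folder so clients fail over if its server is unavailable. It assumes the dfsutil.exe and dfscmd.exe commands documented for Windows Server 2003; the domain, server, and share names are constructed placeholders.

```powershell
# Added example (not from the chapter): build a domain-based DFS namespace that
# presents shares from two servers as one tree, and give one folder a second
# target for fault tolerance.
# ASSUMPTION: dfsutil.exe and dfscmd.exe and their switches are taken from the
# Windows Server 2003 documentation, not from this chapter; the domain, server
# and share names are constructed placeholders.
$domain = 'corp.example.com'
$root   = "\\$domain\Public"      # the domain-based (fault-tolerant) root users will see

# 1. Create the domain-based root, hosted on SRV1's existing "Public" share.
dfsutil /addftroot /server:SRV1 /share:Public

# 2. Folders in the namespace point at shares on different servers, yet users
#    see one tree under \\corp.example.com\Public.
dfscmd /map "$root\Engineering" \\SRV1\EngData "Engineering documents"
dfscmd /map "$root\Finance"     \\SRV2\FinData "Finance documents"

# 3. A second target for Engineering on SRV3. Clients are referred to SRV3 when
#    SRV1 is down; with DFSR (R2) replicating EngData between SRV1 and SRV3 the
#    two copies stay in sync, which is the redundancy described above.
dfscmd /add "$root\Engineering" \\SRV3\EngData

# 4. Show the resulting tree with every target, to confirm before moving data.
dfscmd /view $root /full
```

Because users only ever see the logical path, the physical share behind a folder can later be moved (map the new target, confirm replication is current, then remove the old one) without touching drive mappings or documentation on the client side. Check that share and NTFS permissions match on every target; a referral to a target with looser permissions silently widens access.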

Redundancy with Printer Queues

Many organizations take reliable printer operations and management for granted, and because of the reliability of printing in previous versions of the Windows operating system, print queue redundancy might not be high on an organization’s priority list. Windows Server 2003 helps an organization plan for the possibility of print queue failure and provides redundancy for printer queues.

This function allows an organization to set up failover and enables print queues to be stored on multiple servers, thus providing failover in the event of a print queue server failure. Print queue fault tolerance is covered in Chapter 3.

Benefits for Thin Client Terminal Services

Windows Server 2003 introduced a series of significant improvements to the Terminal Services capabilities for thin client access. A client system working from a browser, a Windows terminal, or the Remote Desktop Client software on a desktop system can access a centralized Terminal server to gain access to network resources. With Windows Server 2003, these same remote users can now use local drive and audio redirection, have local time zone support, choose the speed of their connection to optimize session performance, and take advantage of a service called Session Directory that provides better redundancy and recoverability in the event of a LAN, WAN, or Internet interruption.

Although all these new capabilities are highlighted here, they are covered in detail in Chapter 27, which addresses their planning, design, prototype testing, implementation, and optimization.

Local Drive and Audio Redirection

An update to Terminal Services in Windows Server 2003 is the ability for a remote client to access local hard drives as well as redirect the audio from a centralized Terminal server to a remote system. In the past, these capabilities required a relatively expensive add-in from Citrix Systems. Now that these capabilities are built into the core Windows Server 2003 Terminal Services, an organization can choose whether it wants to or needs to purchase the add-in.

Local Drive Redirection

Local drive redirection allows a remote user to log on to a centralized Terminal server to access network resources while the drives of the user’s own system show up as drive letters in the session, so that files can be retrieved from or saved to that system. The user can then drag and drop files between the remote system and the centralized server. The redirected drives can include local C: hard drives, CD-ROM drives, floppy drives, or any other device that has a drive letter on the remote system.

Audio Redirection

Audio redirection allows a remote user to log on to a centralized Terminal server and have sound redirected from the centralized system to the speaker of the remote client system. With organizations integrating voicemail and other audio-integrated tools and utilities into their daily business operations, having the ability to redirect audio to the remote system allows an organization to better support business tools using sound as part of the communication infrastructure.

Local Time Zone Support

With Windows Server 2003 Terminal Services, when a remote user logs on to a centralized Terminal server, the user now can work on either the default time zone on the server or choose the local time zone. This capability is important for organizations that have centralized servers used by employees across the country or around the world.

Earlier versions of Windows had support for only one time zone: the time zone of the Terminal server system. This meant that if the Terminal server was in California and a user from Georgia logged on to the Terminal server, all the individual’s email messages or time stamps on file access were based on the Pacific time zone. With local time zone support in Windows Server 2003, now the remote user in Georgia can specify in her remote client access software to use the local time zone. Now when emails are sent, or when files are saved, the time stamp on the communications will be based on the Eastern time zone, where the user resides.

Windows Server 2003 supports all time zones and can have users from all time zones accessing the server at the same time.

Specifying Connection Type

Windows Server 2003 has added a new feature that enables remote users to specify the type of remote connection they have. Rather than having just a single server to remote client session configuration, remote users can specify that they are attaching to the Terminal server over a very slow modem connection, from a mid-speed broadband connection, from a very high-speed LAN connection, or from a customized configuration.

When a user specifies a slow modem connection session, the Terminal server system automatically optimizes server-to-client communications by not running functions that take up session performance such as complicated user backgrounds on a screen desktop. It also optimizes mouse and keyboard controls and disables Windows themes and unnecessary screen animation to provide more communication bandwidth to remote application access functions.

When a user specifies a mid-speed broadband or a LAN connection, more of the features are enabled so that backgrounds, themes, animation, and menu variations are transferred just as if the user were sitting at a desktop at the office.

This minor user-defined optimization enables remote users to improve their session connection and thus their user experience based on the speed of their connection.

Session Directory

New to Windows Server 2003 is a technology called Session Directory that allows remote users to reconnect to the exact same session that they were running before a temporary Internet, dial-up, or WAN connection failure caused a disconnection. This automatic reconnection has always worked fine if the organization has only one Terminal server; however, when an organization had multiple Terminal servers, there was no way for the remote client to know which server in the load-balanced farm (up to 32 with Network Load Balancing) was holding the user's disconnected session.

Session Directory runs as a service on a separate system and keeps a database of which user has a session on which Terminal server. When a user logs on to one of the servers in a load-balanced farm, that server asks Session Directory whether the user already has a session elsewhere in the farm; if it finds one, the user is redirected to the server holding it and resumes exactly where he left off. The redirection happens only after the user has authenticated on the server he first reached, so Session Directory routes the session but does not bypass logon. The terminal servers in the farm must run Windows Server 2003 Enterprise or Datacenter Edition to join a Session Directory.

Session reconnection requires the Terminal server to keep a disconnected session alive for a period of time. Best practices allow a remote user up to 10 minutes to reconnect to a dropped connection and re-establish his session right where he left off; this is the "End a disconnected session" limit on the RDP-Tcp listener, or the "Set time limit for disconnected sessions" Group Policy setting. After 10 minutes, the disconnected session is logged off to free up server memory, processing capacity, and a Terminal Services client access license, on the assumption that the user was not disconnected accidentally but simply forgot to log off when he was done. Session reconnection provides a variety of features and options that are addressed in detail in Chapter 27.
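The following script is an added example, not code from the book, that audits and sets the Terminal Services session settings discussed in the preceding sections: client drive and audio redirection, the disconnected-session time limit, and Session Directory membership. It goes one step beyond the text by treating clipboard redirection the same way, since it is the same kind of data channel. It assumes PowerShell 2.0 on a Windows Server 2003 terminal server, run as a local administrator; the Session Directory server and cluster names are placeholders, and the registry value names are the ones Terminal Services Configuration and the Terminal Services Group Policy settings write.

```powershell
# Added example (not from the book): audit and harden Terminal Services session
# settings. Assumes PowerShell 2.0 on Windows Server 2003, run as administrator.
# 'tssd01' and 'tsfarm' below are placeholder names.

$Listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist instead of throwing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-EffectiveTsSetting([string]$Name, [string]$LocalPath) {
    # A value written by Group Policy overrides the same value set locally in
    # Terminal Services Configuration, so the policy hive is checked first.
    $v = Get-RegValue $Policy $Name
    if ($v -ne $null) { return @{ Value = $v; Source = 'GroupPolicy' } }
    return @{ Value = (Get-RegValue $LocalPath $Name); Source = 'Local' }
}

function Get-TsSessionPolicy {
    # fDisableCdm / fDisableCam / fDisableClip = 1 block drive, audio and clipboard
    # mapping. MaxDisconnectionTime is in milliseconds; 0 means "never end".
    $drive = Get-EffectiveTsSetting 'fDisableCdm'  $Listener
    $audio = Get-EffectiveTsSetting 'fDisableCam'  $Listener
    $clip  = Get-EffectiveTsSetting 'fDisableClip' $Listener
    $disc  = Get-EffectiveTsSetting 'MaxDisconnectionTime' $Listener
    $sd    = Get-EffectiveTsSetting 'SessionDirectoryActive' $TsRoot
    $sdSrv = Get-EffectiveTsSetting 'SessionDirectoryLocation' $TsRoot
    $minutes = 0
    if ($disc.Value) { $minutes = [int]($disc.Value / 60000) }
    New-Object PSObject -Property @{
        DriveRedirectionAllowed     = ($drive.Value -ne 1)
        AudioRedirectionAllowed     = ($audio.Value -ne 1)
        ClipboardRedirectionAllowed = ($clip.Value -ne 1)
        DisconnectTimeoutMinutes    = $minutes
        SessionDirectoryJoined      = ($sd.Value -eq 1)
        SessionDirectoryServer      = $sdSrv.Value
        RedirectionSettingSource    = $drive.Source
    }
}

function Set-TsSessionPolicy {
    param(
        [bool]$AllowDriveRedirection = $false,
        [bool]$AllowAudioRedirection = $false,
        [bool]$AllowClipboard = $true,
        [int]$DisconnectTimeoutMinutes = 10,
        [string]$SessionDirectoryServer = '',
        [string]$ClusterName = ''
    )
    # Writes the values Terminal Services Configuration edits. If Group Policy
    # also sets them, the policy value still wins. Changes apply to new connections.
    Set-ItemProperty -Path $Listener -Name fDisableCdm  -Type DWord -Value ([int](-not $AllowDriveRedirection))
    Set-ItemProperty -Path $Listener -Name fDisableCam  -Type DWord -Value ([int](-not $AllowAudioRedirection))
    Set-ItemProperty -Path $Listener -Name fDisableClip -Type DWord -Value ([int](-not $AllowClipboard))
    Set-ItemProperty -Path $Listener -Name MaxDisconnectionTime -Type DWord -Value ($DisconnectTimeoutMinutes * 60000)
    if ($SessionDirectoryServer -ne '') {
        # Join the farm: SessionDirectoryLocation names the Session Directory server,
        # SessionDirectoryClusterName the farm name that clients connect to.
        Set-ItemProperty -Path $TsRoot -Name SessionDirectoryActive      -Type DWord  -Value 1
        Set-ItemProperty -Path $TsRoot -Name SessionDirectoryLocation    -Type String -Value $SessionDirectoryServer
        Set-ItemProperty -Path $TsRoot -Name SessionDirectoryClusterName -Type String -Value $ClusterName
    }
}

# Usage: report the effective settings, apply the 10-minute disconnect limit
# with drive and audio mapping off, then report again.
Get-TsSessionPolicy | Format-List
Set-TsSessionPolicy -DisconnectTimeoutMinutes 10 -SessionDirectoryServer 'tssd01' -ClusterName 'tsfarm'
Get-TsSessionPolicy | Format-List
```

The audit function reports where each setting comes from, which matters in practice: an administrator who turns drive mapping off in Terminal Services Configuration and later finds it on again is usually looking at a Group Policy value that overrides the listener.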

Benefits for Improved Management

Windows Server 2003 adds a series of tools and new utilities to improve system management. The tools help network administrators recover from system failures, automate server installations, install software updates and patches from a centralized location, and conduct remote system and server management. These tools and utilities are covered in detail in Chapters 3 and 33.

Automated System Recovery

Automated System Recovery (ASR) is a system recovery function built into Windows Server 2003 that allows a server administrator to rebuild a failed server without reinstalling the operating system or repeating the basic system configuration steps. ASR effectively takes a snapshot of a server, including the operating system, the system configuration, and the disk partition and volume layout (including striped volumes), so that if the server fails, and as long as the replacement hardware is equivalent (same HAL type and disks at least as large as the originals), ASR can return the system to the state it was in before the failure.

When an ASR backup is taken with the Backup utility (ntbackup), ASR records the disk signatures, partition layout and volume configuration in the asr.sif and asrpnp.sif files on the ASR floppy disk, and backs up the boot and system volumes together with the System State. Before ASR, at a minimum, an administrator had to install the hardware, re-create and restripe the volumes, and load the Windows operating system. With ASR, the administrator plugs the drives into the server, boots the Windows Server 2003 installation CD, presses F2 when prompted at the start of Setup, and supplies the ASR floppy and the backup media; Setup re-creates the partitions and volumes on the critical disks, so no manual partitioning or formatting is needed. Note that ASR does not back up or restore data volumes other than those holding the operating system, so application data needs its own backup. ASR is covered in more detail in Chapter 33.

Remote Installation Service for Servers

New to Windows Server 2003 is the ability to deploy server operating systems with Remote Installation Services, commonly called RIS for Servers. RIS for Servers allows an organization to capture an image of a configured server with the RIPrep utility, upload it to a RIS server, and later use it to image a new system over the network. RIS was standard with Windows 2000, but that version supported only the imaging of desktop systems; the Windows Server 2003 version also supports Windows 2000 Server and Windows Server 2003 images.

RIS for Servers can be used a couple of different ways. One way organizations have leveraged RIS for Servers has been to create a clean server image with all of a company's core utilities installed. Every time the organization needs to install a new server, rather than starting from scratch with an installation CD, the organization can deploy the template image from the RIS server. The image can include Service Packs, patches, updates, or other standard setup utilities.

RIS for Servers can also be used as a functional disaster recovery tool. After a server is configured as an application server with the appropriate program files and parameters, such as Exchange, SQL, Terminal Services, or the like, an organization can run the RIPrep utility to capture the application server image to a RIS server. In the event of a system failure, the organization can redeploy the image of the server as it was before the failure. Two limits apply: RIPrep captures only the single partition that holds the operating system, so application data on other volumes must be backed up separately, and a domain controller cannot be imaged with RIPrep. The image is a baseline for rebuilding the server, not a substitute for regular backups.

Note

Creating RIS images for production servers requires planning and testing before relying on the system function for successful disaster recovery. Certain applications require services to be stopped before RIPrep is run. Chapter 33 addresses steps to conduct system server recovery.

RIS for Servers is a versatile tool that helps organizations quickly build new servers or recover from application server failures. Besides being covered in Chapter 33 on disaster recovery, RIS for Servers is also covered in detail in Chapter 3 on new system installation.

Out-of-Band Management

To facilitate the management of a failed server, Windows Server 2003 includes Emergency Management Services (EMS), an Out-of-Band Management function that provides a command-line console over a modem or null modem cable connected to an RS-232 serial port of the server. EMS is enabled in the boot configuration, for example with bootcfg /ems ON /port COM1 /baud 115200 /id 1, after which the Special Administration Console (SAC) is available on that port whenever the kernel is running, and a reduced !SAC console after a system failure. As an example, when previous versions of the Windows operating system failed, commonly known as blue-screened, an administrator needed to work from the console of the server. Normal remote administration tools like Terminal Services do not work when a server is in a system fault state.

From the SAC an administrator can list and kill processes, set the IP address, force a memory (crash) dump, or restart or shut down the server, and can open a command-prompt channel to the running system after logging on with a user name and password. The boot loader menu is redirected to the same port, so the administrator can also boot the server in safe mode and modify system parameters before rebooting it to full operation. Most SAC commands require no authentication beyond access to the serial line, so the modem or terminal concentrator attached to that port must be protected as carefully as physical access to the console.

Extending the Directory Beyond Active Directory

With the Windows 2003 R2 update, Microsoft has added three new directory services to help organizations better expand the way the organization shares information and how users access information managed by Active Directory. These three directory services are Active Directory Federation Services (ADFS), Active Directory in Application Mode (ADAM), and Identity Management for Unix (IdMU). All these directory services are included in the Windows 2003 R2 update and can be added to an existing Windows 2003 Active Directory environment. More information about ADFS, ADAM, and IdMU is covered in Chapters 5 and 8.

Active Directory Federation Services (ADFS)

One of the new directory services in Windows 2003 R2 is Active Directory Federation Services (ADFS). ADFS provides a way for two organizations to share authentication and Web resources across separate Active Directory forests without a forest or external trust. It implements the WS-Federation passive profile for Web browsers: the user's own forest (the account partner) authenticates the user and issues a security token, and the forest hosting the application (the resource partner) accepts the token and maps the claims it contains, such as the user's name, email address or group membership, to access rights. Rather than creating a blind trust between the directories of two or more organizations, the organizations build a federation that specifically identifies which users can use which resources in the other environment.

This resource sharing is managed through digitally signed security tokens (SAML 1.1 assertions) carried over SSL, with granular control on both sides: the administrator of the account partner decides which users and which claims are sent, and the administrator of the resource partner decides what each claim is allowed to do. As an example, one organization may choose a group of eight users who can access a portal in another organization. Rather than adding the eight users to the other organization or creating a blind trust between the two organizations, a federation between the two directories can be created that identifies the eight users in one forest and the portal in the other, and grants the users access to that portal and nothing else.

Because every token issued and accepted is logged on the federation servers, administrators can track resource access and information sharing, which helps auditors and security teams establish who had access to which resources. ADFS is commonly used when two organizations with completely separate directories already exist, or when an organization needs to maintain two or more directories for information distribution. The Windows Server 2003 R2 release of ADFS handles Web applications only (it integrates with IIS through a Web agent); it does not federate file shares or other non-Web resources.

Active Directory in Application Mode (ADAM)

Active Directory in Application Mode (ADAM) is a standalone LDAP directory service, not a subforest of Active Directory: it runs as a service on a member server or even a workstation, has its own schema and its own application partitions, and several independent instances can run on one machine, each listening on its own port. Unlike ADFS, which assumes an organization wants or needs two or more completely independent Active Directory forests, ADAM assumes that the organization needs only one Active Directory for its Windows accounts, but wants application-specific data, and accounts for people who should not be in the domain, held in a separate directory that can still reference Active Directory security principals.

ADAM eliminates the need for organizations to set up completely separate forests for external contractors or vendors or for application development testing, and it avoids adding external contractors and users to the Active Directory, which creates a security concern as non-employees are added into the main organizational directory.

Instead, an organization can create the external user in ADAM, where the user can read and write application data in the ADAM directory without ever becoming a domain account. An existing domain user can also be represented in ADAM by a userProxy object that holds only the account's SID; when such a user binds to ADAM, the password check is redirected to the domain, so no second password is stored. Organizations that must demonstrate separation between employees and non-employees for regulatory compliance, or for separation of security events and services, can show that ADAM is managed and audited separately from the production Active Directory.

Note

Active Directory in Application Mode was a feature pack add-in to Windows 2003. However, with the release of Windows 2003 R2, the Active Directory in Application Mode tool is now included as part of the Windows 2003 R2 update.
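The script below is an added example, not code from the book, showing the two ways of placing a person in ADAM that the section describes: an ADAM-only user for an external contractor, and a userProxy for an existing domain user so that the employee keeps a single password. Everything named in it is an assumption for illustration: an ADAM instance on host adam01 listening on port 50000, an application partition OU=Partners,DC=example,DC=com created when the instance was installed, the MS-User.LDF and MS-UserProxy.LDF schema files already imported with ldifde, a domain-joined machine (needed to resolve the employee's SID), and a caller who is a member of the instance's Administrators role. It uses the ADSI support available in any PowerShell version.

```powershell
# Added example (not from the book): provision an ADAM-only user and a userProxy.
# Host, port, partition and account names are placeholders; see the lead-in.

$AdamHost     = 'adam01'
$AdamPort     = 50000
$AppPartition = 'OU=Partners,DC=example,DC=com'

function Get-AdamEntry([string]$Dn) {
    # Bind to the ADAM instance on its own port; this is not the domain's LDAP.
    return [ADSI]("LDAP://${AdamHost}:${AdamPort}/$Dn")
}

function New-AdamContainer([string]$Name) {
    $parent = Get-AdamEntry $AppPartition
    $ou = $parent.Create('organizationalUnit', "OU=$Name")
    $ou.SetInfo()
    return $ou
}

function New-AdamUser([string]$Ou, [string]$Cn, [string]$Upn, [string]$Password) {
    # A user that exists only in ADAM: no domain account and no domain group
    # membership, so a compromise of this account yields nothing in the forest.
    $parent = Get-AdamEntry "OU=$Ou,$AppPartition"
    $u = $parent.Create('user', "CN=$Cn")
    $u.Put('userPrincipalName', $Upn)
    $u.SetInfo()
    # ADAM rejects password operations over an unencrypted connection unless that
    # was explicitly allowed with dsmgmt; use LDAP over SSL in production.
    $u.Invoke('SetPassword', @($Password))
    # Newly created ADAM users are disabled until this attribute is cleared.
    $u.Put('msDS-UserAccountDisabled', $false)
    $u.SetInfo()
    return $u
}

function New-AdamUserProxy([string]$Ou, [string]$Cn, [string]$DomainAccount) {
    # Bind redirection: ADAM stores only the domain account's SID. When this
    # object binds, ADAM hands the password check to the domain, so no second
    # password is stored and the employee keeps one credential.
    $nt    = New-Object System.Security.Principal.NTAccount($DomainAccount)
    $sid   = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    $parent = Get-AdamEntry "OU=$Ou,$AppPartition"
    $p = $parent.Create('userProxy', "CN=$Cn")
    $p.Put('objectSid', $bytes)
    $p.SetInfo()
    return $p
}

# Usage: one container for a partner company, one ADAM-only contractor account,
# and one proxy for an employee who uses the same application.
New-AdamContainer 'Contoso' | Out-Null
New-AdamUser      'Contoso' 'jsmith'    'jsmith@contoso.example' 'P@ssw0rd-change-me' | Out-Null
New-AdamUserProxy 'Contoso' 'employee1' 'EXAMPLE\employee1' | Out-Null
```

The userProxy is what makes the separation practical: the application authenticates everyone against ADAM, the contractor's password lives only there, and the employee's password never leaves the domain. Simple binds by proxy users carry the password in clear text unless the connection is SSL, so an ADAM instance that uses bind redirection should have a certificate installed before it goes into production.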

Identity Management for Unix (IdMU)

Identity Management for Unix (IdMU) is a Windows 2003 R2 service that provides integration between Active Directory and the Unix Network Information Service (NIS). It extends the Active Directory schema with the RFC 2307 attributes (uidNumber, gidNumber, loginShell and so on), lets a domain controller act as a NIS master or subordinate server (Server for NIS), and includes Password Synchronization, which pushes password changes between Active Directory and Unix hosts running the supplied ssod daemon. Rather than a user logging on to Active Directory and then holding separate security rights on Unix systems managed by NIS, IdMU integrates the two: users in Active Directory can be assigned rights and privileges to Unix-based resources directly, and passwords can be kept in step between the Active Directory and NIS accounts. Password Synchronization relies on a shared secret configured on both sides, which should be protected like any other credential.

This consolidation of resource security and account management functions enhances an organization’s capability to centralize and standardize on access rights, password management, and user privileges.

IdMU is discussed in Chapter 8.

Going Beyond the Basic Features of Windows 2003 with Feature Packs

Microsoft has made a commitment to not ship new features and functions in Service Packs, which have frequently caused applications to stop working after a Service Pack update. Microsoft now provides free downloadable Feature Packs to all licensed Windows 2003 organizations. The Feature Packs can be downloaded at http://www.microsoft.com/windowsserver2003/downloads/featurepacks/default.mspx.

The Feature Packs include add-ons that provide better group policy management, directory synchronization between Active Directory forests, new tools for network administration, and applications for document storage and management.

Group Policy Management Console

One Feature Pack that every organization should download and use is the Group Policy Management Console (GPMC). With group policies being one of the most important administration, security, and management functions in Active Directory, the GPMC provides a better administrator interface and better functionality for Windows Server 2003 policy management. GPMC is a single MMC console that shows every GPO in the forest alongside the sites, domains, and organizational units it is linked to, and adds the functions the Active Directory Users and Computers interface lacked: backing up, restoring, importing and copying GPOs; HTML reports of a GPO's settings; WMI filters; delegation of who may create, edit or link a GPO; and Group Policy Modeling and Group Policy Results (Resultant Set of Policy) for checking what a user or computer would actually receive before and after a change.

Additionally, GPMC exposes a COM scripting interface, with sample scripts, so that routine tasks such as backing up all GPOs or reporting their settings can be automated. GPMC is covered in detail in Chapter 21, "Windows Server 2003 Group Policies."

Software Update Service

Another significant Feature Pack is Software Update Services (SUS), which helps organizations perform routine patch management on Windows 2000 and 2003 servers, as well as Windows 2000 and XP workstations. With previous versions of the Windows operating system, an administrator had to check the Microsoft Windows downloads Web site, scan for updates, download the updates, and then apply them on each server in the network. SUS downloads updates from Microsoft to a central server where an administrator reviews and approves them; a Group Policy setting then points the Automatic Updates client on each server and workstation at the internal SUS server instead of Windows Update, and each client installs only the updates approved on that server.

SUS minimizes the effort needed from IT administrators to keep their servers updated with necessary updates and patches. Anything that simplifies the update process gives an organization a better chance of protecting its servers from known bugs and security flaws. SUS has since been replaced by Windows Server Update Services (WSUS), which adds Office and SQL Server updates among others; the Group Policy approach to pointing clients at the server is the same. Software Update Services is covered in detail in Chapter 22.

Identity Integration Feature Pack

The Identity Integration Feature Pack (IIFP), a limited edition of Microsoft Identity Integration Server (MIIS) 2003, provides directory synchronization between Active Directory forests. For organizations that want to share directory information, such as a company with two forests, each with its own Exchange 2003 organization, IIFP synchronizes user accounts and distribution list information between the forests so that email can flow back and forth between the organizations. IIFP can work between Active Directory 2000 forests, between Active Directory 2003 forests, and between an Active Directory 2000 and an Active Directory 2003 forest. It will also synchronize between Active Directory and ADAM, allowing the flow of objects and attributes to and from the application directory. IIFP is covered in detail in Chapter 8, "Integrating AD with Novell, Unix, and NT4 Directories."

Directory Services Markup Language Services for Windows

Directory Services Markup Language (DSML) Services for Windows exposes Active Directory through DSML version 2, an XML representation of LDAP operations carried in SOAP messages over HTTP or HTTPS and hosted by IIS. This lets XML-based Web applications and non-Windows clients query and update the directory without a native LDAP client, and it has commonly been used for directory lookup and for distributed Web-based administration. Because it is an HTTP front end to the directory, it should be published over SSL with authentication required, and its IIS virtual directory treated like any other directory-facing application. DSML is covered in Chapter 23.

Remote Control Add-on for Active Directory Users and Computers

For administrators who provide remote control support to servers or desktop systems, rather than launching the Remote Desktop Connection tool to perform remote administration, an administrator already in the Active Directory Users and Computers MMC tool can simply right-click on a computer account and have remote access to the remote system. The Remote Control add-on for Active Directory Users and Computers minimizes the number of separate tools that need to be loaded and used by administrators, and simplifies the task of remembering server and system names when the resources are all listed and organized within the Active Directory Users and Computers MMC tool. The Remote Control Add-on for Active Directory Users and Computers is covered in Chapter 28, “Windows Server 2003 Administration Tools for Desktops.”

Services for NetWare 5.03

Microsoft is also including significant tool updates such as Service Packs on the Feature Pack download page. One of the major updates for a Windows Server 2003 tool is version 5.03 for Services for NetWare (SfN). SfN provides integration between Windows 2003 and a Novell NetWare environment. The Service Pack rolls up the latest patches and utility updates into a single update. SfN is covered in Chapter 8.

Windows SharePoint Services

A significant update provided free to all Windows 2003 licensed organizations is the Windows SharePoint Services Feature Pack, which is covered extensively in Chapter 36, "Windows SharePoint Services." Windows SharePoint Services (WSS) is a document-storage and collaboration add-on that gives organizations the capability to manage, organize, and share documents, and gives teams of users a place to collaborate on information. Many believe that WSS could have been sold as a separate product, but Microsoft chose to include it as a free download for Windows 2003, and with Windows Server 2003 R2 the SharePoint Services files are copied onto the server as part of the R2 update.

Windows SharePoint Services is the framework on which SharePoint Portal Server 2003 (SPS) is built: SPS leverages the core functionality of WSS and extends it into enterprise environments with portal sites, enterprise search, and personalization. WSS stores its content in a SQL Server or MSDE database rather than in the file system, which matters for backup and for access control, and it is the basis of document sharing and team communications for organizations moving away from plain file shares.

Windows Rights Management Services

Windows Rights Management Services (RMS) is available for download on the Feature Pack page and gives organizations tools to improve the security of files, documents, and communication between users. RMS lets an author attach usage rights to a document or message (who may read, edit, print, forward or copy it, and until when); the content is encrypted, and the RMS server releases the keys only to the users named in the license, with enforcement done by RMS-aware applications such as Office 2003 and the Rights Management Add-on for Internet Explorer. RMS thus provides a single framework for protected information sharing at the file and message level across email, documents, and other content. It complements rather than replaces file ACLs and mail encryption: the protection holds only as far as the client application enforces it, and nothing stops a recipient who can read the content from photographing the screen or retyping it. Windows Rights Management is covered in Chapter 15, "Security Policies and Security Tools."

Windows System Resource Manager

Windows System Resource Manager (WSRM) was one of the first Feature Packs released by Microsoft, and has been made available for download to help organizations better manage server resources. Rather than letting an application take all the processor time and memory it asks for, WSRM lets administrators define policies that allocate CPU and memory among processes, users, or Terminal Services sessions; it does not manage network bandwidth.

As an example, if an accounting department prints a very large report every quarter, rather than having the report processing take up 90% of the server's CPU for 10 minutes while the report then takes three hours to print, WSRM can be used to cap the report job at perhaps 15% of the processor, so that processing and printing complete in the same three hours without spiking demand on the server. Other uses of WSRM include limiting Terminal server sessions so that a single user cannot consume all the RAM and CPU on a server. This permits more users to work on the terminal server with only moderate performance impact, rather than one user taking up all the server's capacity and affecting everyone on the system. WSRM is covered in detail in Chapter 27.

Extending the Capabilities of Windows 2003 with Downloadable Tools

In addition to Feature Packs, Microsoft has made available new and updated tools that help organizations with migration, administration, maintenance, and management tasks. These tools are freely downloadable to all Windows 2003 licensed organizations at http://www.microsoft.com/windowsserver2003/downloads/default.mspx.

Active Directory Migration Tool v2.0

The Active Directory Migration Tool came with Windows 2000 as a version 1.0 release, and has undergone major renovations since then. ADMT v2.0, which is freely downloadable from the Windows Server 2003 Tools site, enables an organization to migrate user accounts, computer accounts, access control lists (ACLs), and trusts from NT4 or Windows 2000 to a Windows Server 2003 domain. Unlike ADMT v1.0, which migrated user objects but not passwords, ADMT v2.0 can migrate passwords from the source to the destination domain. This requires installing the Password Export Server (PES) service on a domain controller in the source domain, using an encryption key generated by ADMT; passwords are copied in protected form and are never shown to the administrator.

Additionally, ADMT v2.0 can migrate objects between Active Directory forests, more commonly called the cross-forest migration of objects. This capability now allows an organization to set up a brand-new Active Directory forest and migrate objects to the new forest. This can be done when an organization wants to migrate all objects from an old forest to a new forest, or when an organization has a department, subsidiary, or remote location that accidentally created its own Active Directory forest and now wants to blend it into the main organization’s forest. ADMT v2.0 provides a variety of migration options for organizations, and is covered in detail in Chapter 17.

Domain Rename

When migrating from Windows 2000 to Windows Server 2003, many organizations choose to change their domain names in the process. When Windows 2000 first shipped, performing a domain rename was not possible, so this capability has been long awaited by organizations that might have set a domain name that they no longer want (such as a domain named after a television series or for a specific site that does not exist anymore), or whose name changed after a merger or acquisition. Windows Server 2003 enables an organization to rename a domain—both the NetBIOS name, as well as the fully qualified DNS domain name.

Although domain renaming is possible, it is not a simple task because a domain rename affects all domain controllers, servers, and systems attached to the domain. The rename is driven by the rendom.exe utility and requires the forest to be at the Windows Server 2003 forest functional level, which means every domain controller in the forest must already run Windows Server 2003. Effectively, every member computer must be rebooted twice to pick up the new name, and some applications, Exchange 2000 in particular, do not support a renamed domain at all. Although the tool automates much of the process, certain systems might not successfully reconnect to the renamed domain and administrator intervention is required. If an organization has hundreds or thousands of systems connected to a domain, the requirement to change the domain name must be clearly validated before proceeding. The domain rename utility is covered in detail in Chapter 17.

Application Compatibility Tools

Another pair of Windows 2003 tool downloads are the Application Compatibility Analyzer and the Windows Application Compatibility Toolkit. These tools help organizations test applications to confirm compatibility with Windows Server 2003, and to isolate problems with compatibility to either work around the problem or to decide that the application needs to be replaced. These application compatibility tools are covered in Chapter 18, “Compatibility Testing.”

Log Parser Tool

Microsoft provides a pair of log-parsing tools on the Windows 2003 Tools download page, of which Log Parser 2.2 is the more important. Log Parser runs SQL-like queries against event logs, IIS and other text logs, the registry, the file system, and Active Directory, and a single query can read the logs of multiple servers, so an administrator can search for patterns and data without opening and searching each server's log files individually. Results can be written as text, CSV or XML, charted, or loaded into a SQL Server table with the SQL output format.

Although Microsoft has an extensive log-tracking, management, and reporting product that it sells separately as Microsoft Operations Manager, the Log Parser tools are free and provide the basic functionality for log file administration. The Log Parser tools are covered in Chapter 22.
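The script below is an added example, not code from the book, of the kind of cross-server search the section describes, used for a security question: which sources are guessing passwords against which accounts. In the Windows Server 2003 Security log, event 529 is a failed logon with an unknown user name or bad password; Log Parser's EVT input format presents the event's insertion strings in the Strings field separated by a vertical bar, with the user name first and the workstation name sixth. It assumes Log Parser 2.2 with LogParser.exe on the PATH, PowerShell 2.0 (for ConvertFrom-Csv), an account allowed to read the remote Security logs, and the hypothetical server names listed in the script.

```powershell
# Added example (not from the book): hunt for password guessing across several
# servers with Log Parser 2.2. Server names are placeholders.

$Servers   = @('FS01', 'FS02', 'TS01')
$Threshold = 20     # failures from one workstation against one account before we report it
$WindowHrs = 24

function Get-FailedLogonQuery([string]$Server, [string]$Since) {
    # \\server\Security is the remote Security event log. TimeGenerated is local time.
    # Event 529 insertion strings: 0 = user name, 1 = domain, 5 = workstation name.
    @"
SELECT EXTRACT_TOKEN(Strings, 5, '|') AS Workstation,
       EXTRACT_TOKEN(Strings, 0, '|') AS TargetUser,
       COUNT(*) AS Failures,
       MIN(TimeGenerated) AS FirstSeen,
       MAX(TimeGenerated) AS LastSeen
FROM \\$Server\Security
WHERE EventID = 529
  AND TimeGenerated > TIMESTAMP('$Since', 'yyyy-MM-dd hh:mm:ss')
GROUP BY Workstation, TargetUser
HAVING COUNT(*) >= $Threshold
ORDER BY Failures DESC
"@
}

function Find-FailedLogonBursts {
    $since = (Get-Date).AddHours(-$WindowHrs).ToString('yyyy-MM-dd HH:mm:ss')
    foreach ($server in $Servers) {
        # Collapse the query to one line before handing it to LogParser.exe.
        $query = (Get-FailedLogonQuery $server $since) -replace "\r?\n", ' '
        # -i:EVT reads event logs, -o:CSV gives rows PowerShell can parse back,
        # -stats:OFF drops the trailing statistics lines that would break the CSV.
        $rows = & LogParser.exe $query -i:EVT -o:CSV -stats:OFF | ConvertFrom-Csv
        foreach ($row in $rows) {
            $row | Add-Member -MemberType NoteProperty -Name Server -Value $server -PassThru
        }
    }
}

# Usage: one table across all servers, worst offenders first.
Find-FailedLogonBursts |
    Sort-Object { [int]$_.Failures } -Descending |
    Format-Table Server, Workstation, TargetUser, Failures, FirstSeen, LastSeen -AutoSize
```

Two points when adapting this. On a domain controller, a bad password presented through Kerberos is recorded as event 675 (pre-authentication failed) rather than 529, so a sweep of the domain controllers needs EventID = 675 and a different token position. And to keep the rows for later analysis, the same query can be sent straight to a database by replacing the CSV output with -o:SQL -server:SQL01 -database:SecLog -createTable:ON, which is the export the section mentions.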

Microsoft Operations Manager Tools

Although Microsoft Operations Manager (MOM) is a separate Microsoft program that can be purchased to manage and administer Windows servers, the downloadable components on the Windows Server 2003 tools page are the add-on components for MOM for Windows 2003 systems. There are several downloads on the Windows Server 2003 tools page. One download is the Base Management Pack, which has the core monitoring tools for Active Directory, Internet Information Service, Windows networking, and file replication services. Another download is the Microsoft Operations Manager Resource Kit, which has tools that extend the capabilities of MOM including a Server Status Monitor tool (SSM) that enables an organization using MOM to monitor the simple up or down status of a group of servers.

Other MOM tools include the MIIS 2003 Management Pack and the MIIS 2003 Resource Kit, which provide functionality for managing directory replication and integration between Active Directory and other MIIS-managed directories. The Microsoft Operations Manager tools are covered in Chapter 25, “Integrating MOM with Windows Server 2003.”

File Replication Management Tools

Another significant series of tools available for download includes file replication management tools such as sonar.exe and frsdiag.exe, which help administrators validate File Replication Service (FRS) replication between domain controllers. FRS replicates the SYSVOL share, which holds the Group Policy template files (scripts, security settings, administrative template settings) that clients read when policy is applied. If SYSVOL on a domain controller is not replicating, users and computers that happen to authenticate against that domain controller receive stale or incomplete group policies, which can mean that security or administrative settings are silently missing. Directory replication itself, covering the Group Policy container objects, accounts, and the global catalog, is checked with the Support Tools utilities repadmin and replmon rather than with the FRS tools.

By using the file replication management tools from the Windows 2003 Tools page, administrators can validate that replication is occurring as expected, or manually force a replication from within the tools. A quick consistency check is that the version number of each GPO stored in Active Directory matches the version in the GPT.INI file in SYSVOL; gpotool.exe from the Resource Kit performs this comparison on every domain controller. File replication management tools are covered in Chapter 30 as well as in Chapter 21.

Getting to Know Windows 2003 Resource Kit Tools

In addition to Feature Packs and downloadable Windows 2003 Tools that greatly enhance the administration and management of a Windows 2003 network, administrators should understand how the various Windows 2003 Resource Kit tools can provide significant support in daily tasks. Unlike some resource kits from Microsoft that used to require the purchase of the tools, the Windows 2003 Resource Kit tools are freely downloadable from the Windows 2003 Tools page to all licensed Windows 2003 organizations.

This second edition of Windows Server 2003 Unleashed has taken the most significant Windows 2003 Resource Kit tools and noted how the tools are best used in leveraging tasks and functions in a Windows 2003 environment. As an example, Network Access Quarantine Control, built from the Remote Access Quarantine Agent (rqs.exe) on the remote access server and the Remote Access Quarantine Client (rqc.exe) on the VPN client and covered in Chapter 26, keeps a VPN client in a restricted quarantine network until a script running on the client reports that its patch level and virus scanning are acceptable. For a free downloadable tool, this lets an organization set up a sophisticated system for validating that a remote laptop or desktop is clean before it reaches network resources. It is a compliance check rather than a security boundary, though: the verdict comes from a script on the client, so a deliberately hostile client can simply report success. It is meant to catch well-intentioned but out-of-date machines.

Additional Resource Kit tools include Group Policy monitoring and Group Policy editing tools that provide command-line tools for managing Group Policies. Rather than always launching the GPO Edit MMC utility, many tasks can be done from a command-line, making the scripting and batch processing of policy tasks a simpler process. The Group Policy Resource Kit-related tools are covered in Chapter 21.

Several maintenance tools included in the Windows Server 2003 Resource Kit provide replication checks, link checks, clear the memory on servers, provide SMTP DNS diagnostics, check for memory leaks on servers, look for page faults on servers, and the like, and are covered in Chapter 34, “Logging and Debugging.” The tools are typically poorly documented in the Microsoft Resource Kit document; however, the tools are highlighted throughout this book to add better automation to mundane processes, as well as provide the needed administrative support to scripted tasks.

Getting Started with Windows Server 2003

This introductory chapter was intended to highlight the new features, functions, migration tools, and management utilities in Windows Server 2003 that will help administrators take advantage of the capabilities of the new operating system. If Windows Server 2003 is seen as just a simple upgrade to Windows NT4 or Windows 2000, an organization will not benefit from the operating system enhancements. However, when fully leveraged with the capabilities of the Windows Server 2003 operating system, an organization can improve services to its employees through the use of new tools and technologies built into the operating system.

Best Practices

  • To ultimately improve Windows security, tune and optimize Microsoft’s Windows Server 2003 for a secured networking environment.

  • Better manage files and printers through the use of new Windows 2003 R2 tools such as File Server Resource Manager (FSRM) and Print Management Console (PMC).

  • Take advantage of the key standards built into Windows Server 2003, including, but not limited to, IPv6, XML Web services, and IETF Security Standards.

  • Consider using the domain rename utility to rename a domain rather than build the domain from scratch.

  • Migrate user accounts, computer accounts, access control lists (ACLs), and trusts from NT4 or Windows 2000 to a Windows Server 2003 domain using the Active Directory Migration Tool (ADMT) version 2.0.

  • Use Terminal Services in Windows Server 2003 to provide users access to local hard drives as well as to redirect the audio from a centralized Terminal server to a remote system.

  • Use Software Update Service (SUS) to automatically scan and download updates and patches to a centralized server for testing prior to distributing to all servers and client machines.

  • The Group Policy Management Console Feature Pack is a must for all administrators to install and use for their administration of Group Policies in a Windows 2003 environment.

  • Get better directory interoperability with Active Directory Federation Services (ADFS), Active Directory in Application Mode (ADAM), and Identity Management for Unix (IdMU).

  • An administrator should get familiar with all of the Feature Packs and Windows 2003 tools available for download. These tools in many cases update the tools that were included with the original version of Windows 2003, or are completely new tools that provide needed functionality to the tasks of upgrading, updating, administering, and managing a Windows 2003 environment.

  • The Windows 2003 Resource Kit now provides free tools to Windows 2003 administrators that can drastically improve mundane administrative tasks by simplifying management tasks into scripts, command-line queries, or quick lookup views.

  • Combine Group Policy with SUS so that servers are automatically and regularly updated with Service Packs, patches, and security updates.
