Jesse Smith reviews two of the new features of Windows Server 2003 Active Directory 1.1: raising domain functional levels and using saved queries to simplify administrative tasks.
Honestly, I usually ignore the articles on the latest Windows future features … but occasionally I do have a look to see what the Windows world is doing. And it confirms what I have always believed – they are very far behind. Take this example. They make such a huge fuss and “New Feature” out of saved queries, cached authentication, etc.
When I started out in computing 15 years ago, an old boss of mine, who I respect very much – a man of great achievements, told me that Windows admins didn't really understand computers or computing, whereas a Unix developer or admin should know. I guess he's right again.
Saved queries – what about saved shell scripts or custom code that you can keep or modify as you require? Honestly I thought there was some magic in this Windows feature – such as saved pre-optimisation. And there is no mention of that.
I currently work for a large pan-European business ISP. Their external customer-facing systems are Unix. Email for example. Their internal systems are MS based – Exchange for example. The customer-facing systems are simple, well designed and have worked effectively for years. They are easily modifiable and maintainable. The MS systems fail regularly, are not debuggable (not just because it's closed source, but because the Windows paradigms are so bloody impenetrable – patronising), have extremely complex clustered and layered configurations (clusters, layers, trees, domains, migration, my god! … all sponsored by external MS consultants).
All good sysadmins and IT managers and developers will take these “features” with a pinch of salt.
I was in a cafe earlier working, with a friend using a Windows XP laptop. The cafe has wireless. His laptop would not “go on the net”. Seems his DHCP works fine. IP address was shown. Strength was good often. Mess with configs. Mess with reboots. Maybe it was DNS? Or “ipconfig /release” – but this didn't seem to let the IP go. Hassle hassle. My own non-MS laptop works fine “ifconfig down eth0; modprobe ipw2100; dhclient eth2;” and it always works… Later in a non-wireless zone .. his laptop still showed the “Available Networks”, and indeed the same address assigned to the wireless interface. So tell me – how is it intelligent for Windows XP to cache the IP config, not release, and pretend the wireless ESSID was still around when it evidently could not have been? The non-MS laptop of course had no trouble letting go of an IP when I told it to, not lying to me about available wireless networks, and it releases DHCP when I tell it to.
I remain to be convinced that the Windows platform is a good one for large scale computing.
Most of your points are dead-on. Anyone used to Solaris LDAP networks will likely find trying to manage large networks through the “Active Directory Users and Computers” snap-in rather cumbersome. And while OS X's Open Directory is somewhat immature in Panther, I have to say that I prefer OS X's admin tools hands down to those of Windows.
Regardless, Active Directory can’t hold a candle to the power of Solaris networks and what they offer on the server side. One such example is Sieve, which allows mail filtering server side based on records in your account’s LDAP profile.
I remain to be convinced that the Windows platform is a good one for large scale computing.
Perhaps one advantage Windows has with Active Directory is highly granular distributed administration. It’s possible to delegate out administrative authority of the Active Directory tree at a highly granular level.
Of course, the primary advantage of Active Directory is that it brings Unix-like management to Windows networks. While these networks are inherently less reliable than their Unix counterparts, there’s really no way to argue against the software availability on Windows.
Now, if only it were possible to lower the functional level of a domain after raising it. If you want to add a Windows 2000 server to a forest at 2003 native functional level, your only option now is to reinstall the Windows 2000 system with Windows Server 2003 (or reinstall every other system in the 2003 forest).
When I started out in computing 15 years ago, an old boss of mine, who I respect very much – a man of great achievements, told me that Windows admins didn't really understand computers or computing, whereas a Unix developer or admin should know. I guess he's right again.
If by computers you mean the actual hardware workings and by computing you mean using software, the only people I find that really seem to know the nuts and bolts are developers, and I've seen good ones on every platform.
Mess with configs. Mess with reboots. Maybe it was DNS? Or “ipconfig /release” – but this didn't seem to let the IP go. Hassle hassle. My own non-MS laptop works fine “ifconfig down eth0; modprobe ipw2100; dhclient eth2;” and it always works… Later in a non-wireless zone .. his laptop still showed the “Available Networks”, and indeed the same address assigned to the wireless interface. So tell me – how is it intelligent for Windows XP to cache the IP config, not release, and pretend the wireless ESSID was still around when it evidently could not have been?
A couple of things to try, and *gasp* they aren't very hard. From the command line type “ipconfig /flushdns” if you suspect it's a DNS issue. If that fails to do it, go into the network config panel, right-click on the network adapter you don't need and hit “disable” – simple and effective.
Windows keeps track of networks you have connected with and it keeps profiles of them (in case you made custom setting changes for the network, like a WEP config).
Had you paid attention you would have noticed that even though Windows showed the wireless network there was no signal strength. If you saw signal strength then you've got driver issues or the wireless NIC is hosed, dude. The only other thing it could be was an open wireless network nearby with the same SSID.
I do agree that until you understand HOW it does it, wireless networking with Windows can be like a mild acid trip.
Wow, we don't have to be so harsh. I use Windows, it's nice. I tried Linux, it's nice, on the surface.
How can we make Linux easier so that everybody can use it one day?
How can we make Windows easier so that we can actually get work done with it one day?
It is often claimed that Windows is easier – and Linux/Unix is harder. But this is not the view from those who actually work with computer systems – from academic lecturers to developers, from network engineers to even hobbyists. That is what the first poster is also saying.
Honestly, I usually ignore the articles on the latest Windows future features … but occasionally I do have a look to see what the Windows world is doing. And it confirms what I have always believed – they are very far behind. Take this example. They make such a huge fuss and “New Feature” out of saved queries, cached authentication, etc.
Way to be informed. In fact, Windows is much farther ahead in the average corporate environment than any version of UNIX. You have windows clients that people will use and you have Active Directory that supports those clients. There is nothing better. Sorry.
Yay. We have NFS and NIS. What a joke. Only now are Kerberos and OpenLDAP starting to work well together.
Wait, Active Directory is LDAP and Kerberos. Far behind indeed.
When I started out in computing 15 years ago, an old boss of mine, who I respect very much – a man of great achievements, told me that Windows admins didn't really understand computers or computing, whereas a Unix developer or admin should know. I guess he's right again.
No actually he’s not. I’ve seen stupid people on all platforms. I’ve also seen brilliant people on all platforms as well.
Saved queries – what about saved shell scripts or custom code that you can keep or modify as you require? Honestly I thought there was some magic in this Windows feature – such as saved pre-optimisation. And there is no mention of that.
Six of one, half dozen of the other.
FYI, there are LDAP admin utilities that can be used from the command line. You may have overlooked ADSI as well. I suggest you read up on both of those before making asinine comments.
I currently work for a large pan-European business ISP. Their external customer-facing systems are Unix. Email for example. Their internal systems are MS based – Exchange for example. The customer-facing systems are simple, well designed and have worked effectively for years. They are easily modifiable and maintainable. The MS systems fail regularly, are not debuggable (not just because it's closed source, but because the Windows paradigms are so bloody impenetrable – patronising), have extremely complex clustered and layered configurations (clusters, layers, trees, domains, migration, my god! … all sponsored by external MS consultants).
Don't let your irrational hatred of Microsoft get in the way there, buddy. Perhaps your UNIX systems do the job needed better than Microsoft products for your external customers. Obviously your UNIX systems don't do so well internally, otherwise you would be using them. Have you taken a look at UNIX groupware lately? It's a joke.
When you look at it and actually sit down to think about the domain model in Active Directory, it makes a hell of a lot of sense for managing users and computers. There are only 3 complaints I have about it.
1.) The clustering can use some improvement. Look at OpenVMS if you want a good model.
2.) You can’t remove schema objects from Active Directory, only disable them.
3.) You can’t add Access Control Entries for Organizational Units.
All good sysadmins and IT managers and developers will take these “features” with a pinch of salt.
It’s fairly obvious that you are blinded by your irrational hatred for all things Microsoft.
I was in a cafe earlier working, with a friend using a Windows XP laptop. The cafe has wireless. His laptop would not “go on the net”.
Sounds like a well-defined issue. @_@.
Seems his DHCP works fine. IP address was shown. Strength was good often. Mess with configs. Mess with reboots. Maybe it was DNS? Or “ipconfig /release” – but this didn't seem to let the IP go. Hassle hassle. My own non-MS laptop works fine “ifconfig down eth0; modprobe ipw2100; dhclient eth2;” and it always works… Later in a non-wireless zone .. his laptop still showed the “Available Networks”, and indeed the same address assigned to the wireless interface. So tell me – how is it intelligent for Windows XP to cache the IP config, not release, and pretend the wireless ESSID was still around when it evidently could not have been? The non-MS laptop of course had no trouble letting go of an IP when I told it to, not lying to me about available wireless networks, and it releases DHCP when I tell it to.
I would be careful not to confuse your own ineptness with a problem of the operating system.
I remain to be convinced that the Windows platform is a good one for large scale computing.
I remain to be convinced of your ability to support that assertion.
What you don't seem to understand is that Windows is not UNIX. You can't apply UNIX solutions to Windows. It just doesn't work that way.
Right now, UNIX has its place and Windows has its place, and to compare either in the same realm is foolish.
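The “saved queries” the first poster is puzzled by and the command-line LDAP tools and ADSI this reply points to come down to the same thing: an LDAP search filter that the console stores for you. The block below is an added example, not code from the article or from anyone in this thread. It builds the filters behind a few common saved queries (disabled accounts, never-expiring passwords, accounts that skip Kerberos pre-authentication) using the AD bitwise-AND matching rule on userAccountControl, then runs them against a constructed set of directory entries with a small filter interpreter. The entries, the account names and the interpreter are assumptions for the demo; the flag values and matching-rule OIDs are the documented Windows ones, and the filter strings work unchanged with dsquery * or ldapsearch.

```python
"""ADU&C saved queries are stored LDAP search filters.  Added example (not from
the article or the thread): build the filters behind a few common saved queries
and evaluate them against constructed entries with a small filter interpreter.
Flag values are the userAccountControl bits from the Windows SDK; the OIDs are
the AD bitwise-AND / bitwise-OR extensible matching rules."""

UF_ACCOUNTDISABLE       = 0x000002
UF_PASSWD_NOTREQD       = 0x000020
UF_NORMAL_ACCOUNT       = 0x000200
UF_WORKSTATION_TRUST    = 0x001000
UF_DONT_EXPIRE_PASSWD   = 0x010000
UF_DONT_REQUIRE_PREAUTH = 0x400000

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR  = "1.2.840.113556.1.4.804"


def bit_and(attr, mask):
    """Extensible-match clause: true when every bit in mask is set in attr."""
    return f"({attr}:{LDAP_MATCHING_RULE_BIT_AND}:={mask})"


# objectCategory=person keeps computer accounts (which are also objectClass=user) out.
USER = "(objectCategory=person)(objectClass=user)"

SAVED_QUERIES = {
    "disabled accounts":       f"(&{USER}{bit_and('userAccountControl', UF_ACCOUNTDISABLE)})",
    "password never expires":  f"(&{USER}{bit_and('userAccountControl', UF_DONT_EXPIRE_PASSWD)})",
    "password not required":   f"(&{USER}{bit_and('userAccountControl', UF_PASSWD_NOTREQD)})",
    "no Kerberos preauth":     f"(&{USER}{bit_and('userAccountControl', UF_DONT_REQUIRE_PREAUTH)})",
    # composite: enabled accounts whose password never expires (the usual service-account audit)
    "enabled, never-expiring": f"(&{USER}(!{bit_and('userAccountControl', UF_ACCOUNTDISABLE)})"
                               f"{bit_and('userAccountControl', UF_DONT_EXPIRE_PASSWD)})",
}


def parse_filter(s, i=0):
    """Recursive-descent parser for the RFC 2254 subset used above: (&..) (|..) (!..),
    (attr=value), (attr=*) and (attr:OID:=value).  Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)
    lhs, value = s[i:eq], s[eq + 1:close]
    if ":" in lhs:                                   # attr:rule-OID:=value
        attr, rule, _ = lhs.split(":")
        return ("bit", attr, rule, int(value)), close + 1
    return ("eq", lhs, value), close + 1


def evaluate(node, entry):
    """entry: dict of lower-cased attribute name -> list of values.
    Simplification: an absent attribute is treated as a non-match (RFC 4511 calls it Undefined)."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(n, entry) for n in node[1])
    if kind == "|":
        return any(evaluate(n, entry) for n in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    values = entry.get(node[1].lower())
    if values is None:
        return False
    if kind == "eq":
        want = node[2]
        return want == "*" or any(str(v).lower() == want.lower() for v in values)
    rule, mask, have = node[2], node[3], int(values[0])
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return (have & mask) == mask
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return (have & mask) != 0
    raise ValueError(f"unsupported matching rule {rule}")


def _account(sam, uac, category="person", classes=("top", "person", "organizationalPerson", "user")):
    """Constructed entry.  Real objectCategory values are DNs; the lDAPDisplayName
    form used in filters is what the toy stores."""
    return {"samaccountname": [sam], "objectcategory": [category],
            "objectclass": list(classes), "useraccountcontrol": [uac]}


SAMPLE_ENTRIES = [                                                                   # constructed data
    _account("alice",      UF_NORMAL_ACCOUNT),                                             # 512
    _account("bob",        UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),                         # 514
    _account("svc-backup", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),                     # 66048
    _account("old-svc",    UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD), # 66050
    _account("legacy-app", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),                   # 4194816
    _account("FILESRV01$", UF_WORKSTATION_TRUST | UF_ACCOUNTDISABLE, category="computer",
             classes=("top", "person", "organizationalPerson", "user", "computer")),       # disabled computer
]


def run_saved_query(name, entries=SAMPLE_ENTRIES):
    """Return the sAMAccountNames a saved query would list, sorted."""
    flt = SAVED_QUERIES[name]
    tree, end = parse_filter(flt)
    if end != len(flt):
        raise ValueError("trailing text after filter")
    return sorted(e["samaccountname"][0] for e in entries if evaluate(tree, e))


if __name__ == "__main__":
    for name in SAVED_QUERIES:
        print(f"{name:24} {SAVED_QUERIES[name]}")
        print(f"{'':24} -> {run_saved_query(name)}")
```

The point for an admin is that the console is storing nothing you could not keep in a script: the filter text is the whole "saved query", and the same string fed to dsquery * or an ADSI search returns the same set. The composite "enabled, never-expiring" filter is also the kind of query worth running regularly, since it lists the accounts whose passwords are exempt from the domain's expiry policy.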
Most of your points are dead-on. Anyone used to Solaris LDAP networks will likely find trying to manage large networks through the “Active Directory Users and Computers” snap-in rather cumbersome. And while OS X's Open Directory is somewhat immature in Panther, I have to say that I prefer OS X's admin tools hands down to those of Windows.
Then don’t use ADU&C. Use the command line tools or write your own with ADSI.
Regardless, Active Directory can’t hold a candle to the power of Solaris networks and what they offer on the server side.
That's funny. Save eDirectory, Active Directory is the next best LDAP directory. If you factor in the lack of Kerberos in anything else, nothing holds a candle to AD.
Microsoft does do things right when they are being threatened (i.e. Novell NetWare).
One such example is Sieve, which allows mail filtering server side based on records in your account’s LDAP profile.
That's not specific to anything. Cyrus IMAP has timsieved and most other enterprise mail systems have Sieve with lookups for LDAP, or can be made to do that.
I remain to be convinced that the Windows platform is a good one for large scale computing.
Perhaps one advantage Windows has with Active Directory is highly granular distributed administration. It’s possible to delegate out administrative authority of the Active Directory tree at a highly granular level.
Yes, but it also makes it that much more complicated.
Of course, the primary advantage of Active Directory is that it brings Unix-like management to Windows networks. While these networks are inherently less reliable than their Unix counterparts, there’s really no way to argue against the software availability on Windows.
They aren't inherently less reliable. They /are/ less reliable. However, I don't see how it brings UNIX-like management to Windows networks; perhaps you could clarify?
Now, if only it were possible to lower the functional level of a domain after raising it. If you want to add a Windows 2000 server to a forest at 2003 native functional level, your only option now is to reinstall the Windows 2000 system with Windows Server 2003 (or reinstall every other system in the 2003 forest)
What sense would that make? If you go up a version, some features start getting used. You can't just turn them off and expect everything to work correctly. That restriction is there for a reason. The documentation makes very sure that you know what you're doing before changing that option.
Way to be informed. In fact, Windows is much farther ahead in the average corporate environment than any version of UNIX.
Including Solaris? Solaris had AD-like kerberized LDAP environments back in the days of NT4.0.
[quote]You have windows clients that people will use and you have Active Directory that supports those clients. There is nothing better. Sorry.[/quote]
[quote]Yay. We have NFS and NIS.[/quote]
And kerberized LDAP environments which Microsoft copied when NDIS was failing? You're mentioning two technologies invented in the '80s, one of which Microsoft didn't copy until several years later and which is still arguably superior to SMB/CIFS in many ways (such as static mounts that dynamically retry on access failure). Solaris's cachefs did what Microsoft has been trying to do with “Offline Files” years before Microsoft copied it, and poorly at that.
[quote]What a Joke. Only now is Kerberos and OpenLDAP starting to work well together.[/quote]
So you start by talking about “any version of UNIX” (implying commercial UNIX as opposed to open source alternatives) then talk about OpenLDAP, an open source implementation of a technology that Sun largely pioneered.
[quote]Wait, Active directory is LDAP and Kerberos. Far behind indeed.[/quote]
Yes, Microsoft copied (and modified to be proprietary) two open standards pioneered in the *IX world.
I see no definitive arguments of what makes Active Directory superior to Unix environments, namely the Sun Directory Server and Solaris LDAP environments of which you seem to be thoroughly unaware. Solaris has been providing AD-like environments since a half decade before Microsoft even introduced AD, in a method substantially more streamlined than the ridiculous number of legacy groupings provided by Active Directory, which has three types of groups (Global, Domain Local, Universal) which merely provide access controls that should be configurable properties of a single type of group. This style of structuring (Microsoft expects you, for example, to use a chain of Global, Universal, and Domain Local groups) makes Active Directory rather messy. The locations of various objects within the tree are also somewhat nonsensical and messy.
The granular administrative delegation which I was lauding before is, unfortunately, a side effect of the complexity of managing messy AD trees (and I'm yet to see a large one that isn't an incomprehensible mess). Because it becomes so difficult to manage AD trees, administration needs to be farmed out to a number of “monkey” admins in large enterprises, as the administrative tasks which could be accomplished by a handful of skilled Solaris admins in a large enterprise environment overwhelm Windows administrators to the point that the micromanagement must be delegated. Certainly this would be a nice feature to have in Solaris environments, but in AD it's a necessity due to the difficulty of large-scale enterprise management, which I would say is an inherent symptom of the overengineering that went into AD.
To insinuate that Microsoft did anything but copy Unix LDAP environments when they made AD, most notably when compared to Solaris LDAP environments, is simply naive…
Yikes, looks like we both fail at formatting our replies, or perhaps the comments system here should support a few more UBB tags and have a better preview feature.
Then don’t use ADU&C. Use the command line tools or write your own with ADSI.
Not to beat a dead horse, but the CLI environment in Windows is a bit, shall we say, inelegant? And using the CLI tools certainly wouldn’t be an improvement over mmc snap-ins for the majority of tasks. However, there are simply better tools available for other platforms, most notably OS X’s which provide the full power of the CLI environment in their GUI tools.
That’s funny. Save eDirectory, Active Directory is the Next best LDAP directory.
Interesting opinion. I will continue to hold that the Sun Directory Server, nearly a half decade more mature than AD, is superior.
If you factor in lack of Kerberos in anything else, nothing holds a candle to AD.
Psst, Sun had complete Kerberos integration when NT4.0 was stuck with NTLM.
That’s not specific to anything. Cyrus-IMAP has timsieved and most other enterprise mail systems have sieve with lookups for LDAP. Or can be made to do that.
And as for the Windows environments which you’re touting as completely superior to anything in the Unix world? How do I make Exchange filter my mail with rules in my LDAP profile?
What sense would that make? If you go up a version and some features start getting used. You can’t just turn them off and expect everything to work correctly.
Correct, any functionality configured to take advantage of new features would be lost, however what are you expected to do when you want to combine a Windows 2000 AD tree with a 2003 AD tree? Your only option is to dole out tens of thousands of dollars to upgrade all the Windows 2000 servers to Windows Server 2003. Some of us would like an alternative that doesn’t cost tens of thousands of dollars.
Including Solaris? Solaris had AD-like kerberized LDAP environments back in the days of NT4.0.
AFAIK, you still had to create the user account in both places.
And kerberized LDAP environments which Microsoft copied when NDIS was failing?
NDS is not kerberized.
You’re mentioning two technologies invented in the ’80s, one of which Microsoft didn’t copy until several years later and is still arguably superior to SMB/CIFS in many ways (such as static mounts that dynamically retry on access failure).
Windows does that with remote shares. Samba is the one that won’t do it as far as I know. Hell, Samba can’t even resolve DFS links either.
Solaris’s cachefs does what Microsoft has been trying to do with “Offline Files” years before Microsoft copied it, and poorly at that.
Everyone copies everyone. I’d not worry about it.
So you start by talking about “any version of UNIX” (implying commercial UNIX as opposed to open source alternatives) then talk about OpenLDAP, an open source implementation of a technology that Sun largely pioneered.
No. LDAP was developed at the University of Michigan and later licensed by Sun in 1997 to create its Directory Server.
Yes, Microsoft copied (and modified to be proprietary) two open standards pioneered in the *IX world.
The Kerberos and LDAP that are in Active Directory are not incompatible with the spec. The part people seem to be up in arms about is the Kerberos ticket storing group memberships. What people fail to realize is that that field was designated vendor-specific.
I see no definitive arguments of what makes Active Directory superior to Unix environments, namely the Sun Directory Server and Solaris LDAP environments of which you seem to be thorougly unaware.
I am not wholly unaware. I just haven’t done much work with Solaris at all. I sit mostly on OpenVMS, Windows, and Tru64 all day.
Solaris has been providing AD-like environments since a half decade before Microsoft even introduced AD, in a method substantially more streamlined than the ridiculous number of legacy groupings provided by Active Directory, which has three types of groups (Global, Domain Local, Universal) which merely provide access controls that should be configurable properties of a single type of groups.
Each group serves a specific purpose, and if you want to get down to the actual attributes, each group type is only an attribute called groupType which is a bit string.
I guess you mean that you should be able to set each group's visibility properties and group constituent types? Maybe, but the way replication and trusts work, that'd be very difficult to implement with not a whole lot of benefit.
This style of structuring (Microsoft expect you, for example, to use a chain of Global, Universal, and Domain Local groups) makes Active Directory rather messy. The locations of various objects within the tree is also somewhat non-sensical and messy.
I can see why you’d think it’s messy, but it makes sense when you have large amounts of resources, groups, users, and domains.
In a well-designed domain (perfect world), you should have no need for Universal groups at all.
The granular administrative delegation which I was lauding before is, unfortunately, a side effect of the complexity of managing messy AD trees (and I’m yet to see a large one that isn’t an incomprehensible mess).
They’re usually built up at different times by different skill levels of administrators which causes this mess. Nothing inherent to AD itself.
Because it becomes so difficult to manage AD trees, administration needs to be farmed out to a number of “monkey” admins in large enterprises as the administrative tasks which could be accomplished by a handful of skilled Solaris admins in a large enterprise environment overwhelm Windows administrators to the point that the micromanagement must be delegated.
I don’t buy this. A handful of skilled administrators could run their domain just as well as a handful of Solaris admins. I bet if the Solaris admins aren’t as skilled, you’d have to farm out the duties to monkey admins. Wait, could you even do this?
Certainly this would be a nice feature to have in Solaris environments, but in AD it’s a necessity due to the difficulty of large-scale enterprise management, which I would say is an inherent symptom of the overenginering that went into AD.
I wouldn’t say it’s a necessity. The market is currently flooded with retards that think they know what they’re doing, but it doesn’t reflect on the ability of AD itself.
To incinuate that Microsoft did anything but copy Unix LDAP environments when the made AD, most notably when compared to Solaris LDAP environments, is simply naive…
AD is a copy of NDS. I can't even find the release date of NetWare 4 (when they used LDAP instead of the Bindery) but it looks to be well before Sun licensed the LDAP code. Please correct me if I'm wrong, I'm willing to be incorrect.
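The claim above that the three group scopes are "only an attribute called groupType which is a bit string", and the earlier complaint about having to chain Global, Universal and Domain Local groups, are both easy to check in code. The block below is an added example, not code from the article or from anyone in this thread. It decodes groupType the way it comes back over LDAP (a signed 32-bit integer, so security groups read as negative numbers) and validates a membership chain against the native-mode nesting rules for the three scopes. The forest, domain names and group names are constructed for the demo; the GROUP_TYPE_* bit values and the nesting rules are the documented Windows Server 2003 ones.

```python
"""groupType is a single bit-flag attribute.  Added example (not from the thread):
decode it, then check an AGDLP nesting chain against the native-mode nesting rules.
Flag values are the GROUP_TYPE_* constants from the Windows SDK."""

GROUP_TYPE_BUILTIN_LOCAL    = 0x00000001
GROUP_TYPE_ACCOUNT_GROUP    = 0x00000002   # "global" in the ADU&C UI
GROUP_TYPE_RESOURCE_GROUP   = 0x00000004   # "domain local"
GROUP_TYPE_UNIVERSAL_GROUP  = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000   # clear = distribution group

_SCOPES = {GROUP_TYPE_ACCOUNT_GROUP: "global",
           GROUP_TYPE_RESOURCE_GROUP: "domain local",
           GROUP_TYPE_UNIVERSAL_GROUP: "universal",
           GROUP_TYPE_BUILTIN_LOCAL: "builtin local"}


def decode_group_type(value):
    """LDAP returns groupType as a signed 32-bit integer, so every security group
    is negative (global security = -2147483646).  Mask to 32 bits, then read the
    single scope bit and the security-enabled bit."""
    bits = int(value) & 0xFFFFFFFF
    scopes = [name for bit, name in _SCOPES.items() if bits & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {bits:#x} sets {len(scopes)} scope bits")
    kind = "security" if bits & GROUP_TYPE_SECURITY_ENABLED else "distribution"
    return scopes[0], kind


def nesting_allowed(member, group):
    """Native-mode rule for adding `member` to `group`.  Both are dicts with 'name'
    and 'domain'; groups also carry 'scope', users/computers have scope None.
    (In Windows 2000 mixed mode, which a 2000 DC forces, universal security groups
    and global-in-global / domain-local-in-domain-local nesting are unavailable.)
    Returns (ok, reason)."""
    same_domain = member["domain"] == group["domain"]
    m_scope, g_scope = member.get("scope"), group["scope"]
    if g_scope == "global":
        if not same_domain:
            return False, "global groups only take members from their own domain"
        if m_scope not in (None, "global"):
            return False, f"global groups cannot contain {m_scope} groups"
        return True, "ok"
    if g_scope == "universal":
        if m_scope in (None, "global", "universal"):
            return True, "ok"
        return False, "universal groups cannot contain domain local groups"
    if g_scope == "domain local":
        if m_scope in (None, "global", "universal"):
            return True, "ok"
        if m_scope == "domain local" and same_domain:
            return True, "ok"
        return False, "domain local groups only nest domain local groups from their own domain"
    return False, f"unsupported target scope {g_scope}"


def check_chain(chain):
    """Walk [principal, group, group, ...] and report each hop as (member, group, ok, reason)."""
    return [(m["name"], g["name"], *nesting_allowed(m, g)) for m, g in zip(chain, chain[1:])]


def _group(name, domain, group_type):
    scope, kind = decode_group_type(group_type)
    return {"name": name, "domain": domain, "scope": scope, "kind": kind}


# Constructed two-domain forest: "corp" and its child "sales".
ALICE     = {"name": "alice", "domain": "corp", "scope": None}
G_FINANCE = _group("G-Finance",          "corp",  -2147483646)   # 0x80000002 global security
U_FINANCE = _group("U-Finance-All",      "corp",  -2147483640)   # 0x80000008 universal security
DL_SHARE  = _group("DL-FinanceShare-RW", "sales", -2147483644)   # 0x80000004 domain local security
DL_PRINT  = _group("DL-Printers",        "sales", -2147483644)
G_SALES   = _group("G-Sales",            "sales", -2147483646)

# The chain the thread calls messy (A-G-U-DL) and the shorter one the reply prefers (A-G-DL).
AGUDLP_CHAIN = [ALICE, G_FINANCE, U_FINANCE, DL_SHARE]
AGDLP_CHAIN  = [ALICE, G_FINANCE, DL_SHARE]


def chain_is_valid(chain):
    return all(ok for _, _, ok, _ in check_chain(chain))


if __name__ == "__main__":
    for g in (G_FINANCE, U_FINANCE, DL_SHARE):
        print(f"{g['name']:22} {g['scope']:13} {g['kind']}")
    for hop in check_chain(AGUDLP_CHAIN):
        print(hop)
    print("A-G-DL only:", chain_is_valid(AGDLP_CHAIN))
```

Two things fall out of running it. First, the "three types" really are one integer with one scope bit and one security bit, so a script can classify every group in a domain from a single attribute fetch. Second, the Universal hop in the A-G-U-DL chain is optional: A-G-DL validates on its own, which is the "no need for Universal groups" point made above, and the Universal scope only earns its place when a domain local group in one domain must grant access to global groups from several domains.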
“Way to be informed. In fact, Windows is much farther ahead in the average corporate environment than any version of UNIX”
They've more or less the same issues IMHO. It's just a matter of design, and NT doesn't seem too different from modern Unixes at the end of the day (filesystems, processes/threads, multiuser, services on top of a TCP/IP stack). Well-designed operating systems like Plan 9 look much better than both alternatives for networks.
They have saved queries now. Honestly, it is 2004; should this be exciting?
That was a pretty good debate about Win2k3 and Solaris, and it made me think about the deal MS and Sun made months back. I think since the topic has moved in this direction that in return for MS's sharing of Win2k3 bits with Sun, Sun also is cross-licensing/sharing its Solaris bits. I'm sure MS knows what parts it needs in order to make Win2k an even better server platform in the future and is using this deal to bring over the parts in which Solaris is better on the network to Windows, and this in the end is better for everyone in my opinion.
Sun wants its OS/networks to work better with Windows networks and MS wants whatever will help its server OS work better. It's a classic business deal and helps both out.
In time both will probably be good in whatever open standards they both support, leaving the competition to fall on whichever is more reliable, cost effective, easier to deploy and whatever proprietary technologies they develop which are closed off.
In the end any good sysadmin can make any OS do what they want if they just know how to do it right.