As you'll discover throughout this chapter, Windows Server 2003 is somewhat like a bride at a wedding, wearing something old, something new, something borrowed, and something blue.
First, let's examine the old. Some functionality in Windows Server 2003 remains unchanged from NT Server 4 and Windows 2000 Server. For example, the Control Panel still exists, albeit with fewer applets on display than NT Server 4's control panel because some functionality formerly in the Control Panel has moved elsewhere in Windows Server 2003. After you find the new homes for this functionality, you'll see that a number of other functions are performed exactly as in NT Server 4. For example, you no longer access the Open Database Connectivity (ODBC) interface through the Control Panel. Instead, you start the applet through the Administrative Tools menu. For all this change, however, the ODBC interface itself is exactly the same in Windows 2003 as in Windows NT. In addition, you still manage the Windows Server 2003 desktop environment in pretty much the same way as with NT Server 4. More on this comes in the 'What Hasn't Changed in Windows Server 2003?' section later in this chapter.
Very little in Windows Server 2003 is really new. What is new is the code that implements this massive operating system, and the mixture of old and borrowed functionality to create an exciting operating system with much greater capability and capacity than Windows NT Server and important improvements over Windows 2000 Server.
Microsoft borrowed heavily from Unix and from itself in creating Windows 2000 Server, and these changes are carried over into Windows Server 2003. From Unix came such things as the integration of the DNS into the Windows Server 2003 operating system. From the Unix world (if not exactly from Unix), Microsoft borrowed the Kerberos authentication system to beef up Windows Server security. From Banyan's Vines and Novell's NetWare, as well as one of my favorite products, Exchange Server 5.5, Microsoft borrowed the components upon which it built the very core of Windows Server 2003, Active Directory. If you know Exchange 5.5's directory service, you'll find that Windows Server 2003's Active Directory offers few surprises. Given this borrowing, you shouldn't be surprised to learn that certain queries against Active Directory are done using the LDAP protocol, which was used to query the Exchange 5.5 directory service. Also borrowed from Exchange 5.5 are sites and folder replication. Sites enable you to effectively link network segments over high- or low-bandwidth networks. Folder replication, in league with site links, lets users locally access network-based files, no matter how low the bandwidth is connecting their network to the rest of the network.
Finally comes something blue. I'm glad this one comes last because I have sort of a lame joke to tell here. It goes like this: As you know, Windows Server 2000/2003 are based on NT Server, and NT Server is based on OS/2 (remember that one?). OS/2 was developed jointly by Microsoft and IBM and then was taken over by IBM. Of course, IBM has long been referred to as, drum roll, Big Blue. Yeah, I know.
All joking aside, despite being based mostly in old and borrowed technologies, Windows Server 2003 is a very different beast than Windows NT Server. Let's take a look at some of Windows Server 2003's features. Then we'll spend a little time on what hasn't changed since Windows NT Server 4.
Active Directory and Security
I could write a whole book on Windows 2003 Active Directory and security. I'll discuss them in much more detail in Chapter 3, 'Two Key Architectural Components of Windows Server 2003'; Chapter 6, 'Upgrading to Windows Server 2003 and Exchange Server 2003'; Chapter 7, 'Installing Windows Server 2003 as a Domain Controller'; Chapter 8, 'Installing Exchange Server 2003'; Chapter 11, 'Managing Exchange Users, Distribution Groups, and Contacts'; Chapter 16, 'Advanced Exchange Server Administration and Management'; and Chapter 18, 'Exchange Server System Security.' For now, let me give you a quick overview.
Active Directory is a grand repository for information about such entities as users, domains, computers, domain controllers, shared resources (such as files and printers), and security. Active Directory lets you log into very large domains and use resources across the domain with ease. All objects in Active Directory are protected by a security system based on Kerberos, an industry-standard secret-key encryption network authentication protocol developed at the Massachusetts Institute of Technology. (For more on Kerberos, see http://web.mit.edu/kerberos/www.) Windows Server 2003 controls who can see each object in Active Directory, what attributes each user can see, and what actions a user can perform on an object. The Windows 2003 permissions model is richer and more complex under the hood than NT's, but it's quite easy to manage at the user interface level. Windows 2003 group policies are also a significant improvement over NT 4's policies: For example, they enable you to set a range of policies for users and computers, determine what software can be installed on a computer, and tie the application of specific policies to Windows 2003 security groups. Figure 2.2 shows the Properties dialog box for my Windows 2003 user account with the three major tools (Microsoft Management Console snap-ins) for Active Directory management: Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.
Figure 2.2: The three major tools for managing Windows Server 2003 Active Directory plus the Properties dialog box for a Windows 2003 user
What's neat about the Windows 2003 User Properties dialog box is that it brings together functionality in the Windows NT 4 User Manager for Domains (the Account, Profile, and Terminal Services tabs, for example) and the Exchange 5.5 Administrator (the Exchange General and E-mail Addresses tabs, for example). In fact, if you know Exchange 5.5, a lot of what you see in Active Directory should be quite familiar. The Properties dialog box in Figure 2.2 has a lot of the qualities of the Exchange 5.5 recipient mailbox Properties dialog box (see Figure 2.3).
Figure 2.3: Similarities exist between the Properties dialog box for a Windows 2003 user account and the Exchange 5.5 Mailbox Properties dialog box.
Exchange 5.5 users will also find the Active Directory Sites and Services snap-in familiar, at least the Sites part. Sites were used in Exchange 5.5 to integrate networks connected by slower non-LAN networking technologies into the overall Exchange environment. They ensure that continuous, high-speed connections aren't required for networks in the same organization to remain connected. Well, Microsoft has moved this sites technology from Exchange to Windows Server 2003. Microsoft implemented sites in Windows Server 2003 to make it possible to build large, single-domain Windows networks even if some segments of those networks were connected by relatively slow wide-area links. Servers can share Active Directory information
we'll revisit many times in this book.
Note All of this Windows Server 2003 site stuff doesn't let Exchange Server 2003 managers off the hook. They'll still need to set up routing groups, the equivalent of Exchange 5.5 sites, and implement Exchange Server 2003 connectors between routing groups.
Let's take a quick look at Active Directory from the user's point of view. Figure 2.4 illustrates the process of browsing available resources using Windows 2003's Add Printer and Find People tools. I can look for a networked printer using the traditional network browsing technique or I can find a printer in Active Directory. I can also search for a user in Active Directory. Double−clicking the user's name brings up a dialog box with a good deal of additional Active Directory information about the person.
Figure 2.4: End users can find resources and people in Active Directory.
Windows Server 2003: E-Mail Not Included
With one exception, e-mail services are not built into the Windows Server 2003 product line. The e-mail-related stuff that we just looked at in Active Directory doesn't exist until you install Exchange Server 2003 in a Windows 2003 domain. Unlike the Unix operating system, which comes with a working, if primitive, electronic messaging capability, Windows Server 2003 is almost mail-less without Exchange 2003. Well, maybe that's a bit of an overstatement. Although SMTP mail send and receive services do come with Windows 2003, standard Exchange mailbox services and POP3 and IMAP4 messaging servers are available only after Exchange 2003 is installed in a domain. Why does Windows 2003 have basic SMTP services? Windows 2003 uses SMTP for a good deal of its own systems-level communications.
How about third−party alternatives to Exchange Server 2003 for Windows Server 2003? There appear to be no technical barriers to third parties building their own fully functional messaging systems for Windows Server 2003 that use Windows Server 2003's basic SMTP services.
Internet Protocols
Windows 2000 Server introduced new functionality for the DNS and it gave a key role to the LDAP protocol. These changes remain in Windows Server 2003. Old Exchange Server 5.5 hands should know both of these intimately. Just as the concepts behind Active Directory were borrowed from Exchange 5.5, Microsoft also borrowed heavily from its implementation of LDAP in Exchange Server 5.5.
Domain Name System
NT 4 could get along quite well without DNS. You installed DNS mainly to locally support Internet name resolution, the conversion of external computer names to IP addresses, and vice versa. Although you could use DNS for local name resolution, it was usually done using NetBEUI or the Windows Internet Name Service (WINS), which resolves Microsoft NetBIOS workstation names to IP addresses.
Windows Server 2003 Active Directory can't run without DNS. As do Unix systems, Windows Server 2003 uses DNS to resolve internal as well as external computer names to IP addresses, and vice versa. Windows Server 2003 supports native NetBEUI networking, but mainly for migration from NT 4 to Windows 2003. WINS is still supported on Windows Server 2003, but only for legacy NT and other operating systems. The goal in a pure Windows Server 2003 network is for all name resolution services to be done by DNS. Put in other terms, to find the IP address of a computer on a Windows Server 2003 network, a computer should query a Windows Server 2003 running DNS.
These concepts are pretty easy to understand. However, you might scratch your head more than once trying to figure out why a Windows Server 2003 computer can't talk to an NT 4 computer on your network. The reason is very likely that you never installed NetBEUI on the Windows Server 2003. How do I know this? I've just about scratched off all the hair on the left side of my head.
A great feature of Windows Server 2003 DNS is that it can run in dynamic mode. In this mode, you can use the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to computers on your network and still have the more or less randomly assigned address correctly associated with the appropriate workstation name in the DNS.
Lightweight Directory Access Protocol
The LDAP was used in Exchange 5.5 to access information in the Exchange directory. That's also exactly what it's used for in Windows Server 2003, except that the target is Active Directory, not the no-longer-existent Exchange directory. Security willing, you can still search for e-mail addresses using an LDAP-compliant client. But, with Windows Server 2003/Exchange Server 2003, you're searching Windows Server 2003's Active Directory, not the Exchange directory. In fact, the search for Barry Gerber that I did in Figure 2.4 (shown earlier) used LDAP.
Note LDAP names use the X.500 format. The native Exchange Server address of a mailbox, for example, is in X.500 format (c = US; a = ; p = bgerber; o = LA; s = Gerber; g = Barry). Active Directory also supports Internet RFC 822 names ([email protected]), HTTP (Web) URL names (http://bgerber.com), and Microsoft UNC names (\\server1\share1). Of course, LDAP is used only to access LDAP names. Other technologies are used to access RFC 822, HTTP, and UNC names.
What Happened to Those Backup Domain Controllers?
Within a Windows NT Server 4 domain, you could have one primary and one or more secondary domain controllers. Domain controllers were the founts of network resource and security knowledge in NT 4 networks. If a primary domain controller crashed, the remaining secondary controllers held an election, and one of them became the primary domain controller. That has all changed in Windows Server 2003. All domain controllers in a Windows Server 2003 network are primary, to use an NT 4 term. Under almost all circumstances, you and Windows Server 2003 don't need to worry about failed controllers, or how and if a backup controller gets quickly and properly promoted to primary controller status. Everybody's equal.
Simple Mail Transport Protocol and Network News Transport Protocol
Two key Internet protocols that were once the exclusive province of Exchange 5.5, SMTP and NNTP, are now supported right inside Windows 2003. SMTP is used to replicate information across Windows 2003 sites. NNTP support is finally where it belongs: in the operating system. That doesn't mean that Exchange Server 2003 makes no use of these protocols, however. SMTP supports everything from Internet messaging to cross-server public folder replication in Exchange 2003, and NNTP is still supported through Exchange public folders.
Now let's look at some of the aspects of Windows Server 2003 that haven't changed all that much from Windows NT Server 4.
Note One more thing before we move on: New to Windows Server 2003 is support for a fairly wide range of peripheral devices never supported by NT Server 4. Essentially, this includes pretty much the full range of devices supported by Windows XP, including support for DVD ROM and Universal Serial Bus (USB) devices. I love it; I'm running a USB video camera on one of my Windows 2003 Advanced Server computers. Like Windows 2000, Windows 2003 also supports auto-discovery and installation of new devices. This little feature has saved me hours of finding and manually installing drivers for new printers and such.