Windows Small Business Server SBS 2003: A Clear and Concise Administrator's Reference and How-To

By Stephanie Knecht-Thurmann

About this book

Microsoft Small Business Server 2003 is the fourth release of the all-in-one server solution from Microsoft. By combining all of the commonly used servers into a single package, Microsoft makes it easier and cheaper for small businesses and branch offices to run a fully featured network. The basic version of SBS contains a file server for shared and central document and data storage, the Exchange e-mail server, SharePoint Services for team collaboration, and Internet Security Server for safe connections to the Internet. The Premium edition additionally has the SQL Server 2000 database server installed.

Despite its name and pricing, SBS is actually a very powerful tool capable of supporting workgroups of up to 75 users in a range of complex tasks. At the entry level it can be set up and configured to run a small office with a limited range of server requirements. At the advanced level it can deliver a complete range of services to up to 75 users.

This book is aimed at in-house administrators and IT specialists responsible for all aspects of network administration and support, working in offices and organisations for which the all-in-one SBS solution makes sense. It covers each of the services provided in the SBS package. For each server, the most common tasks are walked through step-by-step. Each step is carefully explained and clearly illustrated. The approach is logical and easy to follow.

Publication date:
August 2005


Chapter 1. Introduction to Small Business Server 2003

Small Business Server (SBS) 2003 is the successor to SBS 2000 and features vast improvements over its predecessor. This chapter gives you a brief overview of the areas of application, features, versions, requirements, and licensing issues related to Small Business Server 2003. You will also learn some basics about fundamental technologies supported by SBS 2003.


Area of Application of the Small Business Server

As the name suggests, SBS is meant for small- and medium-sized companies, where the maximum number of network clients does not exceed 75. For these companies SBS offers a range of specially optimized functions for collective access to the Internet, e-mail, and fax services, as well as file and printer sharing. The complete server solution of SBS 2003 combines all these services. The premium version of SBS additionally offers firewall and database server functionalities.

SBS 2003 does an even better job of providing a complete integrated solution for the infrastructure management of small and medium-sized companies than its predecessor. It covers the central requirements of companies such as e-mail exchange, secure Internet access, document management, collective work on documents, and database preparation as well as offering the advantages of Windows Server 2003 as the underlying operating system. The advantage of combining all these components into a single system is that it is not necessary to purchase a tool for any of these areas from a separate vendor. This means lower licensing costs and smaller investment in training for administering the system within the company.

Small- and medium-sized companies often do not have an adequate number of people for network maintenance at their disposal, and the time that these people can spend on this task is limited by their involvement in their primary activity. SBS 2003 can't really be administered by some hobby administrator after work, but the large number of administration wizards that have been provided make the job much easier.

The Growing Small and Mid-Sized Business Sector

The small and mid-sized business sector has expanded enormously from the end of the '90s until today, and its willingness to invest in IT has been great. The desktop and server market grew by eight to ten percent in this period, and broadband connections rose by almost 20%. At the same time data volumes also increased exceptionally: whereas in 1999 the volume of e-mail was still 4 billion terabytes, by 2003 the figure had already reached 18 billion terabytes. Most companies now also store their data in digital format.

Implementation Planning

If you are involved with the implementation of SBS 2003, you should give a thought to the extent to which such an implementation could encounter internal obstacles. These obstacles need not necessarily relate to company policy—they could also be based on objective constraints.

Decision Support: SBS 2003 or Windows Server 2003

Both SBS 2003 and Windows Server 2003 offer features that can fulfill the IT requirements of small and medium-sized companies. To help you choose between them some scenarios are presented below in which the deployment of one of the two products is advised. Keep the following points in mind when installing SBS 2003:

  • All SBS 2003 components are installed on a single server. This ensures that all components are integrated. The primary SBS can, however, be extended to other servers.

  • SBS 2003 represents the highest level of a new Active Directory. Therefore, a fresh implementation doesn't pose any problems. However, the SBS Active Directory does not support trust relationships with multiple domains. So, SBS 2003 can be used to implement only a single domain model.

Companies with One Head Office and up to 75 Employees

For a maximum of 75 employees, the standard version of SBS offers an all-in-one solution for Internet, e-mail, and fax services and intranet solutions with many features for teamwork. The premium version extends these capabilities to include Internet proxy and firewall functions, a database server, and extended functions for website creation and maintenance. If your company has more than 75 employees, you can either exchange individual products contained in SBS via the Migration Pack or purchase Windows Server 2003, which has no restrictions regarding the number of users.

Connecting a Branch to a Head Office

SBS 2003 can be used in this model if there is no integration with the Active Directory of the head office. Such integration cannot be guaranteed via SBS 2003 because the SBS domain must constitute the master domain in the Active Directory. If integration with the central Active Directory is required, you must use Windows Server 2003.

However, you can implement an SBS domain over two locations. The prerequisite for this is that one of the locations must have a Windows Server 2003 installation that mirrors the SBS. This ensures that logon can take place over the fast LAN connection at the location in situations where WAN connections are slow.

Integrating into an Existing Active Directory Environment

SBS 2003 cannot be implemented as a domain controller in an existing Active Directory environment because it must form the master domain. It is also not possible for SBS 2003 to have trust relationships with other domains. Windows Server 2003 on the other hand offers the possibility of extending an existing tree or forest in a flexible manner, adding additional domain controllers, or forming trust relationships with other Active Directory or NT 4.0 domains.

Extending an Existing Environment with Additional Servers

SBS 2003 must be the domain controller of the master domain. No further SBS 2003 machines can be added to this domain. It is however possible to add more Windows Server 2003 machines as additional domain controllers or member servers. If you wish to have more flexibility or plan to use a complex domain structure later, you should use Windows Server 2003 from the outset.

Setting up a Web Server for the Intranet/Internet

SBS 2003 includes a web server, Internet Information Services (IIS) 6.0. It has been improved greatly over IIS 5.0 and supports both ASP.NET and XML. In addition to this web server, which all server versions of Windows include, there is also the special Windows Server 2003 Web Edition. This edition is appropriate if you want to add just one web server, but it can also be used to run an entire server farm.

Using a Terminal Server

SBS 2003 cannot itself be set up as a terminal server. However, any Windows Server 2000 or 2003 can be added to the SBS domain as a terminal server. SBS 2003 does, however, support the remote administration mode of the Windows Server 2003 terminal server, so remote administration is limited to a maximum of two simultaneous connections.


Features of Small Business Server 2003

In the following sections, we introduce you to the main features of SBS 2003. The biggest strengths of SBS 2003 are network security and remote access to the company network. You will also find information about features that have been improved in comparison with its predecessor SBS 2000.

Network, Internet, and E-Mail

SBS 2003 has all the features that small and medium-sized companies require for creating their presence on and accessing the Internet. These include Exchange and Outlook technologies for e-mail exchange, for example Outlook Web Access and Remote Workspace, a web server for Internet presence, a firewall function, the possibility of shared Internet access via broadband and PPPoE, security mechanisms for the local network, and productivity tools for team work. Each time that Internet and e-mail are configured, a VBS script is generated (config.vbs). With the help of this script, these settings can be relayed back to the computer later. It can also be used to configure other SBS 2003 clients.

The included SharePoint Services offer an already preconfigured website for comprehensive teamwork.

Exchange Server has an anti-spam function, and Outlook 2003 has further functions for filtering and blocking spam. Exchange Server also includes the Microsoft Connector for POP3 Mailboxes. This makes it possible to migrate existing e-mail accounts to Exchange and to download the e-mails of these accounts and make them available to the user in Outlook. A filter function for file attachments has also been provided.

SBS comes with a fix for the Blaster worm. This fix is installed automatically. Any anti-virus software that is compatible with Exchange and Windows Server 2000 can be installed. The anti-virus software should, as far as possible, support a server-client configuration and not just be a client or desktop solution.

SBS 2003 can be configured like Windows Server 2003 for network services like DNS, DHCP, and WINS. The combination of Outlook/Exchange 2003 and Windows Server 2003 now also allows RPC over HTTP. This makes it possible to establish secure connections via the Internet to RPC server applications.


SBS 2003 has a number of wizards for configuring the necessary security settings. Security-wise, Windows Server 2003, on which SBS 2003 is based, is a vast improvement on Windows Server 2000. Attacks on the server could be reduced by 60%, while the availability of services has increased by 275%. The standard version already has a firewall; the premium version integrates Internet Security and Acceleration (ISA) Server 2000.

SBS also supports hardware firewalls. Almost all UPnP (Universal Plug and Play) devices are automatically recognized by the Internet Connection and e-mail Configuration wizards. If the firewall device is not UPnP-enabled, it will have to be configured manually. Even UPnP devices can be problematic if they are based on proprietary protocols.

The built-in function of the Volume Shadow Copy service makes it possible to have regular data backups. These are carried out quickly and securely.

Team Work

SBS 2003 offers a central repository for large volumes of data. This data can be easily processed, used collaboratively, and archived. SBS 2003 even offers secure storage for mission-critical data.

Windows SharePoint Services makes available a preconfigured website. Using this central website, employees can share documents, announcements, events, or links. The Outlook 2003-enhanced Outlook Web Access enables the joint use of data or calendar functions via the Internet.

Remote Access and Mobility

SBS 2003 data can be accessed remotely, irrespective of time, location, and device used. Access can be configured for private as well as public files. A user can have access to his or her desktop and e-mails. Access takes place via the new remote portal Remote Workspace. A data synchronization function is also included. The integration of mobile devices like Smartphones and PDAs is given great importance in SBS 2003. Mobile users can access e-mails, calendar, schedules, and tasks via Outlook Mobile Access (OMA).

For the administrator there is of course a Remote Administration module. In addition, functions for virtual private networks (VPNs) are also included.

Setup and Administration

The installation and configuration of SBS 2003 uses convenient wizards and needs little time investment. SBS 2003 is already pre-installed on many OEM platforms. The setup of SBS clients has also been simplified in comparison to SBS 2000 since activation is no longer done by diskette but conveniently over the Internet via Online License Activation. OEMs can pre-install the complete SBS with their own logos, service numbers, etc.

The network configuration of clients is now done conveniently via a website and not by diskette. Pre-configuration of client applications is also possible. In contrast to earlier versions, in which only one user could be added at a time, you can now add several users in one step on the basis of user templates.

Monitoring functions have been improved. Performance and usage reports can now be received and evaluated by e-mail. The quicker reaction time resulting from this minimizes SBS downtime.


Versions of Small Business Server

The Small Business Server 2003 is available in a standard version and a premium version. The following table lists the components contained in each of the two versions.

Component                      Standard Version   Premium Version
Windows Server 2003 (5 CAL)    X                  X
Outlook 2003 (5 CAL)           X                  X
Windows SharePoint Services    X                  X
Exchange Server 2003           X                  X
Shared Fax Services            X                  X
ISA Server 2000 SP1            -                  X
SQL Server 2000 SP3            -                  X
Office Front Page 2003         -                  X


The following table gives you a brief overview of the functions of various components and can help in choosing the right version:



Windows Server 2003

The standard version of SBS is based on this operating system. This makes it possible to set up the Active Directory Service, for example. Limitations are described in the paragraph following this table.

Exchange Server 2003 and Outlook 2003

E-mail and messaging server solution with features such as web access for remote access to mails and a calendar function that can be used jointly by a team.

SharePoint Services

Environment for teamwork and communication.

Shared Fax Services

Fax function that does not require a large number of telephone connections. Faxes can be received via printer, e-mail or SharePoint. Faxes can be sent directly from user desktops and can be delayed.

ISA Server 2000

Firewall service, routing, and NAT (Network Address Translation), secure Internet access for several users simultaneously.

SQL Server 2000

Powerful relational database for creating and implementing business applications.

Front Page 2003

Development environment for websites and SharePoint Services solutions.

The Windows Server 2003 that comes with SBS 2003 is limited in the following ways as compared to the normal version of Windows Server 2003:

  • Within a domain there can be only one computer running Windows Server 2003 for Small Business Server.

  • It is not possible to remove the five operations master roles (FSMO, Flexible Single-Master Operation) from the SBS 2003 in the domain. You can add further domain controllers to the domain, but the five operations masters must remain on SBS 2003. Only the global catalogue (covered later in this chapter) can be executed on another domain controller to reduce the load on SBS 2003.

  • Within the Active Directory, SBS 2003 must constitute the root domain or the highest level of the Active Directory structure. It cannot have any subordinate domains. So, it is not possible to integrate SBS 2003 in a company network and run it within this network as a branch server.

  • The domain of Windows Server 2003 for Small Business Server cannot build a trust relationship with any other domain. So, it is not possible to access resources beyond the server.

  • Additional servers must have an access license (CAL, Client Access License) for Windows Small Business Server.

In every other respect, the server supplied with SBS 2003 is a standard Windows Server 2003.

All server components of SBS 2003 must be installed on one computer. It is not possible, for example, to install the SQL server of the premium version on another server. Only Front Page 2003 from the premium version can be installed on any client within the SBS network.

Apart from the version of Windows Server 2003 included in Small Business Server, there is also a "Windows Server 2003 for Small Business Server". This is the pure server solution as a trimmed down version of SBS 2003 and does not contain the functions of the SBS standard or premium version. This version is subject to the same limitations as the Windows Server 2003 of SBS.

Windows Server 2003 for Small Business Server is available for a price of about 550 USD. With this, you get five CALs for the server. Additionally up to ten more CALs can be purchased for about 90 USD each. If you need more than 15 CALs, you should fall back upon Windows Server 2003, because this model works out cheaper.

While the premium version has ISA Server 2000 SP1 as an integrated firewall solution, the standard version only includes Windows Server 2003's Internet-connection firewall. In addition, Microsoft SUS server (Software Update Services) can be integrated with Small Business Server. This component can be downloaded free of cost. The current version is SUS 1.0 with Service Pack 1. The integration of SUS in a Small Business Server network is explained in Chapter 9.


Hardware Requirements

The standard and premium versions of SBS 2003 differ in some respects with respect to their hardware requirements.

Requirements for the Standard Version

Given below is a list of the hardware specifications recommended by Microsoft for running the standard version of SBS 2003. In light of the hardware available today these requirements look modest. But remember that any savings you make on hardware will always be at the cost of performance.

Component                  Minimum                              Recommended
Processor                  300 MHz                              550 MHz and above
Memory (RAM)               256 MB                               384 MB (maximum 4 GB)
Disk capacity              4 GB                                 4 GB
Display                    SVGA (minimum 800 x 600 pixels)
Other components           Network card                         Two network cards
For Internet access        Broadband or high-speed modem Internet connection; additional
                           connection costs may be incurred with the service provider
For the network            Dedicated class-1 fax modem for the fax service
For Outlook Mobile Access  Pocket PC Phone Edition 2003 or Smartphone 2003
(OMA)
Client operating system    Windows XP or Windows 2000

Requirements for the Premium Version

Given below is a list of the hardware specifications recommended by Microsoft for running the premium version of SBS 2003.

Component                  Minimum                              Recommended
Processor                  300 MHz                              550 MHz and above
Memory (RAM)               256 MB                               512 MB (maximum 4 GB)
Disk capacity              5 GB (2 GB when installing over     5 GB (2 GB when installing over
                           SBS 2000)                            SBS 2000)
Display                    SVGA (minimum 800 x 600 pixels)
Other components           Network card                         Two network cards
For Internet access        Broadband or high-speed modem Internet connection; additional
                           connection costs may be incurred with the service provider
For the network            Dedicated class-1 fax modem for the fax service
For Outlook Mobile Access  Pocket PC Phone Edition 2003 or Smartphone 2003
(OMA)
Client operating system    Windows XP or Windows 2000

Both versions support a maximum of two real physical CPUs or four virtual CPUs.


License Information and Costs

For running SBS, both a Windows Small Business Server 2003 license as well as a Windows Small Business Server 2003 CAL (Client Access License) are required. The first license permits the installation and use of SBS 2003; the second allows access to the server software on a per-user or per-computer basis. The CALs do not refer to simultaneous connections. The CALs of the standard and premium versions do not differ in price. A maximum of 75 licenses may be used in a SBS 2003 domain. The SBS package comes with five CALs.

A user CAL allows a specific user to access SBS 2003. The computer from which the user makes the connection (desktop, mobile device, etc.) is unimportant. On the other hand, a computer CAL is valid for only one computer. Any user can log on from this computer. You are free to decide whether you want to use the five included licenses per user or per computer. Automatic license monitoring is not a feature of SBS 2003.

The CAL is valid not just for the SBS itself but also for other Windows-based servers within the SBS domain. However, this does not apply to other Exchange Servers, SQL Servers, etc.

If you have acquired Software Assurance for the Small Business Server 2000 CALs, you can convert all these CALs to CALs for SBS 2003 free of cost. If this is not the case, you have to purchase new CALs.

If you have acquired Software Assurance for SBS 2000 as well as SBS 2000 CALs, you have a claim to SBS 2003 Premium.

If you have acquired Software Assurance for SBS 2003-CALs, you can exchange user-based CALs for computer-based CALs and vice versa free of cost at the time of renewing the Assurance.

In contrast to SBS 2000, the activation of CALs is no longer done by diskette, but with a special activation key over the Internet. Alternatively, you can use the wizard to add new SBS licenses and activate them by phone (local call charges). SBS 2003 Standard Version costs about $599 and SBS 2003 Premium Version about $1499. Detailed pricing information can be found at

Sometimes an existing SBS domain needs to be extended. For example, there may be more than 75 users in the domain or the server components of SBS may need to be distributed over several physical systems or higher functionality may be required, like that of an Exchange 2003 Enterprise Server. In such cases, the purchase of the Small Business Server 2003 Transition Pack is recommended. Further details about the contents and pricing of the Transition Pack can be found at the above link.


Active Directory as Base Technology for SBS 2003

The tips and instructions given here about Active Directory as the base technology of SBS 2003 are meant primarily for those users who have had little or no experience with Active Directory-based networks, e.g. users migrating from Windows NT 4.0 or Novell NetWare. A comprehensive treatment of this complex subject would be beyond the scope of this book.

Active Directory has been the integrated directory service solution for the central administration of network objects since Windows Server 2003. Under SBS 2003, you can administer all the network objects of the SBS 2003 network via the Active Directory.

Setting Up the Active Directory

The rest of this chapter introduces you to the Active Directory. To begin with, a brief description of Active Directory is given, and the mode of functioning of a directory service is explained in detail. At the end, a summary is presented of the core features of Active Directory that are new in relation to Windows NT.

With Active Directory in Windows 2000, Microsoft made its entry into the world of directory services. Novell Netware's Novell Directory Service (NDS) has been in the market longer. Active Directory is based on standard Internet technologies. It is fully integrated with the operating system of SBS 2003. With Active Directory, the domain model of Windows NT has been extended. The primary access protocol for Active Directory is LDAP (Lightweight Directory Access Protocol) Version 3.

How Does a Directory Service Work?

A directory service works in a manner analogous to a telephone directory. In a telephone directory, a telephone number is linked to each name entry. You can also find optional information such as the address of a subscriber there. In a directory service, network resource objects like users, printers, and databases are linked to items of information. This information includes the name of the object, the location, and many object-specific details. The more information you give about the characteristics of an object, the more quickly and precisely can it be found by network users later, even though entering details of objects in the database will naturally take time.

When the name of an object is known, all information pertaining to it can be directly obtained. This corresponds to looking up a known name in a standard telephone directory to find out the associated telephone number. This, however, does not exhaust the reference functions of the directory. Let us say you do not know the exact name of an object but have some information about it. Then you can search for all objects in the directory that meet these criteria. This process is analogous to looking up the Yellow Pages. In this case you then get a list of all the relevant names. The directory is, however, superior to the yellow pages to the extent that you can search the latter only based on predefined entries, whereas the directory allows you to define your own search criteria.

A directory service makes it possible to administer all network objects centrally. In Active Directory all information about users, servers, computers, printers, etc., can be maintained and administered at one place, and can be accessed by all users throughout the network. This greatly simplifies administering and finding network resources.

Objects in the Directory

The directory stores objects. An object is a stored piece of information linked to a network resource. The directory service makes these resources available to network users as well as applications. This network service is responsible for the identification of resources so that users can access them. Millions of objects can be stored in Active Directory. Each object has a unique identifier called the GUID (Globally Unique Identifier). The GUID is a value of length 128 bits. This value is assigned to each object when it is created.

There are two types of Active Directory objects: containers and non-containers. Non-containers are also called end nodes or leaves. A container holds further containers or end nodes; an end node cannot contain any further objects. An example of a container is an organizational unit. In this are computers, users, etc. Even computers are classified as end nodes, although theoretically they can also contain objects such as printers.

Directory and Directory Database

Even though the directory is often referred to as a database (or directory database), there are fundamental differences between these two terms. A directory offers functions that go way beyond what is offered by a traditional relational database.

A major difference consists in the fact that the information in a directory is consulted far more often than it is changed, whereas in a database data is written and updated continually. In a directory, therefore, the search and read functions are optimized rather than the write function. After all, read access is available to all users of the directory, whereas write access is restricted to administrators. The data stored in the directory is relatively static because it is not subjected to frequent changes. Directory users can ask for the e-mail address of a specific user hundreds of times or even more often, while this address will, in all probability, not be changed by the administrator in the same period.

A second difference between directory and database lies in how the relevant component is accessed. A database is usually accessed by means of a standardized, complex SQL (Structured Query Language) query. With this, complex queries and updates of the database are possible, but this is unfortunately at the cost of the complexity and size of the application. Directories such as Active Directory use LDAP (Lightweight Directory Access Protocol) for access. This is a simple, optimized, and lean protocol. LDAP is described in detail in the following section.

Client-Server Communication

The information in the directory is accessed via the client-server communication model. In this model, an application running on a client that needs information from the directory cannot directly access the directory on the server. An API (Application Programming Interface) is called, which in turn calls a new process, the Directory Client, which executes the request over the TCP/IP protocol. Direct access to the directory takes place using the Directory Server. The information is then sent back in reverse order via this mechanism.

A directory service is only one example of client-server communication. Other services are the printing service, the web service, etc. They can all coexist on one computer.


It should be possible for all directory users to find public information such as the e-mail address of a colleague, and for members of the personnel department to read information such as the complete private address of an employee; but only administrators should be able to change these entries. Access to objects is controlled via Access Control Lists (ACL). For each object, a list containing the access rights of specific users for that object is automatically generated.
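The access rules just described (everyone may read a colleague's e-mail address, the personnel department may also read the private address, only administrators may change either) can be modelled as an access control list on the user object. The following is an added example, not code from the book: a small evaluator that follows the Windows rule set for such a list (entries are walked in order, an explicit deny wins as soon as it covers a requested right, access succeeds only once every requested right has been granted, and an empty list grants nothing). The user object, group names and right names are constructed sample data, and the deny entry goes beyond the book's text, which mentions only the rights users hold.

```python
"""
Access control on a directory object: an ordered list of access control
entries (ACEs) evaluated the way Windows evaluates a DACL.

Added example (not from the book). All names and rights are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Ace:
    kind: str                # "allow" or "deny"
    trustee: str             # user or group name the entry applies to
    rights: FrozenSet[str]   # e.g. "read:mail", "write:homePostalAddress"


def check_access(acl: List[Ace], identities: Set[str], requested: Set[str]) -> bool:
    """Return True only if every right in `requested` is granted to one of the
    caller's `identities` (user name plus group memberships) before any
    matching deny entry is met. An exhausted list means access is denied."""
    if not requested:
        raise ValueError("nothing requested")
    remaining = set(requested)
    for ace in acl:
        if ace.trustee not in identities:
            continue                    # entry is for somebody else
        if ace.kind == "deny":
            if ace.rights & remaining:
                return False            # explicit deny on an outstanding right
        elif ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True             # everything asked for has been granted
        else:
            raise ValueError(f"unknown ACE kind {ace.kind!r}")
    return False                        # implicit deny: nothing left to grant it


# ACL of one user object (constructed): everyone may read the e-mail address,
# the personnel department may read the private address, administrators may
# change both, and a deny entry keeps interns away from the private address
# even if they are also members of Personnel. Deny entries are listed first,
# which is the order Windows uses for explicit denies.
USER_OBJECT_ACL: List[Ace] = [
    Ace("deny", "Interns", frozenset({"read:homePostalAddress"})),
    Ace("allow", "Everyone", frozenset({"read:mail"})),
    Ace("allow", "Personnel", frozenset({"read:homePostalAddress"})),
    Ace("allow", "Administrators", frozenset({
        "read:mail", "write:mail",
        "read:homePostalAddress", "write:homePostalAddress"})),
]


def can(user: str, groups: Set[str], *rights: str) -> bool:
    """Convenience wrapper: the caller's identities are the user name plus groups."""
    return check_access(USER_OBJECT_ACL, {user} | set(groups), set(rights))


if __name__ == "__main__":
    print(can("alice", {"Everyone"}, "read:mail"))                                      # True
    print(can("alice", {"Everyone"}, "read:homePostalAddress"))                         # False
    print(can("bob", {"Everyone", "Personnel"}, "read:homePostalAddress"))              # True
    print(can("carol", {"Everyone", "Administrators"}, "write:mail"))                   # True
    print(can("dave", {"Everyone", "Personnel", "Interns"}, "read:homePostalAddress"))  # False
```

The default-deny at the end of `check_access` is the property worth keeping in mind when reviewing directory permissions: a right that no entry grants is refused, so an object with an empty list is unreadable even by the administrator until an allow entry is added.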


Lightweight Directory Access Protocol (LDAP)

For communication between Active Directory clients and servers for network logon or locating resources, LDAP (Lightweight Directory Access Protocol) Version 3.0 is used as the standard access protocol. This section first gives you an overview of the development of LDAP. This is followed by an overview of the defined LDAP standards.

LDAP is a communication protocol that defines the transport and message format used by clients to access a directory working on the X.500 standard. The entire LDAP communication takes place over port 389. The LDAP protocol specifies how the directory server may be accessed, which directory actions are permitted, which published data may be used, and how secure access is to be executed. Administration, querying, and listing of objects takes place via LDAP.

An application may never directly access directory data—the access is controlled by an API that is called via a message. This LDAP API is initiated by an LDAP message. The LDAP client can directly access the directory on the LDAP server via TCP/IP.

LDAP has developed into an open industry standard. Products from different manufacturers and operating systems can communicate with each other via this protocol and, in a manner analogous to the HTTP standard of the Internet, support a global directory structure with the help of it.

LDAP Architecture

This section introduces you to the logical model of LDAP. As already mentioned, LDAP is the access protocol for X.500-based directory services. LDAP with Active Directory offers the following improvements over DAP and the OSI stack:

  • LDAP uses TCP/IP and not the resource-intensive OSI protocol stack.

  • The functional model is simplified and seldom-used functions have been removed.

  • Normal character strings are used for representing data and not complicated syntaxes such as ASN.1 (Abstract Syntax Notation).

LDAP defines the messages that are exchanged between an LDAP client and an LDAP server. The client-side message describes the action to be carried out, such as searching or deleting, while the server-side message contains the resulting reply and the format of the data to be transported. Data transport always takes place over the TCP/IP protocol. For the design of Active Directory it is important to know how the directory is structured, which operations can be carried out, and which data is to be secured in transit.

All communication between an LDAP client and server has the same format. It can be divided into the following steps:

  1. The LDAP client makes the connection with the server. To do this it gives the IP address or the hostname of the server along with the TCP port (389). Authentication can take place in three ways: anonymously with standard access rights, with a username and password, or over an encrypted connection.

  2. The client now accesses the directory data. This access can be either a write or read process. Search processes will be the most frequent. Users can employ Boolean operators to filter out the information they need.

  3. The connection to the server is closed once the executed action is over.

Since LDAP is based on the X.500 model, the data is stored accordingly as entries in the directory. Each directory entry describes a single object that has an unambiguous Distinguished Name (DN), which in turn consists of a series of Relative Distinguished Names (RDN). This chain of names is comparable to a directory path in Windows Explorer. These objects are arranged in a hierarchical tree structure based on the DNs of the objects. This structure is also called the Directory Information Tree (DIT).

Each entry consists of one or more attributes. Each attribute consists of a type and a value.

In the example, the attributes Surname and E-mail Address are used. The syntax of the attribute determines that the e-mail address is an alphanumeric string. An e-mail address can contain letters, numbers, or even special characters such as a hyphen (-).

Directory entries specify an object more precisely. At the same time, an object class describes an object. For example, the object class User is described by the attributes Surname and E-mail Address. Each object class has its own attributes and each attribute has its own value. For example, in a printer object you will not find the values Surname and E-mail Address. Instead it will have an attribute called Color Printer. All these object classes and their possible values are called the Active Directory Schema.

The actions that can be carried out on a directory entry are also determined over LDAP. These include adding, deleting, editing, and renaming entries, which require write access to the directory, as well as searching for and comparing an entry. These last two require only read access to the directory data.
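The DN/RDN chain, the search scopes and the Boolean search filters described above, worked through in a small in-memory model as an added illustration (not code from the book or from SBS 2003; the DNs, object classes and attribute values are constructed sample data):

```python
# Toy in-memory directory for the LDAP concepts in this section: DNs as chains of
# RDNs (the DIT), search scope and Boolean filters.  Added illustration, not code
# from the book or from SBS 2003; every DN, attribute and entry is constructed.
import re

def parse_dn(dn):
    """Split a DN into (type, value) RDNs, most specific first; RFC 4514
    backslash escapes such as 'Doe\\, Jane' are honoured."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):    # escaped character: keep it literally
            buf, i = buf + dn[i + 1], i + 2
            continue
        if dn[i] == ",":                           # an unescaped comma ends the RDN
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    return [(t.strip().lower(), v.strip()) for t, _, v in (p.partition("=") for p in parts)]

def dit_path(dn):
    """Explorer-like view of a DN: root of the tree first, leaf object last."""
    return "\\".join(f"{t}={v}" for t, v in reversed(parse_dn(dn)))

def dn_key(dn):
    """Case-insensitive comparison key (cn, ou and dc values ignore case)."""
    return tuple((t, v.lower()) for t, v in parse_dn(dn))

def parse_filter(text):
    """Compile an RFC 4515 filter, e.g. (&(objectClass=user)(|(sn=Doe)(mail=*@x))), into a
    predicate over an entry's attribute dict; supports &, |, !, equality, presence, substring."""
    pos = 0
    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":                                   # Boolean operator over sub-filters
            pos, subs = pos + 1, []
            while pos < len(text) and text[pos] == "(":
                subs.append(parse())
            if pos >= len(text) or text[pos] != ")" or (op == "!" and len(subs) != 1):
                raise ValueError("malformed Boolean filter")
            pos += 1
            if op == "&":
                return lambda e: all(f(e) for f in subs)
            if op == "|":
                return lambda e: any(f(e) for f in subs)
            return lambda e: not subs[0](e)
        end = text.index(")", pos)                        # ')' inside a value must be escaped
        attr, _, val = text[pos:end].partition("=")
        pos, attr = end + 1, attr.strip().lower()
        values = lambda e: [v.lower() for v in e.get(attr, [])]
        if "*" in val:                                    # presence (*) or substring -> anchored regex
            rx = re.compile(".*".join(re.escape(p) for p in val.lower().split("*")) + r"\Z")
            return lambda e: any(rx.match(v) for v in values(e))
        return lambda e: val.lower() in values(e)         # equality
    pred = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return pred

def search(directory, base, scope, filter_text):
    """DNs under `base` (scope: base, one or sub) whose attributes satisfy the filter."""
    base_key, pred, hits = dn_key(base), parse_filter(filter_text), []
    for dn, attrs in directory.items():
        key = dn_key(dn)
        depth = len(key) - len(base_key)                  # RDNs below the search base
        in_scope = {"base": depth == 0, "one": depth == 1, "sub": depth >= 0}[scope]
        if depth >= 0 and key[depth:] == base_key and in_scope and pred(attrs):
            hits.append(dn)
    return sorted(hits)

# Constructed sample DIT; attribute names are lower-case because LDAP compares them case-insensitively.
DIRECTORY = {
    "dc=example,dc=local": {"objectclass": ["domain"]},
    "ou=Sales,dc=example,dc=local": {"objectclass": ["organizationalUnit"]},
    "ou=Personnel,dc=example,dc=local": {"objectclass": ["organizationalUnit"]},
    "cn=Jane Doe,ou=Sales,dc=example,dc=local": {
        "objectclass": ["top", "person", "user"], "sn": ["Doe"], "mail": ["jane.doe@example.local"]},
    "cn=Erika Mustermann,ou=Personnel,dc=example,dc=local": {
        "objectclass": ["top", "person", "user"], "sn": ["Mustermann"], "mail": ["erika@example.local"]},
    "cn=Colour Printer 1,ou=Sales,dc=example,dc=local": {
        "objectclass": ["printQueue"], "printcolor": ["TRUE"], "printduplexsupported": ["FALSE"]},
}
```

Only the search and compare style operations are modelled here, which is why the functions need nothing more than read access to the dictionary; add, delete, modify and rename would have to mutate it.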


Features of Active Directory

Active Directory offers the following solidly integrated yet flexibly configurable features that were not available in the Windows NT domain model:

  • Simplification of administration through centralization: Each domain can have several domain controllers of equal rank. This ensures that changes you make on one domain controller are automatically replicated in the others. An administrator can log on from any computer on the network and administer resources on other computers in the domain from there.

  • Delegation of specific administration operations from the central administrator to sub-admins: Permission is granted to a user from a higher level of authority to carry out a specific set of actions on a defined group of objects in an allocated section of the domain structure. This allows precise control over who can perform which action, without the need to assign higher privileges to the user.

  • Storage of objects in a structured hierarchy mirroring the organization of the company: For example, domains can be set up according to geographical or functional aspects; in organizational units, the physical structure of the company, e.g. distribution over floors, can be represented.

  • High availability of the data as well as load distribution through multimaster replication of the directory on all domain controllers: Through this, the directory is made available to a larger group of users. In the event of failure of a domain controller, a high degree of redundancy is available since the realization of Active Directory is no longer linked to one PDC but can take place on any Domain Controller.

  • Easier and quicker finding of resources in the network: for example, a network printer can be found even if the complete address is not known. Specifying just parts of the qualities known to you in the search is enough, for example, duplex—yes or no, and color—yes or no.

  • High scalability: The Active Directory database has a much higher capacity than the Windows NT user database. It is possible to first set up a small domain structure with maybe 200 objects, which can later be extended to millions of objects as the company grows.

  • Extensibility and individual adjustment of the Active Directory schema: Each object can have its own attributes added, which can be highly company-specific, e.g. an attribute for signing authority, etc.

  • Support of standards such as LDAP, NSPI (Name Service Provider Interface), HTTP, and DNS: Active Directory supports Internet standards and builds on them. Support of the LDAP 3.0 and NSPI standards ensures collaboration with other directory services using these protocols. With DNS, the Internet naming concept has been integrated into Windows 2000. Windows 2000 even supports Dynamic DNS (DDNS). Using this, clients with IP addresses acquired over DHCP can register dynamically with the DNS server. In a pure Windows 2000 environment, the WINS name service can be replaced by DDNS if there are no legacy client-server applications that require the WINS service.

  • Improvement in security: In Active Directory precise access control can be defined not just at the object level but also at the object properties level. Domain-wide security guidelines can be defined for the user accounts using Group Policies.


Operation and Description of Active Directory

After giving you an insight into the operation of the directory service and the advantages of Active Directory over Windows NT, we introduce here the essential components and keywords of Active Directory such as domains, structures, and replication.

Domains and Domain Controllers

In contrast to a workgroup, all accounts and resources are administered centrally in a domain. This means that with a single login into the domain a user has automatic access to all resources of the entire domain for which he or she has the appropriate rights. The login takes place exclusively on the domain controller of the domain. This is where the central database, which contains entries about user accounts, rights, resources, etc., is located. A domain controller does not have a local security database. Up to two million objects can be stored in a single domain. In an SBS 2003 network, SBS 2003 is the domain controller.

A Windows Server 2003 domain can have several domain controllers with equal rights. However, SBS 2003 is restricted to being the only domain controller in an SBS 2003 domain. Domain controllers in a non-SBS 2003 domain automatically synchronize their databases with each other ensuring that updated data is always available to the network. This process is known as replication. With the installation and configuration of SBS 2003, the domain itself is set up anew.

In contrast to Windows Server 2003, you do not have to run the installation wizard for Active Directory here. Since the SBS 2003 domain can consist of only one domain that has just one domain controller with no trust relationships to other domains, the configuration of Active Directory is considerably simpler and takes place automatically in the background. A domain controller is responsible for the logon and authentication of users in its environment as well as for object searches carried out on the directory. It stores all the Active Directory data.

A domain does not have to be identical with the physical boundaries of a company location. It is possible for a domain to contain objects from several physically separated locations.

Under Windows NT if no domain controller was available for a client, it could not access any network resources. This problem was recognized and addressed from Windows 2000 onwards. Clients running Windows 2000 or later automatically use login caching.

In login caching, every successful login to the domain is cached on the client. By default, ten entries can be stored on the client. This value can be changed in the security guidelines. If this client wants to log in to the domain again later and cannot connect to the domain controller, it can still do so. The settings pertaining to rights, group memberships, etc. are taken over from the client's cache based on the last successful login to the domain. Even if these entries have been changed on the domain controller in the meantime, these settings in the client's local cache are still valid. The cache is updated at the next successful connection to the domain.

An SBS 2003 domain can contain the following types of computers: a domain controller, client computers, and optionally member servers that can act as file and print servers.

Trees and Forests

Structures are a hierarchical arrangement of several Windows 2000/2003 domains. As you have already learned, no structures can be built with SBS 2003, which can only form a single domain. Nonetheless, this topic is discussed here briefly.

There are higher-level domains and subordinate domains. Structures are of two types—trees and forests. Trees are often referred to as just structures.

In a tree, all domains are in a continuous DNS namespace. The name structure is hierarchical. Each domain has a unique domain name.

Within a tree, all domains use the same Active Directory schema, the same replication information, and the same global catalogue.

In a structure, a subordinate domain inherits the name of the higher-level domains. The relative name of the subordinate domain is placed in front of these. For example, the domain inherits the name of the higher-level domain and the relative name vertrieb is put in front of it (see the following figure). This is called a continuous or coherent namespace.

A tree is at the same time also a complete forest.

A forest is a hierarchical arrangement of either just one tree or several separate, independent trees. Even a single domain such as without any subordinate domains forms a self-contained forest.

In all the domains of a forest the same Active Directory Schema, the same replication information and the same global catalogue are used. The namespace is coherent only within the trees. In the figure, the two structures and constitute separate trees within the forest. Only within the two structures is the namespace continuous. The first domain in a forest is also called the master domain of the forest—here

The installation wizard for Active Directory helps you determine at what level in the hierarchy the new domain should be placed. The following possibilities exist:

  • First domain in a forest, for example

  • First domain of a new tree, for example

  • Subordinate domain in an existing tree, i.e. all other domains subordinate to the two domains

After setting up the first domain controller of one of the above-mentioned domain types, you can install additional domain controllers for this domain.

Trust relationships are created automatically between all Windows 2000 domains within the forest. This holds only for Windows 2000 domains. If you are still using Windows NT domains in the forest, trust relationships to these will have to be configured manually. The automatic set up refers to trust relationships between higher-level and subordinate domains as well as to those between the master domain of the forest and the first domains of new trees.

The Global Catalogue

The global catalogue is responsible for object searches in the directory. It is created automatically on the first domain controller of the master domain of the forest. This special domain controller is therefore also called the catalogue server. In the SBS 2003 environment, the SBS 2003 machine also acts as the catalogue server.

Two separate copies of the object attributes are maintained in the global catalogue. The catalogue server gets on the one hand a complete copy of all the object attributes in the entire directory and, on the other hand, a partial copy consisting of only the object attributes found in the directories of individual domains of the forest. Although the partial copy contains all the objects, the number of attributes is limited. Search requests for objects in the directory are dealt with via this partial copy. It contains only those object attributes that come up most frequently in search requests—e.g. user names—or are required to find the full copy of the object. To ensure secure access to the objects in the global catalogue, these objects inherit the access rights of their source domains.

The distinguished name of an object is enough to find the path to the complete copy of this object. In many cases, however, the user does not know the complete distinguished name. The global catalogue makes it possible for the user to find the desired object even from a few known attributes. It is therefore not necessary for the user to know the precise location of the object within the forest.

It is therefore also important to specify as many characteristics as possible at the time of creating an object so as to be able to use the efficacy of the global catalogue optimally.

The use of the global catalogue greatly reduces network traffic. Since the catalogue contains information about all objects in all domains of the forest, the search request can be processed within the domain to which the user making the search request is logged on. So, there is no search, and therefore no network traffic, across domain boundaries.

The catalogue server plays an important role when users log on to the domain. It makes user account information available to the domain controller. When a client logs on, a list containing all the groups of which this client is a member is generated. However, this feature is used only in multi-domain environments in which the client can be a member of several groups in several domains. The global catalogue servers contain membership lists of all universal security groups. These lists are used when clients or servers need to verify membership in the security groups.

The catalogue server has to play one more role if you deploy Microsoft Exchange Server 2000 or 2003 in your environment. The catalogue servers are responsible for looking up address book entries and resolving e-mail addresses for Outlook clients from Outlook 98 SP2 onwards. Older e-mail clients use the Exchange Server itself for this purpose, which again requires access to a catalogue server.


Locations structure networks as much as domains do. Domains reflect the logical structure of a company while locations reflect its physical structure. Organizational units also contribute to the logical structuring of the network.

A location corresponds to a group of computers that belong to a specific IP subnet. These computers are taken to be well connected with each other. The computers at a location can also belong to different subnets. In this case, however, there must be a fast connection between them. This fast connection is required because within a location the replication as well as resource requests from Active Directory consume a not insignificant part of the network bandwidth. For this reason, it makes more sense to configure several locations for a WAN. For the relationship between locations and domains, the following points hold: a domain can contain several locations (see the following figure) and the other way round a location can contain several domains. From this, it follows that there does not have to be any correspondence between location boundaries and the namespace of the domains. So, in an SBS 2003 environment you can configure several locations for the SBS domain.

In this model, a domain has several locations. Each of the three locations has its own subnet range. The computers in locations 1 and 2 have slow connections to the domain (dial-up or WAN). That is why a separate location was created for each of them. The third location comprises computers with a fast LAN connection to the domain. The computers in all the locations are members of the domain

In this example, there is only one location with a coherent 16-bit subnet. Computers that by their logical structure belong to the domain are part of this location. The location says nothing about the logical affiliation of the computers.

If you open the Microsoft Management Console (MMC) ACTIVE DIRECTORY LOCATIONS AND SERVICES, you will find that it does not list computers belonging to a particular location. Searching a domain returns computers only in their logical structure. You will find individual computers only under their domains and organizational units. Under ACTIVE DIRECTORY LOCATIONS you will only find elements that are responsible for configuring the replication between the locations.

Organizational Units

Apart from domains, organizational units are the second way of grouping network resources. The members of organizational units are all members of the domain that contains the organizational unit(s). In contrast to a location, an organizational unit does not have its own domain controllers. Organizational units are used instead of the resource domains of the Windows NT domain models. In an organizational unit, objects are divided into groups. These groups reflect the company structure. An organizational unit can contain objects such as computers, contacts, groups, other organizational units, printers, users, and shared folders. The fact that organizational units contain fewer objects makes it easier to administer and display them.

Administrative tasks can be delegated to an organizational unit. The rights that a user needs for carrying out his or her administrative tasks can be assigned either to a separate organizational unit or to a higher-level organizational unit, which then passes on these rights to the subordinate units. This makes it possible to distribute the administration of the domain among several administrators. In this way, you can perform special administrative tasks for the organizational unit. By default, there are no pre-configured organizational units in the MMC ACTIVE DIRECTORY USERS AND COMPUTERS. This would not make sense because it is precisely the individual characteristics of the administration units that should structure your company network.

The following figure gives an overview of the organizational units within a domain as well as the different objects that an organizational unit can contain.

The figure shows a domain with four organizational units. The two organizational units Administration and Marketing are at a higher level; the organizational unit Administration contains the organizational units Personnel and Accounts as subordinate objects.

Each individual organizational unit has its own independent structure and resources. Objects that are present in an organizational unit do not have to occur in all organizational units of the domain, and conversely, all objects do not have to be bound to an organizational unit.

Active Directory Objects and Schema

All resources are stored as objects in Active Directory. Objects can be computers, accounts, printers, contacts, etc. Each object consists of a definite set of characteristics or attributes that are specific to this object. For example, a domain controller object has the following attributes under general characteristics: computer name, DNS name, function, and description. For Active Directory these characteristics serve as patterns for the objects. These patterns must be known to the directory service to store the objects.

The Active Directory Schema has a predefined set of definitions for the objects and information in Active Directory. There are two types of definitions: attributes and classes. These are also known as schema objects or metadata. The Active Directory Schema is necessarily the same for all domains within a forest. The information in the schema is replicated automatically.


An attribute is defined only once in a schema and can be used by any classes. So, for example, you will find the Description attribute in various objects such as computers, accounts, etc. In each of these classes, the attribute fulfils the general purpose of explaining the corresponding object more precisely, but the description of the special object is different in each class.


Classes determine the types of objects that can be created in Active Directory—computers, accounts, etc. Each class has a specific set of all possible attributes. When you create a new object, the attributes get the values that describe the object concretely. Classes are also called object classes.

Under Windows 2000 Server and Windows Server 2003, you have the option of customizing the schema according to your individual requirements.

The Active Directory Schema is object-oriented. A set of object instances is stored in the directory. This is how Active Directory differs from other directory services in which the schema is stored as a text file that is read when the directory service is started. From the objects stored in Active Directory, applications can, for example, find out which objects and characteristics are available. The Active Directory Schema can be dynamically updated. For example, an application can add new classes and attributes to the schema and immediately use this newly added metadata. Creating or modifying the metadata stored in the directory suffices to change the schema. Like all other objects in Active Directory, the metadata is also protected by Access Control Lists (ACLs). This ensures that only authorized users can change the schema.

Group Policies

Group Policies are the central component of Active Directory for the effective management of rights. Group Policies are an extension of the System Policies under Windows NT.

Group Policies can be applied at the level of locations, domains, and organizational units. A group policy object gives the user a collection of company rules in relation to available resources, access rights, and configuration of these resources. The desktop settings of a user are configured using a group policy. For example, you can assign software or determine which items the user is allowed to see in the start menu. Under Windows NT, you had the System Policy for this purpose, even though its scope was not as wide. Group Policies are a part of IntelliMirror. IntelliMirror is the generic term for regulating client desktops under Windows 2000/XP. You can determine policies for each client based on its function, location, and group membership. The user receives the settings defined for him or her in the Group Policy irrespective of the computer from which he or she logs on. IntelliMirror covers the administration of user data and settings as well as the assignment, installation, and configuration of software. The administration and configuration of group policies is discussed in detail in Chapter 8.


Replication means the exchange of directory information between several domain controllers. All domain controllers in a domain must have access to current directory information at all times. If you make changes on any domain controller in the domain, these changes must be accessible to the other domain controllers as quickly as possible. In replication, the changed directory information is sent from the one domain controller to all the others.

Features of ADSI

This section briefly shows you the important features of ADSI (Active Directory Service Interfaces). ADSI offers you an interface for your own applications on a number of operating systems for accessing various directory services.

  • ADSI gives you easy access to directory services via the Component Object Model (COM). The applications are not bound to any particular programming language and can be written in Visual Basic, C/C++, Java, etc.

  • ADSI is independent of the directory service. You can develop applications without having to know the various vendor-specific directory APIs. Even administrative applications are not bound to any fixed directory service.

  • You can use any automation-capable scripting language (VBScript, REXX, Perl, etc.) to develop applications for the directory service.

  • ADSI can be extended by directory service providers, software developers and administrators by the addition of new objects and functions. This is important if your directory has to meet very special requirements.

  • ADSI offers an OLE Database Interface so that even database programmers can quickly start working productively via this interface.

About the Author

  • Stephanie Knecht-Thurmann

    Stephanie Knecht-Thurmann was born in 1975 in Itzehoe. She graduated in 1994, and went on to study classical philology (Latin and Ancient Greek) and German at the Christian Albrechts University in Kiel. In 2001 she started working for a systems house in Hanover, where she was responsible for the technical documentation of complex IT systems for systems management in heterogeneous architectures. She earned various certifications, such as for Novadigm—RADIA. She also gained experience in the Microsoft Windows environment, especially Windows 2000 Server, Small Business Server, and their successors. Stephanie Knecht-Thurmann started on her own with Knecht Consult in 2002 in Barsinghausen. Since then she has been advising companies on deployment of Microsoft products in mission-critical areas (consultation for a newspaper publisher in Vancouver, Canada, and Internet-based projects for several companies in Tashkent, Uzbekistan). Apart from this, she has also been active in the publishing field with books in German on these subjects. In 2003 her book Active Directory was published by Addison-Wesley with great success; in 2004 the book Small Business Server 2003 appeared under the same label. Other publications are already in progress.
