New Features in Whistler Server Beta 1


According to Microsoft, the most important and extensive new features of Whistler Server are to come in the Beta 2 or Beta 3 versions of the OS software. Those include:

 

1. Active Directory pruning and grafting tools

2. Internet Information Services 6.0

3. Server extensions for Microsoft Office

 

But many new server features are already included in the Beta 1 version of Whistler, which went out to a limited group of software testers on Oct. 31.

 

Once you’ve had a chance to review the new features, take a minute to let ENT know what’s still missing. Remember, the code isn’t feature complete, so if there’s something you’d like to see in Windows NT 6.0, there’s still time.

New Feature

Description

Deployment

 

Directory

 

Install Replica from Media

Enables faster creation of replica Domain Controllers (DCs) in a pre-existing domain. Instead of replicating a complete copy of the Active Directory databases over the network, this feature allows an administrator to source initial replication from files created when backing up an existing DC or Global Catalog server. The backup files, generated by any Active Directory-aware backup utility, can be transported to the candidate DC using media such as tape, CD, DVD, or file copy over a network.

Global Catalog replication tuning

Global Catalog (GC) replication tuning reduces excessive network traffic and significant delays due to replication and server operation when an administrative action results in an extension of the Partial Attribute Set (PAS). Previously, extending the PAS caused all GCs in the enterprise to reset their synchronization watermarks and initiate a full synchronization cycle for all their read-only replicas. With GC replication tuning, the GC synchronization state is preserved rather than reset, minimizing the work generated as a result of a PAS extension by only transmitting attributes that were added.

Group Membership Replication Improvements

When a forest is advanced to Whistler Forest Native Mode, group membership is changed to store and replicate values for individual members instead of treating the entire membership as a single unit. This results in lower network bandwidth and processor usage during replication and virtually eliminates the possibility of lost updates during simultaneous updates as described above.

Improved Inter-Site Replication Topology Generator

The Inter-Site Topology Generator (ISTG) has been updated to use improved algorithms and will scale to support forests with a greater number of sites than in Windows 2000. Because all Domain Controllers in the forest running the ISTG role must agree on the inter-site replication topology, the new algorithms are not activated until the forest has advanced to Whistler Forest Native Mode.

Active Directory Replication & Trust Monitoring

Allows administrators to monitor whether Domain Controllers are successfully replicating Active Directory information among themselves. Since many Windows 2000 components, such as Active Directory replication, rely on inter-domain trust, this feature also provides a method to monitor that trusts are functioning correctly.

Global Catalog not required for logon

Logon at branch offices no longer requires access to a Global Catalog (GC) server. Instead of contacting a GC each time a user logs on to a domain controller (DC), the DC caches the universal group membership of users who have previously logged on from this site or from off-site GC servers when the network was available. The net result is that users are allowed to log on without the need for the domain controller to contact a global catalog server at logon time, which reduces the demand on slow or unreliable networks and provides the greatest value to companies with many branch offices.

Active Directory Users and Computers Snap-in: Editing Multiple User Objects

Provides the capability to select multiple user objects, and then bring up a set of property sheets that will allow the clearing or setting of object attributes across all the selected objects. Only specific property sheets and attributes will be available for this multi-object editing.

Active Directory Saved Queries

This feature allows queries against the Active Directory to be saved, reopened, refreshed, and e-mailed. Saved query results are exportable in Extensible Markup Language (XML). The query objects and results can be viewed and manipulated from within the Microsoft Management Console (MMC) interface by an administrator.

DCPromo Supporting DrDNS Functionality

DrDNS (pronounced “Doctor DNS”) is a new tool intended to simplify debugging of the Domain Name System (DNS). It provides diagnostics of the DNS configuration and an explanation of the modifications required prior to promoting a new Domain Controller (DC) or joining a computer to an Active Directory domain. It also finds what caused the failure to discover the existing DC during an attempt to join or promote a new DC in a new or existing forest, and finds what caused a failure of the DC Locator DNS resource records registration.

Security

 

Credential Manager

The Credential Manager feature provides a secure store of user credentials, including passwords and X.509 certificates. This will provide a consistent single sign-on experience for users, including roaming users. For example, when a user accesses a line-of-business application within their company’s network, the first attempt to access this application requires authentication and the user is prompted to supply a credential. After the user provides this credential, it will be associated with the requesting application. On future access to this application, the saved credential will be re-used without prompting the user.

Cross Certification Enhancements

This feature enhances the Windows 2000 client cross certification feature by enabling the capability for department level and global level cross certifications. For example, WinLogon will now be able to query for cross certificates and download these into the “enterprise trust/enterprise store.” As a chain is built, all cross certificates will be downloaded.

Security Improvements for Local Area Networks

Support for both wired and wireless LANs based on the IEEE 802.11 specification is enabled by the use of public certificates deployed through auto-enrollment of smart cards. These improvements allow users in public places, such as malls or airports, to log onto the Internet using either a wireless or wired Ethernet LAN and be assured of secure access within the Extensible Authentication Protocol (EAP) operating environment.

Access Control List UI Improvements

This feature improves the usability of the access control list (ACL) user interface (security properties page) with the following features:

* Identifies name of the parent object from which a permissions entry was inherited.

* Makes messages easier to understand throughout, especially for inheritance-related features.

* Adjusts button tags and placement to reflect Microsoft UI standards.

* Adjusts display elements to improve showing which settings apply to the whole object and which apply only to one user or group in the list.

* Includes the principal name in the “Permissions for” message to reduce ambiguity for the permissions list display box.

Internet Protocol Security Monitoring Improvements

This feature improves Internet Protocol Security (IPSec) monitoring capabilities. It does this through a Policy Agent Store (PAStore), which is a client entity of the Security Policy Database (SPD) that runs in the same process as the SPD and is responsible for adding, updating, and manipulating the IPSec security information in the SPD, based on the IPSec policy applied to the machine.

An IPSec policy consists of a set of main mode policies, a set of quick mode policies, a set of main mode filters that are associated with the set of main mode policies, and a set of quick mode filters (both transport and tunnel mode) that are associated with the set of quick mode policies.

The IPSec policy applied to the computer can come from the directory storage if the machine is part of a domain, or it can come from the local storage if the computer is not part of any domain.

Networking & Communications

 

Domain Name System Client by Group Policy

The introduction of a group policy to configure DNS clients allows administrators to centralize configuration of DNS clients and will drastically simplify their configuration on Microsoft Active Directory domain members. It supports configuration of parameters such as enabling and disabling dynamic registration of DNS records by clients, devolution of the primary DNS suffix in a name resolution process, and DNS suffix search lists.

Network and Dial-up Connection Group Policy

Administrators applying Group Policy can specify, for particular users, which components of Whistler networking functionality and user interface will be made available. This helps ensure a better experience for users and reduces support requests. Users out in the field have more flexibility in making network connections, while at the same time they can be prohibited from changing settings that may complicate their experience.

RADIUS Proxy

Allows the Internet Authentication Service (IAS) to forward RADIUS authentication and accounting requests to another RADIUS server. This functionality includes:

* Flexible rule-based forwarding.

* Load balancing and failover between multiple IAS/RADIUS servers, and load balancing of RADIUS-EAP requests.

* Ability to force the client into a compulsory tunnel with or without user authentication.

* Selective forwarding of authentication and accounting requests to different RADIUS servers.

RADIUS Server

The Internet Authentication Service (IAS) is a RADIUS server that enables management of user authentication, authorization, and accounting for users connecting through dial-up, Virtual Private Network (VPN), firewalls and other connectivity technologies. In Whistler, it has been enhanced to allow authentication and authorization of users and computers connecting to Wireless and Ethernet LANs (IEEE 802.1X).

DHCP Backup and Restore

DHCP Backup and Restore eases the process of backing up and restoring the DHCP database for administrators by providing a DHCP snap-in to the Microsoft Management Console (MMC) that exposes two new menu items at the server: Backup and Restore. When an administrator chooses either of these menu items, a browser window appears to offer the selection of an existing or new backup location. The DHCP server must be a post-Windows 2000 server in order for this snap-in to be enabled.

File System & Storage

 

Snapshots

A snapshot of a storage volume is a point-in-time copy of the original entity. The snapshot is typically used by a backup application so that it can back up files that are made to appear static, even though they are really changing. With Whistler, the following snapshot components are being implemented:

* API that uses COM infrastructure for much of its registration and configuration needs.

* COM-based “coordinator” service that drives messages between parties involved in the snapshot process and also performs discovery of applications and snapshot providers.

* Storage filter driver that implements volume-based snapshots using a copy-on-write design.

* Interfaces to support ISV/IHV plug-ins of other snapshots.

* Interfaces for applications and stores to ensure these snapshots are of consistent state.

Backup Snapshot Integration

This feature adds improvements to the backup/restore accuracy, repeatability and reliability. Improvements include:

* Snapshot – captures an apparent image of a file.

* Even if an application or service does not opt to implement a snapshot writer, the data will be backed up.

* A snapshot occurs for volumes at a point in time, which eliminates issues caused by system change during a lengthy backup process.

Snapshot aware services notify the system at restore time in order to facilitate recovery steps following a restore of data.

Automated System Recovery (ASR)

The Automated System Recovery (ASR) feature provides the ability to save and restore applications. This feature also provides the Plug and Play mechanism required by ASR to back up and restore Plug and Play portions of the system registry. For instance, an IT administrator finds a server has had a hard disk failure and it has lost all configuration parameters and information. If ASR is applied, a backup of the server’s original data is restored after the hard disk is replaced and recognized.

Migration Tools

 

User State Migration Tool

The User State Migration Tool (USMT) aids deployments of Whistler, as it provides a means for an IT administrator to capture and restore users’ settings, files and documents (that is, the “state”). This helps reduce time for the user after the new operating system is deployed, since users do not have to reconfigure desktop settings for such things as e-mail server, proxy server, desktop color scheme, or desktop wallpaper. USMT is useful for “wipe and load” and computer replacement deployment strategies. The command line tool is driven by INF files that can be customized. The default INF files migrate the majority of the shell settings, Internet and e-mail connectivity settings and common Office file types. Sources for the migration include Windows 95, Windows 98, Windows Millennium Edition, Windows NT 4.0, Windows 2000, and Whistler. Whistler is the only destination for the migration.

Performance & Reliability

 

Performance

 

IIS Capacity Planning Tool

Sometimes poorly written applications use massive amounts of system resources, such as memory and CPU time, during their execution and can stop a server from functioning. Using this tool, system administrators can assess the demand on various parts of the Web server and operating system, and then reallocate resources or plan for the addition of new ones, such as hardware, on an as-needed basis.

Performance Monitor: Select Multiple Instance and Objects

The select multiple objects in PerfMon feature is an enhancement to the visualization/analysis of performance data using the Performance logs and alerts service. Using this feature, users will be able to select multiple log file data sources, specify the time intervals to view, and re-sample the data at different time intervals. For example, an IT administrator can analyze the CPU, memory and disk utilization of a group of servers by selecting the respective performance monitor log files, designating the specific timeframe and then view the reports.

Performance Monitor: Trending Analysis

Trending Analysis is a feature enhancement to the visualization/analysis performance and event tracing data of Performance Monitor. It will include the ability to view data from multiple log file data sources, specify the time intervals to view, and re-sample the data at different time intervals. For example, an IT administrator can analyze the CPU, memory and disk utilization of a group of servers by selecting the respective performance monitor log files, designating the specific timeframe and then view the reports.

Performance Tool Additions

New performance tools include:

* Disk I/O

* Memory management (i.e., working set management, page fault)

* Image load/unload

* Process/Thread activities (i.e., process/thread create, context switching)

* Registry

* Driver delays

* Pool allocations

* Heap allocations

* CPU sample profiling for user and kernel mode and across all processes

Reliability

 

Driver Verifier

Driver Verifier is a tool that can monitor one or more kernel-mode drivers to verify that they are not making illegal function calls or causing system corruption. Driver Verifier performs extensive tests and checks on the target drivers.

Device Driver Rollback Support

Device Driver Rollback Support allows a user to replace a device driver with a previously installed version. This is especially useful in situations where a new device driver is installed and results in system instability. Instead of having to uninstall the new driver and manually reload the previous driver, the user merely restores, or rolls back, the previous device driver and continues using the system.

Enhanced Last Known Good Configuration

When a user updates a driver, a copy of the original “good” files (the previous driver) will be saved in a special sub-directory. If the new driver does not work properly, the user can restore the driver to the previous driver as the last known good driver.

Online Crash Analysis

An administrator who runs into a Blue Screen of Death can optionally have the error automatically reported to Microsoft for analysis. By analyzing the submitted information, the Windows Online Crash Analysis team can categorize each event report by its signature and try to identify the source of the crash. The customer receives automatic notification of the analysis status and any changes made. As a result, the Online Crash Analysis team is able to provide resolutions, workarounds, and general troubleshooting information for users.

Hot Plug PCI Support

Administrators can utilize Hot Plug PCI to replace, add, and remove devices without scheduling system down time. This helps to reduce engineering and support costs, as fewer issues would result from the changing out of hardware or recovery from down time. System hardware that supports the ACPI 1.0b specification can take advantage of this feature.

IIS Application Recycling

This feature supports the reliability and health of a server by enabling administrators to refresh their applications so as to prevent possible resource leaks that could lead to server lockups. Specifically, it enables administrators to isolate their application Internet Server Application Programming Interface (ISAPI) extensions from the server by using COM+ Object-Oriented Programming (OOP). These applications often see their performance degrade over time due to poor algorithms, memory leaks, etc. To address these issues, IIS Application Recycling enables process rotation by periodically refreshing an application to release resources. This works on both pooled and isolated out-of-process applications.

Manageability

 

Configure Your Server

At the conclusion of the Windows set-up process, the Configure Your Server wizard launches to assist administrators or basic users with the installation of optional components they selected during the initial system setup. Specific areas where this wizard provides help include the following:

* Set up the first server on a network by automatically configuring DHCP, DNS and Active Directory using default settings.

* Help users configure member servers on a network, pointing to the features they need to set up a file server, print server, Web and media server, application server, Remote Access Services (RAS) and routing, or Internet Protocol (IP) address management server.

* Assist in getting started with the Cluster Service for users who have the Advanced Server installed.

Terminal Services Enhancements

Terminal Services administration mode is now available in all versions of Whistler, except the consumer edition. Enhancements:

* Redirection extends Plug and Play capability to remote printing devices that are physically attached to a Terminal Server client computer.

* Automatic Detection/Installation of Windows Plug and Play Client Printers – which automatically installs a printer with the help of the Plug and Play subsystem on the server-side operating system.

* Ability of systems running Terminal Server to go into standby power states.

* Server load management – uses WMI to provide metrics to network or hardware load balancing services. These metrics provide information on server availability and load, including server up, server down, and number of additional sessions the server can support. The load balancer or router can then use this data to better control server use.

* Session load management provides a Session Directory facility to re-route disconnected users back to their session in progress. The Session Directory is a replaceable COM object.

* Remote Desktop Users group to grant remote access permissions – a built-in group that can be administered via policy. Placing a user or group into Remote Desktop Users gives that user the ability to remotely connect to a computer without requiring local login privileges.

Headless Remote Installation Services (RIS)

Headless RIS provides administrators with RIS support for server installations, more control over answer file processing during a RIS install, and access to network files from the recovery console. This feature is useful in the following three scenarios:

* An IT administrator who wants to wipe a server clean and re-install software. Using RIS to install the server software version makes this simple on a headless computer.

* An IT administrator wants to have slightly different answer files for installation on different machines while still installing the same software version.

* An IT administrator wants to transfer files between servers on a network from the recovery console. Network access removes the former restriction to have physical access to a machine to replace files. It also makes the recovery console more useful with headless servers.

Headless Server

Headless server support provides the ability to install and manage a computer without a VGA display, keyboard or mouse. Support for management controllers and management ports allows servers to be managed even during system start or when the system has crashed.

Emergency Management Service (EMS) Headless Support

EMS is the first headless implementation in Whistler. A dependency on local console hardware and the ability to run Attended in Text Mode Setup with Unattended GUI Mode Setup is removed. All communication with the remote headless server is via text mode.

Resultant Set of Policy (RSoP) Wizard and User Interface

Designed as an addition to Group Policy, RSoP addresses issues created when a policy is applied on multiple levels (i.e. site, domain, domain controller, and organizational unit): the result can be unexpected, and if an unintended policy has been set, it can be difficult to track down and change. This tool can be used to track existing policy and also to locate that policy in the hierarchy, easing troubleshooting and repair.

The RSoP wizard (an MMC snap-in) has two modes:

* Planning – designed to let admins run “What If” scenarios on users with test group policies without actually implementing them.

* Logging – for reviewing existing policy, RIS applications, and security.

Enterprise Group Policy Objects (GPO)

Extends the capabilities of Group Policy beyond including sites, domains and organizational units within a particular scope. Administrators can now apply a Group Policy to an entire organizational unit; in addition, they can select listed domains and show the Group Policy tab on the Properties page.

Group Policy WMI Filtering

An addition to the Group Policy infrastructure, which allows administrators to specify a WMI-based query to filter the effect of a Group Policy Object. This is implemented as a new tab on the GPO Properties page and includes support to allow the Resultant Set of Policies to display existing WMI filters as well as specify alternate WMI filters for planning purposes.

Additional WMI Providers

New WMI Providers, allowing for configuration and control of the following component areas:

* Account info

* Check disk

* Cooked performance counters

* ICMP

* Job Objects

* PnP events

* Quotas

* Session Status

Windows Update Components

Enables automatic updates of Windows to be installed for multiple concurrent users in multiple sessions, whereas before this was only possible for a single user and a single user session. This feature is used for the delivery of critical operating system updates, such as security fixes, patches, etc. Updates are downloaded to the user’s computer in the background. Includes: automatic detection of updates, downloads, installation, security, and user collision resolution.

Source: Microsoft Corp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
