IT tutorials
 
Applications Server
 

Installing Active Directory Domain Services (part 1) - Active Directory, Identity and Access

9/30/2011 6:06:00 PM
- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
Active Directory Domain Services (AD DS) provides the functionality of an identity and access (IDA) solution for enterprise networks. In this lesson, you learn about AD DS and other Active Directory roles supported by Windows Server 2008. You also explore Server Manager, the tool with which you can configure server roles, and the improved Active Directory Domain Services Installation Wizard. This lesson also reviews key concepts of IDA and Active Directory.

1. Active Directory, Identity and Access

Identity and access (IDA) infrastructure refers to the tools and core technologies used to integrate people, processes, and technology in an organization. An effective IDA infrastructure ensures that the right people have access to the right resources at the right time.

As previously mentioned, Active Directory provides the IDA solution for enterprise networks running Windows. AD DS is the core component of an Active Directory IDA infrastructure. AD DS collects and stores enterprise-wide IDA information in a database called the Active Directory data store. The data store contains all pertinent information on all objects that exist within the Active Directory infrastructure. In addition, AD DS acts as a communication and information hub for additional Active Directory services which, together, form a complete IDA infrastructure.

Active Directory stores information about users, groups, computers, and other identities. An identity is, in the broadest sense, a representation of an object that will perform actions on the enterprise network. For example, a user will open documents from a shared folder on a server. The document will be secured with permissions on an access control list (ACL). Access to the document is managed by the security subsystem of the server, which compares the identity of the user to the identities on the ACL to determine whether the user’s request for access will be granted or denied.

Computers, groups, services, and other objects also perform actions on the network, and they must be represented by identities. Among the information stored about an identity are properties that uniquely identify the object, such as a user name or a security identifier (SID), and the password for the identity. The identity store is, therefore, one component of an IDA infrastructure. The Active Directory data store, also known as the directory, is an identity store. The directory itself is hosted within a database that is stored on and managed by a domain controller—a server performing the AD DS role. If multiple domain controllers exist within an Active Directory infrastructure, they work together to maintain a copy of the data store on each domain controller. The information within this store allows Active Directory to perform the three main functions of an IDA infrastructure: authentication, access control, and auditing.

  • Authentication A user, computer, or other object must first verify its identity to the Active Directory infrastructure before being granted the ability to function as part of the Active Directory domain. This process of verification is typically through an exchange of protected or secret information such as a password or a digital certificate. After the authentication information has been submitted to the Active Directory and verified as valid, the user may proceed as a member of the domain and perform actions such as requesting access to shared files, submitting a print job to a printer, accessing and reading email, or any number of other actions within the domain.

    Kerberos Authentication in an Active Directory Domain

    In an Active Directory domain, the Kerberos protocol is used to authenticate identities. When a user or computer logs on to the domain, Kerberos authenticates its credentials and issues a package of information called a ticket granting ticket (TGT). Before the user performs a task such as connecting to a server to request a document, a Kerberos request is sent to a domain controller along with the TGT that identifies the authenticated user. The domain controller issues the user another package of information called a service ticket that identifies the authenticated user to the server. The user presents the service ticket to the server, which accepts the service ticket as proof that the user has been authenticated.

    These Kerberos transactions result in a single network logon. After the user or computer has initially logged on and has been granted a TGT, the user is authenticated within the entire domain and can be granted service tickets that identify the user to any service. All of this ticket activity is managed by the Kerberos clients and services built into Windows and remains transparent to the user.


  • Access control The IDA infrastructure is responsible for protecting information and resources by ensuring that access to resources is granted to only the identities that should have access. Access to important resources and confidential information must be managed according to the enterprise policies. Every single object (such as computers, folders, files, and printers) within Active Directory has an associated discretionary access control list (DACL). This list contains information regarding the identities that have been granted access to the object and the level of access granted. When a user whose identity has already been authenticated on the domain tries to access a resource, the resource’s DACL is checked to determine whether the user’s identity is on the list. If the identity exists on the list, the user is allowed to access the resource as specified by the access permissions on the DACL listed for that user.

  • Auditing Monitoring activities that occur within the IDA infrastructure is referred to as auditing. Auditing allows organizations to monitor events occurring within the IDA infrastructure, including the access of files and folders, where and when users are logging on, changes made to the IDA infrastructure, and general functionality of Active Directory itself. Auditing behavior is controlled by system access control lists (SACLs). Like the previously mentioned DACL, every object within the IDA infrastructure has an SACL attached to it. The SACL contains a list of identities whose activity on that resource will be audited, as well as the level of auditing that will occur for each identity.

AD DS is not the only component of IDA supported by Windows Server 2008. With the release of Windows Server 2008, Microsoft consolidated several previously separate components into an integrated IDA platform. Active Directory itself now includes five technologies, each of which is identified with a keyword that indicates the purpose of the technology, as shown in Figure 1.

Figure 1. Integration of the five Active Directory technologies


These five technologies comprise a complete IDA solution:

  • Active Directory Domain Services (Identity) AD DS, as described earlier, is designed to provide a central repository for identity management within an organization. AD DS provides authentication, authorization, and auditing services on a network and supports object management through Group Policy. AD DS also provides information management and sharing services, enabling users to find any component—file servers, printers, groups, and other users—by searching the directory. Because of this, AD DS is often referred to as a network operating system directory service. AD DS is the primary Active Directory technology and should be deployed in every network that runs Windows Server 2008 operating systems.


    Note:

    MORE INFO AD DS DESIGN

    For more details on planning the implementation of AD DS and information regarding AD DS design, see the AD DS Design Guide at http://technet.microsoft.com/en-us/library/cc754678(WS.10).aspx.


  • Active Directory Lightweight Directory Services (Applications) Essentially a stand-alone version of Active Directory, the Active Directory Lightweight Directory Services (AD LDS) role, formerly known as Active Directory Application Mode (ADAM), provides support for directory-enabled applications. AD LDS is really a subset of AD DS because both are based on the same core code. The AD LDS directory stores and replicates only application-related information. It is commonly used by applications that require a directory store but do not require the information to be replicated as widely as to all domain controllers. AD LDS also enables you to deploy a custom schema to support an application without modifying the schema of AD DS. The AD LDS role is truly lightweight and supports multiple data stores on a single system, so each application can be deployed with its own directory, schema, assigned Lightweight Directory Access Protocol (LDAP) and SSL ports, and application event log. AD LDS does not rely on AD DS, so it can be used in a stand-alone or workgroup environment. However, in domain environments, AD LDS can use AD DS for the authentication of Windows security principals (users, groups, and computers). AD LDS can also be used to provide authentication services in exposed networks such as extranets.

  • Active Directory Certificate Services (Trust) Organizations can use Active Directory Certificate Services (AD CS) to set up a certificate authority (CA) for issuing digital certificates as part of a public key infrastructure (PKI) that binds the identity of a person, device, or service to a corresponding private key. Certificates can be used to authenticate users and computers, provide web-based authentication, support smart card authentication, and support applications, including secure wireless networks, virtual private networks (VPNs), Internet Protocol security (IPSec), Encrypting File System (EFS), digital signatures, and more. AD CS provides an efficient and secure way to issue and manage certificates. You can use AD CS to provide these services to external communities. If you do so, AD CS should be linked with an external, renowned CA that will prove to others you are who you say you are. AD CS is designed to create trust in an untrustworthy world; as such, it must rely on proven processes to certify that each person or computer that obtains a certificate has been thoroughly verified and approved. In internal networks, AD CS can integrate with AD DS to provision users and computers automatically with certificates.

  • Active Directory Rights Management Services (Integrity) Although a server running Windows can prevent or allow access to a document based on the document’s DACL, there have been few ways to control what happens to the document and its content after a user has opened it. Active Directory Rights Management Services (AD RMS) is an information-protection technology that enables you to implement persistent usage policy templates that define allowed and disallowed use whether online or offline, inside or outside the firewall. For example, you could configure a template that allows users to read a document but not print or copy its contents. By doing so, you can ensure the integrity of the data you generate, protect intellectual property, and control who can do what with the documents your organization produces. AD RMS requires an Active Directory domain with domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or later; IIS, a database server such as Microsoft SQL Server 2008; the AD RMS client (which can be downloaded from the Microsoft Download Center and is included by default in Windows Vista, Windows 7, and Windows Server 2008); and an RMS-enabled browser or application such as Microsoft Internet Explorer, Microsoft Office, Microsoft Word, Microsoft Outlook, or Microsoft PowerPoint. AD RMS can rely on AD CS to embed certificates within documents as well as in AD DS to manage access rights.

  • Active Directory Federation Services (Partnership) Active Directory Federation Services (AD FS) enables an organization to extend IDA across multiple platforms, including both Windows and non-Windows environments, and to project identity and access rights across security boundaries to trusted partners. In a federated environment, each organization maintains and manages its own identities, but each organization can also securely project and accept identities from other organizations. Users are authenticated in one network but can access resources in another—a process known as single sign-on (SSO). AD FS supports partnerships because it allows different organizations to share access to extranet applications while relying on their own internal AD DS structures to provide the actual authentication process. To do so, AD FS extends your internal AD DS structure to the external world through common Transmission Control Protocol/Internet Protocol (TCP/IP) ports such as 80 (HTTP) and 443 (Secure HTTP, or HTTPS). It normally resides in the perimeter network. AD FS can rely on AD CS to create trusted servers and on AD RMS to provide external protection for intellectual property.

Together, the Active Directory roles provide an integrated IDA solution. AD DS or AD LDS provides foundational directory services in both domain and stand-alone implementations. AD CS provides trusted credentials in the form of PKI digital certificates. AD RMS protects the integrity of information contained in documents. And AD FS supports partnerships by eliminating the need for federated environments to create multiple, separate identities for a single security principal.

2. Beyond Identity and Access

Active Directory delivers more than just an IDA solution, however. It also provides the mechanisms to support, manage, and configure resources in distributed network environments.

A set of rules, the schema, defines the classes of objects and attributes that can be contained in the directory. The fact that Active Directory has user objects that include a user name and password, for example, is because the schema defines the user object class, the two attributes, and the association between the object class and attributes.

Policy-based administration eases the management burden of even the largest, most complex networks by providing a single point at which to configure settings that are then deployed to multiple systems.

Replication services distribute directory data across a network. This includes both the data store itself as well as data required to implement policies and configuration, including logon scripts. There is even a separate partition of the data store named configuration that maintains information about network configuration, topology, and services.

Several components and technologies enable you to query Active Directory and locate objects in the data store. A partition of the data store called the global catalogpartial attribute set) contains information about every object in the directory. It is a type of index that can be used to locate objects in the directory. Programmatic interfaces such as Active Directory Services Interface (ADSI) and protocols such as LDAP can be used to read and manipulate the data store. (also known as the

The Active Directory data store can also be used to support applications and services not directly related to AD DS. Within the database, application partitions can store data to support applications that require replicated data. The domain name system (DNS) service on a server running Windows Server 2008 can store its information in a database called an Active Directory integrated zone, which is maintained as an application partition in AD DS and replicated using Active Directory replication services.

 
Others
 
- Microsoft Dynamic GP 2010 : Speeding up access to information with SmartList Favorites
- Microsoft Dynamic GP 2010 : Sorting data to get the information you want
- Understanding the Basics of Collaboration in SharePoint 2010 (part 2) - Editing Features in SharePoint 2010
- Understanding the Basics of Collaboration in SharePoint 2010 (part 1) - Using SharePoint Sites and Templates
- BizTalk 2009 : Getting Started with Pipeline Development (part 3) - Configuring Recoverable Interchanges & Using the Default Pipelines
- BizTalk 2009 : Getting Started with Pipeline Development (part 2) - Understanding Interchanges & Overview of Recoverable Interchange Handling
- BizTalk 2009 : Getting Started with Pipeline Development (part 1) - Pipeline Stages & Understanding Pipeline Execution
- Introduction to Exchange Server 2010 : Exchange Server 2010 server roles
- Introduction to Exchange Server 2010 : Exchange Server 2010 and Active Directory
- Introduction to Exchange Server 2010 : What is new in Exchange Server 2010?
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Technology FAQ
- Is possible to just to use a wireless router to extend wireless access to wireless access points?
- Ruby - Insert Struct to MySql
- how to find my Symantec pcAnywhere serial number
- About direct X / Open GL issue
- How to determine eclipse version?
- What SAN cert Exchange 2010 for UM, OA?
- How do I populate a SQL Express table from Excel file?
- code for express check out with Paypal.
- Problem with Templated User Control
- ShellExecute SW_HIDE
programming4us programming4us