Active Directory Domain Services (AD DS)

Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and other identities. An identity is representation of an entity that will perform actions on a server. A component of the IDA is the identity store that contains properties that uniquely identify the object such as: – User name – Security identifier (SID) – password – The Active Directory (AD) data store is an identity store. – The directory itself is hosted on and managed by a domain controller – a server performing the Activity Directory Domain Services (AD DS) role.

IDA responsibilities Authentication – AD uses Kerberos Authentication Access Control – Maintains an Access Control List (ACL) – Reflects a security policy composed of permissions that specify access levels for particular identities. Audit Trail – Allows monitoring of changes and activities within the IDA infrastructure

IDA Technologies supported by AD Identity Applications Trust Integrity Partnership

Identity Active Directory Domain Services (AC DC) – A central repository for identity management. – Provides authentication and authorization services through Group Policy. – Provides information management and sharing services enabling users to find any component by searching the directory.

Applications Application Directory Lightweight Directory Services (AD LDS) – Essentially a standalone version of AD – Stores and replicates only application related information. – Commonly used by applications that require a directory store but do not require information to be replicated as widely as to all domain controllers. – Allows you to deploy a custom schema to support an application without modifying the AD DS schema. – Formally know as Active Directory Application Mode (ADAM)

Trust Active Directory Certificate Services (AD CS) – Used to set up a certificate authority for issuing digital certificates as part of a public key infrastructure (PKI) that binds the identity of a person, device, or service to a corresponding private key. – If you use AD CS to provide these services to external communities then AD CS should be linked with an external renowned CA.

Integrity Active Directory Rights Management Services (AD RMS) An information-protection technology that enable you to implement persistent usage policy templates that define allowed and unauthorized used – e.g. you could configure a template that allows users to read a document but not to print or copy its contents.

Partnership Active Directory Federation Services (AD FS) – Enables an organization to extend IDA across multiple platforms including both Windows and non-Windows environments. – Projects identity and access rights across security boundaries to trusted partners. – Supports single sign-on (SSO)

Beyond IDA AD delivers more than IDA solutions AD provides the mechanisms to support, manage, and configure resources in a distributed network environment. – Schema – Policy-based administration – Replication services

Schema A set of rules that defines the classes of objects and attributes that can be contained in the directory. – e.g. the fact that AD has user objects that include a user name and password is because the schema defines the user object class that, the two attributes, and the association between the object class and attributes.

Policy-based administration Provides a single point at which to configure settings that are then deployed to multiple systems. Such policies include; – Group policy – Audit policies – Fine-grained password policies

Replication Services Distribute directory data across a network – This includes both the data store itself as well as data required to implement policies and configuration, including logon scripts.

Global Catalog Enables you to query AD and locate objects in the data store. Contains information about every object in the directory. Can be used by programmatic interfaces such as Active Directory Services Interface (ADSI) and Lightweight Directory Access Protocol (LDAP).

Components of an AD Infrastructure Activity Directory data store Domain controller Domain Forest Tree Functional level Organizational unit (OU) Sites

Active Directory Data Store AD DS stores its identities in the directory – a data store on domain controllers The directory is a single file named Ntds.dit that is located in the %SystemRoot%\Ntds folder on a domain controller The database is divided into several partitions, including the schema, configuration, global catalog, and the domain naming context.

Domain Controller (DC) The DCs are servers that perform the AD DC role. The DCs also run the Kerberos Key Distribution Center (KDC) service.

Domain Requires one or more DCs DCs replicate the domain’s partition of the data store so that any DC can authenticate any identity in the domain. Is a scope of administrative policies such as password complexity and account lockout policies.

Forest A collection of one or more AD domains. The first domain installed in a forest is called the forest root domain. A forest contains a single definition of network configuration and a single instance of the directory schema. A forest is a single instance of the directory – no data is replicated by AD outside the boundaries of the forest. A forest defies a security boundary.

Tree The DNS namespace of domains in a forest creates trees within the forest. If a domain is a subdomain of another domain, the two domains are considered a tree. The domains must constitute a contiguous portion of the DNS namespace. Trees are the result of the DNS names chosen for the domains in a forest.

Functional Level The functionality available in an AD domain or forest depends on its functional level. The three domain functional levels are: – Windows 2000 native – Windows Server 2003 – Windows Server 2008 The functional level determines the versions of Windows permitted on domain controllers.

Organization Units (OU) OUs provide a container for objects, and provide a scope with which to manage objects. OUs can have Group Policy Objects (GPOs) linked to them. GPOs can contain configuration settings that will then be applied automatically by users or computers in an OU.

Sites An AD site is an object that represents a portion of the enterprise within which network connectivity is good. A site creates a boundary of replication and service usage. DCs within a site replicate changes within seconds. Changes are replicated between sites on a controlled basis with the assumption that intersite connections are slow, expensive, or unreliable compared to the connections within a site. Clients will prefer to use distributed services provided by servers in their site or in the closest site.