Active Directory Application Mode: Introduction And Usage Scenarios.


Slide 1: Active Directory Application Mode: Introduction And Usage Scenarios

Slide 2: Agenda
- Need for ADAM
- Usage scenarios
- Architecture
- Tech drilldown
- Summary

Slide 3: Active Directory, Circa 1997
- "Enterprise directory" + "NOS directory"
  - Repository of consolidated information
  - Centralized management, provisioning
  - Single-sign-on
  - Data re-used by many applications
[Diagram: Active Directory at the centre, serving a portal application, whitepages/GAL, a generic app using single-sign-on, and an HR/ERP application doing automated provisioning, all over LDAP/Kerberos; centralized management and policy-based admin with single-sign-on for Windows-based resources]

Slide 4: Where We Are Today
- Directories deployed per-app; little re-use
- Provisioning, sync are ad-hoc
[Diagram: Active Directory provides policy and SSO for Windows over LDAP; the portal application, whitepages, generic LDAP-based app and HR/ERP app each use their own store (iPlanet, eDirectory, database), Outlook/Exchange uses MAPI; provisioning is a generic dump or non-existent, synchronization is ad hoc, and centralized management is absent]

Slide 5: The Solution
- Integrated product suite for full range of usage scenarios
[Diagram: MIIS 2003 metadirectory provides centralized identity management and sync between the infrastructure directory (Active Directory), application directories (ADAM), a UDDI web service DS, a third-party DS, a database and the HR/ERP app; DS-enabled apps access their own ADAM app DS]

Slide 6: Agenda
- Need for ADAM
- Usage scenarios
  1. App-specific local directory (DEMO)
  2. Developer prototyping DS-enabled app
  3. Supporting legacy applications
- Architecture
- Tech drilldown
- Summary

Slide 7: ADAM Usage Scenarios – 1. App-specific local directory
- Example: Web portal with personalization
  - Store personalization info in ADAM
  - Use AD for authentication
[Diagram: client talks to the web portal server; the portal stores and retrieves data in ADAM and authenticates users against the infrastructure Active Directory]

Slide 8: Demo
- Install ADAM
- Extend schema
- Import data
- Take well-behaved LDAP app and retarget to ADAM
- Retrieve data imported
- Easy to install, configure and use

Slide 9: ADAM Usage Scenarios – App-specific local directory – factoring identity
- Store app data without extending infrastructure directory
- App data keyed off identifier from infra directory
[Diagram: client talks to the web portal server; the portal stores and retrieves data in AD/AM, which holds a "shadow" object with data specific to the portal app, while the user object in the infrastructure directory holds data shared by multiple apps]

Slide 10: ADAM Usage Scenarios – App-specific local directory – arbitrary catalog
- MIIS 2003 optional, for provisioning
  - Provision objects in ADAM as objects are added to or removed from infrastructure AD
  - Publish select data from ADAM objects into infrastructure AD
  - Create aggregate view of object in AD/AM
- Abstract infrastructure environment (domains, forests) from developer
[Diagram: client talks to the web portal server; the portal stores and retrieves data in AD/AM; MIIS 2003 (optional) synchronizes between AD/AM and the infrastructure directory]

Slide 11: ADAM Usage Scenarios – App-specific local directory – domain independent
- Can be used before infrastructure AD deployed
  - Just need Windows® security infrastructure
  - Can be NT 4.0 domains, or local security database on a workgroup machine
- Peace of mind for app developer
  - App deployment not blocked
[Diagram: client authenticates to the web portal server; the portal talks LDAP to ADAM; authentication is backed by Windows NT 4.0 domains (MUD and RD boxes)]

Slide 12: ADAM Usage Scenarios – Developer Prototyping (DS-enabled app)
- Very low barrier to entry
  - Install ADAM on Windows XP®
  - No server or domain controller required
  - No OS reinstall required to wipe schema
  - Multiple instances means easy to follow different design paths while prototyping
- When done experimenting, app easily ported to Active Directory™
  - Port to domain partition/global catalog
  - Port to application partition (WS2003)
  - … or just leave it as an ADAM app

Slide 13: ADAM Usage Scenarios – Supporting legacy applications
- MIIS 2003 can transform data into the representation expected by legacy app
- Examples
  - O=, C= naming
  - Specific OU structure expected by app
[Diagram: MIIS 2003 transforms data between the infrastructure Active Directory and ADAM; the legacy LDAP app stores and retrieves data in ADAM and authenticates (AuthN) against Active Directory]

Slide 14: What ADAM Is Not
- Not usable by Exchange 2000
  - Exchange requires security principals
  - Exchange requires MAPI protocol support
  - Factoring application data and infrastructure data is part of the philosophy for the next generation
- Not a Windows logon server
  - Not a KDC (although it can Kerberos-authenticate if you pass the credentials of an AD-based user)
- AD/AM does not diminish the need for NOS Active Directory!

Slide 15: When To Use ADAM
- Database versus Directory
  - Highly volatile, transactional data -> Database
  - Store once and retrieve many times -> Directory
- AD versus ADAM
  - AD – for identity management, security-enabled apps (Exchange)
- AD app partitions versus ADAM
  - Globally interesting data versus local data
  - Central management versus autonomy
- App forest versus ADAM
  - Users need network presence, constrained delegation – App forest
  - Simple authentication support – ADAM

Slide 16: Agenda
- Need for ADAM
- Usage scenarios
- Architecture
  - Components
  - Capabilities
  - Platforms support
- Tech drilldown
- Summary

Slide 17: Architecture
- Same code as Active Directory in WS2003 – just a new mode
- Programming model, admin tools virtually identical to infrastructure AD – familiarity means skill sets easily transferable
[Diagram: Infrastructure Active Directory – LSASS hosting DSA, LDAP, SAM, MAPI, REPL and KDC, with Lanman, DNS and FRS dependencies. Active Directory in Application Mode – ADAM hosting DSA, LDAP and REPL only (traditional AD minus infrastructure management)]

Slide 18: Just A New Mode!
- Same programming model as AD
- Replication and administration model similar to AD
- Same store as in AD – same storage management too
  - DIT file and log file layout is the same
- Same as WS2003 AD in every other way except
  - No locator via DNS SRV records – instead uses Service Connection Points
  - No MAPI protocol support

Slide 19: New Capabilities
- Simple install and setup
  - No DCPROMO
  - Wizard with defaults, just "Next" through
  - Does not turn machine into DC
- Restart or reinstall without reboot
- Multiple instances on single machine
- Each instance with own schema
- X.500-style O=, C= naming

Slide 20: Platforms Support
- Windows Server 2003
  - Standard, Enterprise and Datacenter
- Windows XP
  - Professional
- 32-bit and 64-bit support

Slide 21: Agenda
- Need for ADAM
- Usage scenarios
- Architecture
- Tech drilldown
  - New concepts
  - Default configuration
  - Security
  - Replication
  - Administration experience
- Summary

Slide 22: New Concepts
- Instance
  - Identified by name and ports
  - Name ties the files, service, registry and ports together
  - Ports: configurable LDAP and SSL port
  - Event log: one per instance for application data; uses the shared security log for security logging
- Configuration set
  - Collection of instances that replicate with one another – they share Configuration and Schema partitions

Slide 23: Default Configuration – Schema, partitions and rootDSE
- Fully extensible schema
  - Default schema much smaller (~30 objects and <200 attributes)
  - Ships LDIF files to extend schema for RFC compliance, e.g., InetOrgPerson support
  - Auxiliary classes, schema activation and deactivation same as AD
- Configuration and Schema partitions only
  - App partitions created via setup or later
  - Any object class and naming scheme
- rootDSE changes
  - Domain attributes pruned, tokenGroups added
- supportedCapabilities
  - New OID for ADAM: 1.2.840.113556.1.4.1851

Slide 24: Security – Authentication
- Windows security principals
  - SASL binds; simple binds through proxy
  - Authentication: get token on bind from Windows, augmented with the ADAM groups the Windows principal (SID) is a member of, in all NCs
- ADAM security principals
  - Users and groups
  - Built-in groups (administrators, readers, users)
  - Scope limited to application partition
  - ADAM users: any class, have SID, Simple Bind only, account and password policy
- Windows principal needed to be admin in config container

Slide 25: Security – Bind proxy to Windows principals
- Scenario benefits from consolidation of identities – only the Windows identity is used; the ADAM DN is just a manifestation of the Windows identity
[Diagram: client passes a flat string (1) to the web portal server; the portal gets the DN (2), binds as that DN with the password against AD/AM (3), and accesses object data (4); AD/AM redirects the bind call to the infrastructure directory]

Slide 26: Security – Bind proxy to Windows principals
- Proxy object in ADAM
  - Local manifestation of Windows object
  - Augmented with app-specific local data
- Redirect bind calls to Windows
  - Single password experience by consolidating identity in AD – password not stored in ADAM
  - Decommissioning is automatic
- No changes needed to the app
- Abstract infrastructure environment from developer (domains, forests)
- Works with any trusted domains and forests
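As an added illustration of the bind-proxy scenario on the two slides above (not from the presentation), the LDIF below creates a proxy object in an ADAM application partition. It assumes the userProxy class has already been imported from the MS-UserProxy.LDF file that ships with ADAM; the port, partition name, OU, user and SID are constructed placeholders.

```ldif
# Assumed prerequisite, run once per configuration set (ADAM's documented
# ldifde pattern; port 50000 is a constructed example value):
#   ldifde -i -f MS-UserProxy.LDF -s localhost:50000 -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext

# Proxy object: the ADAM-side manifestation of one Windows user.
# objectSid carries the Windows principal's SID. No password attribute is
# set: a simple bind to this DN is redirected to Windows for verification,
# so ADAM never stores the credential (slide 26).
dn: CN=jdoe,OU=PortalUsers,O=Portal,C=US
changetype: add
objectClass: userProxy
objectSid: S-1-5-21-<constructed-domain-id>-1104
# App-specific local data kept on the same object (the personalization
# example from slide 7); "description" is a standard ADAM attribute.
description: portal personalization profile for jdoe
```

Because a simple bind carries the password in the clear, the portal should bind to the instance's SSL port (slide 22), and ADAM by default requires an SSL connection for proxy binds.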

Slide 27: Security – Authorization
- Default ACLs made simple
- Authorization for ADAM objects same as AD
  - ACLs have SIDs from ADAM or Windows
  - Tokens matched against ACLs to grant or deny access
- Applications can implement their own authorization scheme, same as with AD

Slide 28: Replication
- Multi-master replication
  - Same as AD
  - Fully functional, updateable replicas
- Concept of sites, KCC same as AD
- Schedules can be set independent of other instances
  - Set replication schedules in ADSIEdit
  - Repadmin tool available
- Replicas can host any subset of application partitions
- Can replicate between instances regardless of domain/workgroup or trusts

Slide 29: Administration Experience – Tools
- Administration model similar to AD – familiar tools to do familiar tasks
- GUI tools
  - LDP
  - ADSIEdit – new functionality to manage replication schedules
  - Schema Manager snap-in
- Command-line tools – Ntdsutil, LDIFDE, Dcdiag, Dsacls, Repadmin equivalents
- Backup and restore through ntbackup
  - Snapshot-writer-based backups
  - System state backup not needed – store only
  - Authoritative restore, create replica from media available

Slide 30: Administration Experience – Centralized management
- Easy to set up and manage "ADAM farms" centrally, much like SQL Server
  - Installation, configuration geared for this
  - Server consolidation: multiple instances and multiple partitions support
- Control services centrally through SMS
- Controlled deployment
  - ADAM registers SCP in AD (optional)
  - DNS for load balancing with referrals
  - Group policy controlled: service accounts, bind options can be controlled

Slide 31: Agenda
- Need for ADAM
- Usage Scenarios
- Architecture
- Tech Drilldown
- Summary

Slide 32: ADAM As App Directory
- Dedicated store for app data
- Standalone or replicated
- Independent of domain setup
- Local control and autonomy
- Schema and naming flexibility
- Everyone can have many!

Slide 33: Benefits Summary
- Ease of deployment
  - Install, reinstall, remove
  - .NET Server and XP Pro platforms
- Reduced infrastructure costs
  - Single directory technology
  - Same admin model
- Increased security
  - Integration with Windows principals
- Increased flexibility
  - Install anywhere without affecting AD
- Reliability and scalability
  - Same as AD

Slide 34: © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
