Understanding Active Directory
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft
Course Topics: Understanding Active Directory
01 | Introduction to Active Directory
02 | Active Directory Domain Services (DS)
03 | Active Directory Certificate Services (CS)
04 | Active Directory Federation Services (FS)
05 | Active Directory Rights Management Services (RMS)
06 | Active Directory Lightweight Directory Services (LDS)
Introduction to Active Directory
What is Active Directory?
Active Directory is a collection of services (Server Roles and Features) used to manage identity and access for and to resources on a network.
The overview diagram places Active Directory at the center, providing identity, access, and centralized management through five services:
- Domain Services: internal accounts, authentication, authorization
- Certificate Services: identity, non-repudiation
- Federation Services: network access for external resources
- Rights Management Services: content security and control
- Lightweight Directory Services: application templates
Active Directory Roles
- AD Domain Services (AD DS): users, computers, policies
- AD Certificate Services (AD CS): service, client, server, and user identification
- AD Federation Services (AD FS): resource access across traditional boundaries
- AD Rights Management Services (AD RMS): maintain security of data
- AD Lightweight Directory Services (AD LDS)
The next few slides cover each of these Windows roles, with a summary of what each is and what each does.
What is Active Directory Domain Services (AD DS)?
A directory service is both the directory information source and the service that makes the information available and usable. A phone book is a useful analogy.
The diagram shows what AD DS stores and who uses it:
- Windows user account information: privileges, profiles, policies
- Windows server management: profile, network information, printers, shares
- Windows client management: profile, network information, policies
- Servers: mailbox information, address book
- Network devices: configuration, QoS policy, security policy
- Applications: server configuration, SSO, application-specific directory information
AD DS provides manageability, security, and interoperability.
What does AD DS do?
AD DS provides a scalable, secure, and manageable infrastructure for user and resource management. It:
- stores and manages information about network resources
- provides support for directory-enabled applications such as Microsoft® Exchange Server
- allows for centralized management
What is AD CS?
AD CS is the Microsoft implementation of Public Key Infrastructure (PKI). PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
The diagram shows the flow between end-entities (users or computers) and the CA's repositories: enrollment by certificate signing request, retrieval of the X.509 certificate chain from the certificate repository, revocation requests, and CRL retrieval from the certificate revocation repository.
- End-entity: the end-user consumers of PKI services. This could be a person or a computer.
- Certificate Authority (CA): trusted party responsible for the management of digital certificates. The CA is the center of the PKI trust model. A CA is responsible for issuing signed digital certificates, maintaining a certificate repository, and managing revoked certificates and the public list of those certificates, the certificate revocation list (CRL).
- Certificate Signing Request (CSR): a document generated by an end-entity used to enroll for a certificate. The request contains information about the user such as distinguished name and public key (signature).
- Public digital certificate and certificate path: a digital certificate is the public component in PKI. A public certificate represents the credentials for a given end-entity by connecting an entity to a specific public key. The end-entity represented holds the private key that corresponds to that certificate. Certificates can be used for a number of security measures such as digital signatures to verify the origin and integrity of information, and non-repudiation.
- Certificate Revocation List (CRL): a list of revoked certificates. This list is checked during certificate verification by a certificate holder to verify the revocation status for a given certificate. Online Certificate Status Protocol (OCSP) is a CRL alternative that can be used to retrieve revocation and status information for a certificate as well.
What does AD CS do?
AD CS provides customizable services for issuing and managing digital certificates. By using Server Manager, you can install the following components of AD CS:
- Certification authorities (CAs): issue certificates to users, computers, and services, and manage certificate validity
- CA Web enrollment: allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs)
- Online Responder: sends a signed response containing the requested certificate status information to clients
- Network Device Enrollment Service (NDES): allows network devices to obtain certificates when they don't have domain accounts
- Certificate Enrollment Web Service: allows certificate enrollment by users and computers over SSL, enabling policy-based certificate enrollment for disconnected or non-domain-joined computers and users
- Certificate Enrollment Policy Web Service: delivers certificate enrollment policy information to computers and users to enable the Certificate Enrollment Web Service
What is AD FS?
AD FS is a software component that facilitates cross-organizational access to systems and applications.
The diagram shows an account partner organization (AD DS and an account federation server) joined by a federation trust to a resource partner organization (a resource federation server and a Web server).
What does AD FS do?
The AD FS server role provides simplified, secured identity federation and Web single sign-on (SSO) capabilities. It:
- enables the creation of trust relationships between two organizations
- provides access to applications between organizations
- provides single sign-on (SSO) between two different directories for Web-based applications
AD FS simplifies end-user access to systems and applications by using a claims-based access authorization mechanism to maintain application security. You can deploy AD FS to:
- Provide your employees or customers with seamless access to Web-based resources in any federation partner organization on the Internet without requiring them to log on more than once
- Retain complete control over your employee or customer identities without using other sign-on providers (Windows Live ID, Liberty Alliance, and others)
- Provide your employees or customers with a Web-based SSO experience when they need remote access to internally hosted Web sites or services
- Provide your employees or customers with a Web-based SSO experience when they access cross-organizational Web sites or services from within the firewalls of your network
Identity federation allows separate authentication domains or realms to share resources without having to provide complete access to each of the authentication domains. In the real world everyone has a number of usernames and passwords that they must remember, even within the same organization or within partner organizations. Identity federation allows different authentication domains or realms to provide single sign-on (SSO) services. This can be done without creating a full Active Directory trust between the organizations.
What is AD RMS?
Active Directory Rights Management Services (AD RMS) is an information protection technology that works with applications to safeguard digital information.
The diagram shows the flow between the information author, the RMS server, and the recipient.
What does AD RMS do?
AD RMS:
- allows individuals and administrators to specify access permissions to documents, workbooks, and presentations
- prevents sensitive information from being printed, forwarded, or copied by unauthorized people
- enforces access and usage restrictions no matter where the information is located
A rights-management solution protects information stored in documents, messages, and Web sites from unauthorized viewing, modification, or use. Features typically include:
- Protecting sensitive information from being accessed or shared with unauthorized users by preventing users from forwarding or copying content
- Ensuring that data content is protected and tamper-resistant using encryption and digital signatures
- Controlling when data will expire based on time requirements, even when that information is sent over the Internet to other individuals, ensuring that the most current information is used
What is AD LDS?
AD LDS is a hierarchical file-based directory store. AD LDS is both the directory information source and the service that makes the information available and usable, providing manageability, security, and interoperability.
The diagram is the same one used on the AD DS slide and was left in place intentionally to show the similarities between AD DS and AD LDS: Windows user account information (privileges, profiles, policies), network devices (configuration, QoS policy, security policy), servers (mailbox information, address book), and applications (server configuration, SSO, application-specific directory information).
What does AD LDS do?
AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies and domain-related restrictions of AD DS. It:
- provides directory services for directory-enabled applications without incurring the overhead of domains and forests
- has no requirement for a single schema throughout a forest
Active Directory Lightweight Directory Services (AD LDS) provides an LDAP-compliant directory and associated services. It is used to provide authentication and directory services for custom-written, third-party, and other enterprise applications.
Active Directory Domain Services
(AD DS)
Module Overview
- Overview of AD DS
- AD DS Physical Components
- AD DS Logical Components
Lesson 1: Overview of AD DS
- Protocol
- What is Authentication?
- What is Authorization?
- Why Deploy AD DS?
- Centralized Network Management
- Requirements for Installing AD DS
- Overview of AD DS and DNS
- Overview of AD DS Components
Protocol: Lightweight Directory Access Protocol (LDAP)
- Derived from the X.500 standard
- Based on TCP/IP
- A method for accessing, searching, and modifying a directory service
- A client-server model
What is Authentication?
Module 2: Introduction to Active Directory® Domain Services, Course 6424A
Authentication is the process of verifying a user's identity on a network.
A passport is a good analogy for authentication: it is a means by which a user can verify they are who they say they are. The most common way for users to authenticate is by providing a user name and password. However, some computer systems also support authentication based on smart cards, one-time passwords, or biometric information, such as fingerprint scans.
Authentication includes two components:
- Interactive logon: grants access to the local computer
- Network authentication: grants access to network resources
What is Authorization?
Authorization is the process of verifying that an authenticated user has permission to perform an action.
- Security principals are issued security identifiers (SIDs) when the account is created
- User accounts are issued security tokens during authentication that include the user's SID and all related group SIDs
- Shared resources on a network include access control lists (ACLs) that define who can access the resource
- The security token is compared against the discretionary access control list (DACL) on the resource and access is granted or denied
Some of the types of attributes that might be contained in the security token are user group, ownership, and admin privileges. The security identifier (SID) attribute is unique for each user or security group, and is the primary means by which the security principal is identified when trying to access network resources. Authorization happens frequently and unobtrusively whenever users request services, like opening their home folder, reading or writing files, or requesting access to an AD DS aware application. The user only sees the result of the authorization: they are granted or denied access.
An access control list (ACL) is a list of access control entries (ACEs). Each ACE in an ACL identifies a security principal and the access rights allowed, denied, or audited for that principal. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.
A discretionary access control list (DACL) identifies the security principals that are allowed or denied access to an object. When a person or process tries to access an object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights.
A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified principal that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.
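The DACL and SACL rules above (no DACL means full access, an empty DACL means no access, ACEs checked in order against the SIDs in the token, SACL entries producing audit records on success or failure) as an added Go model. This is example code written for this page, not Microsoft's access-check implementation, and the SIDs, group names and ACLs are constructed.

```go
package main

import "fmt"

// Access rights modelled as bits of a Windows-style access mask.
const (
	Read uint32 = 1 << iota
	Write
)

// ACE kinds: Allow/Deny belong in a DACL, the audit kinds in a SACL.
type AceKind int

const (
	Allow AceKind = iota
	Deny
	AuditSuccess
	AuditFailure
)

// ACE names a security principal by SID, the entry kind, and the bits it covers.
type ACE struct {
	SID  string
	Kind AceKind
	Mask uint32
}

// Token models the security token built at logon: the user's own SID
// followed by the SIDs of every group the user belongs to.
type Token []string

func (t Token) holds(sid string) bool {
	for _, s := range t {
		if s == sid {
			return true
		}
	}
	return false
}

// CheckDACL walks the DACL in order: an applicable Deny ACE covering any
// still-requested bit denies at once; Allow ACEs clear requested bits until
// none are outstanding. A nil DACL means "no DACL" (full access for
// everyone); a non-nil but empty DACL grants nothing.
func CheckDACL(dacl []ACE, tok Token, requested uint32) bool {
	if dacl == nil {
		return true
	}
	remaining := requested
	for _, ace := range dacl {
		if remaining == 0 {
			break
		}
		if !tok.holds(ace.SID) {
			continue
		}
		switch ace.Kind {
		case Deny:
			if ace.Mask&remaining != 0 {
				return false
			}
		case Allow:
			remaining &^= ace.Mask
		}
	}
	return remaining == 0
}

// AuditRecords returns the security-log entries the SACL asks for, given
// whether the attempt was granted.
func AuditRecords(sacl []ACE, tok Token, requested uint32, granted bool) []string {
	var recs []string
	for _, ace := range sacl {
		if !tok.holds(ace.SID) || ace.Mask&requested == 0 {
			continue
		}
		if (granted && ace.Kind == AuditSuccess) || (!granted && ace.Kind == AuditFailure) {
			recs = append(recs, fmt.Sprintf("audit sid=%s mask=%#x granted=%t", ace.SID, requested, granted))
		}
	}
	return recs
}

// Constructed sample SIDs and ACLs (not from any real directory): Domain
// Users are denied Write ahead of the Finance group's Allow, and failed
// write attempts by Domain Users are audited.
const (
	domainUsers = "S-1-5-21-1000-2000-3000-513"
	finance     = "S-1-5-21-1000-2000-3000-1201"
	alice       = "S-1-5-21-1000-2000-3000-1104"
)

var FinanceDACL = []ACE{
	{SID: domainUsers, Kind: Deny, Mask: Write},
	{SID: finance, Kind: Allow, Mask: Read | Write},
}

var FinanceSACL = []ACE{{SID: domainUsers, Kind: AuditFailure, Mask: Write}}

// Alice is a Finance member, so the Deny on Domain Users also applies to her.
var Alice = Token{alice, domainUsers, finance}
```

Because the Deny ACE on Domain Users comes first, Alice is granted Read but refused Read|Write, and the refused write produces one audit record.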
Why Deploy AD DS?
AD DS provides a centralized system for managing users, computers, and other resources on a network. AD DS features include:
- Centralized directory
- Single sign-on access
- Integrated security
- Scalability
- Common management interface
Centralized Network Management
AD DS centralizes network management by providing:
- A single location and set of tools for managing user and group accounts
- A single location for assigning access to shared network resources
- A directory service for AD DS enabled applications
- Options for configuring security policies that apply to all users and computers
- Group policies to manage user desktops and security settings
Requirements for Installing AD DS
- TCP/IP: Configure appropriate TCP/IP and DNS server addresses.
- Credentials: To install a new AD DS forest, you need to be local Administrator on the server. To install an additional domain controller in an existing domain, you need to be a member of the Domain Admins group.
- Domain Name System (DNS) infrastructure: Verify that a DNS infrastructure is in place. When you install AD DS, you can include DNS server installation, if it is needed. When you create a new domain, a DNS delegation is created automatically during the installation process. Creating a DNS delegation requires credentials that have permissions to update the parent DNS zones.
Overview of AD DS and DNS
AD DS requires a DNS infrastructure:
- AD DS domain names must be DNS domain names
- AD DS domain controller records must be registered in DNS to enable other domain controllers and client computers to locate the domain controllers
- DNS zones can be stored in AD DS as Active Directory integrated zones
Component Overview
AD DS is composed of both physical and logical components.
Physical components:
- Data store: stores the AD DS information. This is a file on each domain controller.
- Domain controllers and read-only domain controllers (RODCs): contain a copy of the AD DS database.
- Global catalog servers: host the global catalog, which is a partial, read-only copy of all the domain naming contexts in the forest. A global catalog speeds up searches for objects that might be attached to other domain controllers in the forest.
Logical components:
- Partitions: various partitions exist in AD DS: domain directory, configuration directory, schema directory, global catalog, application directory.
- Schema: defines the list of attributes which all objects in AD DS can have.
- Domains: a logical, administrative boundary for users and computers.
- Domain trees: a collection of domain controllers that share a common root domain.
- Forests: collections of domains that share a common AD DS.
- Sites: collections of users, groups, and computers as defined by their physical locations. Useful in planning administrative tasks such as replication of AD DS.
- Organizational units (OUs): organize the elements found at a given site or domain for the purposes of securing them more selectively.
Lesson 2: Overview of AD DS Physical Components
- Domain Controllers
- Global Catalog Servers
- Data Store
- Replication
- Sites
Domain Controllers
A domain controller is a server with the AD DS server role installed that has specifically been promoted to a domain controller. Domain controllers:
- Host a copy of the AD DS directory store
- Provide authentication and authorization services
- Replicate updates to other domain controllers in the domain and forest
- Allow administrative access to manage user accounts and network resources
Windows Server 2008 and later supports RODCs.
Each domain controller holds a copy of the directory store, and updates can be made to the AD DS data on all domain controllers except for RODCs. Have multiple domain controllers in each domain. This provides load balancing, but more importantly, it also provides recoverability if a server failure occurs. All domain controllers engage in authentication and authorization, thus making it a redundant system with fewer fail-points.
Global Catalog Servers
Global catalog servers are domain controllers that also store a copy of the global catalog. The global catalog:
- Contains a copy of all AD DS objects in a forest that includes only some of the attributes for each object in the forest
- Improves efficiency of object searches by avoiding unnecessary referrals to domain controllers
- Is required for users to log on to a domain
The global catalog partition is like other partitions in AD DS, but unlike other partitions, administrators cannot enter information directly into this partition. The global catalog builds and updates its content based on the value of a schema attribute (isMemberOfPartialAttributeSet), which decides whether that attribute of an AD DS object is replicated to the global catalog. Note that the alternative to having a searchable global catalog would be much more traffic over the entire organization's network.
What is the AD DS Data Store?
The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications. The AD DS data store:
- Consists of the Ntds.dit file
- Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers
- Is accessible only through the domain controller processes and protocols
The NTDS.DIT file is a database with usually 3 or more tables. The names and purposes of the important tables are:
1. datatable: used to store the objects accessible in Active Directory
2. link_table: used to provide references to objects (introduced with Server 2003)
3. sd_table: used to store the security descriptors
The database engine for NTDS.DIT is the Extensible Storage Engine (ESE, or JET Blue), a proprietary Microsoft database engine. This engine is also used in Microsoft Exchange; however, the page sizes differ between the two databases: 8192 bytes in the NTDS.DIT database and 4096 bytes in Exchange. The AD DS database cannot be directly accessed by any applications. All access to the database is managed by the domain controller. 64-bit hardware can provide a significant performance boost for domain controllers because of the increase in addressable memory space.
What is AD DS Replication?
AD DS replication copies all updates of the AD DS database to all other domain controllers in a domain or forest. AD DS replication:
- Ensures that all domain controllers have the same information
- Uses a multimaster replication model
- Can be managed by creating AD DS sites
The AD DS replication topology is created automatically as new domain controllers are added to the domain.
If directory information did not replicate regularly:
- logons would fail at domains other than where the user account was created
- locations and names of domain controllers might not be current, causing services contained on them to become unavailable
Advantages of multi-master replication include:
- the elimination of a single point of failure
- faster replication, as each domain controller can be involved with replicating data
Domain controllers in the same site replicate their data, typically within 15 seconds after a change, completing replication with all members in a properly configured tree in about 45 seconds. When you create multiple sites, you can configure a replication schedule between the sites.
What are Sites?
An AD DS site is used to represent a network segment where all domain controllers are connected by a fast and reliable network connection. Sites are:
- Associated with IP subnets
- Used to manage replication traffic
- Used to manage client logon traffic
- Used by site-aware applications such as Distributed File System (DFS) or Exchange Server
- Used to assign group policy objects to all users and computers in a company location
Sites are often defined after an analysis of network bandwidth capacity. The primary reason for creating sites is to control network traffic across wide area network (WAN) links. By creating sites, you can minimize replication traffic across the WAN link because you can schedule the replication. You also control client logon traffic and provide a better client logon experience because client computers will always connect to a domain controller in their own site first.
Lesson 3: Overview of AD DS Logical Components
- AD DS Schema
- The Basics
- Trusts
- AD DS Objects
- Demo: Installation and Management
What is the AD DS Schema?
The AD DS schema:
- Defines every type of object that can be stored in the directory
- Enforces rules regarding object creation and configuration
Object types:
- Class object: what objects can be created in the directory. Examples: User, Computer
- Attribute object: information that can be attached to an object. Example: Display name
One of the easiest ways to describe the schema is to say that it is a set of rules that define what you can do in AD DS. ADSIEdit and the Schema Management Console are tools you can use to manage the schema. You must register the Schema snap-in by using the regsvr32 schmmgmt.dll command before creating the custom MMC.
The Basics: Domains
Domains are used to group and manage objects in an organization (the diagram shows a single domain, Contoso.com). Domains are:
- An administrative boundary for applying policies to groups of objects
- A replication boundary for replicating data between domain controllers
- An authentication and authorization boundary that provides a way to limit the scope of access to resources
The Basics: Trees
A domain tree is a hierarchy of domains in AD DS (the diagram shows contoso.com with the child domains emea.contoso.com and na.contoso.com). All domains in the tree:
- Share a contiguous namespace with the parent domain
- Can have additional child domains
- By default create a two-way transitive trust with other domains
The Basics: Forests
A forest is a collection of one or more domain trees. Forests:
- Share a common schema
- Share a common configuration partition
- Share a common global catalog to enable searching
- Enable trusts between all domains in the forest
- Share the Enterprise Admins and Schema Admins groups
The Basics: Organizational Units (OUs)
OUs are Active Directory containers that can contain users, groups, computers, and other OUs. OUs are used to:
- Represent your organization hierarchically and logically
- Manage a collection of objects in a consistent way
- Delegate permissions to administer groups of objects
- Apply policies
OUs can be used to create both a hierarchical and logical representation of a company. OUs can also be used to delegate certain administrative rights. For example, a junior network administrator may be given permission to administer user accounts in an OU that contains all accounts for a branch office location.
Trusts
Trusts provide a mechanism for users to gain access to resources in another domain.
- Directional: the trust direction flows from the trusting domain to the trusted domain
- Transitive: the trust relationship is extended beyond a two-domain trust to include other trusted domains
All domains in a forest trust all other domains in the forest, and trusts can extend outside the forest. The diagram labels the trust relationship (TRUST) and the access it enables (Access, Trust & Access).
The trusted domain is the domain where the accounts are, and the trusting domain is where the shared resources are. Domains can allow access to shared resources outside of their boundaries by using a trust. You can use a one-way trust to optimize performance between domains. Forest trusts allow users to access resources in any domain in the other forest, as well as log on to any domain in the forest using a same VPN. Realm trusts enable trusts between Windows Server 2003 and Windows Server 2008 domains and directory-service implementations on other platforms through their shared use of the open-standard Kerberos version 5 protocol.
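An added example, not from the course, that models the trust rules on this slide in Go: a one-way trust lets the trusting domain grant access to accounts from the trusted domain, only transitive trusts chain, and a domain tree gets two-way transitive parent-child trusts by default. The contoso.com tree comes from the earlier slide; partner.example and its external trust are constructed for the example.

```go
package main

import "fmt"

// Trust is one directed trust edge: the trusting domain (where the shared
// resources are) trusts the trusted domain (where the accounts are).
type Trust struct {
	Trusting   string
	Trusted    string
	Transitive bool
}

// Directory holds the trusts of a forest and its partners, keyed by the
// trusting domain.
type Directory struct {
	trusts map[string][]Trust
}

func NewDirectory() *Directory { return &Directory{trusts: map[string][]Trust{}} }

// AddTrust records a one-way trust; call it twice for a two-way trust.
func (d *Directory) AddTrust(trusting, trusted string, transitive bool) {
	d.trusts[trusting] = append(d.trusts[trusting], Trust{trusting, trusted, transitive})
}

// AddChildDomain models a domain tree: parent and child get the default
// two-way transitive trust.
func (d *Directory) AddChildDomain(parent, child string) {
	d.AddTrust(parent, child, true)
	d.AddTrust(child, parent, true)
}

// CanAccess reports whether an account from accountDomain can be granted
// access to resources in resourceDomain. The resource domain must trust the
// account domain, either directly (transitive or not) or through a chain in
// which every hop is transitive. The model treats every transitive trust as
// chainable, which simplifies real forest trusts.
func (d *Directory) CanAccess(accountDomain, resourceDomain string) bool {
	if accountDomain == resourceDomain {
		return true
	}
	for _, t := range d.trusts[resourceDomain] {
		if t.Trusted == accountDomain {
			return true
		}
	}
	seen := map[string]bool{resourceDomain: true}
	queue := []string{resourceDomain}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, t := range d.trusts[cur] {
			if !t.Transitive || seen[t.Trusted] {
				continue
			}
			if t.Trusted == accountDomain {
				return true
			}
			seen[t.Trusted] = true
			queue = append(queue, t.Trusted)
		}
	}
	return false
}

// SampleDirectory builds the contoso.com tree from the slides plus a
// constructed one-way, non-transitive external trust in which na.contoso.com
// trusts partner.example (partner.example is not from the course).
func SampleDirectory() *Directory {
	d := NewDirectory()
	d.AddChildDomain("contoso.com", "emea.contoso.com")
	d.AddChildDomain("contoso.com", "na.contoso.com")
	d.AddTrust("na.contoso.com", "partner.example", false)
	return d
}

func main() {
	d := SampleDirectory()
	for _, q := range [][2]string{
		{"emea.contoso.com", "na.contoso.com"},
		{"partner.example", "na.contoso.com"},
		{"partner.example", "emea.contoso.com"},
		{"na.contoso.com", "partner.example"},
	} {
		fmt.Printf("account %s -> resource %s: %t\n", q[0], q[1], d.CanAccess(q[0], q[1]))
	}
}
```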
AD DS Objects
- User: enables network resource access for a user
- InetOrgPerson: similar to a user account; used for compatibility with other directory services
- Contacts: used primarily to assign addresses to external users; does not enable network access
- Groups: used to simplify the administration of access control
- Computers: enables authentication and auditing of computer access to resources
- Printers: used to simplify the process of locating and connecting to printers
- Shared folders: enables users to search for shared folders based on properties
Active Directory Certificate Services
(AD CS)
Module Overview
- What is AD CS?
- What does AD CS do/provide?
Lesson 1: Overview of Active Directory Certificate Services
Module 4: Introduction to Active Directory® Certificate Services, Course 6424A
- What Is a Certification Authority?
- How CA Hierarchies Work
- Options for Implementing CAs
- Options for Integrating AD CS and AD DS
- Demonstration: Tools for Managing AD CS
What Is a Certification Authority?
A Certification Authority (CA) is an entity entrusted to issue certificates to:
- Individuals
- Computers
- Organizations
- Services
These certificates verify the identity and other attributes of the certificate subject to other entities.
A CA is authorized to issue certificates for individuals, computers, and organizations. What are these certificates used for? They can be used to authenticate that these objects are indeed what they claim to be, whether a user, computer, organization, or service. For example, when you travel, you must provide some sort of certificate to authenticate that you are who you say you are. These forms of identification have to come from an authority, such as the U.S. Department of State. This authority performs a background check first to make sure that you are, in fact, who you are claiming to be, before issuing you a passport. If the passport service were to get a reputation for issuing passports to people who are not truthful, it would reduce the effectiveness of the issued passports, as they may not be trusted. A Certification Authority is responsible for generating a certificate for a requestor, much like the U.S. Department of State is responsible for issuing passports to U.S. citizens. The requestor then can use this certificate to identify itself to other services. The CA's reputation is at stake when it issues certificates to requestors, and it is responsible for making sure the requestor, and the holder of the certificate that it issues, are valid.
How CA Hierarchies Work
CA hierarchies include a root CA and one or more levels of subordinate CAs. Reasons for deploying more than a single-server CA hierarchy, each with the shape of hierarchy that addresses it:
- Usage: Certificates may be issued for a number of purposes, such as secure and network authentication. The issuing policy for these uses may be distinct, and separation provides a basis for administering these policies. (Diagram: root CA with multiple subordinates, with different policies assigned to each subordinate.)
- Organizational divisions: There may be different policies for issuing certificates, depending upon an entity's role in the organization. Again, you can create subordinate CAs to separate and administer these policies. (Diagram: root CA with multiple subordinates, with different corporate groups controlling each subordinate and different policies attached to each.)
- Geographic divisions: Organizations may have entities at multiple physical sites. Network connectivity between these sites may require individual subordinate CAs for many or all sites. (Diagram: root CA with multiple subordinates, each subordinate in a different geographic area.)
- Load balancing: If your PKI will be used to issue and manage a large number of certificates, having only one CA can result in considerable network load for it. Using multiple subordinate CAs to issue the same kind of certificates divides the network load between them. (Diagram: root CA with multiple subordinates, with the same policies on each so that they can be load balanced.)
- High availability: Multiple CAs increase the possibility that your network will always have operational CAs available to respond to user requests. (Diagram: root CA with multiple subordinates having the same policies on each, so that one can be taken offline for maintenance and certificates can still be generated.)
- Restrict administrative access: You may choose to employ special-purpose cryptographic hardware, or operate it in a physically secure area or offline. These may be unacceptable for subordinate CAs, due to cost or usability considerations. If you have a hierarchy, you have the ability to "turn off" a specific portion of the CA hierarchy without affecting established trust relationships. For example, you easily can shut down and revoke an issuing CA certificate that is associated with a specific business unit, without affecting other parts of the organization.
46
Options for Implementing Certification Authorities
When implementing a CA solution, you can:
- Use an internal private CA
- Use an external public CA

Internal CAs are less expensive and provide more administrative options, but the issued certificates are not trusted by external clients.

Organizations can either request a certificate from an external public CA or deploy their own CAs within the organization. A third-party certification authority can generate certificates for all devices or for a CA in your organization. If a certificate is generated for a CA in your environment, that CA can then generate certificates. There are benefits and disadvantages to each option.

Using a third party to issue certificates:
- The certificates can cost more, especially for an organization with a large number of certificates.
- The certificates may take more time to obtain, since the third party needs to receive the required information from the company in order to generate each certificate.
- The certificates (if from a trusted third party) are trusted by more clients, not just clients in the domain.

Using an internal CA to issue certificates:
- The certificates are trusted only by domain members by default.
- Non-domain members would need to import the root CA certificate manually.
- The certificates are easy and flexible to administer because the company controls them.

The concept of trusted and untrusted CAs:
- Trusted Certification Authority. A root CA that has a valid certificate in the Trusted Certificate Authorities store of the client. A trusted CA can generate valid certificates or have subordinate CAs do so. Many computers and devices ship with a standard set of trusted third-party CAs. In an Active Directory Domain Services (AD DS) environment, the enterprise CA would also be trusted.
- Untrusted Certification Authority. A root CA that does not have a valid certificate in the Trusted Certificate Authorities store of the client. An untrusted CA cannot generate certificates that the client accepts as valid.
47
Options for Integrating AD CS and AD DS

Capability                                                                      Enterprise   Stand-Alone
Can use without AD DS                                                                        X
Uses Group Policy for Trusted Root propagation                                  X
Publishes certificates and CRL to AD DS                                         X
Can enforce credential checks during enrollment                                 X
Can have subject name generated automatically from logon credentials            X
Can use certificate templates                                                   X
Can be used to generate smart card Windows domain authentication certificates   X
Can use certificate auto-enrollment                                             X

More detail on these line items is available in the Active Directory Certificate Services Help file.

When would you use a stand-alone CA? When AD DS is not being used, or when the CA is being used for other things, such as SSL certificates.
48
Lesson 2: Understanding Active Directory Certificate Services Certificates
- What Are Digital Certificates?
- How Public Keys and Private Keys Work
- What Are Certificate Templates?
49
What Are Digital Certificates?
A certificate is a digital file with two parts:
- Base certificate information
- Public key

Public keys are distributed to all clients who request the key. Private keys are stored only on the computer from which the certificate was requested.

To expand on the passport analogy from earlier in this course, a certificate can also be used as a key for “locking” and “unlocking” data. The certificate that is shared with the public contains the basic certificate information (to whom it was issued, how long it is valid, which CA issued it, what it can be used for) and, of course, the public key. The private key should be stored securely, and only the certificate’s owner should be able to access it.

Define public key encryption. The private key is not shared with anyone. Security processes should be followed to secure a private key properly so that no one else can use it. The public key is available to those who need to communicate with the private key’s holder.
50
How Public Keys and Private Keys Work

Private and public keys are mathematical inverses of each other: if one is used to encrypt, the other must be used to decrypt. Different keys are used to encrypt and decrypt the message.

(Slide diagram: a Web Client and a Web Server exchange plaintext over SSL (encrypted); one side encrypts with one key and the other side decrypts with the other key of the pair, labelled Private Key and Public Key.)
51
What Are Certificate Templates?
Certificate templates:
- Define what certificates can be issued by the CAs
- Define certificates used for various purposes
- Define which security principals have permissions to read, enroll, and configure the certificate template

Describe what you use certificate templates for, and what sort of certificates can be created and by whom. Talk about some of the installed default templates and what they do:
- Basic EFS
- Key Recovery Agent (for a user who can recover special private keys)
- Router (for encryption of router communications)
- Smart card logon (certificates used for smart card logon)
- Web Server (for SSL)

References
Active Directory Certificate Services Help: Default Certificate Templates; Managing Certificate Templates
52
Lesson 3: Implementing Certificate Enrollment and Revocation
- Options for Implementing Certificate Enrollment
- Administering Certificate Enrollment
- Demonstration: Administering Certificate Requests
- Options for Automating Certificate Enrollment
- What Is Certificate Revocation?
- Demonstration: Revoking Certificates
53
Options for Implementing Certificate Enrollment
What methods are used for certificate enrollment?
- Web enrollment
- Manual/offline enrollment
- Automatic enrollment

Describe each of the ways to perform certificate enrollment.

Web enrollment – Connect to the certificate enrollment site installed on the CA. Walk through the wizard for the needed certificate type and paste in the certificate request. The site lets the user download the certificate directly to the machine. This is good for machines that connect to the network and can reach the CA, and is a good option for those instances in which certificates cannot be auto-enrolled.

Manual/offline enrollment – This supports a machine that cannot communicate directly with the CA, either because of network configuration or because the device does not support it (such as a router). The device generates a certificate request, which is transported to the CA and then imported using the management tools. The issued certificate can then be exported and transported back to the device for installation.

Auto-enrollment – This is a useful feature of AD CS. It allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates, without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject. To configure auto-enrollment properly, the administrator must determine the appropriate certificate template or templates to use.
54
Administering Certificate Enrollment
To obtain a certificate using manual enrollment:
1. Create a certificate request
2. Submit the certificate request to the CA
3. Obtain administrative approval for the certificate
4. Retrieve the certificate from the CA and install it on the client

This is a straightforward process that has been briefly discussed in this module. When discussing it, review the scenarios for which this type of manual approval could be used, such as SSL certificates for public Web sites. Mention that this is the process typically used when requesting certificates from public CAs.
55
Options for Automating Certificate Enrollment

Group Policy triggers the automatic request. Auto-enroll is enabled on the template from which the requested certificate is created.

(Slide diagram: Enterprise CA, Group Policy, Domain Computer.)

Since AD CS can be integrated with AD DS, a certificate’s authentication and verification can be automated in many instances. Computers and users must authenticate against Active Directory. If the computer is authenticated to AD DS, then the CA is assured of the requestor’s identity. When the computer or user authenticates, and if the template is configured to allow auto-enrollment, the certificate can be issued automatically to the computer or user. Group Policy can be employed to have each computer request and obtain a certificate from a CA. Since the computers are in the domain, the certificates can be auto-enrolled.
56
What Is Certificate Revocation?
Certificate revocation occurs when a certificate is invalidated before its expiration period. When certificates are revoked before their expiration, they are placed on a revocation list.

Clients can ensure the certificate has not been revoked by using the following methods:
- Online Certificate Status Protocol (OCSP) responder service
- Certificate Revocation Lists (CRLs)

Why would you revoke a certificate?
- The server or user it was issued to is no longer in use.
- The server’s or user’s private key has been compromised and is no longer secure.
- A new certificate was created.
- The CA was compromised.

How is the revocation list provided?
- Online Certificate Status Protocol (OCSP) responder service. This protocol enables a client to verify whether the certificate it is validating has been revoked. The client queries the service to determine if the certificate is on the revocation list.
- Certificate Revocation List (CRL). This is a file-based list; the client downloads the CRL and/or the delta CRLs to determine if the certificate is on the list.

References
Active Directory Certificate Services Help: Creating a Revocation Configuration
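The chain walk that ties the CA hierarchy, the trusted/untrusted root distinction and CRL checking together, as an added example that is not part of the course material. Certificates, CRLs, the trust store and all names (Contoso, Fabrikam, the hosts) are constructed dictionaries standing in for X.509 objects.

```python
"""Chain validation against a CA hierarchy with CRLs and a client trust store.

Added example, not code from the course: certificates, CRLs and the trusted
root store are plain dictionaries constructed inline (hypothetical names),
standing in for X.509 objects. The hierarchy mirrors the slides: an offline
root, one issuing subordinate CA per business unit, and a client that trusts
only the Contoso root. A second, untrusted hierarchy (Fabrikam) is included.
"""
from datetime import date

# Constructed sample certificates, keyed by subject name.
CERTS = {
    "Contoso Root CA": {"issuer": "Contoso Root CA", "is_ca": True, "serial": 1,
                        "not_before": "2024-01-01", "not_after": "2034-01-01"},
    "Contoso Sales Issuing CA": {"issuer": "Contoso Root CA", "is_ca": True, "serial": 10,
                                 "not_before": "2024-01-01", "not_after": "2029-01-01"},
    "Contoso HR Issuing CA": {"issuer": "Contoso Root CA", "is_ca": True, "serial": 11,
                              "not_before": "2024-01-01", "not_after": "2029-01-01"},
    "web01.sales.contoso.example": {"issuer": "Contoso Sales Issuing CA", "is_ca": False,
                                    "serial": 100, "not_before": "2024-06-01", "not_after": "2025-06-01"},
    "web02.sales.contoso.example": {"issuer": "Contoso Sales Issuing CA", "is_ca": False,
                                    "serial": 101, "not_before": "2024-06-01", "not_after": "2025-06-01"},
    "laptop42.hr.contoso.example": {"issuer": "Contoso HR Issuing CA", "is_ca": False,
                                    "serial": 200, "not_before": "2024-06-01", "not_after": "2025-06-01"},
    "Fabrikam Root CA": {"issuer": "Fabrikam Root CA", "is_ca": True, "serial": 1,
                         "not_before": "2024-01-01", "not_after": "2034-01-01"},
    "www.fabrikam.example": {"issuer": "Fabrikam Root CA", "is_ca": False, "serial": 7,
                             "not_before": "2024-06-01", "not_after": "2025-06-01"},
}

# Constructed CRLs: each CA publishes a base CRL and a delta CRL of serial numbers.
# The root has revoked the HR issuing CA ("turning off" that part of the hierarchy
# without touching Sales); the Sales CA has revoked web02 in its delta CRL.
CRLS = {
    "Contoso Root CA": {"base": {11}, "delta": set()},
    "Contoso Sales Issuing CA": {"base": set(), "delta": {101}},
}

TRUSTED_ROOTS = {"Contoso Root CA"}   # the client's Trusted Root store


def revoked_serials(issuer):
    """Serials revoked by an issuer: its base CRL merged with its delta CRL."""
    crl = CRLS.get(issuer, {})
    return set(crl.get("base", ())) | set(crl.get("delta", ()))


def validate_chain(subject, trusted_roots=TRUSTED_ROOTS, when="2024-09-01", max_depth=8):
    """Walk from the end-entity certificate up to a self-signed root.

    Returns (ok, reason, chain). Each certificate must be within its validity
    period at `when`, be issued by a CA certificate, and not appear on its
    issuer's CRL; the self-signed certificate at the top must be in the
    client's trusted root store, otherwise the whole chain is untrusted.
    """
    when = date.fromisoformat(when)
    chain, name = [], subject
    for _ in range(max_depth):
        cert = CERTS.get(name)
        if cert is None:
            return False, f"no certificate for {name}", chain
        chain.append(name)
        if not (date.fromisoformat(cert["not_before"]) <= when
                <= date.fromisoformat(cert["not_after"])):
            return False, f"{name} is outside its validity period", chain
        issuer = cert["issuer"]
        if issuer == name:                      # self-signed: must be a trusted root
            if name in trusted_roots:
                return True, "chain ends at a trusted root", chain
            return False, f"{name} is self-signed but not in the trusted root store", chain
        issuer_cert = CERTS.get(issuer)
        if issuer_cert is None or not issuer_cert["is_ca"]:
            return False, f"issuer {issuer} is unknown or not a CA", chain
        if cert["serial"] in revoked_serials(issuer):
            return False, f"{name} (serial {cert['serial']}) is revoked by {issuer}", chain
        name = issuer
    return False, "chain too long", chain


if __name__ == "__main__":
    for subject in ("web01.sales.contoso.example", "web02.sales.contoso.example",
                    "laptop42.hr.contoso.example", "www.fabrikam.example"):
        ok, reason, chain = validate_chain(subject)
        print(f"{'OK ' if ok else 'BAD'} {subject}: {reason}  via {' -> '.join(chain)}")
    # Importing the Fabrikam root into the trust store is what makes that chain valid.
    print(validate_chain("www.fabrikam.example", TRUSTED_ROOTS | {"Fabrikam Root CA"})[:2])
```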
57
Active Directory Federation Services
(AD FS)
58
Module Overview
Module 6: Introduction to Active Directory® Federation Services, Course 6424A
- AD FS Overview
- AD FS Deployment Scenarios
- Configuring AD FS Components
59
Lesson 1: AD FS Overview
- What Is Identity Federation?
- What Are the Identity Federation Scenarios?
- Benefits of Deploying AD FS
60
What is Identity Federation?
Identity federation is a process that enables distributed identification, authentication, and authorization across organizational and platform boundaries.

An identity federation:
- Requires a trust relationship between two organizations or entities
- Allows organizations to retain control of:
  - Resource access
  - Their own user and group accounts

Identity federation allows separate authentication domains or realms to share resources without having to provide complete access to each of the authentication domains. So what does this REALLY mean? In the real world everyone has a number of usernames and passwords that they must remember, even within the same organization or within partner organizations. Identity federation allows different authentication domains/realms to provide single sign-on (SSO) services. This can be done without creating a full Active Directory trust between the organizations.
61
What Are the Identity Federation Scenarios?
- Federation for business-to-business (B2B)
- Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario
- Federation within an organization across multiple Web applications

Federation for B2B enables businesses to provide SSO for a business partner or other business unit that has a separate domain.

Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario: this design allows a business that has a perimeter network domain to provide authentication for internal user accounts.

Federation within an organization across multiple Web applications provides SSO across multiple Web applications. No trusts exist in this scenario.
62
Benefits of Deploying AD FS
AD FS provides the following benefits:
- Enables improved:
  - Security and control over authentication
  - Regulatory compliance
  - Interoperability with heterogeneous systems
- Works with Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS)
- Extends AD DS to the Internet

AD FS provides the benefits that the following section details:

Security and control over authentication. You establish rules to control which users are allowed to authenticate across the federated trust.

Regulatory compliance. Because authentication is controlled, and business partners or Internet users are not given direct authentication against your corporate domains, scenarios are enabled that allow you to maintain regulatory compliance.

Interoperability with heterogeneous systems. AD FS leverages Web services, so it can interoperate with many heterogeneous systems. Whitepapers have been created describing how to set up this interoperation.

AD FS works with AD DS or AD LDS, which allows for flexibility and use with other third-party applications.

AD FS extends Active Directory to the Internet, as it allows users on the Internet to authenticate against AD DS for use in Web applications.
63
Lesson 2: AD FS Deployment Scenarios
- What Is a Federation Trust?
- What Are the AD FS Components?
- How AD FS Provides Identity Federation in a B2B Scenario
- How AD FS Traffic Flows in a B2B Federation Scenario
- How AD FS Provides Web Single Sign-On
- Integrating AD FS and AD RMS
64
What Is a Federation Trust?
A federation trust is one way, and the arrow always points to where the accounts come from. The side of the trust where the accounts are managed is the “account partner”, while the side of the trust that holds the resources to be accessed is the “resource partner”. However, federation trusts are not like Windows trusts. In a federation trust, the federation servers in the account partner and the resource partner do not need to communicate directly with each other.

(Slide diagram: Account Partner Organization with AD DS and an Account Federation Server; Resource Partner Organization with a Resource Federation Server and a Web Server; the Federation Trust runs between the two federation servers.)
65
What Are the AD FS Components?
AD FS components:
- Account federation server
- Account federation server proxy
- Resource federation server
- Resource federation server proxy
- AD FS Web Agent
- AD DS domain controllers

AD DS domain controllers. Domain controllers store directory data and manage user and domain interactions, including user logon processes, authentication, and directory searches.

Federation servers. A federation server is a computer that runs a specialized Web service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of identity claims, such as a user's name or role. In addition, a federation server can protect the contents of security tokens in transit with an X.509 certificate, which makes it possible to validate trusted issuers.

Federation service proxies. You can use a federation server proxy to enhance the security and performance of your Active Directory Federation Services (AD FS) 2.0 deployment. When you install the AD FS 2.0 software on a computer and configure it for the federation server proxy role, that computer functions as a proxy server in a perimeter network (also known as a screened subnet) for a protected Federation Service on an internal network.

AD FS Web Agent. Active Directory Federation Services (AD FS) Web Agents are Internet Server Application Programming Interface (ISAPI) extensions. They run on Internet Information Services (IIS) and Windows Server, and they manage security tokens and authentication cookies for the Web server. An AD FS Web Agent intercepts incoming client URL requests for a protected resource and ensures that a valid authentication token is presented.
66
How AD FS Provides Identity Federation in a B2B Scenario
(Slide diagram: Contoso and an Online Retailer, each with an intranet forest and a perimeter network. Contoso hosts AD DS, the Account Federation Server and the Account Federation Server Proxy; the Online Retailer hosts the Resource Federation Server, the Resource Federation Server Proxy and the AD FS-enabled Web Server. A Federation Trust connects the two organizations.)
67
How AD FS Traffic Flows in a Business to Business Federation Scenario
In this design, external users, such as customers, can access the Web application by authenticating to the external account federation server, which is located in the perimeter network. External users have user accounts in the perimeter-network Active Directory forest. Internal users, such as employees, can also access the Web application by authenticating to the internal account federation server, which is located in the internal network. Internal users have accounts in the internal Active Directory forest.

If the Web-based application is a Windows NT token-based application, the AD FS Web Agent running on the Web application server intercepts requests and creates Windows NT security tokens, which the Web application requires to make authorization decisions. For external users, this is possible because the AD FS-enabled Web server that hosts the Windows NT token-based application is joined to the domain in the external forest. For internal users, this is enabled through the forest trust relationship that exists between the perimeter forest and the internal forest.

If the Web-based application is a claims-aware application, the AD FS Web Agent running on the Web application server does not have to create Windows NT security tokens for the user. The AD FS Web Agent can expose the claims that come across, which makes it possible for the application to make authorization decisions based on the contents of the security token provided by the account federation server. As a result, when it deploys claims-aware applications, the AD FS-enabled Web server does not have to be joined to the domain, and the external-forest-to-internal-forest trust is not required.

(Slide diagram: numbered steps 1 through 5 flowing between AD DS and the Account Federation Server at Contoso and the Resource Federation Server and Web Server at the Online Retailer, across the Federation Trust.)
68
Lesson 3: Configuring AD FS Components
- Federation Service Configuration Options
- What Are AD FS Trust Policies?
- AD FS Web Proxy Agent Configuration Options
- What Are AD FS Claims?
69
Federation Service Configuration Options
To implement the federation service:
1. Create a trust policy for both the resource and account partners
2. Create organizational claims
3. Create account stores
4. Create and configure applications

Briefly talk about the main settings that will need to be configured before AD FS is functional: create organizational claims, create account stores, create applications, and create a trust.
70
What Are AD FS Trust Policies?
Trust policies are the configuration settings that define how to configure a federated trust and how the federated trust works.

Resource partner trust policies include:
- Token lifetime
- Federation Service URI
- Federation Service endpoint URL
- The option to use a Windows trust relationship for this partner

In addition, the account partner trust policies include:
- Location of a certificate to verify the resource partner
- Options for configuring how resource accounts are created

Discuss how the trust policies really are the definition of the trust functions. Then describe each of the configuration options for the resource and account partner trust policies.
71
AD FS Web Proxy Agent Configuration Options
AD FS Web Proxy Agent configuration options:
1. Install the AD FS Web Agent on the IIS server
   - Windows token-based authentication requires ISAPI extensions
   - Claims-aware authorization can authenticate natively with ASP.NET
2. Determine how to collect user credential information from browser clients and Web applications
72
What Are AD FS Claims?

Claim Type   Description
Identity     UPN: indicates a Kerberos version 5 protocol-style user principal name (UPN).
             E-mail: indicates a Request for Comments (RFC) 2822–style e-mail name.
             Common name: indicates an arbitrary string that is used for personalization.
Group        Indicates membership in a group or role.
Custom       Indicates a claim that contains custom information about a user, for example, an employee ID number.

Define an AD FS claim, and then talk about each type: identity, group, and custom. Be sure to talk about how they differ and, if possible, give an example of each. The table below shows more information than the slide table:

Identity. UPN, e-mail, and common name are referred to in AD FS as identity claim types:
- UPN: Indicates a Kerberos-style user principal name (UPN). Only one claim may be of the UPN type. Even if multiple UPN values must be communicated, only one may be of the UPN type. Additional UPNs may be configured as custom claim types.
- E-mail: Indicates an RFC 2822–style e-mail name. Only one claim may be of the e-mail type. Even if multiple e-mail values must be communicated, only one may be of the e-mail type. Additional e-mail addresses may be configured as custom claim types.
- Common name: Indicates an arbitrary string that is used for personalization. Examples include John Smith or Tailspin Toys Employee. Only one claim may have the common name type. It is important to note that there is no mechanism for guaranteeing the uniqueness of the common name claim. Therefore, use caution when you use this claim type for authorization decisions.

Group. Indicates membership in a group or role. Administrators define individual claims that have the group type (“group claims”). For example, you might define the following set of group claims: [Developer, Tester, Program Manager]. Each group claim is a separate unit of administration for claim population and mapping. It is useful to think of the value of a group claim as a Boolean value indicating membership.
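The claim rules above (one UPN, one e-mail and one common name; Boolean group claims; extra UPNs carried as custom claims) and the mapping of group claims across the trust, as an added example that is not part of the course or of AD FS. The claim tuples, the sample user, the organization names and the group mapping table are all constructed for illustration.

```python
"""Toy model of AD FS claim types and claim mapping across a federation trust.

Added example, not code from the course or from AD FS. Claims are plain
(type, name, value) tuples; the sample user, organization names and the
group-claim mapping table are constructed for illustration.
"""
from collections import Counter

IDENTITY_TYPES = ("upn", "email", "common_name")      # at most one claim of each
CLAIM_TYPES = IDENTITY_TYPES + ("group", "custom")


def validate_claims(claims):
    """Return the list of rule violations for a claim set (empty means valid).

    Identity claims are (type, None, value); group claims are
    ("group", group_name, bool); custom claims are ("custom", name, value).
    """
    problems = []
    counts = Counter(t for t, _, _ in claims)
    for t in IDENTITY_TYPES:
        if counts[t] > 1:
            problems.append(f"only one claim may be of type {t} (found {counts[t]})")
    for claim in claims:
        t, name, value = claim
        if t == "group" and (not name or not isinstance(value, bool)):
            problems.append(f"group claim {claim!r} needs a name and a Boolean membership value")
        elif t == "custom" and not name:
            problems.append(f"custom claim {claim!r} needs a name")
        elif t not in CLAIM_TYPES:
            problems.append(f"unknown claim type {t!r}")
    return problems


def normalize_upns(claims):
    """Keep the first UPN as the UPN claim and carry any further UPN values as
    custom claims, as the slide describes for additional UPNs."""
    out, seen = [], False
    for t, name, value in claims:
        if t == "upn" and seen:
            out.append(("custom", "alternate-upn", value))
        else:
            seen = seen or t == "upn"
            out.append((t, name, value))
    return out


def map_outgoing(claims, group_map):
    """Account partner side: translate organizational group claims into the
    group claims the resource partner expects. Groups the user is not a member
    of, and groups with no mapping, are not sent across the trust."""
    out = []
    for t, name, value in claims:
        if t == "group":
            if value and name in group_map:
                out.append(("group", group_map[name], True))
        else:
            out.append((t, name, value))
    return out


def authorize(claims, required_group):
    """Resource partner side: grant access only on a true group claim. The
    common name is never consulted because the slide notes it is not unique."""
    return any(t == "group" and name == required_group and value is True
               for t, name, value in claims)


def federate(account_claims, group_map):
    """Full account-partner pipeline: normalize, validate, then map outgoing claims."""
    claims = normalize_upns(account_claims)
    problems = validate_claims(claims)
    if problems:
        raise ValueError("; ".join(problems))
    return map_outgoing(claims, group_map)


# Constructed sample: a Contoso user with two UPN values and three group memberships.
ACCOUNT_CLAIMS = [
    ("upn", None, "alice@contoso.example"),
    ("upn", None, "alice.smith@contoso.example"),
    ("email", None, "alice@contoso.example"),
    ("common_name", None, "Alice Smith"),
    ("group", "Contoso Developers", True),
    ("group", "Contoso Finance", False),
    ("group", "Contoso Admins", True),
    ("custom", "employeeID", "E-1042"),
]
# Only the developer group has a meaning at the resource partner (an online retailer).
GROUP_MAP = {"Contoso Developers": "Retailer Partner Engineers"}

if __name__ == "__main__":
    print("raw claim set problems:", validate_claims(ACCOUNT_CLAIMS))
    outgoing = federate(ACCOUNT_CLAIMS, GROUP_MAP)
    for claim in outgoing:
        print("  sent across the trust:", claim)
    print("engineer access:", authorize(outgoing, "Retailer Partner Engineers"))
    print("admin access:   ", authorize(outgoing, "Contoso Admins"))
```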
73
Active Directory Rights Management Services (AD RMS)
74
Module 5: Introduction to Active Directory® Rights Management Services
Module Overview (Course 6424A)
- AD RMS Overview
- Understanding AD RMS
- Managing AD RMS
75
Lesson 1: AD RMS Overview
- Overview of AD RMS
- How AD RMS Works
- Options for Using AD RMS
76
Overview of AD RMS

Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use.

AD RMS can be used to:
- Restrict access to an organization’s intellectual property
- Limit the actions users can perform on content
- Limit the risk of content being exposed outside the organization

Intellectual property is incredibly important to many businesses. Example: Contoso has developed a first-to-market product that gives them an edge over their competitors. To keep the details of this product within the confines of the company’s network, it makes sense to use rights management to keep the set of users who have permission to access the documentation to a minimum, and to keep those users from being able to print or send this critical documentation. The increased threat of computer-related crime is also a reason to be more protective of information. Additionally, new legislative standards for many companies are creating an increased need to protect sensitive data.
77
How AD RMS Works

The general RMS process:
1. The author receives a client licensor certificate the first time they rights-protect information.
2. The author defines a set of usage rights and rules for their file, and the application creates a “publishing license” and encrypts the file.
3. The author distributes the file.
4. The recipient clicks the file to open it, and the application calls the RMS server, which validates the user and issues a “use license.”
5. The application renders the file and enforces its rights.

(Slide diagram: Information Author, RMS Server, Recipient, with the five steps numbered.)
78
Options for Using AD RMS
Action                           Application                                                Features
Protect sensitive files          Microsoft® Office: Word, Excel®, PowerPoint®               Set rights (View, Change, Print); set validity period
Do-Not-Forward/Print e-mail      Microsoft Office Outlook®                                  Help protect sensitive e-mail from being sent to the Internet; help protect confidential e-mail from being taken outside of the company
Help safeguard intranet content  Internet Explorer®, Microsoft Office SharePoint® Services  Help safeguard intranet content by restricting access to: View, Change, Print
Identity federation support      All RMS-enabled applications                               Help safeguard data across AD FS trusts

AD RMS can be used to:
- Help protect e-mail messages
- Enforce document rights
- Help protect intranet content
79
Lesson 2: Understanding AD RMS
- AD RMS Components
- AD RMS Certificates and Licenses
- How AD RMS Secures Content
- How AD RMS Restricts Access to Data
80
AD RMS Components

- Author: Creator of an RMS-protected document.
- RMS-enabled applications: Applications that are aware of RMS, and which can be used to create and read RMS-protected documents.
- Recipient: Receiver of the RMS-protected document.
- AD RMS server: Responsible for providing protection to documents.
- Database server (SQL Server): Used to store configuration and RMS-related information.
- Active Directory Domain Services (AD DS) domain controller: Used to authenticate authors and recipients.

(Slide diagram: Information Author and Recipient using an RMS-enabled application, the AD RMS Server, SQL Server and the Active Directory Domain Controller.)
81
AD RMS Certificates and Licenses
AD RMS certificates and licenses include:
- Lockbox
- Machine certificate
- Rights account certificate
- Client licensor certificate
- Publishing license
- Use license
- Revocation list

Lockbox: A lockbox is a dynamic link library (DLL) that can be used to increase the security of the environment in which an Active Directory Rights Management Services (AD RMS) application runs. The lockbox verifies all licenses and certificates used by the application and, for AD RMS clients, protects the process space by limiting access to the required and optional modules identified in the application manifest.

Machine certificate: Machine certificates hold the computer's public key and are tied to the lockbox.

Rights account certificate: Rights account certificates tie a user to a machine certificate. Each user on the machine has a rights account certificate. The certificate contains the user's public key in cleartext, as well as their private key, which is encrypted with the machine's public key.

Client licensor certificate: Client and server licensor certificates allow a client to sign an issuance license, or allow a server other than a Microsoft server to issue a license or certificate.

Publishing license: Issuance licenses are created by a content publisher and are used by the consumer to acquire an end-user license.

Use license: End-user licenses are for content, or for an application, and contain the keys necessary to open the content as well as the rights and conditions.
82
How AD RMS Protects Content
Explain each step using the following guide:
1. The author uses AD RMS for the first time, and receives the Rights Account Certificate (RAC) and Client Licensor Certificate (CLC). This happens once, and it enables the user to publish online or offline, and to consume rights-protected content.
2. The author uses the AD RMS-enabled application to create the file and specify user rights. The policy license containing the user policies is generated.
3. The application generates the content key and uses it to encrypt the content:
   a. Online publish – Encrypts the content key with the AD RMS server public key and sends it to the AD RMS server. The server creates and signs the publishing license (PL).
   b. Offline publish – Encrypts the content key with the CLC public key, and then encrypts a copy of the key with the AD RMS server public key. Creates the PL and signs it with the CLC private key, and then appends the PL to the encrypted content.
4. The AD RMS-protected content file is sent to the information recipient. AD RMS-protected content also may be represented by .

(Slide diagram: Information Author using an RMS-enabled application, AD RMS Server, SQL Server, Active Directory Domain Controller and Recipient, with steps 1 through 4 numbered.)
83
How AD RMS Restricts Access to Data
Explain each step using the following guide:
- The recipient receives the file and opens it using an AD RMS-enabled application or browser.
- If there is no account certificate on the current computer, the AD RMS server issues one, and the AD RMS document notifies the application of the AD RMS server URL.
- The application sends a request for a use license to the AD RMS server that issued the publishing license (if the file was published offline, it is sent to the server that issued the CLC), presenting the RAC and the PL for the file.
- The AD RMS server confirms that the recipient is authorized, checks for a named user, and creates a use license for the user.
- The server decrypts the content key using the server’s private key, and then re-encrypts the content key with the recipient’s public key. It then adds the encrypted session key to the use license, which means that only the intended recipient can access the file.
- The AD RMS server sends the use license to the information recipient’s computer.
- The application examines both the license and the recipient’s account certificate to determine whether any certificate in either chain of trust requires a revocation list.
- The user is granted access as specified by the information author.

(Slide diagram: Information Author, AD RMS Server, SQL Server, Active Directory Domain Controller and Recipient using an RMS-enabled application, with steps 1 through 5 numbered.)
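The key handling behind "How AD RMS Protects Content" and "How AD RMS Restricts Access to Data" (content key wrapped with the server public key in the publishing license, unwrapped with the server private key and re-wrapped for the recipient in the use license), built on the "one key encrypts, the other decrypts" property from the public/private key slide. This is an added example, not code from the course or from AD RMS: the RSA keys are tiny textbook keys derived from primes above a fixed seed, the content cipher is a constructed SHA-256 keystream XOR standing in for the real content key, and the party names are hypothetical.

```python
"""Toy model of the AD RMS publishing-license / use-license key flow.

Added example, not code from the course or from AD RMS. The keys are tiny
textbook RSA keys derived from primes just above a fixed seed (insecure; they
exist only to show the slide's point that one key encrypts and the other
decrypts), and the content cipher is a constructed SHA-256 keystream XOR that
stands in for the real symmetric content key. Party names are hypothetical.
"""
import hashlib
from math import gcd


def is_prime(n):
    return n >= 2 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def make_keypair(seed, e=65537):
    """Textbook RSA: public key (e, n), private key (d, n) with d = e^-1 mod phi."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    while gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def rsa_apply(key, m):
    """Apply one key of a pair to an integer; the other key reverses it."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


def keystream_xor(content_key, data):
    """Constructed toy stream cipher: XOR with SHA-256(key || counter) blocks."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(content_key.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def license_digest(body):
    """32-bit digest of a license body, small enough to sign with the toy keys."""
    return int.from_bytes(hashlib.sha256(repr(body).encode()).digest()[:4], "big")


def publish_online(content, rights, content_key, server_pub, server_priv):
    """Online publishing: encrypt the content with the content key, wrap the
    content key with the AD RMS server public key, and have the server sign the
    publishing license (PL) that carries the rights and the wrapped key."""
    pl = (rights, rsa_apply(server_pub, content_key))
    return {"content": keystream_xor(content_key, content),
            "pl": pl, "pl_sig": rsa_apply(server_priv, license_digest(pl))}


def issue_use_license(protected, recipient, recipient_pub, server_pub, server_priv):
    """Server side of consumption: verify the PL signature, check that the
    recipient is a named user, unwrap the content key with the server private
    key and re-wrap it with the recipient's public key. None if not authorized."""
    rights, wrapped = protected["pl"]
    if rsa_apply(server_pub, protected["pl_sig"]) != license_digest(protected["pl"]):
        raise ValueError("publishing license signature does not verify")
    if recipient not in rights:
        return None
    content_key = rsa_apply(server_priv, wrapped)
    return {"rights": rights[recipient], "wrapped_key": rsa_apply(recipient_pub, content_key)}


def consume(protected, use_license, recipient_priv):
    """Client side: unwrap the content key with the recipient's private key and
    render the content; the rights to enforce travel in the use license."""
    content_key = rsa_apply(recipient_priv, use_license["wrapped_key"])
    return keystream_xor(content_key, protected["content"]), use_license["rights"]


if __name__ == "__main__":
    server_pub, server_priv = make_keypair(10 ** 6)
    bob_pub, bob_priv = make_keypair(2 * 10 ** 6)
    doc = b"Project Falcon launch plan (constructed sample)"
    protected = publish_online(doc, {"bob": ("view",)}, 0x0BADC0DE, server_pub, server_priv)
    use_lic = issue_use_license(protected, "bob", bob_pub, server_pub, server_priv)
    print(consume(protected, use_lic, bob_priv))                          # (doc, ('view',))
    print(issue_use_license(protected, "mallory", bob_pub, server_pub, server_priv))  # None
```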
84
Lesson 3: Managing AD RMS
- AD RMS Server Role Installation Overview
- What Are Exclusion Policies?
- What Are Rights Policy Templates?
85
AD RMS Server Role Installation Overview
Installation requirements:
- The server must be a member of the domain.
- AD RMS requires the following additional roles to be installed on the AD RMS server:
  Web Server (Microsoft Internet Information Services [IIS])
  Windows Process Activation Service (WPAS)
  Message Queuing
  Windows Internal Database
- A separate service account will need to be created prior to running the Add Role Wizard.
- If multiple RMS servers will be used in a cluster, a separate SQL Server will need to be installed so that the servers can share configuration data.
- Once the installation is complete, you will need to log off and then log on.

References:
Windows Server Active Directory Rights Management Services Step-by-Step Guide
AD RMS Help File: "Installing an AD RMS Cluster"

(Diagram: additional roles required: Web Server (IIS), Windows Process Activation Service (WPAS), Message Queuing, Windows Internal Database; a service account; Microsoft SQL Server.)
86
What Are Exclusion Policies?
Exclusion policies prevent users, applications, lockboxes, and operating systems from acquiring certificates and licenses from servers in the cluster.

There are differences between exclusion policies and revocation lists. Revocation lists prevent previously granted licenses and certificates from being used to decrypt rights-protected content, whereas exclusion policies keep a license from being generated.

Exclusion can be enabled by:
- User ID
- Public key string
- Application, by version
- Lockbox version
- Windows version
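An added example (not part of the course material) that models the distinction the slide draws: an exclusion policy is consulted when a license is requested, a revocation list when already-issued content is opened. The five criteria mirror the list above; the user names, key strings and version thresholds are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class LicenseRequest:
    user_id: str
    public_key: str          # the requester's RAC public-key string
    application: str
    app_version: tuple       # constructed, e.g. (12, 0)
    lockbox_version: tuple
    windows_version: tuple


@dataclass
class ExclusionPolicy:
    """Cluster-wide exclusion settings; each field matches one criterion on the slide."""
    user_ids: set = field(default_factory=set)
    public_keys: set = field(default_factory=set)
    applications: dict = field(default_factory=dict)  # name -> (min, max) version range excluded
    min_lockbox: tuple = ()                            # lockboxes older than this are excluded
    min_windows: tuple = ()                            # Windows versions older than this are excluded

    def exclusion_reason(self, req):
        """Return why the request is excluded, or None if a license may be generated."""
        if req.user_id in self.user_ids:
            return "user ID excluded"
        if req.public_key in self.public_keys:
            return "public key string excluded"
        excluded = self.applications.get(req.application)
        if excluded and excluded[0] <= req.app_version <= excluded[1]:
            return "application version excluded"
        if self.min_lockbox and req.lockbox_version < self.min_lockbox:
            return "lockbox version excluded"
        if self.min_windows and req.windows_version < self.min_windows:
            return "Windows version excluded"
        return None


class LicensingServer:
    def __init__(self, policy):
        self.policy = policy
        self.issued = {}        # license id -> user it was issued to
        self.revoked = set()    # license ids placed on the revocation list

    def request_license(self, req):
        """Exclusion is applied here: an excluded requester never receives a license."""
        reason = self.policy.exclusion_reason(req)
        if reason:
            return None, reason
        lic_id = "lic-%d" % (len(self.issued) + 1)
        self.issued[lic_id] = req.user_id
        return lic_id, "issued"

    def may_decrypt(self, lic_id):
        """Revocation is applied here: an existing license stops working once it is listed."""
        return lic_id in self.issued and lic_id not in self.revoked
```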
87
What Are Rights Policy Templates?
Rights policy templates provide a manageable, consistent way for workers to apply predefined policies to information.

When defining rights policy templates, use the example that an organization might create rights policy templates for its employees that assign separate usage rights and conditions for company-confidential, classified, and private data. RMS-enabled applications can use these templates, providing a simple, consistent way for workers to apply predefined policies to information. Discuss the options available when creating a rights policy template.

References: AD RMS Online Help

Administrators can use rights policy templates to:
- Apply expiration policies for content and licenses
- Set extended policies that:
  Allow content to be viewed in a browser
  Disable client-side caching of use licenses
- Set revocation policies to enable content rights to be revoked

Templates are defined for each language to be supported.
88
Active Directory Lightweight Directory Services (AD LDS)
89
Module Overview AD LDS Overview Implementing and Administering AD LDS
Module 3: Introduction to Active Directory® Lightweight Directory Services Course 6424A

Module Overview
- AD LDS Overview
- Implementing and Administering AD LDS
- Implementing AD LDS Replication
- Comparing AD DS and AD LDS
90
Lesson 1: AD LDS Overview
- How AD LDS Works
- AD LDS Administration Tools
- What Is the AD LDS Schema?
91
How AD LDS Works AD LDS is a hierarchical file-based directory store
AD LDS is a hierarchical file-based directory store:
- Uses the Extensible Storage Engine (ESE) for file storage
- Can be accessed via LDAP
- The store is organized into three partition types: Configuration, Schema, Application

Discuss the similarities of AD LDS and AD DS. AD LDS uses a hierarchical Extensible Storage Engine (ESE) database just like AD DS and Exchange.
92
AD LDS Administration Tools
Tool and usage:
- Active Directory Lightweight Directory Services Wizard: create a new instance of AD LDS; create a new replica of an AD LDS instance
- ADSIEdit: modifying data; viewing data
- LDP: creating application partition instances
- Ldifde or Csvde: importing and exporting data
- Dsacls: view or set permissions
- AdamSync: used to synchronize an instance of AD DS to AD LDS
- ADSchemaAnalyzer: used in migrating the Active Directory schema to ADAM

ADSIEdit is a more friendly interface than LDP. However, it does not support Secure Sockets Layer (SSL) connections to AD LDS.
93
What Is the AD LDS Schema?
The AD LDS schema defines the types of objects and data that can be created and stored in an AD LDS instance, using object classes and attributes.

The schema defines every object and attribute in a directory. For an object type to be created in the directory, you first must define it in the schema. All partitions in an instance share a schema; if different schemas need to be supported, separate instances need to be created.

(Diagram: the schema partition holds the definition for an automobile object class and the definition for a user object class; the application partition holds directory objects based on the automobile object class and directory objects based on the user object class.)
94
Lesson 2: Implementing and Administering AD LDS
- What Is an AD LDS Instance?
- What Is an AD LDS Application Partition?
- AD LDS Users and Groups
- How Does Access Control Work in AD LDS?
95
What Is an AD LDS Instance?
An AD LDS instance is a running copy of the AD LDS service that contains its own communication interface and directory store.

AD LDS instances are similar to SQL Server® instances. Multiple SQL Server instances can be installed on a single server computer, each functioning as a separate database entity. An AD LDS instance is similar: a new instance of AD LDS can be created on the same server, and configured and used separately. Some reasons for using multiple instances might include applications that need separate schemas, applications that need to replicate differently, or isolating applications from each other for security. Each instance is also bound to its own TCP ports.

(Diagram: a single AD LDS instance. The client connects to the directory service interfaces (LDAP, replication), which sit in front of the directory data store (Adamntds.dit). The directory store has its own copy of the three partitions.)
96
What Is an AD LDS Application Partition?
The AD LDS application partition holds the data that is used by the application.

This partition stores the data that your applications will use. Most likely you will use the application to manage the objects in this partition. All objects created in the application partitions must already be defined in the schema. The configuration information for each application partition in an instance is stored in the configuration partition, in the cn=Partitions,cn=Configuration container.

Multiple application directory partitions can be created in each AD LDS instance; however, each partition shares a single set of configuration and schema partitions.

(Diagram: a single AD LDS instance containing application partition 1, the configuration partition and the schema partition.)
97
Module 3: Introduction to Active Directory® Lightweight Directory Services
AD LDS Users and Groups

AD LDS provides four default, role-based groups, stored in the Roles container of the appropriate partitions. A set of default groups is created when the instance is created. Additional user and group accounts can be added to the configuration partition or to a specific application partition.

Role: Administrators
  Default members: configuration partition: the AD LDS administrators assigned during AD LDS setup; application partitions: the Administrators group from the configuration partition
  Default access: full access to all partitions
Role: Readers
  Default members: none
  Default access: read access to the partition
Role: Users
  Default members: configuration partition: transitively, all AD LDS users; application partitions: transitively, all AD LDS users that are created in the partition
Role: Instances
  Default members: configuration partition: all instances
98
How Does Access Control Work in AD LDS?
AD LDS access control:
1. Authenticates the identity of users requesting access to the directory, allowing only successfully authenticated users into the directory.
2. Uses security descriptors, called access control lists (ACLs), on directory objects to determine which objects an authenticated user can access.

Describe the process flow of access control: before making a request for data, the directory-enabled application must present the user's credentials to AD LDS for authentication, or binding. This request includes a user name, a password, and, depending on the type of bind, a domain name or computer name. The application can then access data that AD LDS hosts.

What sort of authentication can be done against AD LDS?
- AD LDS security principals are authenticated directly by AD LDS.
- Windows local security principals are authenticated by the local computer.
- Domain security principals are authenticated by an Active Directory Domain Services (AD DS) domain controller.

What are access control lists (ACLs)? ACLs define which security principals have access to a particular object. Access can be given to users by adding them to groups or by directly assigning permissions to the user objects using dsacls. Dsacls can be used to assign user or group permissions on objects in AD LDS.

References: AD LDS Help topic, "Working with Authentication and Access Control"
99
Lesson 3: Implementing AD LDS Replication
- How AD LDS Replication Works
- Why Implement AD LDS Replication?
100
How AD LDS Replication Works
AD LDS uses multimaster replication:
- All instances are writable
- Changes on one instance are replicated to the other instances

Changes can be made to any of the instances; the changes are then merged and replicated across the instances, making all of the instances identical again. To be able to replicate partitions between instances, the instances must be installed in a configuration set. A configuration set can be joined only during the installation of the AD LDS instance.

(Diagram: Server 1, Server 2 and Server 3 replicate changes to all servers. A client adds "User 2" on Server 1; a client modifies the "User 1" display name on Server 2.)
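The diagram's scenario as an added example (not from the course): three instances of one configuration set accept writes independently and converge after replication. Conflict resolution uses the attribute stamp ordering that AD DS and AD LDS apply (version number, then originating time, then originating instance as tie-breaker); the replication transport is simplified to a full push of pending changes, and the clock, DNs and server names are constructed.

```python
import itertools


class Instance:
    """One writable AD LDS instance; objects map DN -> {attribute: (stamp, value)}."""
    def __init__(self, name, clock):
        self.name = name
        self.clock = clock      # shared constructed clock standing in for wall time
        self.objects = {}
        self.outbox = []        # originating writes not yet replicated to the others

    def write(self, dn, attr, value):
        """A client change made on this instance: bump the attribute's version number."""
        obj = self.objects.setdefault(dn, {})
        old_version = obj[attr][0][0] if attr in obj else 0
        stamp = (old_version + 1, next(self.clock), self.name)
        obj[attr] = (stamp, value)
        self.outbox.append((dn, attr, stamp, value))

    def apply(self, dn, attr, stamp, value):
        """An inbound replicated change: the higher stamp wins, so every instance
        chooses the same value when two originating writes conflict."""
        obj = self.objects.setdefault(dn, {})
        if attr not in obj or stamp > obj[attr][0]:
            obj[attr] = (stamp, value)


def new_configuration_set(names):
    """Instances that share a clock, standing in for members of one configuration set."""
    clock = itertools.count(1)
    return [Instance(name, clock) for name in names]


def replicate(instances):
    """Push every pending change from each instance to every other instance."""
    for src in instances:
        pending, src.outbox = src.outbox, []
        for dst in instances:
            if dst is not src:
                for change in pending:
                    dst.apply(*change)


def contents(instance):
    """The instance's data without stamps, for comparing instances after replication."""
    return {dn: {a: v for a, (_, v) in attrs.items()} for dn, attrs in instance.objects.items()}
```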
101
Why Implement AD LDS Replication?
Why implement AD LDS replication?
- High availability
- Load balancing
- Geographic limitations
102
Lesson 4: Comparing AD DS and AD LDS
- Similarities between AD DS and AD LDS
- Differences between AD DS and AD LDS
- Integrating AD DS and AD LDS
103
Similarities Between AD DS and AD LDS
Similarities between AD DS and AD LDS:
- Support LDAP connections: both are LDAP-based, allowing LDAP connections for hierarchical storage.
- Use multimaster replication: both allow each instance to be written to, so that a change can happen on any instance and be replicated to all instances.
- Support delegated administration: administration can be delegated to partitions or OUs by group or role.
- Use the Extensible Storage Engine for the database store: both store their data in an ESE database.
104
Differences Between AD DS and AD LDS
Feature comparison (X marks the directory service that has the feature):

Feature                                               AD LDS   AD DS
Capable of multiple instances running on one server     X
Runs on non-domain controllers                          X
Does not require DNS infrastructure                     X
Group Policy                                                     X
Global Catalog functions                                         X
Kerberos V5 protocol authentication                              X
Full-featured administrator tools                                X
Automatic failover of services                                   X

Features that AD LDS has that AD DS does not:
- Multiple instances running on one server: AD DS can only have a single instance on a single server.
- Runs on non-domain controllers: AD DS has a specific role dedicated to domain controllers.
- Does not require DNS infrastructure: AD DS requires DNS to be configured for all client machines so that they can find services.

Features that AD DS has that AD LDS does not:
- Group Policy: Group Policy can be used to enforce settings on objects in the directory.
- Global Catalog functions: a central repository for searching objects in multiple domains in a forest.
- Kerberos authentication: AD DS uses Kerberos for some authentication tasks.
- Full-featured administrator tools: AD DS has Active Directory Users and Computers, Active Directory Sites and Services, and other administrative tools for managing AD DS.
- Automatic failover of services: because AD DS relies on DNS, if a domain controller fails, clients can find an operational domain controller through DNS. AD LDS would need an application that is aware of how to deal with that scenario.
105
Integrating AD DS and AD LDS
To integrate AD DS and AD LDS:
1. Prepare the schema for synchronization
2. Prepare the configuration for AdamSync
3. Run AdamSync

Since AD DS is the foundation for enterprises today, there is no doubt that the data in AD DS is valuable, and many applications may want to use this data. Rather than extending the schema of AD DS, AD LDS can synchronize the data from AD DS, allowing the AD LDS schema to be changed to meet the application's needs. Also, the application requesting this data may be outside the direct control of the enterprise IT staff. Allowing AD LDS to synchronize the data from AD DS, and giving that application access to AD LDS rather than to AD DS, provides a layer of protection for AD DS.

Discuss the process of configuring the synchronization: prepare the schema, prepare the configuration for AdamSync, configure AdamSync, run AdamSync.