Module 1
Exploring Windows Server 2008 Active Directory Roles
Contents:
Lesson 1: Overview of Active Directory Domain Services  1-3
Lesson 2: Overview of AD LDS  1-8
Lesson 3: Overview of Active Directory Certificate Services  1-14
Lesson 4: Overview of AD RMS  1-24
Lesson 5: Overview of AD FS  1-31
Lab: Exploring Windows Server 2008 Active Directory Server Roles  1-37
Module Overview
Windows Server 2008 provides a rich platform for five Active Directory server roles. This module describes the fundamental concepts of these five server roles.
Lesson 1: Overview of Active Directory Domain Services
AD DS is a directory service that provides centralized management and authentication for a network. AD DS provides the core services for all of the other Active Directory server roles. This lesson provides an overview of how AD DS provides this functionality.
Key Points
A network directory service:
- Provides information about user objects, computers, and services (such as an e-mail address).
- Stores this information in a secure database and provides the tools for managing and searching the directory.
- Allows you to manage all network user accounts and resources in a single location and to apply policies to the directory objects so that all of them are managed consistently.
Additional Reading
Deciding Between Workgroups and Domains
What is AD DS?
Key Points
Active Directory Domain Services (AD DS) is a centralized directory for user and computer management and authentication. It provides authentication services for a Windows Server 2008 network. The directory contains user objects, group objects, computer objects, and service information. This allows the service to provide information about these objects, to authenticate them, and to manage access to network resources.
Additional Reading
Deciding Between Workgroups and Domains
Key Points
AD DS provides the following for a Windows Server 2008 network:
- Stores user and computer objects
- Authenticates user and computer objects
- Stores group information
Key Points
Many of the other Windows Server 2008 server roles integrate with AD DS. Server roles such as the following rely on AD DS:
- Active Directory Federation Services (AD FS)
- Active Directory Rights Management Services (AD RMS)
- Active Directory Certificate Services (AD CS)
Lesson 2
Overview of AD LDS
Active Directory Lightweight Directory Services (AD LDS) is an Active Directory server role that provides a Lightweight Directory Access Protocol (LDAP)-compliant directory service. When you configure AD LDS, you can use it to provide authentication and directory services for custom-written, third-party, and other enterprise applications. This lesson provides an overview of LDAP and AD LDS.
What is LDAP?
Key Points
Lightweight Directory Access Protocol (LDAP) is a standardized client/server TCP/IP based protocol that has been in use for over 15 years and is leveraged by a large number of applications and solutions. The LDAP standards define consistent ways for naming and storing directory objects. LDAP also provides methods for accessing, searching, and modifying information that is stored in a directory.
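Two of the LDAP standards this lesson refers to, the string representation of search filters and the string representation of distinguished names, define escaping rules that a directory-enabled application must apply to every value it did not generate itself; otherwise a character such as "*" in a value is read as a wildcard rather than as data. The following is an added example, not part of the course module, that implements those rules (RFC 4515 and RFC 4514) with the Python standard library only. The account names, OU, and domain are constructed sample values.

```python
"""Escaping rules for LDAP search filters and distinguished names.

Added example, not from the course module. Implements the value-escaping
rules of RFC 4515 (search filters) and RFC 4514 (distinguished names) so
that characters such as '*', '(' and ',' in an application-supplied value
are treated as data rather than as filter or DN syntax. All names and the
domain below are constructed sample values.
"""

# RFC 4515, section 3: these characters must appear as a backslash followed
# by two hex digits when they occur inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514, section 2.4: these characters need a leading backslash inside a
# DN attribute value ('=' is optional in the RFC; escaping it is harmless).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append(r"\#")          # '#' is special only at the start
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading and trailing spaces
        else:
            out.append(ch)
    return "".join(out)


def build_account_filter(sam_account_name: str) -> str:
    """Filter matching exactly one account by logon name (no wildcard possible)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def build_user_dn(common_name: str, ou: str, domain_dn: str) -> str:
    """Compose a user DN under an OU; domain_dn is assumed to be well-formed already."""
    return "CN=%s,OU=%s,%s" % (escape_dn_value(common_name), escape_dn_value(ou), domain_dn)


if __name__ == "__main__":
    print(build_account_filter("j.smith"))
    print(build_account_filter("*"))             # '*' is escaped, so no wildcard
    print(build_user_dn("Smith, John", "Sales", "DC=example,DC=com"))
```

The filter builder is the piece worth copying: it always produces an equality match on a single literal value, so a value containing "*", "(" or ")" cannot widen the search. The DN escaping matters for common names that contain commas, which are frequent in display-name-style CNs such as "Smith, John".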
Additional Reading
MSDN section on LDAP
RFCs that address LDAP:
- "X.500 Lightweight Directory Access Protocol" (made obsolete by RFC 1777)
- "A String Representation of LDAP Search Filters" (made obsolete by RFC 1960)
- "Lightweight Directory Access Protocol"
- "The String Representation of Standard Attribute Syntaxes"
- "String Representation of Distinguished Names"
- "An LDAP URL Format" (made obsolete by RFC 2255)
- "A String Representation of LDAP Search Filters" (made obsolete by RFC 2254)
What is AD LDS?
Key Points
Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory service.
Usage
AD LDS is used:
- For applications that cannot or should not use AD DS.
- To address scenarios where access to AD DS is not recommended because of security concerns.
Flexibility
AD LDS does not have the restrictions of AD DS:
- You can run multiple instances on a single computer.
- It does not require a DNS infrastructure.
- It is easily modified to meet application needs.
Additional Reading
Windows Server 2008 Future Resources
Windows Server 2003 Active Directory Application Mode
Key Points
Many applications require user authentication and lookup but do not require the overhead or complexity of running AD DS. These applications can use AD LDS to store and retrieve this information. AD LDS can store:
- User information
- Application configuration information
Additional Reading
Active Directory Lightweight Directory Services
Lesson 3: Overview of Active Directory Certificate Services
One of the most common ways to provide security in the enterprise and on the Internet is to use digital certificates. Digital certificates provide security in many scenarios, including securing Web sites and e-mail. Active Directory Certificate Services (AD CS) enables the distribution and management of digital certificates. This lesson explains digital certificates, public key infrastructure and implementation scenarios for AD CS.
Key Points
Digital certificates are used to encrypt information for many different purposes. They are also used to authenticate users and computers in different ways. Consider the different ways that digital certificates are used for encryption and authentication. Also, consider the different applications that would support the use of certificates.
Key Points
A Public Key Infrastructure (PKI) enables an organization to distribute digital certificates to users and computers.
Components
A PKI consists of several interrelated objects, applications, and services:
- Certification authorities (CAs). Issue and manage certificates for users, computers, and services. Each certificate issued by a CA is signed with the CA's private key, the key that corresponds to the CA's own digital certificate.
- Certificate revocation lists (CRLs). A list of certificates that the CA has revoked or withdrawn before their expiration date.
- Certificate and CA management tools. Provide both graphical user interface (GUI) and command-line tools to manage issued certificates, publish CA certificates and CRLs, configure CAs, import and export certificates and keys, and recover archived private keys.
- Digital certificates. Electronic credentials that bind a public key (and its corresponding private key) to a user, computer, or service and are used to authenticate them.
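How these components fit together is easiest to see in code. The block below is an added example, not part of the course module and not AD CS code: it builds a self-signed root CA, issues a certificate signed with the CA's private key, publishes a CRL, and then applies the checks a relying party performs before trusting a presented certificate (issuer signature, validity period, revocation status). It assumes the third-party Python package `cryptography` is installed; the CA and subject names are constructed.

```python
"""Minimal PKI walk-through: root CA, issued certificate, CRL, relying-party check.

Added example, not part of the course module and not AD CS code. It assumes the
third-party 'cryptography' package is installed. All names are constructed.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _builder(subject, issuer, public_key, now, days, is_ca):
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )


def make_root_ca(common_name, now):
    """Self-signed CA certificate: the trust anchor relying parties start from."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = _name(common_name)
    cert = _builder(name, name, key.public_key(), now, 3650, True).sign(key, hashes.SHA256())
    return key, cert


def issue_certificate(ca_key, ca_cert, common_name, now, days=365):
    """End-entity certificate, signed with the CA's private key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(_name(common_name), ca_cert.subject, key.public_key(), now, days, False)
    return key, cert.sign(ca_key, hashes.SHA256())


def publish_crl(ca_key, ca_cert, revoked_serials, now):
    """CRL listing the serial numbers the CA revoked before their expiration."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + timedelta(days=1))
    )
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def check_certificate(cert, ca_cert, crl, now):
    """Checks a relying party applies: CA signature, validity period, CRL status."""
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
    except Exception:
        return "invalid: not signed by the trusted CA"
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return "invalid: outside validity period"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "invalid: CRL not signed by the trusted CA"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"


def demo(now=None):
    """Issue two certificates, revoke one, and classify several presented certificates."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None, microsecond=0)
    ca_key, ca_cert = make_root_ca("Example Issuing CA", now)
    _, web_cert = issue_certificate(ca_key, ca_cert, "intranet.example.com", now)
    _, lost_cert = issue_certificate(ca_key, ca_cert, "laptop42.example.com", now)
    crl = publish_crl(ca_key, ca_cert, [lost_cert.serial_number], now)
    other_key, other_ca = make_root_ca("Some Other CA", now)     # not trusted here
    _, other_cert = issue_certificate(other_key, other_ca, "intranet.example.com", now)
    return {
        "web": check_certificate(web_cert, ca_cert, crl, now),
        "lost": check_certificate(lost_cert, ca_cert, crl, now),
        "other_ca": check_certificate(other_cert, ca_cert, crl, now),
        "expired": check_certificate(web_cert, ca_cert, crl, now + timedelta(days=400)),
    }


if __name__ == "__main__":
    for label, status in demo().items():
        print(label, "->", status)
```

The order of checks in `check_certificate` is deliberate: a certificate from an untrusted CA is rejected before its CRL is consulted, and the CRL itself is only believed once its signature has been verified against the same CA, since an unsigned or foreign CRL says nothing about revocation.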
What Is AD CS?
Key Points
Active Directory Certificate Services (AD CS) is the Microsoft implementation of a PKI. AD CS provides a fully functional PKI for a Windows Server network. These services can also be extended to non-Windows-based devices. AD CS provides all of the basic PKI services such as tools for management and revocation services.
Additional Reading
Active Directory Certificate Services
AD CS Implementation Examples
Key Points
AD CS can be used for a variety of scenarios, including the following:
- SSL certificates for internal Web sites. By using SSL with an internal Web site, you can ensure that all client authentication traffic and all access to the Web site are encrypted.
- Smart cards with certificates issued from the AD CS certification authority for domain authentication. Smart cards provide a second level of authentication security by providing two-factor authentication.
- Encrypting File System (EFS) certificates for domain-joined computers. By using EFS certificates, users can encrypt files on their hard disks while administrators centrally manage the certificates.
- Certificates for routers to establish IP security (IPsec) communication. AD CS can issue the certificates required to implement IPsec, an option for enabling remote access or virtual private networks.
- Certificates for users to encrypt and sign e-mail messages. To encrypt e-mail, users must be issued certificates.
Key Points
In an auto-enrollment scenario:
1. The user or computer account is authenticated.
2. The CA retrieves the certificate policies from AD DS.
3. If the user has the appropriate permissions and the policies are configured to allow auto-enrollment, the certificate is generated and stored in AD DS.
When manual enrollment is used:
1. The certificate request is created on a computer and then forwarded to the CA.
2. On the CA, the certificate is put into a pending status until an administrator reviews and approves the request.
3. Once approved, the certificate can be downloaded and installed on the appropriate device.
Additional Reading
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
AD DS and AD CS Integration
Certificates stored in AD DS
The user or computer certificate is stored with the user account or computer account. These certificates are then replicated to all of the AD DS servers resulting in resilient and redundant storage of certificate information.
Certificate policies
Certificate policies that govern how certificates are generated and what settings these certificates have can also be stored and applied from AD DS.
Lesson 4
Overview of AD RMS
By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information even after the information has been shared between users. AD RMS does this through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information (such as financial reports, product specifications, customer data, and confidential e-mail messages) from intentional or accidental unauthorized use.
Key Points
A rights management solution is used to protect information stored in documents, e-mail messages, and Web sites from unauthorized viewing, modification, or use. Features typically include:
- Helping protect sensitive information from being accessed by or shared with unauthorized users. A rights management solution can be used to prevent users from forwarding or copying content to other, unauthorized users.
- Helping ensure that data content is protected and tamper-resistant. A rights management solution uses encryption and digital signatures to protect data from unauthorized access and modification.
- Controlling when data expires based on time requirements, even when that information is sent over the Internet to other individuals. This helps to ensure that the most current information is available.
What is AD RMS?
Key Points
Active Directory Rights Management Services (AD RMS) is the Windows Server 2008 implementation of an enterprise rights management solution. RMS helps protect information by:
- Providing the tools to distribute client certificates to trusted users.
- Enforcing content access policies.
- Providing centralized management.
Additional Reading
Windows Rights Management Services
How It Works: Windows Rights Management Services
Active Directory Rights Management Services Overview
Key Points
You can deploy AD RMS to protect content sent in an e-mail message:
1. The content creator applies a security policy to protect the content of the message.
2. The AD RMS server encrypts the content and applies the permissions assigned by the content creator.
3. When the content consumer receives the message, the client e-mail software requests permission from the AD RMS server before the user can view the message.
4. The client software receives from the AD RMS server specific parameters for what the user can do with the message and then grants the user the appropriate usage rights.
Additional Reading
Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide
Key Points
AD RMS integrates with AD DS in three key areas:
- All AD RMS users must have an AD DS user account. Before a user can apply an RMS policy to content, or before a consumer can access content, they must be authenticated by AD DS.
- AD DS provides the e-mail addresses used to obtain rights for content. All users must be configured with an e-mail address, even if the organization has not deployed an e-mail server.
- AD RMS services are registered as service connection points in AD DS so that clients can locate the AD RMS servers. When an RMS-aware client tries to locate an AD RMS server to protect or consume content, the client connects to AD DS. The service connection point in AD DS provides the client with the information about the AD RMS server it should use.
Lesson 5
Overview of AD FS
Active Directory Federation Services (AD FS) enables the extension of AD DS authentication to other organizations. When you deploy Active Directory Federation Services, you can enable federated trusts between two organizations so that the user accounts that have authenticated in one organization will be trusted to access an application in the other organization. This can provide single sign-on between the organizations for accessing Web applications. This lesson provides an overview of how AD FS can be used.
What is AD FS?
Key Points
AD FS allows users in a trusted directory to access a Web-based application in the partner domain using user credentials from their local directory.
Benefits
- Reduces the management overhead for administrators, since only one account has to be administered.
- End users need to remember only one set of user credentials.
Key Points
The B2B AD FS authentication scenario follows these basic steps:
1. A client computer connects to a Web application in a different organization.
2. The Web application redirects the Web client to the resource federation server.
3. The resource partner AD FS server responds to the client, requesting that it obtain a security token from the AD FS server in the account partner organization.
4. The client requests the security token from the account partner's AD FS server and passes the token back to the Web application.
5. The client can now gain access to the Web application.
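The exchange above involves two parties that never share a user database: the account partner vouches for the user by signing a token, and the resource partner decides by checking that token. The following is an added example, not part of the course module and not AD FS code, that plays both sides in Python with the standard library only. Real AD FS issues SAML tokens signed with the account partner's token-signing certificate; the HMAC over a shared key used here is a stand-in assumption so the example runs offline. The organization names, users, groups, and key are constructed.

```python
"""Simulation of the B2B AD FS steps, with both partners' sides.

Added example, not part of the course module and not AD FS code. The account
partner's federation server authenticates a user against its directory and
issues a signed security token; the resource partner's Web application grants
access only to a token with a valid signature, the expected issuer and
audience, an unexpired lifetime, and a required group claim. The HMAC over a
shared key is a stand-in assumption for the certificate signature real AD FS
uses. Organization names, users, groups and the key are constructed.
"""
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode


class AccountPartnerFederationServer:
    """Account partner: owns the user accounts and issues security tokens."""

    def __init__(self, issuer, signing_key, directory):
        self.issuer = issuer
        self._key = signing_key
        self._directory = directory  # username -> groups; stand-in for AD DS

    def issue_token(self, username, audience, now, lifetime=300):
        """Step 4 (account side): only an account in the directory gets a token."""
        if username not in self._directory:
            raise PermissionError("unknown account: " + username)
        claims = {"iss": self.issuer, "aud": audience, "sub": username,
                  "groups": self._directory[username], "exp": now + lifetime}
        body = urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig


class ResourcePartnerWebApp:
    """Resource partner: trusts exactly one account partner and checks every token."""

    def __init__(self, app_id, trusted_issuer, verify_key, required_group):
        self.app_id = app_id
        self.trusted_issuer = trusted_issuer
        self._key = verify_key
        self.required_group = required_group

    def validate(self, token, now):
        """Reject anything not signed by the trusted partner, for another app, or stale."""
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("token signature invalid")
        claims = json.loads(urlsafe_b64decode(body.encode()))
        if claims["iss"] != self.trusted_issuer:
            raise PermissionError("token not issued by the trusted account partner")
        if claims["aud"] != self.app_id:
            raise PermissionError("token issued for a different application")
        if claims["exp"] <= now:
            raise PermissionError("token expired")
        return claims

    def access(self, token, now):
        """Step 5: grant access only when the validated claims include the group."""
        claims = self.validate(token, now)
        if self.required_group not in claims["groups"]:
            raise PermissionError("account lacks group " + self.required_group)
        return "access granted to " + claims["sub"]


# Constructed sample federation: two organizations sharing one signing key.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
ACCOUNT_PARTNER = AccountPartnerFederationServer(
    "fs.account-partner.example", SHARED_KEY,
    {"alice": ["PartnerPortalUsers"], "bob": ["Staff"]})
RESOURCE_APP = ResourcePartnerWebApp(
    "portal.resource-partner.example", "fs.account-partner.example",
    SHARED_KEY, "PartnerPortalUsers")


def federated_access(username, now):
    """Steps 1-5 for one user; returns the Web application's decision or raises."""
    # 1-3: the client reaches the Web application without a token and is told
    #      to obtain one from the account partner's federation server.
    # 4:   the client is authenticated there and receives a signed token.
    token = ACCOUNT_PARTNER.issue_token(username, RESOURCE_APP.app_id, now)
    # 5:   the client presents the token and the Web application decides.
    return RESOURCE_APP.access(token, now)


if __name__ == "__main__":
    print(federated_access("alice", now=1_700_000_000))
```

The point to take from the resource partner's `validate` is that the Web application never sees a password: it decides purely on the token's signature, issuer, audience, expiry, and claims, which is why the federation trust and the token lifetime are the controls that matter on that side.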
AD DS and AD FS Integration
Key Points
AD FS is integrated with AD DS in the following ways:
- AD FS requires a directory service such as AD DS or AD LDS to store all user accounts.
- AD FS enables the account partner in the federation trust to manage all user accounts.
- Resource partners may also use AD DS to restrict access to the Web applications.
- AD FS also extends some AD DS functionality to applications located in a perimeter network.
Lab: Exploring Windows Server 2008 Active Directory Server Roles
Scenario 2
Tailspin Toys has recently experienced a situation that caused information about the company's new projects to be posted on the Internet. The executive team has mandated that a solution be created to protect confidential data from being e-mailed or printed so that it can be used outside of the company. You must identify a solution to meet the new executive requirements.
Scenario 3
Woodgrove Bank has been put under new regulatory restrictions that require all employees to log on to their computers with two-factor authentication. These regulations also require that all e-mail is encrypted and authenticated. You must identify a solution to meet these new regulations.
Scenario 4
Tailspin Toys is developing a Web application that will include user accounts from the corporate directory. Corporate policy forbids the schema changes that are required for the Web application to function. You must identify a solution that provides a user directory and accommodates the required schema changes.
The main tasks for this exercise are as follows:
1. Review each of the scenarios and determine which of the Active Directory server roles are required for each scenario.
2. Make some basic decisions about Active Directory server placement.
Task 1: Review the four scenarios and determine which of the Active Directory server roles will assist in providing the required solution.
Task 2: Determine the location where each of the server roles would be placed.
Result: At the end of this exercise, you will have practiced decision making about Active Directory server roles and placement.
Task 1: How does the selected Active Directory role integrate with AD DS in each scenario?
Result: At the end of this exercise, you will have (1) described how the Active Directory server roles integrate with AD DS, and (2) postulated the results of integration failure.
Review Questions
1. You have been tasked with deploying a solution to provide two-factor authentication for users on workstations located at your company. Which two Active Directory server roles would you need to deploy to provide a centrally managed two-factor authentication solution?
2. In what way does AD CS rely on AD DS?
3. What are some ways that certificates generated by AD CS can be used for encryption?
4. What are some reasons for deploying AD LDS instead of AD DS?
5. What are some of the basic functions that AD RMS provides?