Exploring Windows Server 2008 Active Directory Roles

Module 1
Exploring Windows Server 2008 Active Directory Roles
Contents:
Lesson 1: Overview of Active Directory Domain Services  1-3
Lesson 2: Overview of AD LDS  1-8
Lesson 3: Overview of Active Directory Certificate Services  1-14
Lesson 4: Overview of AD RMS  1-24
Lesson 5: Overview of AD FS  1-31
Lab: Exploring Windows Server 2008 Active Directory Server Roles  1-37

BETA COURSEWARE. EXPIRES 4/30/2008

Fundamentals of Windows Server 2008 Active Directory

Module Overview

Windows Server 2008 provides a rich platform for five Active Directory server roles. This module describes the fundamental concepts of these five server roles.

Lesson 1

Overview of Active Directory Domain Services

AD DS provides a directory service that uses a centralized management and authentication service for a network. AD DS provides the core services for all of the other Active Directory server roles. This lesson provides an overview of how AD DS provides this functionality.

What is a Directory Service?

Key Points
A network directory service:
- Provides information about user objects, computers and services (such as an e-mail address).
- Stores this information in a secure database and provides the tools for managing and searching the directory.
- Allows you to manage all network user accounts and resources in a single location and apply policies to the directory objects to ensure that all are managed consistently.

Additional Reading
Deciding Between Workgroups and Domains

What is AD DS?

Key Points
Active Directory Domain Services (AD DS) is a centralized directory for user and computer management and authentication. It provides authentication services for a Windows Server 2008 network. The directory contains user objects, group objects and computer objects, as well as service information. This allows the service to provide information about these objects, to authenticate them, and to manage access to network resources.

Additional Reading
Deciding Between Workgroups and Domains

How Does AD DS Work?

Key Points
AD DS provides the following for a Windows Server 2008 network:
- Stores user and computer objects
- Authenticates user and computer objects
- Stores group information

AD DS Integration with other Active Directory Server Roles

Key Points
Many of the other Windows Server 2008 server roles integrate with AD DS. Server roles such as the following rely on AD DS:
- Active Directory Federation Services (AD FS)
- Active Directory Rights Management Services (AD RMS)
- Active Directory Certificate Services (AD CS)

Lesson 2

Overview of AD LDS

Active Directory Lightweight Directory Services (AD LDS) is an Active Directory server role that provides a Lightweight Directory Access Protocol (LDAP)-compliant directory and directory services. When you configure AD LDS, you can use it to provide authentication and directory services for custom-written, third-party and other enterprise applications. This lesson provides an overview of LDAP and AD LDS.

What is LDAP?

Key Points
Lightweight Directory Access Protocol (LDAP) is a standardized, TCP/IP-based client/server protocol that has been in use for over 15 years and is leveraged by a large number of applications and solutions. The LDAP standards define consistent ways of naming and storing directory objects. LDAP also provides methods for accessing, searching, and modifying information that is stored in a directory.

Additional Reading
MSDN section on LDAP
RFCs that address LDAP:
- "X.500 Lightweight Directory Access Protocol" (made obsolete by RFC 1777)
- "A String Representation of LDAP Search Filters" (made obsolete by RFC 1960)
- "Lightweight Directory Access Protocol"
- "The String Representation of Standard Attribute Syntaxes"
- "String Representation of Distinguished Names"
- "An LDAP URL Format" (made obsolete by RFC 2255)
- "A String Representation of LDAP Search Filters" (made obsolete by RFC 2254)
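As an added example (not part of the courseware) of the search-filter syntax that the "String Representation of LDAP Search Filters" RFCs listed above standardize, the following Python parses LDAP filter strings and evaluates them against a small constructed set of directory entries; the entry names, attributes and DNs are sample data, not a real directory.

```python
# Added example (not from the courseware): parse and evaluate LDAP search
# filter strings, the grammar of "A String Representation of LDAP Search
# Filters" cited above. Supports &, |, !, equality, presence (attr=*) and
# substring (attr=a*b) assertions against entries: dicts of attr -> [values].
import re

def parse_filter(text):
    """Return a tree: ('&'|'|'|'!', [children]) or ('=', attr, pattern)."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|", "!"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, children)
    else:
        end = s.find(")", i)
        if end < 0 or "=" not in s[i:end]:
            raise ValueError(f"malformed assertion at offset {i}")
        attr, _, pattern = s[i:end].partition("=")
        node = ("=", attr.strip().lower(), pattern)  # attribute names are case-insensitive
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def _match(pattern, value):
    # "*" alone is a presence test; embedded "*" are substring wildcards.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None

def evaluate(node, entry):
    """True if the entry satisfies the parsed filter tree."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    return any(_match(node[2], v) for v in entry.get(node[1], []))

def search(entries, filter_text):
    """Return the DNs of entries matching the filter, as an LDAP search would."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if evaluate(tree, e)]

# Constructed sample directory (not real data); attribute names lower-cased.
SAMPLE_ENTRIES = [
    {"dn": ["CN=Alice,OU=Users,DC=contoso,DC=com"], "objectclass": ["user"],
     "cn": ["Alice"], "mail": ["alice@contoso.com"]},
    {"dn": ["CN=Bob,OU=Users,DC=contoso,DC=com"], "objectclass": ["user"],
     "cn": ["Bob"]},
    {"dn": ["CN=RMS-SCP,OU=Apps,DC=contoso,DC=com"],
     "objectclass": ["serviceconnectionpoint"], "cn": ["RMS-SCP"]},
]
```

Malformed filters (unbalanced parentheses, a `!` with two operands, trailing characters) are rejected with `ValueError` rather than silently matching nothing.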

What is AD LDS?

Key Points
Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory service.

Usage
AD LDS is used:
- For applications that cannot or should not use AD DS.
- To address scenarios where access to AD DS is not recommended due to security concerns.

Flexibility
AD LDS does not have the restrictions of AD DS:
- You can run multiple instances on a single computer.
- It does not require a DNS infrastructure.
- It is easily modified to meet application needs.

Additional Reading
Windows Server 2008 Future Resources
Windows Server 2003 Active Directory Application Mode

AD LDS Implementation Examples

Key Points
Many applications require user authentication and lookup, but do not require the overhead or complexity of running AD DS. These applications can leverage AD LDS to store and retrieve this information. AD LDS can store:
- User information
- Application configuration information

Additional Reading
Active Directory Lightweight Directory Services

Lesson 3

Overview of Active Directory Certificate Services

One of the most common ways to provide security in the enterprise and on the Internet is to use digital certificates. Digital certificates provide security in many scenarios, including securing Web sites and e-mail. Active Directory Certificate Services (AD CS) enables the distribution and management of digital certificates. This lesson explains digital certificates, public key infrastructure and implementation scenarios for AD CS.

Discussion: What Are Digital Certificates Used For?

Key Points
Digital certificates are used to encrypt information for many different purposes. They are also used to authenticate users and computers in different ways. Consider the different ways that digital certificates are used for encryption and authentication. Also, consider the different applications that would support the use of certificates.

What is a Public Key Infrastructure (PKI)?

Key Points
A Public Key Infrastructure (PKI) enables an organization to distribute digital certificates to users and computers.

Components
A PKI consists of several interrelated objects, applications, and services:
- Certification authorities (CAs). Issue and manage certificates for users, computers, and services. Each certificate issued by a CA is signed with the digital certificate of the CA.
- Certificate revocation lists (CRLs). A list of certificates that the CA has revoked or withdrawn before their expiration.

- Certificate and CA management tools. Provide both Graphical User Interface (GUI) and command-line tools to manage issued certificates, publish CA certificates and Certificate Revocation Lists (CRLs), configure CAs, import and export certificates and keys, and recover archived private keys.
- Digital certificates. Electronic credentials associated with a public key and a private key that are used to authenticate users.

What Is AD CS?

Key Points
Active Directory Certificate Services (AD CS) is the Microsoft implementation of a PKI. AD CS provides a fully functional PKI for a Windows Server network. These services can also be extended to non-Windows-based devices. AD CS provides all of the basic PKI services such as tools for management and revocation services.

Additional Reading
Active Directory Certificate Services

AD CS Implementation Examples

Key Points
AD CS can be used for a variety of scenarios, including the following:
- SSL certificates for internal Web sites. By using SSL with an internal Web site, you can ensure that all client authentication traffic and all access to the Web site are encrypted.
- Smartcards with certificates issued from the AD CS Certification Authority for domain authentication. Smartcards provide a second level of authentication security by providing two-factor authentication.
- Encrypting File System (EFS) certificates for domain-joined computers. By using EFS certificates, users can encrypt files on their hard disks while enabling administrators to centrally manage the certificates.

- Certificates for routers to establish IP security (IPSec) communication. AD CS can issue the certificates required to implement IPSec, an option for enabling remote access or virtual private networks.
- Certificates for users to encrypt and sign e-mail messages. To encrypt e-mail, users need to be issued certificates.

How Does AD CS Work?

Key Points
In an auto-enrollment scenario:
1. The user or computer account is authenticated.
2. The CA retrieves the certificate policies from AD DS.
3. If the user has the appropriate permissions and the policies are configured to allow auto-enrollment, the certificate is generated and stored in AD DS.

When manual enrollment is used:
1. The certificate request is created on a computer and then forwarded to the CA.
2. On the CA, the certificate is put into a pending status until an administrator reviews and approves the request.
3. Once approved, the certificate can be downloaded and installed on the appropriate device.

Additional Reading
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure

AD DS and AD CS Integration

Key Points
Automatically generated certificates
Computers and user objects can have certificates generated from AD CS if the users and computers have appropriate permissions and the certificate policy is configured to allow auto-enrollment.

Certificates stored in AD DS
The user or computer certificate is stored with the user account or computer account. These certificates are then replicated to all of the AD DS servers resulting in resilient and redundant storage of certificate information.

Certificate policies
Certificate policies that govern how certificates are generated and what settings these certificates have can also be stored and applied from AD DS.

Lesson 4

Overview of AD RMS

By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information even after the information has been shared between users. AD RMS does this through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information (such as financial reports, product specifications, customer data, and confidential e-mail messages) from intentional or accidental unauthorized use.

What is an Enterprise Rights Management Solution?

Key Points
A rights management solution is used to protect information stored in documents, e-mail messages and Web sites from unauthorized viewing, modification or use. Features typically include:
- Helping protect sensitive information from being accessed or shared with unauthorized users. A rights management solution can be used to prevent users from forwarding or copying content to other unauthorized users.
- Helping ensure that data content is protected and tamper-resistant. A rights management solution uses encryption and digital signatures to protect data from unauthorized access and modification.
- Controlling when data will expire based on time requirements, even when that information is sent over the Internet to other individuals. This helps to ensure that the most current information is available.

What is AD RMS?

Key Points
Active Directory Rights Management Services (AD RMS) is the Windows Server 2008 implementation of an enterprise rights management solution. RMS helps protect information by:
- Providing the tools to distribute client certificates to trusted users.
- Enforcing content access policies.
- Providing centralized management.

Note: RMS-enabled applications are required to use AD RMS.

Additional Reading
Windows Rights Management Services
How It Works: Windows Rights Management Services
Active Directory Rights Management Services Overview

AD RMS Implementation Examples

Key Points
You can deploy AD RMS to protect content sent in an e-mail message:
1. The content creator can apply a security policy to protect the content of the message.
2. The AD RMS server encrypts the content and applies the permissions assigned by the content creator.
3. When the content consumer receives the message, the client e-mail software requests permission from the AD RMS server before the user can view the message.
4. The client software will receive specific parameters for what the user can do with the message from the AD RMS server and then will grant the user the appropriate usage rights.

Additional Reading
Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide

AD DS and AD RMS Integration

Key Points
AD RMS integrates with AD DS in three key areas:
- All AD RMS users must have an AD DS user account. Before a user can apply an RMS policy to content, or before a consumer can access content, they must be authenticated by AD DS.
- AD DS provides the e-mail addresses used to obtain rights for content. All users must be configured with an e-mail address, even if the organization has not deployed an e-mail server.
- AD RMS services are registered as service connection points in AD DS to enable clients to locate the AD RMS servers. When an RMS-aware client tries to locate an AD RMS server to protect or consume content, the client connects to AD DS. The service connection point in AD DS provides the client with the information about the AD RMS server that it should use.

Lesson 5

Overview of AD FS

Active Directory Federation Services (AD FS) enables the extension of AD DS authentication to other organizations. When you deploy Active Directory Federation Services, you can enable federated trusts between two organizations so that the user accounts that have authenticated in one organization will be trusted to access an application in the other organization. This can provide single sign-on between the organizations for accessing Web applications. This lesson provides an overview of how AD FS can be used.

What is AD FS?

Key Points
Enables a trust relationship
Active Directory Federation Services (AD FS) allows you to configure a federated trust relationship between two organizations. The account partner organization contains and manages the user accounts. The resource partner organization maintains a Web-based application.

Provides access to applications
After users in the account organization are authenticated by AD DS in their organization, the account can be used to access applications across the federation trust.

Provides single sign-on
AD FS can also provide single sign-on (SSO) for separate Web-based applications.

How AD FS Traffic Flows in a B2B Federation Scenario

Key Points
AD FS allows for users in a trusted directory to access a Web-based application in the partner domain using user credentials from the local directory.

Benefits
- Reduces the management overhead for administrators, since only one account has to be administered.
- End users only need to remember one set of user credentials.

How Does AD FS Work?

Key Points
The B2B AD FS authentication scenario follows these basic steps:
1. A client computer connects to a Web application in a different organization.
2. The Web application redirects the Web client to the resource federation server.
3. The resource partner AD FS server responds to the client, requesting that it obtain a security token from the AD FS server in the account partner organization.
4. The client requests the security token from the account partner's AD FS server and passes the token back to the Web application.
5. The client can now gain access to the Web application.
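The following Python is an added simulation of these five steps, not code from the courseware or from AD FS itself. It assumes placeholder partner names and a constructed account-partner directory, and uses an HMAC key as a stand-in for the X.509 signing certificate that a real federation trust exchanges; the point is the checks the resource partner performs on the token before step 5 (trusted issuer, intact signature, correct audience, not expired).

```python
# Added example (not part of the courseware): a runnable simulation of the
# five-step B2B AD FS exchange above. Real AD FS signs SAML tokens with the
# account partner's X.509 signing certificate; as a stand-in this uses an
# HMAC key assumed to have been exchanged when the federation trust was set
# up. All names, keys and users below are constructed placeholders.
import hashlib
import hmac
import json

ACCOUNT_PARTNER = "fs.tailspintoys.example"    # account partner federation server
RESOURCE_PARTNER = "fs.woodgrovebank.example"  # resource partner federation server
WEB_APP = "https://wiretransfer.woodgrovebank.example/"
ACCOUNT_SIGNING_KEY = b"placeholder-account-partner-signing-key"
TRUSTED_ISSUERS = {ACCOUNT_PARTNER: ACCOUNT_SIGNING_KEY}  # resource partner trust config
# Stand-in for the account partner's AD DS: user -> attributes issued as claims.
ACCOUNT_AD_DS = {"tbrown": {"email": "tbrown@tailspintoys.example", "groups": ["Purchasing"]}}

def _sign(claims, key):
    data = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def web_app(session):
    """Steps 1-2: an unauthenticated client is redirected to the resource FS."""
    if "claims" not in session:
        return ("redirect", RESOURCE_PARTNER)
    return ("ok", session["claims"])

def resource_fs_home_realm(home_realm):
    """Step 3: the resource FS sends the client to a trusted account partner's FS."""
    if home_realm not in TRUSTED_ISSUERS:
        raise PermissionError("no federation trust with " + home_realm)
    return ("redirect", home_realm)

def account_fs_issue_token(user, ad_ds_authenticated, now, lifetime=600):
    """Step 4: the account FS relies on AD DS authentication, then issues a signed token."""
    if not ad_ds_authenticated or user not in ACCOUNT_AD_DS:
        raise PermissionError("AD DS authentication failed for " + user)
    attrs = ACCOUNT_AD_DS[user]
    claims = {"issuer": ACCOUNT_PARTNER, "audience": WEB_APP, "subject": user,
              "email": attrs["email"], "groups": attrs["groups"], "expires": now + lifetime}
    return {"claims": claims, "signature": _sign(claims, ACCOUNT_SIGNING_KEY)}

def resource_fs_validate(token, now):
    """Steps 4-5: accept the token only if it comes from a trusted issuer, is
    unmodified, is meant for this application and has not expired."""
    claims = token["claims"]
    key = TRUSTED_ISSUERS.get(claims.get("issuer"))
    if key is None:
        return None
    if not hmac.compare_digest(_sign(claims, key), token["signature"]):
        return None
    if claims.get("audience") != WEB_APP or claims.get("expires", 0) <= now:
        return None
    return claims

def federated_login(user, ad_ds_authenticated, now=1_000_000):
    """Run the whole exchange; returns the claims the web app sees, or None."""
    session = {}
    status, target = web_app(session)
    if status != "redirect" or target != RESOURCE_PARTNER:
        return None
    resource_fs_home_realm(ACCOUNT_PARTNER)
    token = account_fs_issue_token(user, ad_ds_authenticated, now)
    claims = resource_fs_validate(token, now)
    if claims is None:
        return None
    session["claims"] = claims
    return web_app(session)[1]
```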

AD DS and AD FS Integration

Key Points
AD FS is integrated with AD DS in the following ways:
- AD FS requires a directory service such as AD DS or AD LDS to store all user accounts.
- AD FS enables the account partner in the federation trust to manage all user accounts.
- Resource partners may also use AD DS to restrict access to the Web applications.
- AD FS also extends some AD DS functionality to applications located in a perimeter network.

Summary of the Active Directory Server Roles

Lab: Exploring Windows Server 2008 Active Directory Server Roles

Exercise 1: Planning Active Directory Server Role Implementations


Scenario 1
Woodgrove Bank is partnering with Tailspin Toys. Tailspin Toys employees need to be able to access an online application to complete wire transfers to toy suppliers. You must identify a solution to provide access for the Tailspin Toys employees to the Web application.

Scenario 2
Tailspin Toys has recently experienced a situation that caused information about the company's new projects to be posted on the Internet. The executive team has mandated that a solution be created to protect confidential data from being e-mailed or printed so that it can be used outside of the company. You must identify a solution to meet the new executive requirements.

Scenario 3
Woodgrove Bank has been put under new regulatory restrictions that require all employees to log on to their computers with two-factor authentication. These regulations also require that all e-mail is encrypted and authenticated. You must identify a solution to meet these new regulations.

Scenario 4
Tailspin Toys is developing a Web application that will include user accounts from the corporate directory. The corporate policy forbids the schema changes that are required for the Web application to function. You must identify a solution to provide a user directory as well as changes in the schema.

The main tasks for this exercise are as follows:
1. Review each of the scenarios and determine which of the Active Directory server roles are required for each scenario.
2. Make some basic decisions about Active Directory server placement.

Task 1: Review the four scenarios and determine which of the Active Directory server roles will assist in providing the required solution.

Task 2: Determine the location where each of the server roles would be placed.

Result: At the end of this exercise, you will have practiced decision making about Active Directory server roles and placement.

Exercise 2: Understanding Active Directory Server Role Integration with AD DS


Scenarios
Please see the four scenarios from Exercise 1 above. The main tasks for this exercise are as follows:
1. The student will review each of the scenarios and determine how the server roles are integrated with Active Directory Domain Services in each scenario.
2. The instructor will then lead a class discussion reviewing the answers provided by students for both exercises.

Task 1: How does the selected Active Directory role integrate with AD DS in each scenario?

Task 2: What might happen if the AD DS integration stopped working?

Result: At the end of this exercise, you will have (1) described how the Active Directory server roles integrate with AD DS, and (2) postulated the results of integration failure.

Module Review and Takeaways

Review Questions
1. You have been tasked with deploying a solution to provide two-factor authentication for users on workstations located at your company. Which two Active Directory server roles would you need to deploy to provide a centrally managed two-factor authentication solution?
2. In what way does AD CS rely on AD DS?
3. What are some ways that certificates generated by AD CS can be used for encryption?
4. What are some reasons for deploying AD LDS instead of AD DS?
5. What are some of the basic functions that AD RMS provides?
