Active Directory Improvements

Active Directory Improvements in Windows Server 2008
http://www.trainsignal.com/blog/windows-server-2008-active-directory
By Jason Ensinger, July 2, 2008

In the Beginning …

When Active Directory was first introduced in Windows 2000 Server it quickly became the most widely implemented network resource management system in use. By providing a single logon from the Windows logon prompt on the client for authenticated access to all resources, local and on the network, as well as a single point of administration, it is hard to argue with the results.

The first version of Active Directory used access control lists (ACLs) to provide an object-based method of managing access to network resources. Still, not every business's needs were met with the initial release of Active Directory. Certificate Services, Windows' public key infrastructure for issuing the certificates that secure web-based resources such as e-mail, and Microsoft Metadirectory Services (MMS), Windows' method for providing central access to multiple network directories, were both separate components from Active Directory.

Here and Now …

When Microsoft released Windows Server 2003, Active Directory's prominence was secured by meeting the demands of customers for better integration with other network security components. Microsoft improved the way Active Directory and Certificate Services worked together. MMS was replaced with Microsoft Identity Integration Server (MIIS), which provided even better integration with other directory types. Additional features were added in the first release of Server 2003, such as Authorization Manager and Windows Rights Management Services (RMS). Authorization Manager introduces role-based access control (RBAC), which lets administrators group permissions by job role and associate a user with multiple job roles.

RMS gives the administrator the ability to attach usage policies to resources that satisfy the new information protection laws. RMS works together with Certificate Services and IIS to enforce its policies on the local network and on the World Wide Web. In Server 2003 R2, Active Directory Federation Services (ADFS) and Active Directory Application Mode (ADAM) were introduced. ADFS extends the convenience of Active Directory's single sign-on authentication to the web by creating a single user session that can be used across multiple web applications. ADAM was introduced so directory-enabled applications could take advantage of Active Directory's access control without requiring an actual domain or domain controller.

Windows Server 2008

In Windows Server 2008 Active Directory has continued on its path of integration with its latest family of components. Active Directory components are now available as server roles, which I have listed below:

Active Directory Domain Services (AD DS)
Active Directory Certificate Services (AD CS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Federation Services (AD FS)
Active Directory Rights Management Services (AD RMS)


As you have probably noticed, the server roles listed above all contain "Active Directory" in the name. The new Active Directory roles provide the same functionality as the identity and access components from previous Windows Server versions, but under new names.

    Active Directory Domain Services (AD DS)

Active Directory Domain Services is the new name for what earlier releases simply called Active Directory, and it remains the core Active Directory component. Aside from improvements to the user interface, there are four major improvements to AD DS, which I will go over below.

Read-only domain controllers (RODC): provide reliable security in physically insecure environments such as branch offices by hosting a read-only replica of the domain database from a writable domain controller. Changes cannot be made on an RODC, and only the credentials of accounts that its Password Replication Policy allows to be cached, and that have actually authenticated through it, are stored on the server. If the security of the RODC were breached, only those cached credentials would need to be reset; the whole directory would not need to be rebuilt.

Auditing enhancements: there are now four auditing subcategories in place of the single directory service access setting of Server 2003: Directory Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication. The Directory Service Changes subcategory also records the old and the new value of a modified attribute. This allows for better event searching and logging policy management.

Granular password and account lockout policies: domains are no longer limited to a single password or lockout policy. Multiple password settings objects can now be stored in a domain and applied to global security groups or individual users; where more than one applies to a user, the one with the lowest precedence value wins.

Restartable AD DS: you can now perform maintenance on AD DS by simply stopping the Active Directory Domain Services service. Before, you had to reboot the machine into Directory Services Restore Mode to perform maintenance, which led to more downtime.
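For the read-only domain controller item above, the practical questions are which accounts an RODC is allowed to cache, which it has actually cached, and what to reset if the box is stolen. The following script is an added example, not code from the original post; it assumes the Active Directory PowerShell module (shipped with Server 2008 R2 and RSAT; on a Server 2008 domain it needs the Active Directory Management Gateway Service on at least one DC), and the RODC name, group names and the placeholder password are assumptions for the example.

```powershell
# Added example (not from the original post): review an RODC's Password
# Replication Policy, list the credentials it has actually cached, and reset
# those accounts after a suspected compromise.
# Assumes: Active Directory module available; "BRANCH-RODC01" is a placeholder.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC01'

# 1. Password Replication Policy: who MAY be cached on this RODC. A "Denied"
#    entry wins over "Allowed"; the defaults deny Domain Admins, Enterprise
#    Admins and the other privileged groups.
Write-Host "== Allowed to replicate to $rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, DistinguishedName | Format-Table -AutoSize
Write-Host "== Denied from replicating to $rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 2. Revealed accounts: whose secrets HAVE been cached. This is exactly what an
#    attacker gets by stealing the RODC's database, and the set to reset.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
Write-Host "== Accounts with credentials cached on $rodc ($($revealed.Count)) =="
$revealed | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 3. Sanity check: a privileged account in the revealed set means the PRP is
#    too permissive and must be fixed before anything else.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
foreach ($acct in ($revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
        Select-Object -ExpandProperty Name
    $hit = @($groups | Where-Object { $privileged -contains $_ })
    if ($hit.Count -gt 0) {
        Write-Warning "Privileged account cached on ${rodc}: $($acct.Name) ($($hit -join ', '))"
    }
}

# 4. Breach response: force a new password on every revealed user account.
#    Run only after the RODC is confirmed compromised and isolated. Computer
#    accounts are re-keyed on the host itself (Reset-ComputerMachinePassword).
function Reset-RevealedAccounts {
    param([Parameter(Mandatory = $true)][string]$Rodc)
    $users = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $_.ObjectClass -eq 'user' }
    foreach ($u in $users) {
        # Random temporary password, then require a change at next logon.
        $plain = [Guid]::NewGuid().ToString('N') + 'Aa1!'
        $tmp = ConvertTo-SecureString $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $u.DistinguishedName -Reset -NewPassword $tmp
        Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
        Write-Host "Reset: $($u.Name)"
    }
}
# Reset-RevealedAccounts -Rodc $rodc   # uncomment to act on the revealed set
```

The distinction between steps 1 and 2 matters: the policy says who could be cached, the revealed list says who is, and only the second list tells you the real blast radius of a lost RODC.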
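For the auditing item above, here is how the new Directory Service Changes subcategory is switched on and how its events are read back. This is an added example, not code from the original post; it assumes it runs on a Server 2008 domain controller as an administrator with Windows PowerShell 2.0 installed (Get-WinEvent is not in PowerShell 1.0), and the list of watched attributes is a choice made for this example.

```powershell
# Added example (not from the original post): enable "Directory Service Changes"
# auditing and parse the change events it produces from the Security log.
# Assumes: run on a Server 2008 DC as administrator, PowerShell 2.0 present.

# 1. Enable the subcategory. The four subcategories under the "DS Access"
#    category replace the single directory-service-access setting of 2003.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /get /category:"DS Access"

# 2. Change events: 5136 modify, 5137 create, 5138 undelete, 5139 move,
#    5141 delete. A modify of a single-valued attribute produces two 5136
#    events: one with the old value ("Value Deleted"), one with the new one
#    ("Value Added"), which is the old/new pair 2003 could not log.
function Get-DirectoryChange {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $op = $d['OperationType']
        if ($op -eq '%%14674') { $op = 'Value Added' }
        elseif ($op -eq '%%14675') { $op = 'Value Deleted' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            ObjectDN  = $d['ObjectDN']
            Class     = $d['ObjectClass']
            Attribute = $d['AttributeLDAPDisplayName']   # empty for create/delete/move
            Value     = $d['AttributeValue']
            Operation = $op
        }
    }
}

# 3. Hunt for the changes a defender cares about: group membership, security
#    descriptors, delegation, SPNs and logon scripts, plus any object created
#    or deleted. (Assumed watch-list; extend it for your environment.)
$watched = @('member', 'nTSecurityDescriptor', 'msDS-AllowedToDelegateTo',
             'servicePrincipalName', 'scriptPath', 'userAccountControl')
Get-DirectoryChange -MaxEvents 1000 |
    Where-Object { ($watched -contains $_.Attribute) -or (@(5137, 5141) -contains $_.EventId) } |
    Sort-Object Time -Descending |
    Format-Table Time, EventId, Subject, Class, Attribute, Operation, ObjectDN -AutoSize
```

Two caveats: the subcategory only produces events for objects whose SACL audits the change (the default SACLs on the domain partition cover most interesting objects, but check your OUs), and the 5136 pair is only as useful as the log retention that keeps both halves.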
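For the granular password and lockout policies item above, the following script creates two password settings objects, links them to groups, and shows how to find out which policy a given user actually ends up with. It is an added example, not code from the original post; it uses the Active Directory PowerShell module (Server 2008 R2 and RSAT; at the time of the post the tools were ADSI Edit or ldifde), and the policy names, group names, user name and the chosen values are assumptions for the example.

```powershell
# Added example (not from the original post): fine-grained password policies.
# Assumes: Active Directory module; groups "Tier0-Admins" and
# "Service-Accounts" and user "svc-backup" are placeholders.
Import-Module ActiveDirectory

# Lower Precedence wins when several PSOs apply to one user through groups; a
# PSO linked directly to the user beats any group-linked PSO regardless.
$policies = @(
    @{ Name = 'PSO-Admins';          Precedence = 10; MinLen = 15; MaxAge = '30.00:00:00';
       History = 24; Threshold = 5;  Window = '00:30:00'; Duration = '00:30:00'; Subject = 'Tier0-Admins' },
    @{ Name = 'PSO-ServiceAccounts'; Precedence = 20; MinLen = 25; MaxAge = '365.00:00:00';
       History = 10; Threshold = 20; Window = '00:30:00'; Duration = '00:15:00'; Subject = 'Service-Accounts' }
)

foreach ($p in $policies) {
    $existing = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'"
    if (-not $existing) {
        New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -MinPasswordLength $p.MinLen -PasswordHistoryCount $p.History `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge $p.MaxAge `
            -LockoutThreshold $p.Threshold -LockoutObservationWindow $p.Window `
            -LockoutDuration $p.Duration -ProtectedFromAccidentalDeletion $true
        # PSOs link only to users and global security groups, never to OUs.
        Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Subject
    }
}

# Resultant policy: what the DC will actually enforce for this account. Returns
# nothing when no PSO applies, in which case the domain policy is in force.
function Get-EffectivePasswordPolicy {
    param([string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) {
        New-Object PSObject -Property @{ User = $User; Policy = $pso.Name;
            MinLength = $pso.MinPasswordLength; MaxAge = $pso.MaxPasswordAge; Lockout = $pso.LockoutThreshold }
    } else {
        $dp = Get-ADDefaultDomainPasswordPolicy
        New-Object PSObject -Property @{ User = $User; Policy = 'Default Domain Policy';
            MinLength = $dp.MinPasswordLength; MaxAge = $dp.MaxPasswordAge; Lockout = $dp.LockoutThreshold }
    }
}

Get-EffectivePasswordPolicy -User 'svc-backup' | Format-List
```

The resultant-policy check is the part worth keeping in a runbook: a user who is a member of both groups gets PSO-Admins because 10 beats 20, and a user in neither silently falls back to the Default Domain Policy, which is the case that most often surprises people.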

    Active Directory Certificate Services (AD CS)

Certificate Services is named Active Directory Certificate Services in Server 2008. There are several notable improvements to AD CS. I have listed the major changes below.

Certificate Web enrollment support improvements: the ActiveX control for Web enrollment, XEnroll.dll, has been replaced with the COM control CertEnroll.dll. The new control is more secure and manageable.

Network device enrollment support: AD CS now includes the Network Device Enrollment Service, an implementation of the Simple Certificate Enrollment Protocol (SCEP), so routers, switches and other network devices that have no domain account can obtain certificates and authenticate to other network entities.

Online Certificate Status Protocol (OCSP) support: Server 2008 includes an Online Responder as an optional role service. OCSP lets a client ask the responder for the revocation status of a single certificate instead of downloading the entire certificate revocation list, which improves network performance.

Enterprise PKI (PKIView): PKI Health has a new name and is now an MMC snap-in. This tool is used for troubleshooting and monitoring the health of certification authorities and of the CA certificates, CRLs and AIA locations they publish.

CAPI2 Diagnostics: a new PKI troubleshooting feature that performs highly detailed logging of several validation processes, such as chain building and revocation checking, to the Microsoft-Windows-CAPI2/Operational event log.
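The OCSP and CAPI2 Diagnostics items above are two halves of the same client-side story: the client must actually check revocation, and when that check misbehaves you need to see which URL it contacted. The script below is an added example, not code from the original post or from Microsoft; it assumes a Vista or Server 2008 (or later) client, and the certificate file path is a placeholder.

```powershell
# Added example (not from the original post): check a certificate's revocation
# status through OCSP/CRL and use the CAPI2 operational log to see what happened.
# Assumes: Windows Vista / Server 2008 or later; the path below is a placeholder.
$certPath = 'C:\temp\webserver.cer'

# 1. CAPI2 diagnostics are off by default; enable the operational log so chain
#    building and revocation checking are recorded.
wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:true

function Test-CertRevocation {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: fetch OCSP/CRL from the network instead of trusting only the cache.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # Check every certificate in the chain except the self-signed root.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan 0, 0, 15
    $ok = $chain.Build($cert)
    # Distinguish "revoked" from "could not check": a client that treats
    # RevocationStatusUnknown or OfflineRevocation as success is bypassed by
    # simply blocking its path to the responder.
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    New-Object PSObject -Property @{
        Subject   = $cert.Subject
        Valid     = $ok
        Revoked   = [bool]($status -contains 'Revoked')
        Unchecked = [bool](($status -contains 'RevocationStatusUnknown') -or ($status -contains 'OfflineRevocation'))
        Status    = ($status -join ', ')
    }
}

Test-CertRevocation -Path $certPath | Format-List

# 2. The same check from the command line. -urlfetch forces fresh OCSP/CRL
#    retrieval and the output names each responder/CDP URL and its result.
certutil -verify -urlfetch $certPath

# 3. Read back the CAPI2 events for the operations just performed.
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 30 |
    Select-Object TimeCreated, Id, TaskDisplayName |
    Format-Table -AutoSize
```

Leave the CAPI2 log disabled in normal operation; it is verbose and it is meant to be switched on for the duration of a troubleshooting session.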

    Active Directory Lightweight Directory Services (AD LDS)

Active Directory Lightweight Directory Services (AD LDS) is the new name for Active Directory Application Mode (ADAM).

AD LDS is essentially the same as ADAM, except that it is now available as an in-box role in Server 2008, whereas it had to be downloaded from the Microsoft Download Center for Server 2003.

As mentioned above for ADAM, AD LDS is a stripped-down version of AD DS designed to be used by applications. Many CRM and HR applications use Active Directory for storing their data. AD LDS can be used instead of AD DS, making it possible to run these applications without a domain and without giving them access to network resources; each AD LDS instance has its own directory store and schema, and several instances can run side by side on one server.


    Active Directory Federation Services (AD FS)

The name of Active Directory Federation Services (AD FS) remains the same, save for the addition of a space in the acronym.

AD FS allows businesses to set up federation trust relationships with other organizations' directories, so that users' credentials from one directory can be used to access resources protected by the other. While there is little change to the name, a couple of notable improvements have been made, which I will go over below.

Federation trust import/export support: before, configuring a federation trust was a long manual process. The manual process is still long; however, once a trust is set up, its settings can be exported and then imported on other AD FS servers.

AD FS deployment limiting: a group policy can be applied to disable deployment of AD FS servers on Windows Server 2008.

    Active Directory Rights Management Services (AD RMS)

    The follow-up to Windows RMS is Active Directory Rights Management Services (AD RMS).

The purpose of AD RMS remains the same as its predecessor's. It is now integrated with Office 2007 and Internet Explorer 7 for securing sensitive information hosted on the server. For example, rights can be applied to e-mails to prevent recipients from forwarding messages.

AD RMS is available as a role in Server 2008 and now includes an MMC snap-in for administration instead of a Web-based interface.

    Still More to Come

The preceding components are the five Active Directory roles released in Windows Server 2008. This year, MIIS has been updated for Server 2003 under the title Identity Lifecycle Manager. An updated release for Server 2008, code-named Identity Lifecycle Manager 2, is currently in beta.

Notable new features in this release include administration from a GUI and from SharePoint Services, as well as an approval request process for content available from Office 2007 applications. You can find out more about Identity Lifecycle Manager 2 at http://www.microsoft.com/windowsserver/ilm2/default.mspx.

While it would have been nice to have Identity Lifecycle Manager released together with Server 2008, it goes to show that Microsoft knows its work is never finished and will keep the improvements to Active Directory coming.
