Active Directory Improvements in Windows Server 2008


7/30/2019 Active Directory Improvements in Windows Server 2008


By Jason Ensinger

    July 2, 2008


In the Beginning

When Active Directory was first introduced in Windows Server 2000, it quickly became the most widely implemented network resource management system in use. By providing a single logon process from the Windows logon prompt on the client side for authenticated access to all resources locally and on the network, as well as a single point of administration, it is hard to argue with the results.

The first version of Active Directory used an access control list (ACL) to provide an object-based method of managing access to network resources.

Still, not every business need was met with the initial release of Active Directory. Certificate Services, Windows' method of determining access to web-based resources such as email, and Microsoft Metadirectory Services (MMS), Windows' method for providing central access to multiple network directories, were both separate components from Active Directory.

Here and Now

When Microsoft released Windows Server 2003, Active Directory's prominence was secured by adhering to the demands of customers for better integration with other network security components. Microsoft improved the way Active Directory and Certificate Services worked together. MMS was replaced with Microsoft Identity Integration Server (MIIS), which provided even better integration with other directory types.

Additional features were added in the first revision of Server 2003, such as the Authorization Manager and Windows Rights Management Services (RMS).

The Authorization Manager introduces role-based access control (RBAC), which gives administrators the ability to group permissions based on job roles, allowing users to be associated with multiple job roles.

RMS gives the administrator the ability to associate usage policies that adhere to the new information protection laws with resources. RMS works together with Certificate Services and IIS to uphold its policies on the local network and the World Wide Web.

In Server 2003 Revision 2, Active Directory Federation Services (ADFS) and Active Directory Application Mode (ADAM) were introduced.

ADFS extends the convenience of Active Directory's single sign-on authentication to the web by creating a single user session that can be used across multiple web applications.

ADAM was introduced so directory-enabled applications could take advantage of Active Directory's access control without requiring an actual domain or domain controller.

Windows Server 2008

In Windows Server 2008 Active Directory has continued on its path of integration with its latest family of components. Active Directory components are now available as server roles, which I have listed below:


Active Directory Domain Services (AD DS)
Active Directory Certificate Services (AD CS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Federation Services (AD FS)
Active Directory Rights Management Services (AD RMS)

As you have probably noticed, the server roles listed above all contain Active Directory in the name. The new Active Directory roles provide the same functionality as the many identity access components from previous Windows Server versions, but with new names.

Active Directory Domain Services (AD DS)

Active Directory Domain Services is the new name for Active Directory Directory Services and remains the core Active Directory component. Aside from the improvements to the user interface, there are four major improvements to AD DS which I will go over below.

Read-only domain controllers (RODC) provide reliable security to insecure environments by replicating a writable domain controller. Changes cannot be made to a RODC, and only the user credentials used with the RODC are stored on the server. This means the whole directory would not need to be rebuilt if security on the RODC were to be breached.
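The practical check behind that claim is the RODC's password replication policy: which accounts it is allowed to cache and which it has already cached. The following is an added example, not code from the article; it assumes the ActiveDirectory PowerShell module (shipped with Server 2008 R2 and RSAT) and uses the built-in privileged group names.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# PowerShell module and a domain account allowed to read the domain.
# RODCs are discovered from the domain rather than named here.
Import-Module ActiveDirectory

# Accounts whose secrets should never sit on a branch-office RODC.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty SamAccountName -Unique

foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    Write-Host "== $($rodc.HostName) =="

    # Accounts whose password secrets have actually been replicated to this RODC.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $rodc.HostName -RevealedAccounts)

    # Principals the policy allows to be cached (e.g. Allowed RODC Password Replication Group).
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.HostName -Allowed)

    Write-Host ("Allowed by PRP   : {0}" -f ($allowed.Name -join ', '))
    Write-Host ("Revealed (cached): {0}" -f $revealed.Count)

    # The check: a cached privileged account means a compromised RODC
    # exposes far more than the branch users it was meant to serve.
    $exposed = $revealed | Where-Object { $privileged -contains $_.SamAccountName }
    if ($exposed) {
        Write-Warning ("Privileged credentials cached on {0}: {1}" -f
            $rodc.HostName, (($exposed | ForEach-Object { $_.SamAccountName }) -join ', '))
    } else {
        Write-Host 'No privileged accounts cached.'
    }
}
```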

Auditing enhancements: there are now four different auditing categories: Directory Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication. This allows for better event searching and logging policy management.
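An added example, not from the article, showing how the Directory Service Changes category is turned on and read back. It assumes the AD: drive of the ActiveDirectory module (Server 2008 R2 / RSAT), a constructed container DN, and the event IDs Windows logs for this subcategory.

```powershell
# Added example (not from the original article). Run on a domain controller
# as an administrator. Enabling the subcategory alone is not enough: AD only
# logs changes to objects whose SACL asks for it, so a SACL is set as well.

# 1. Turn on the 'Directory Service Changes' subcategory (success events).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Audit writes to everything under the Users container (inherits to children).
$ou  = 'CN=Users,DC=corp,DC=example'     # constructed container DN
$acl = Get-Acl -Path "AD:\$ou"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]'Everyone',
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, Delete',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Pull the change events from the Security log. IDs in this subcategory:
#    5136 modified, 5137 created, 5138 undeleted, 5139 moved, 5141 deleted.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 5136, 5137, 5139, 5141; StartTime = (Get-Date).AddDays(-1)
}
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # 5136 carries the attribute name and value; OperationType 0x10000 means
    # a value was added, 0x10001 that a value was deleted.
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Who       = $d['SubjectUserName']
        Object    = $d['ObjectDN']
        Attribute = $d['AttributeLDAPDisplayName']
        Value     = $d['AttributeValue']
        Op        = $d['OperationType']
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize
```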

Granular password and account lockout policies: domains are no longer limited to a single password or lockout policy. Multiple policy objects can now be saved to a domain and applied to groups or users.
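As an added example (not the article's own code) of multiple policy objects in one domain: a stricter policy is created, bound to a group, and the policy a user actually ends up with is checked. It assumes the ActiveDirectory module (Server 2008 R2 / RSAT) and a domain at the Server 2008 functional level; the policy, group and user names are constructed.

```powershell
# Added example (not from the original article). Fine-grained password
# policies require the Windows Server 2008 domain functional level.
Import-Module ActiveDirectory

# A stricter password settings object (PSO) for administrative accounts.
# Precedence: the lowest value wins when several PSOs apply to one user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Bind it to a global security group (constructed name). PSOs apply to users
# and global groups only; they cannot be linked to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Tier0-Admins'

# Verify: which policy governs a given user? The resultant policy accounts for
# precedence and falls back to the domain default when no PSO applies.
function Get-EffectivePasswordPolicy {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
}

Get-EffectivePasswordPolicy -SamAccountName 'jdoe' |   # constructed user
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Inventory every PSO and its subjects, to spot a weak PSO with a low
# precedence quietly overriding a strict one.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Precedence = $_.Precedence
            MinLength  = $_.MinPasswordLength
            AppliesTo  = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                            Select-Object -ExpandProperty Name) -join ', '
        }
    } | Format-Table -AutoSize
```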

Restartable AD DS: you can now perform maintenance on AD DS by simply stopping the Domain Controller service. Before, you had to reboot the machine and start in Directory Services Restore Mode to perform maintenance, which led to more downtime.

Active Directory Certificate Services (AD CS)

Certificate Services is named Active Directory Certificate Services in Server 2008. There are several notable improvements to AD CS. I have listed the major changes below.

Certificate Web enrollment support improvements: the ActiveX control for Web enrollment, XEnroll.dll, has been replaced with the COM control CertEnroll.dll. The new control is more secure and manageable.

Network device enrollment support: AD CS now provides built-in support for issuing certificates to network devices, allowing applications using the device to interact with other network entities.

Online Certificate Status Protocol (OCSP) support: Server 2008 includes this as an optional role service. OCSP checks a certificate's revocation status, preventing clients from having to download the entire certificate revocation list and thus improving network performance.


Enterprise PKI (PKIView): PKI Health has a new name and can now be used as an MMC snap-in. This tool is used for troubleshooting and monitoring the health of certificates and certificate authorities.

CAPI2 Diagnostics: a new PKI troubleshooting feature that performs highly detailed logging for several validation processes.
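An added example, not from the article, that ties the OCSP and CAPI2 items above together: a chain is built with online revocation checking, then the CAPI2 operational log is read back to see how the check was satisfied. It assumes .NET's X509Chain on the client and a constructed certificate path.

```powershell
# Added example (not from the original article). Run as administrator; the
# certificate path is a constructed placeholder.

# 1. Enable the CAPI2 diagnostics channel (off by default).
wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:true

# 2. Build the chain with online revocation checking. When the certificate's
#    Authority Information Access extension names an OCSP responder, Windows
#    asks the responder instead of downloading the full CRL.
function Test-ChainRevocation {
    param([string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode       = 'Online'
    $chain.ChainPolicy.RevocationFlag       = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout  = New-TimeSpan -Seconds 15
    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Valid   = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        # 1.3.6.1.5.5.7.1.1 is the AIA extension, which carries the OCSP URL.
        Aia     = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } |
                   ForEach-Object { $_.Format($true) })
    }
}
Test-ChainRevocation -CertPath 'C:\temp\server.cer'   # constructed path

# 3. Read back what CAPI2 logged for the check: which objects were retrieved
#    from the network and whether revocation was verified via OCSP or a CRL.
Get-WinEvent -LogName Microsoft-Windows-CAPI2/Operational -MaxEvents 50 |
    Where-Object { $_.Message -match 'Revocation|Retrieve' } |
    Select-Object TimeCreated, Id, TaskDisplayName,
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```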

Active Directory Lightweight Directory Services (AD LDS)

Active Directory Lightweight Directory Services (AD LDS) is the new name for Active Directory Application Mode (ADAM). AD LDS is essentially the same as ADAM, except that it is now available as an in-box role in Server 2008, whereas in Server 2003 it needed to be downloaded from the Microsoft Download Center.

As mentioned previously, but referring to ADAM, AD LDS is a stripped-down version of AD DS designed to be used in applications. Many CRM and HR applications use Active Directory for storing their data. AD LDS can be used instead of AD DS, making it possible for these applications to be used without needing to configure access to network resources.

Active Directory Federation Services (AD FS)

The name for Active Directory Federation Services (AD FS) remains the same, save the addition of a space in the acronym. AD FS allows businesses to set up trust relationships with other directories, thus enabling the other directory's users' credentials to be used across directories. While there is little change to the name, a couple of notable improvements have been made which I will go over below.

Federation trust import/export support: before, the process of configuring federation trusts was a long manual process. The manual process is still long; however, once set up, settings can be exported and then imported to other AD FS servers.

AD FS deployment limiting: a group policy can be applied to disable deployment of AD FS servers on Windows Server 2008.

Active Directory Rights Management Services (AD RMS)

The follow-up to Windows RMS is Active Directory Rights Management Services (AD RMS). The purpose of AD RMS remains the same as its predecessor. It is now integrated with Office 2007 and Internet Explorer 7 for securing sensitive information hosted on the server. For example, rights can be applied to emails to prevent recipients from forwarding messages.

AD RMS is available as a role in Server 2008 and now includes an MMC snap-in for administration as opposed to a Web-based interface.

Still More to Come

The preceding components are the five Active Directory components released in Windows Server 2008. This year, MIIS has been updated for Server 2003 under the title Identity Lifecycle Manager. An updated release for Server 2008, code-named Identity Lifecycle Manager 2, is currently in beta. Notable new features available in this release include administration from a GUI and SharePoint Services, as well as an approval request process for content available from Office 2007 applications. You can find out more about Identity Lifecycle Manager 2 here: http://www.microsoft.com/windowsserver/ilm2/default.mspx

While it would be nice to have had the release of Identity Lifecycle Manager included with Server 2008, it goes to show you that Microsoft knows its work is never finished and will keep improvements to Active Directory coming.
