Active Directory Domain Services (AD DS)
Identity and Access (IDA)
An IDA infrastructure should:
Store information about users, groups, computers and other
identities.
An identity is a representation of an entity that will perform actions on
a server.
A component of the IDA is the identity store that contains properties
that uniquely identify the object such as:
User name
Security identifier (SID)
Password
The Active Directory (AD) data store is an identity store.
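Of the three properties listed above, the SID is the one scripts most often have to decode, because LDAP returns objectSid as raw bytes. The following is an added example (not part of the original notes) that decodes and re-encodes a SID and classifies it against a domain SID; the domain SID and RIDs above 1000 used in the test are constructed sample values, while the well-known RID table is a subset of Microsoft's documented list.

```python
import struct

# Subset of the well-known RIDs every AD domain defines (from Microsoft's
# documented list; RID 500 is the built-in Administrator, 512 Domain Admins).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (objectSid as returned over LDAP) into S-1-5-21-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", raw[8:])   # 32-bit each, little-endian
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes, e.g. for building an LDAP filter on objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def split_domain_rid(sid: str) -> tuple[str, int]:
    """A domain account SID is the domain SID followed by one RID."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def describe(sid: str, domain_sid: str) -> str:
    """Classify a SID relative to one domain (domain_sid is a constructed
    sample in the test): well-known principal, ordinary account, or a
    principal that does not belong to that domain at all."""
    owner, rid = split_domain_rid(sid)
    if owner != domain_sid:
        return f"{sid}: principal from outside domain {domain_sid}"
    if rid in WELL_KNOWN_RIDS:
        return f"{sid}: well-known {WELL_KNOWN_RIDS[rid]} (RID {rid})"
    kind = "ordinary account or group" if rid >= 1000 else "other built-in RID"
    return f"{sid}: {kind} (RID {rid})"
```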
The directory itself is hosted on and managed by a domain
controller, a server performing the Active Directory
Domain Services (AD DS) role.
IDA responsibilities
Authentication
AD uses Kerberos Authentication
Access Control
Maintains an Access Control List (ACL)
Reflects a security policy composed of permissions
that specify access levels for particular identities.
Audit Trail
Allows monitoring of changes and activities within
the IDA infrastructure
IDA Technologies
supported by AD
Identity
Applications
Trust
Integrity
Partnership
Identity
Active Directory Domain Services (AD DS)
A central repository for identity management.
Provides authentication and authorization services
through Group Policy.
Provides information management and sharing
services enabling users to find any component by
searching the directory.
Applications
Active Directory Lightweight Directory
Services (AD LDS)
Essentially a standalone version of AD
Stores and replicates only application related
information.
Commonly used by applications that require a
directory store but do not require information to be
replicated as widely as to all domain controllers.
Allows you to deploy a custom schema to support an
application without modifying the AD DS schema.
Formerly known as Active Directory Application Mode
(ADAM).
Trust
Active Directory Certificate Services (AD CS)
Used to set up a certificate authority for issuing
digital certificates as part of a public key
infrastructure (PKI) that binds the identity of a
person, device, or service to a corresponding
private key.
If you use AD CS to provide these services to
external communities, then AD CS should be linked
with an external, publicly trusted CA.
Integrity
Active Directory Rights Management Services
(AD RMS)
An information-protection technology that
enables you to implement persistent usage-policy
templates that define allowed and unauthorized
use.
e.g. you could configure a template that allows
users to read a document but not to print or copy
its contents.
Partnership
Active Directory Federation Services (AD FS)
Enables an organization to extend IDA across
multiple platforms including both Windows and
non-Windows environments.
Projects identity and access rights across security
boundaries to trusted partners.
Supports single sign-on (SSO)
Beyond IDA
AD delivers more than IDA solutions
AD provides the mechanisms to support,
manage, and configure resources in a
distributed network environment.
Schema
Policy-based administration
Replication services
Schema
A set of rules that defines the classes of
objects and attributes that can be contained in
the directory.
e.g. the fact that AD has user objects that include
a user name and password is because the schema
defines the user object class, the two
attributes, and the association between the object
class and its attributes.
Policy-based administration
Provides a single point at which to configure
settings that are then deployed to multiple
systems.
Such policies include:
Group policy
Audit policies
Fine-grained password policies
Replication Services
Distribute directory data across a network
This includes both the data store itself as well as
data required to implement policies and
configuration, including logon scripts.
Global Catalog
Enables you to query AD and locate objects in
the data store.
Contains information about every object in
the directory.
Can be used by programmatic interfaces such
as Active Directory Services Interface (ADSI)
and Lightweight Directory Access Protocol
(LDAP).
Components of an AD Infrastructure
Active Directory data store
Domain controller
Domain
Forest
Tree
Functional level
Organizational unit (OU)
Sites
Active Directory Data Store
AD DS stores its identities in the directory, a
data store on domain controllers.
The directory is a single file named Ntds.dit
that is located in the %SystemRoot%\Ntds
folder on a domain controller.
The database is divided into several partitions,
including the schema, configuration, global
catalog, and the domain naming context.
Domain Controller (DC)
The DCs are servers that perform the AD DS
role.
The DCs also run the Kerberos Key Distribution
Center (KDC) service.
Domain
Requires one or more DCs
DCs replicate the domain's partition of the
data store so that any DC can authenticate any
identity in the domain.
Is a scope of administrative policies such as
password complexity and account lockout
policies.
Forest
A collection of one or more AD domains.
The first domain installed in a forest is called the
forest root domain.
A forest contains a single definition of network
configuration and a single instance of the
directory schema.
A forest is a single instance of the directory; no
data is replicated by AD outside the boundaries
of the forest.
A forest defines a security boundary.
Tree
The DNS namespace of domains in a forest
creates trees within the forest.
If a domain is a subdomain of another
domain, the two domains are considered a
tree.
The domains must constitute a contiguous
portion of the DNS namespace.
Trees are the result of the DNS names chosen
for the domains in a forest.
Functional Level
The functionality available in an AD domain or
forest depends on its functional level.
The three domain functional levels are:
Windows 2000 native
Windows Server 2003
Windows Server 2008
The functional level determines the versions
of Windows permitted on domain controllers.
Organizational Units (OU)
OUs provide a container for objects, and
provide a scope with which to manage
objects.
OUs can have Group Policy Objects (GPOs)
linked to them.
GPOs can contain configuration settings that
will then be applied automatically to users or
computers in an OU.
Sites
An AD site is an object that represents a portion of the
enterprise within which network connectivity is good.
A site creates a boundary of replication and service
usage.
DCs within a site replicate changes within seconds.
Changes are replicated between sites on a controlled
basis with the assumption that intersite connections
are slow, expensive, or unreliable compared to the
connections within a site.
Clients will prefer to use distributed services provided
by servers in their site or in the closest site.