Active Directory Domain Services (AD DS)

Identity and Access (IDA)
• An IDA infrastructure should store information about users, groups, computers and other identities.
• An identity is a representation of an entity that will perform actions on a server.
• A component of the IDA is the identity store, which contains properties that uniquely identify the object, such as:
  – User name
  – Security identifier (SID)
  – Password
• The Active Directory (AD) data store is an identity store.
• The directory itself is hosted on and managed by a domain controller, a server performing the Active Directory Domain Services (AD DS) role.

IDA responsibilities
• Authentication
  – AD uses Kerberos authentication.
• Access Control
  – Maintains an Access Control List (ACL).
  – Reflects a security policy composed of permissions that specify access levels for particular identities.
• Audit Trail
  – Allows monitoring of changes and activities within the IDA infrastructure.

IDA Technologies supported by AD
• Identity
• Applications
• Trust
• Integrity
• Partnership

Identity
• Active Directory Domain Services (AD DS)
  – A central repository for identity management.
  – Provides authentication and authorization services through Group Policy.
  – Provides information management and sharing services, enabling users to find any component by searching the directory.

Applications
• Active Directory Lightweight Directory Services (AD LDS)
  – Essentially a standalone version of AD.
  – Stores and replicates only application-related information.
  – Commonly used by applications that require a directory store but do not require information to be replicated as widely as to all domain controllers.
  – Allows you to deploy a custom schema to support an application without modifying the AD DS schema.
  – Formerly known as Active Directory Application Mode (ADAM).

Trust
• Active Directory Certificate Services (AD CS)
  – Used to set up a certificate authority for issuing digital certificates as part of a public key infrastructure (PKI) that binds the identity of a person, device, or service to a corresponding private key.
  – If you use AD CS to provide these services to external communities, then AD CS should be linked with a renowned external CA.

Integrity
• Active Directory Rights Management Services (AD RMS)
  – An information-protection technology that enables you to implement persistent usage policy templates that define allowed and unauthorized use, e.g. you could configure a template that allows users to read a document but not to print or copy its contents.

Partnership
• Active Directory Federation Services (AD FS)
  – Enables an organization to extend IDA across multiple platforms, including both Windows and non-Windows environments.
  – Projects identity and access rights across security boundaries to trusted partners.
  – Supports single sign-on (SSO).

Beyond IDA
• AD delivers more than IDA solutions.
• AD provides the mechanisms to support, manage, and configure resources in a distributed network environment:
  – Schema
  – Policy-based administration
  – Replication services

Schema
• A set of rules that defines the classes of objects and attributes that can be contained in the directory.
  – e.g. the fact that AD has user objects that include a user name and password is because the schema defines the user object class, the two attributes, and the association between the object class and its attributes.

Policy-based administration
• Provides a single point at which to configure settings that are then deployed to multiple systems.
• Such policies include:
  – Group policy
  – Audit policies
  – Fine-grained password policies

Replication Services
• Distribute directory data across a network.
  – This includes both the data store itself and the data required to implement policies and configuration, including logon scripts.

Global Catalog
• Enables you to query AD and locate objects in the data store.
• Contains information about every object in the directory.
• Can be used by programmatic interfaces such as Active Directory Services Interface (ADSI) and Lightweight Directory Access Protocol (LDAP).

Components of an AD Infrastructure
• Active Directory data store
• Domain controller
• Domain
• Forest
• Tree
• Functional level
• Organizational unit (OU)
• Sites

Active Directory Data Store
• AD DS stores its identities in the directory, a data store on domain controllers.
• The directory is a single file named Ntds.dit that is located in the %SystemRoot%\Ntds folder on a domain controller.
• The database is divided into several partitions, including the schema, configuration, global catalog, and the domain naming context.

Domain Controller (DC)
• The DCs are servers that perform the AD DS role.
• The DCs also run the Kerberos Key Distribution Center (KDC) service.

Domain
• Requires one or more DCs.
• DCs replicate the domain's partition of the data store so that any DC can authenticate any identity in the domain.
• Is a scope of administrative policies such as password complexity and account lockout policies.

Forest
• A collection of one or more AD domains.
• The first domain installed in a forest is called the forest root domain.
• A forest contains a single definition of network configuration and a single instance of the directory schema.
• A forest is a single instance of the directory; no data is replicated by AD outside the boundaries of the forest.
• A forest defines a security boundary.

Tree
• The DNS namespace of domains in a forest creates trees within the forest.
• If a domain is a subdomain of another domain, the two domains are considered a tree.
• The domains must constitute a contiguous portion of the DNS namespace.
• Trees are the result of the DNS names chosen for the domains in a forest.

Functional Level
• The functionality available in an AD domain or forest depends on its functional level.
• The three domain functional levels are:
  – Windows 2000 native
  – Windows Server 2003
  – Windows Server 2008
• The functional level determines the versions of Windows permitted on domain controllers.
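As an added example (not from these slides and not Microsoft sample code), the following PowerShell reads the partitions and functional levels that a domain controller advertises through RootDSE, covering the Ntds.dit partitions and the functional levels listed above, and then searches the Global Catalog through ADSI/LDAP as the Global Catalog slide describes. It assumes a domain-joined Windows host whose account can read the directory; 'jdoe' is a placeholder account name, and only the three functional levels the slides name are mapped to names.

```powershell
# Added example, not from the slides: read the partitions and functional levels a DC
# advertises through RootDSE, then search the Global Catalog over LDAP via ADSI.
# Assumes a domain-joined Windows host whose account can read the directory.
function Get-DirectoryOverview {
    $p = ([adsi]'LDAP://RootDSE').Properties     # RootDSE needs no domain name; it binds to a nearby DC
    # The three levels the slides list; anything newer is reported by its raw number
    $levelNames = @{ 0 = 'Windows 2000 native'; 2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }
    $domainLevel = [int]$p['domainFunctionality'].Value
    $forestLevel = [int]$p['forestFunctionality'].Value
    $domainLevelName = if ($levelNames.ContainsKey($domainLevel)) { $levelNames[$domainLevel] } else { "level $domainLevel" }
    $forestLevelName = if ($levelNames.ContainsKey($forestLevel)) { $levelNames[$forestLevel] } else { "level $forestLevel" }
    [pscustomobject]@{
        DomainPartition        = [string]$p['defaultNamingContext'].Value
        ConfigurationPartition = [string]$p['configurationNamingContext'].Value
        SchemaPartition        = [string]$p['schemaNamingContext'].Value
        ForestRootDomain       = [string]$p['rootDomainNamingContext'].Value
        HostedPartitions       = @($p['namingContexts'].Value)   # every naming context in this DC's Ntds.dit
        DomainFunctionalLevel  = $domainLevelName
        ForestFunctionalLevel  = $forestLevelName
    }
}

function Find-ForestUser {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$ForestRootDn)
    # Escape RFC 4515 filter metacharacters so a crafted account name cannot alter the LDAP query
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    # GC:// binds to port 3268, the Global Catalog, which holds a partial replica of every object
    # in the forest, so one search covers all domains. Only attributes in the GC's partial
    # attribute set come back; the ones requested below are in it by default.
    $searcher.SearchRoot = [adsi]"GC://$ForestRootDn"
    $searcher.PageSize   = 1000                     # page results so large forests are not truncated
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'objectSid', 'userAccountControl'))
    foreach ($result in $searcher.FindAll()) {
        $r = $result.Properties
        # objectSid arrives as a byte array; convert it to the familiar S-1-5-21-... form
        $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$r['objectsid'][0], 0)
        $uac = [int]$r['useraccountcontrol'][0]
        [pscustomobject]@{
            Account  = [string]$r['samaccountname'][0]
            DN       = [string]$r['distinguishedname'][0]
            Sid      = $sid.Value
            RID      = [int]$sid.Value.Split('-')[-1]  # 500 is the built-in Administrator account
            Disabled = [bool]($uac -band 0x2)          # ACCOUNTDISABLE bit of userAccountControl
        }
    }
}

$overview = Get-DirectoryOverview; $overview
Find-ForestUser -SamAccountName 'jdoe' -ForestRootDn $overview.ForestRootDomain   # 'jdoe' is a placeholder
```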

Organizational Units (OU)
• OUs provide a container for objects, and provide a scope with which to manage objects.
• OUs can have Group Policy Objects (GPOs) linked to them.
• GPOs can contain configuration settings that will then be applied automatically to users or computers in an OU.

Sites
• An AD site is an object that represents a portion of the enterprise within which network connectivity is good.
• A site creates a boundary of replication and service usage.
• DCs within a site replicate changes within seconds.
• Changes are replicated between sites on a controlled basis, with the assumption that intersite connections are slow, expensive, or unreliable compared to the connections within a site.
• Clients will prefer to use distributed services provided by servers in their site or in the closest site.