Windows Server 2008 Active Directory Components(1).pdf

Acronyms
Legend
Active Directory Lightweight Directory Services
Product Scenario: Enterprise and Branch Office
Active Directory Federation Services
Product Scenario: Security and Policy Enforcement
Active Directory Rights Management Services
ACL: Access Control List
AD: Active Directory
AD DB: Active Directory Database
AD DS: Active Directory Domain Services
AD FS: Active Directory Federation Services
AD LDS: Active Directory Lightweight Directory Services
AD RMS: Active Directory Rights Management Services
CLC: Client Licensor Certificate
DA: Domain Administrator
DFS-R: Distributed File System – Replication
DMZ: Demilitarized Zone
FQDN: Fully Qualified Domain Name
FRS: File Replication Service
FS: Federation Server
FS-A: Account Federation Server
FS-R: Resource Federation Server
FSP: Federation Server Proxy
GNZ: GlobalNames Zone
GPO: Group Policy Object
GPOE: Group Policy Object Editor
GPMC: Group Policy Management Console
GUID: Globally Unique Identifier
IIS: Internet Information Services
IE: Internet Explorer
IFM: Install from Media
KDC: Key Distribution Center
LDAP: Lightweight Directory Access Protocol
LOB Applications: Line of Business Applications
MLGPO: Multiple Local Group Policy Objects
MMC: Microsoft Management Console
NLA: Network Location Awareness
OU: Organizational Unit
RAC: Rights Account Certificate
RMS: Rights Management Services
RODC: Read-Only Domain Controller
SSO: Single Sign-on
SAML: Security Assertion Markup Language
SYSVOL: System Volume
WS: Web Server
XML: Extensible Markup Language
XrML: Extensible Rights Markup Language
Product Scenario: Security and Policy Enforcement
Active Directory Lightweight Directory Services (AD LDS) provides directory services for directory-enabled applications. AD LDS does not require or rely on Active Directory domains or forests. AD LDS was previously known as Active Directory Application Mode (ADAM).
Active Directory Federation Services (AD FS) provides Web single sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session. AD FS securely shares digital identity and entitlement rights, or "claims," across security and enterprise boundaries.
Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to safeguard digital information from unauthorized use, both online and offline, inside and outside of your organization's firewall.
Federation Scenarios
AD LDS Tools
ADSchemaAnalyzer: Helps migrate the AD schema to AD LDS, from one AD LDS instance to another, or from any LDAP-compliant directory to an AD LDS instance
Active Directory to AD LDS Synchronizer: Command-line tool that synchronizes data from an AD forest to a configuration set of an AD LDS instance
Snapshot Browser: Uses an LDAP client to bind to a VSS snapshot (taken by NTDSUTIL) and view a read-only instance of the AD LDS database
AD DC: Authenticates users of AD RMS
Web SSO: Users must authenticate only once to access multiple Web-based applications. All users are external, and no federation trust exists.
Federated Web SSO: Federation trust relationship established between two businesses. FS routes authentication requests from user accounts in "adatum" to Web-based applications that are located in the "treyresearch" network.
AD LDS Usage Scenarios
Federated Web SSO with Forest Trust: Forests located in the DMZ and internal network. A federation trust is established so accounts in the internal forest can access Web-based applications in the perimeter network (including intranet or Internet access).
AD LDS: Group expansion for AD RMS
Application-Specific Directory Services Scenarios
Application Development Scenarios
Extranet Access Management
X.500/LDAP Directory Migration Scenarios
Deployment in Datacenters & Perimeter Networks
(Branch Offices, DMZs)
SQL Server: Stores AD RMS Service Discovery Location (separate SQL server or, for small configurations, SQL on the AD RMS server)
Windows Server 2008 delivers a fully integrated federated enterprise rights management solution. This integration combines Active Directory Federation Services (AD FS) and Active Directory Rights Management Services (AD RMS) to extend AD RMS to external users.
Configuration Database stores:
AD or
AD LDS
Active Directory Sites and Services: Assists in administering the AD LDS replication topology
Install from Media (IFM): IFM can also be used to install an AD LDS instance from backup media
Data needed to manage account certification, licensing & publishing
(Federation diagram: adatum Intranet Forest and treyresearch (online retailer), joined by a Federation Trust across a DMZ, with an FSP and Web servers facing Internet clients)
Primary key pairs for secure rights management
AD LDS Users and Groups
AD LDS authenticates the identity of users, who are represented by AD LDS user objects
AD RMS Server (Root Certification Server): Provides certificates to AD RMS-enabled clients
AD FS Authentication Flow
License AD RMS-protected content
Enroll servers and users
Administer AD RMS functions
AD LDS Platform Support
AD LDS allows the use of Windows security principals from the local machine and from AD for access control. The authentication process for these principals is redirected to the local machine and to AD respectively.
AD LDS is a Windows Server 2008 role
adatum.com (Account Forest)
treyresearch.net (Resource Forest)
Federation Server
Software-based key protection is the default for AD RMS. For added protection, AD RMS can store its keys in a hardware security module.
Four default groups: Administrators, Instances, Readers, and Users
AD LDS Access Control
Uses ACLs on directory objects to determine which objects a user can access
Federation Trust: Extend AD to access resources offered by partners across the Internet
AD LDS Replication
AD RMS-enabled client: installed AD RMS-enabled applications, for example IE, Office 2003/2007, Office SharePoint Server 2007.
Generate token based upon policies in federation server
Requires IIS V6 or greater
AD RMS is included in Windows Server 2008 as a server role
Configuration Set 1
Replication Overview
Generate token-based authentication data
AD LDS instances replicate data based on participation in a configuration set
Computer 1
Computer 2
AD DS / AD LDS: Authenticate users; Map attributes
AD LDS Instance
AD LDS Instance
A configuration set is a group of AD LDS instances that replicate data with each other
A single server machine can run multiple AD LDS instances
One AD LDS instance can belong to just one configuration set
Federation may also have a client proxy for token requests. Provides UI for browser clients.
Configuration
Partition 1
Configuration
Partition 1
Microsoft
Office
Outlook User
Active
Directory
Object
AD RMS-Protected Content (XrML) (contains usage rules)
Federation Server: Issue tokens; Map attributes to claims; Manage Trust Policy
Schema 1
Schema 1
Each consumer of content receives a unique license that enforces the rules
Web Server: Enforce user authentication; Create application authorization context from claims; Requires IIS 6.0 or greater
Information Author
Information Recipient
App Partition 1
App Partition 1
App Partition 2
NOT Hosted
Requires IIS 6.0 or greater
Internal
Client
1. Author uses AD RMS for the first time and receives a Rights Account Certificate (RAC) and a Client Licensor Certificate (CLC). This happens once and enables the user to publish online or offline and to consume rights-protected content.
App Partition 2
2. Using an AD RMS-enabled application, the author creates a file and specifies user rights. A policy license containing the user policies is generated.
The AD LDS instances in a configuration set can host all or a subset of the application partitions in the configuration set
Configuration Set 2
3. Application generates a content key and encrypts the content with it.
Online Publish: Encrypts the content key with the AD RMS server public key and sends it to the AD RMS server. The server creates and signs a publishing license (PL).
Offline Publish: Encrypts the content key with the CLC public key and encrypts a copy of the key with the AD RMS server public key. Creates the PL and signs it with the CLC private key.
The PL is appended to the encrypted content.
1. Client tries to access a Web application in treyresearch.net. The Web server requests a token for access.
Replication
AD LDS Instance
AD LDS Instance
2. Client is redirected to the Federation Server on treyresearch.net. The Federation Server has a list of partners that have access to the Web application and refers the client to its adatum.com Federation Server.
AD LDS
Computer 1
Configuration
Partition 2
Configuration
Partition 2
3. Instruct client to get a token from adatum.com Federation Server.
4. AD RMS-protected content file is sent to the Information Recipient. AD RMS-protected content may also be an e-mail message.
Security tokens assert claims. Claims are statements authorities make about security principals (e.g., name, identity, key, group, privilege, capability).
AD LDS replication and its schedule are independent from Active Directory
Schema 2
Schema 2
4. Client is a member of its domain and presents user authentication data to the adatum.com Federation Server.
5. Recipient receives the file and opens it using an AD RMS-enabled application or browser. If there is no account certificate on the current computer, the AD RMS server issues one (the AD RMS document notifies the application of the AD RMS server URL).
Directory Clients
Using Applications
Directory-enabled Application 3
App Partition 3
Not Hosted
Based on the authentication data, a SAML token is generated for the client.
App Partition 3
6. Application sends a request for a use license to the AD RMS server that issued the publishing license (if the file was published offline, to the server that issued the CLC). The request includes the RAC and the PL for the file.
Central Store Group Policy
User obtains SAML token from adatum.com Federation Server for treyresearch.net Federation Server.
Redirects client to treyresearch.net Federation Server for claims management.
App Partition 4
App Partition 4
7. AD RMS server confirms the recipient is authorized, checks for a named user, and creates a use license for the user. The server decrypts the content key using the server's private key, re-encrypts the content key with the recipient's public key, and adds the encrypted session key to the use license. This means only the intended recipient can access the file.
Directory-enabled Application 4
8. Based on policies for the claims presented by the adatum.com token, a treyresearch.net token for the Web application is generated for the client.
8. AD RMS server sends the use license to the information recipient's computer.
AD LDS Computer 2
AD LDS Computer 3
9. The treyresearch.net token is delivered to the client. The client can now present the treyresearch.net token to the Web server to gain access to the application.
9. Application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list.
10. User is granted access as specified by the information author.
Replication Mechanism
Group Policy
Active Directory Management
Active Directory Read-Only Domain Controller
Product Scenario: Server Management
Product Scenario: Server Management
Product Scenario: Enterprise and Branch Office
Group Policy delivers and applies configuration or policy settings to targeted users and computers within an Active Directory environment. Windows Server 2008 supports a Central Store for centralized XML-based template storage, advanced logging, and enhanced Group Policy delivery and enforcement using Network Location Awareness.
Active Directory Domain Services (AD DS) expands auditing capabilities to track changes to Active Directory objects. Windows Server 2008 introduces fine-grained password policy, which removes the restriction of a single password policy per domain. AD DS can also be stopped and restarted as a service without rebooting the domain controller.
A Read-Only Domain Controller (RODC) lets organizations easily deploy a DC in locations where physical security cannot be guaranteed. An RODC hosts a read-only replica of the Active Directory Domain Services (AD DS) database for a given domain.
RMS
Protected
Content
Restartable DS
Central Storage for Administrative Templates
Group Policy Central Store
GlobalNames Zone
RODC GC support for Outlook clients
RODC
Server/Client
Tools
+ Policies
1) Create Central Store on PDC Emulator
2) Central Store created for each domain
3) If a Central Store is available when administering domain-based GPOs, the Central Store is used by default
Resolution of single-label, static, global names for servers using DNS.
Group Policy Delivery & Enforcement
Fine-Grained Password Policies
All authoritative DNS servers for a domain must be running Windows Server 2008 to provide GlobalNames support for clients
Implemented as a regular Forward Lookup zone, which must be named "GlobalNames"
The GlobalNames zone should be Active Directory integrated and replicated forest-wide
The GlobalNames zone is manually configured with CNAME records that redirect from a server's host name to its Fully Qualified Domain Name
Except for account passwords, an RODC holds all the AD DS objects and attributes that a writable DC holds. By default, no user/computer passwords are stored on an RODC.
Read-Only Partial Attribute Set: Prevents replication of sensitive information. Requires manual configuration.
+ [GUID]
Fine-grained password policy removes the restriction of a single password policy per domain.
Workstation / Member Server Delivery (ADMX/ADML available for use with Windows Vista/Windows Server 2008)
AD LDS
Server
AD LDS
Instance
Workstation / Member Server Startup: Processed every 90-120 minutes (randomized); Refreshes on NLA notifications (Windows Vista and Windows Server 2008)
Advantages of the Central Store include reduced SYSVOL size and reduced traffic between DCs
+ ADM
RODC performs normal inbound replication for AD DS and DFS changes
Branch Office
If multiple policies apply, the lower precedence number wins. Only one set of Password Settings can apply to a user.
Set attributes on the PasswordSettings object: Precedence; Password Settings; Account Lockout Settings; Distinguished Name of the Users and/or Groups the settings apply to
Requires Windows Server 2008 Domain Mode
+ PolicyDefinitions
Complex single-forest or multiple-forest deployments require additional DNS configuration for GlobalNames zone functionality
Hub Site
Writable DCs
PolicyDefinitions folder stores all ".admx" files
All ".adml" files are stored in language-specific folders, for example "en-US" for US English
GlobalNames Zone: Intranet CNAME server.east.contoso.com
east.contoso.com Zone: Server A 172.20.1.1
Password Replication Policy: Writable DC verifies the request is coming from an RODC and consults the Password Replication Policy for that RODC
User Delivery
SYSVOL
+ en-US
A Password Settings Object applied to a user wins over settings applied to a group
Authoritative DNS servers that also have a copy of the GNZ will first check the GNZ for data to respond with
Web Server
Web Server
Farm
At user logon; Processed approximately every 90-120 minutes (randomized)
Changes made on a writable DC are replicated to the RODC, but not vice versa
ADMX/ADML replaces ADM files. ADMX and ADML files take advantage of an XML-based format
msDS-PasswordSettings Object(s)
Password Replication Policy
Branch Office
DNS server authoritative for east.contoso.com
east.contoso.com workstation
Central Store Benefits
Single point of storage
Multilingual support
Central Store hosted on Windows Server 2000, Windows Server 2003, & Windows Server 2008
Domain Controller Delivery
Selectively enable password caching. Only passwords for accounts that are in the "Allow" group are replicated to the RODC
Read-only replica AD DB
PasswordSettings objects stored in ...
Applied to Users and/or Groups
Domain Controller Startup: Processed approximately every 5 minutes
Users
Query for server.east.contoso.com
Unidirectional replication
Domain Controller
DHCP Server
Password Settings Container: cn=Password Settings Container, cn=System, dc=northwind, dc=com
Credential caching
Read-only AD-integrated DNS zone
Must be Global Security Groups
GlobalNames Zone: Intranet CNAME server.east.contoso.com
west.contoso.com workstation
Hub Site
Network Location Awareness (NLA)
Universal group membership caching is automatically enabled for the site in which the RODC is deployed
Multiple Local Group Policy Objects
GPO Processing Order
Using Network Location Awareness, Group Policy has access to resource detection and event notification capabilities in the operating system. This allows Group Policy to refresh after detecting the following events:
Password Settings override the Domain Password Policy
Query for Intranet.west.contoso.com
1. Client types intranet into the browser. The DNS Client appends domain name suffixes to this single-label name.
No client DNS suffix changes required
Authenticate user and queue request to replicate credentials to RODC "if allowed"
FRS/DFS-R: Use File Replication Service (FRS) on Windows 2000 and Windows Server 2003
Federation
Server
BitLocker
Delegated Administration for RODC
RODC contacts writable DC at hub site and requests copy of credentials
Groups
Recovery from hibernation or standby
Establishment of VPN sessions
Moving in or out of a wireless network
RODC administrators can be different users from domain administrator users. Benefits include:
At User Logon and Password Change, check if a Password Settings Object has been assigned to this user
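The PSO rules collected across this poster (lowest precedence number wins, a PSO linked to the user beats one linked to a group, only global security groups are valid targets, and a user with no PSO falls back to the domain password policy) are exactly what an auditor wants to check on a real domain. The following PowerShell script is an added example and is not part of the poster: it uses the built-in [ADSI] provider (no AD module is needed on Windows Server 2008) to enumerate every PSO under the Password Settings Container, warn about applies-to groups that are not global security groups, and read the constructed msDS-ResultantPSO attribute to see which PSO the DC actually applies to one user. The $SamAccountName parameter is a hypothetical input; the msDS-* attribute names are the schema attribute names the fine-grained password policy feature stores its settings in.

```powershell
# Added example (not part of the poster): audit which fine-grained password
# policy (PSO) applies to a user, using only the built-in [ADSI] provider.
# Assumptions: run on a domain-joined Windows Server 2008 host by an account
# that can read CN=Password Settings Container; $SamAccountName is hypothetical input.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

# Bind to the domain and to the container the poster names
$rootDse      = [ADSI]"LDAP://RootDSE"
$domainDn     = $rootDse.defaultNamingContext.Value
$psoContainer = [ADSI]"LDAP://CN=Password Settings Container,CN=System,$domainDn"

# 1. Enumerate every PSO with the attributes the poster lists
$psoSearch = New-Object System.DirectoryServices.DirectorySearcher($psoContainer)
$psoSearch.Filter = "(objectClass=msDS-PasswordSettings)"
[void]$psoSearch.PropertiesToLoad.AddRange(@(
    "cn", "msDS-PasswordSettingsPrecedence", "msDS-MinimumPasswordLength",
    "msDS-LockoutThreshold", "msDS-PSOAppliesTo"))

foreach ($pso in $psoSearch.FindAll()) {
    $p = $pso.Properties    # DirectorySearcher returns attribute names in lower case
    Write-Output ("PSO {0}: precedence={1} (lower wins) minPwdLen={2} lockoutThreshold={3}" -f
        $p["cn"][0], $p["msds-passwordsettingsprecedence"][0],
        $p["msds-minimumpasswordlength"][0], $p["msds-lockoutthreshold"][0])

    # 2. A PSO only takes effect through users or global security groups;
    #    warn about any group target that is not global + security-enabled.
    foreach ($dn in @($p["msds-psoappliesto"])) {
        $target = [ADSI]"LDAP://$dn"
        if ($target.objectClass -contains "group") {
            $gt = [int]$target.groupType.Value
            $isGlobal   = ($gt -band 2) -ne 0   # GROUP_TYPE_GLOBAL_GROUP flag
            $isSecurity = $gt -lt 0             # high bit set = security-enabled
            if (-not ($isGlobal -and $isSecurity)) {
                Write-Warning "$dn is not a global security group; the PSO does not apply through it"
            }
        }
        Write-Output "  applies to: $dn"
    }
}

# 3. Ask the DC which PSO wins for the user. msDS-ResultantPSO is a constructed
#    attribute (user link beats group link, then lowest precedence), so it has
#    to be requested explicitly; escape the name before putting it in the filter.
$safeName = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
$userSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$safeName))"
[void]$userSearch.PropertiesToLoad.AddRange(@("distinguishedName", "msDS-ResultantPSO"))
$user = $userSearch.FindOne()
if (-not $user) { throw "User '$SamAccountName' not found in $domainDn" }

$resultant = $user.Properties["msds-resultantpso"]
if ($resultant.Count -gt 0) {
    Write-Output "Effective PSO for $SamAccountName is $($resultant[0])"
} else {
    Write-Output "No PSO applies to $SamAccountName; the domain password policy is in effect"
}
```

Reading msDS-ResultantPSO from the DC, rather than re-implementing the precedence comparison locally, is the design choice here: the DC's answer is the one Kerberos and password-change processing actually use, so a mismatch between what the enumeration suggests and what the DC reports (for example because a target group is a domain local group) shows up directly.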
DNS server authoritative for west.contoso.com
MLGPO
Site
Domain
OUs
Credentials Cache
MLGPO Architecture
Local Computer Policy
LGPO Computer Configuration
LGPO User Configuration
Prevents accidental modifications of directory data existing outside the RODC
Delegated installation and recovery of RODC
Network Location Awareness also:
Use Distributed File System Replication (DFS-R) in Windows Server 2008 forest functional environments
Removes the reliance on the ICMP protocol (PING) for assisting policy application across slow link connections
Admin OR Non-Admin Group Policy
Local User Account Policy
Restartable Active Directory Service
Audit Object Changes
Delegated Installation and Administration Process for RODC
Credentials encrypted with a set of keys
AD RMS
Server
SQL
Server
Is used for bandwidth determination (applying GP over slow links)
Active Directory Domain Services (AD DS) in Windows Server 2008 has the capability to start and stop the Active Directory Service via the MMC or the command line.
Active Directory (AD DS and AD LDS) in Windows Server 2008 has the capability to log changes made to AD objects.
(Note: Steps 1 and 2 are not necessarily performed from the same computer)
1. Pre-Create and Delegate
Group Policy Tools
Group Policy Logging
Restarting AD requires membership of the built-in Administrators group on the DC
Move Object
Undelete Object
Modify Object
Domain Administrator uses the AD Users and Computers MMC snap-in to pre-create the RODC, specifying the RODC's FQDN and the Delegated Administration group
Windows Vista, Windows Server 2008
If another DC cannot be contacted, the administrator can log on either by using cached credentials or by using the DSRM credentials
Windows Logs
Applications and Services Log
No “userenv.log” required
XML-based event logs
Report, filter, and create customized log views
Manage new Windows Vista/Windows Server 2008 Policy Settings
Manage Windows 2000, Windows Server 2003, and Windows XP Machine Policy Settings
Start
Stop
2. Promote RODC
Delegated Administrator (non-DA) uses the DCPROMO Wizard from the server to configure it as an RODC
Replicates over the network, with support for secure IFM
Reboots as RODC
Request sent to RODC
Reduces time required for offline operations
Log attribute values for new objects
Log previous and new locations
Log old and new locations
Log previous and current attribute values
Old/New password values NOT logged
Directory Service States
Branch Office
(GPMC/GPOE)
Stop/Start DS without Reboot
RODC is advertised as the Key Distribution Center (KDC) for the branch office
Windows 2000, Windows Server 2003, Windows XP
AD DS Started
AD DS Stopped (Ntds.dit offline)
AD Directory Restore Mode
IFM is complementary to replication over the network, but it does not replace the need for network replication.
RODC Deployment – Incremental Requirements
Audit Controls
Global Audit Policy
(Audit Active Directory Changes)
Security Audit Entry on object
Schema – Set per attribute to prevent change logging
If the DC is contacted while the DC service is stopped, the server acts as a member server
Another DC is used for logon, and normal Group Policy is applied
By default, an RODC will not store user or computer credentials except for its own computer account and a special "krbtgt" account (the account that is used for Kerberos authentication). Each RODC has a unique "krbtgt" account.
Cannot manage new Windows Vista/Windows Server 2008 Policy Settings
Manage Windows 2000, Windows Server 2003 and Windows XP Machine Policy Settings
Collect copies of events from multiple remote computers and store them locally
Windows Server 2003 Forest Functional Mode
Log changes to objects in the Security Audit Log
Multiple Windows Server 2008 DCs per domain are recommended to load balance RODC replication
RODC can be combined with Windows BitLocker Drive Encryption to provide enhanced data security for branch offices through boot-level hard-drive encryption
(GPMC/GPOE)
Windows Server 2008 Active Directory Feature Components
This poster is based on a prerelease version of Windows Server 2008. All information herein is subject to change.
Authors: Martin McClean & Astrid McClean (Microsoft Australia)
© 2007 Microsoft Corporation. Microsoft, Active Directory, BitLocker, IntelliMirror, Internet Explorer, RemoteApp, SharePoint, Windows, Windows PowerShell, Windows Vista and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All rights reserved. Other trademarks or trade names mentioned herein are the property of their respective owners.
Event Viewer Subscription