
Acronyms Legend

ACL       Access Control List
AD        Active Directory
AD DB     Active Directory Database
AD DS     Active Directory Domain Services
AD FS     Active Directory Federation Services
AD LDS    Active Directory Lightweight Directory Services
AD RMS    Active Directory Rights Management Services
CLC       Client Licensor Certificate
DA        Domain Administrator
DFS-R     Distributed File System Replication
DMZ       Demilitarized Zone
FQDN      Fully Qualified Domain Name
FRS       File Replication Service
FS        Federation Server
FS-A      Account Federation Server
FS-R      Resource Federation Server
FSP       Federation Server Proxy
GNZ       GlobalNames Zone
GPO       Group Policy Object
GPOE      Group Policy Object Editor
GPMC      Group Policy Management Console
GUID      Globally Unique Identifier
IIS       Internet Information Services
IE        Internet Explorer
IFM       Install from Media
KDC       Key Distribution Center
LDAP      Lightweight Directory Access Protocol
LOB       Line of Business Applications
MLGPO     Multiple Local Group Policy Objects
MMC       Microsoft Management Console
NLA       Network Location Awareness
OU        Organizational Unit
RAC       Rights Account Certificate
RMS       Rights Management Services
RODC      Read-Only Domain Controller
SSO       Single Sign-on
SAML      Security Assertion Markup Language
SYSVOL    System Volume
WS        Web Server
XML       Extensible Markup Language
XrML      Extensible Rights Markup Language


Active Directory Lightweight Directory Services
Product Scenario: Enterprise and Branch Office

Active Directory Lightweight Directory Services (AD LDS) provides directory services for directory-enabled applications. AD LDS does not require or rely on Active Directory domains or forests. AD LDS was previously known as Active Directory Application Mode (ADAM).

AD LDS Tools
- ADSchemaAnalyzer: helps migrate the AD schema to AD LDS, from one AD LDS instance to another, or from any LDAP-compliant directory to an AD LDS instance.
- Active Directory to AD LDS Synchronizer: command-line tool that synchronizes data from an AD forest to a configuration set of an AD LDS instance.
- Snapshot Browser: uses an LDAP client to bind to a VSS snapshot (taken by NTDSUTIL) and view a read-only instance of the AD LDS database.
- Active Directory Sites and Services: assists in administering the AD LDS replication topology.
- Install from Media (IFM): IFM can also be used to install an AD LDS instance from backup media.

AD LDS Usage Scenarios
- Application-Specific Directory Services Scenarios
- AD LDS Application Development Scenarios
- Extranet Access Management
- X.500/LDAP Directory Migration Scenarios
- Directory Services Deployment in Datacenters and Perimeter Networks (Branch Offices, DMZs)

AD LDS Users and Groups
- AD LDS authenticates the identity of users, who are represented by AD LDS user objects.
- AD LDS allows the use of Windows security principals from the local machine and from AD for access control. Authentication for these user principals is redirected to the local machine and to AD respectively.
- Four default groups: Administrators, Instances, Readers, and Users.

AD LDS Platform Support
- AD LDS is a Windows Server 2008 role.

AD LDS Access Control
- Uses ACLs on directory objects to determine which objects a user can access.

AD LDS Replication (Replication Overview)
- AD LDS instances replicate data based on participation in a configuration set.
- A configuration set is a group of AD LDS instances that replicate data with each other.
- A single server machine can run multiple AD LDS instances.
- One AD LDS instance can belong to just one configuration set.
- The AD LDS instances in a configuration set can host all or a subset of the application partitions in the configuration set.
- AD LDS replication and its schedule are independent from Active Directory.
- Poster diagram: Configuration Set 1 spans AD LDS instances on Computer 1 and Computer 2, which share Configuration Partition 1, Schema 1 and App Partition 1, while App Partition 2 is hosted on Computer 1 only (not hosted on Computer 2). Configuration Set 2 spans a second instance on Computer 1 and an instance on Computer 3, with Configuration Partition 2, Schema 2, App Partition 3 and App Partition 4, serving Directory-enabled Application 3 and Directory-enabled Application 4.


Active Directory Federation Services
Product Scenario: Security and Policy Enforcement

Active Directory Federation Services (AD FS) provides Web single sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session. AD FS securely shares digital identity and entitlement rights, or "claims," across security and enterprise boundaries.

Federation Scenarios
- Web SSO: users must authenticate only once to access multiple Web-based applications. All users are external, and no federation trust exists. (Clients on the Internet reach a Federation Server and Web Server in the DMZ; the account store on the intranet is AD or AD LDS.)
- Federated Web SSO: a federation trust relationship is established between two businesses. Federation routes authentication requests from user accounts in "adatum" to Web-based applications located in the "treyresearch" network. (adatum hosts AD, the Account Federation Server FS-A and a Federation Server Proxy FSP-A in its DMZ; treyresearch hosts the Resource Federation Server FS-R, the Web Server and its own AD.)
- Federated Web SSO with Forest Trust: forests are located in the DMZ and on the internal network. A federation trust is established so that accounts in the internal forest can access Web-based applications in the perimeter network (including intranet or Internet access). (The DMZ forest, for example an online retailer, holds FS-R and the Web Server; the intranet forest holds AD and FS-A; a forest trust and a federation trust link the two.)

Federation Components
- Federation Server (FS): extends AD to access resources offered by partners across the Internet. Requires IIS 6.0 or greater. Authenticates users, maps attributes to claims, generates tokens based on the policies in the federation server, issues tokens, and manages trust policy.
- Federation Server Proxy (FSP): a federation may also have a client proxy for token requests. Provides the UI for browser clients.
- Web Server (WS): requires IIS 6.0 or greater. Enforces user authentication and creates the application authorization context from claims.
- Security tokens assert claims. Claims are statements authorities make about security principals (e.g., name, identity, key, group, privilege, capability).

Authentication Flow (adatum.com is the Account Forest, treyresearch.net the Resource Forest)
1. The client tries to access a Web application in treyresearch.net. The Web server requests a token for access.
2. The client is redirected to the Federation Server in treyresearch.net. The federation server has a list of partners that have access to the Web application and refers the client to its adatum.com Federation Server.
3. The client is instructed to get a token from the adatum.com Federation Server.
4. The client is a member of its domain and presents user authentication data to the adatum.com Federation Server.
5. Based on the authentication data, a SAML token is generated for the client.
6. The user obtains the SAML token from the adatum.com Federation Server for the treyresearch.net Federation Server.
7. The client is redirected to the treyresearch.net Federation Server for claims management.
8. Based on the policies for the claims presented by the adatum.com token, a treyresearch.net token for the Web application is generated for the client.
9. The treyresearch.net token is delivered to the client.
10. The client can now present the treyresearch.net token to the Web server to gain access to the application.

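The Snapshot Browser entry above describes what the Windows Server 2008 database mounting tool (dsamain.exe) does: an ntdsutil VSS snapshot of the directory database is exposed as a read-only LDAP instance that any LDAP client can bind to. The script below is an added example written for this page, not code from the poster or from Microsoft. It takes a snapshot, mounts the oldest one on disk, serves it with dsamain on a spare port, and diffs a group's membership between the snapshot and the live directory, which is the forensic use a practitioner cares about ("who was added to Domain Admins since the snapshot?"). It assumes an elevated session on the DC or AD LDS host; the instance name 'ntds' (use the AD LDS instance name for an AD LDS database), port 51389, the group name and the base DN are illustrative. Note that a snapshot contains every password hash in the database, so the mount point and the dsamain listener deserve the same protection as the live DC, and /allowNonAdminAccess is deliberately not used.

```powershell
# Added example (editor's code, not from the poster): snapshot an AD DS or AD LDS
# database with ntdsutil, expose the copy read-only through dsamain on a spare
# LDAP port, and diff a group's membership between the snapshot and the live
# directory. Assumptions: run elevated on the DC or AD LDS host; $Instance is
# 'ntds' for AD DS or an AD LDS instance name; port, group and DN are illustrative.

function Invoke-SnapshotMenu {
    param([string]$Instance, [string[]]$Commands)
    # ntdsutil takes each menu command as its own argument and exits on 'quit quit'.
    & ntdsutil.exe "activate instance $Instance" snapshot @Commands quit quit 2>&1 | Out-String
}

function New-DirectorySnapshot {
    param([string]$Instance = 'ntds')
    $out = Invoke-SnapshotMenu $Instance @('create')
    if ($out -notmatch 'generated successfully') { throw "snapshot failed:`n$out" }
}

function Get-DirectorySnapshot {
    param([string]$Instance = 'ntds')
    # 'list all' prints set lines ("1: 2008/01/01:12:00 {guid}") and volume lines
    # ("2: C: {guid}"); the volume GUID is what mount/unmount/delete take.
    $out = Invoke-SnapshotMenu $Instance @('list all')
    [regex]::Matches($out, '(\d+):\s+([A-Z]:)\s+(\{[0-9a-fA-F-]+\})') | ForEach-Object {
        [pscustomobject]@{ Index = [int]$_.Groups[1].Value; Volume = $_.Groups[2].Value; Guid = $_.Groups[3].Value }
    }
}

function Mount-DirectorySnapshot {
    param([string]$Instance = 'ntds', [Parameter(Mandatory)][string]$Guid)
    $out = Invoke-SnapshotMenu $Instance @('list all', "mount $Guid")
    if ($out -notmatch 'mounted as (\S+)') { throw "mount failed:`n$out" }
    $Matches[1].TrimEnd('\')                       # e.g. C:\$SNAP_200801011200_VOLUMEC$
}

function Start-SnapshotLdap {
    param([string]$Instance = 'ntds', [Parameter(Mandatory)][string]$MountPoint, [int]$Port = 51389)
    $svc = if ($Instance -eq 'ntds') { 'NTDS' } else { "ADAM_$Instance" }
    $dit = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters").'DSA Database file'
    $snapDit = Join-Path $MountPoint $dit.Substring(3)   # same relative path, under the mounted volume
    $dsArgs = @('/dbpath', "`"$snapDit`"", '/ldapport', $Port)
    if ($Instance -ne 'ntds') { $dsArgs += '/adlds' }
    # Deliberately no /allowNonAdminAccess: the snapshot holds every hash in the database.
    $proc = Start-Process -FilePath dsamain.exe -ArgumentList $dsArgs -PassThru -WindowStyle Hidden
    $deadline = (Get-Date).AddSeconds(30)
    do {
        Start-Sleep -Milliseconds 500
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect('127.0.0.1', $Port); $up = $true } catch { $up = $false } finally { $tcp.Dispose() }
    } until ($up -or (Get-Date) -gt $deadline)
    if (-not $up) { Stop-Process -Id $proc.Id -Force; throw 'dsamain did not start listening' }
    $proc
}

function Compare-GroupMembers {
    param([string]$Group = 'Domain Admins', [int]$SnapshotPort = 51389, [string]$LiveServer = 'localhost', [string]$BaseDn)
    $read = {
        param($server)
        # AD LDS instances often have no defaultNamingContext: pass -BaseDn for those.
        $base = if ($BaseDn) { $BaseDn } else { ([adsi]"LDAP://$server/RootDSE").defaultNamingContext }
        $ds = New-Object System.DirectoryServices.DirectorySearcher(
            [adsi]"LDAP://$server/$base", "(&(objectClass=group)(cn=$Group))", [string[]]@('member'))
        @($ds.FindOne().Properties['member'])
    }
    $then = & $read "localhost:$SnapshotPort"
    $now  = & $read $LiveServer
    [pscustomobject]@{
        Added   = @($now  | Where-Object { $then -notcontains $_ })
        Removed = @($then | Where-Object { $now  -notcontains $_ })
    }
}

function Dismount-DirectorySnapshot {
    param([string]$Instance = 'ntds', [string]$Guid, $Process)
    if ($Process) { Stop-Process -Id $Process.Id -Force }
    Invoke-SnapshotMenu $Instance @('list all', "unmount $Guid") | Out-Null
}

# Usage: take a snapshot if none exists, mount the oldest one, and show who joined
# or left Domain Admins since it was taken.
New-DirectorySnapshot -Instance ntds
$snap  = Get-DirectorySnapshot -Instance ntds | Select-Object -First 1
$mount = Mount-DirectorySnapshot -Instance ntds -Guid $snap.Guid
$ldap  = Start-SnapshotLdap -Instance ntds -MountPoint $mount
try     { Compare-GroupMembers -Group 'Domain Admins' }
finally { Dismount-DirectorySnapshot -Instance ntds -Guid $snap.Guid -Process $ldap }
```

The same snapshot mechanism is what an attacker with local administrator rights on a DC would use to copy ntds.dit, so a mounted snapshot left behind, or an unmonitored "ntdsutil snapshot create", is itself a detection opportunity.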
Active Directory Rights Management Services
Product Scenario: Security and Policy Enforcement

Active Directory Rights Management Services (AD RMS) is information protection technology that works with AD RMS-enabled applications to safeguard digital information from unauthorized use, both online and offline, inside and outside of your organization's firewall.

Windows Server 2008 delivers a fully integrated federated enterprise rights management solution. This integration combines Active Directory Federation Services (AD FS) and Active Directory Rights Management Services (AD RMS) to extend AD RMS to external users.

AD RMS Components
- AD DC: authenticates users of AD RMS; performs group expansion for AD RMS; stores the AD RMS Service Discovery Location.
- SQL Server (a separate SQL server or, for small configurations, SQL on the AD RMS server): the Configuration Database stores the data needed to manage account certification, licensing and publishing, and the primary key pairs for secure rights management.
- AD RMS Server (Root Certification Server): licenses AD RMS-protected content; enrolls servers and users; administers AD RMS functions; provides certificates to AD RMS-enabled clients. AD RMS is included in Windows Server 2008 as a server role. Software-based key protection is the default for AD RMS; for added protection, AD RMS can store its keys in a hardware security module.
- Client: the AD RMS-enabled client is installed, together with AD RMS-enabled applications, for example IE, Office 2003/2007 and Office SharePoint Server 2007.
- AD RMS-Protected Content (XrML) contains the usage rules. Each consumer of the content receives a unique license that enforces the rules.

AD RMS Flow (Information Author to Information Recipient)
1. The author uses AD RMS for the first time and receives a Rights Account Certificate (RAC) and a Client Licensor Certificate (CLC). This happens once and enables the user to publish online or offline and to consume rights-protected content.
2. Using an AD RMS-enabled application, the author creates a file and specifies user rights. A policy license containing the user policies is generated.
3. The application generates a content key and encrypts the content with it.
   Online publish: encrypts the content key with the AD RMS server public key and sends it to the AD RMS server. The server creates and signs the publishing license (PL).
   Offline publish: encrypts the content key with the CLC public key, encrypts a copy of the key with the AD RMS server public key, creates the PL and signs it with the CLC private key.
   The PL is appended to the encrypted content.
4. The AD RMS-protected content file is sent to the Information Recipient. AD RMS-protected content may also be an e-mail message.
5. The recipient receives the file and opens it using an AD RMS-enabled application or browser. If there is no account certificate on the current computer, the AD RMS server issues one (the AD RMS document tells the application the AD RMS server URL).
6. The application sends a request for a use license to the AD RMS server that issued the publishing license (if the file was published offline, to the server that issued the CLC). The request includes the RAC and the PL for the file.
7. The AD RMS server confirms that the recipient is authorized, checks for a named user, and creates a use license for the user. The server decrypts the content key using its private key and re-encrypts it with the public key of the recipient, then adds the encrypted content (session) key to the use license. This means only the intended recipient can access the file.
8. The AD RMS server sends the use license to the information recipient's computer.
9. The application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list. The user is granted access as specified by the information author.
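Steps 3, 7 and 8 of the flow above are a hybrid-encryption key escrow: the content is encrypted once under a symmetric content key, and only that key is ever wrapped to RSA public keys (the server's, the CLC's, and finally the recipient's). The script below is an added example written for this page, not AD RMS code and not from the poster, that models exactly that key handling with .NET crypto so the two consequences are visible: the server never needs the content, and a use license issued to one recipient is useless to anyone else. XrML, the RAC/CLC certificate chains, license signatures and revocation are left out; party names and the sample text are constructed.

```powershell
# Added example (editor's code, not AD RMS or Microsoft code): a model of the key
# handling in steps 3, 7 and 8 of the AD RMS flow, using .NET RSA-OAEP and AES.
# Licenses are plain objects here; real PLs are signed XrML and carry far more.

function New-RsaParty {
    param([string]$Name)
    # One RSA key pair per party: the AD RMS server, the author's CLC, each recipient's RAC.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    [pscustomobject]@{ Name = $Name; Rsa = $rsa; Public = $rsa.ExportParameters($false) }
}

function Protect-ContentKey {
    param([byte[]]$Key, [System.Security.Cryptography.RSAParameters]$Public)
    # RSA-OAEP wrap of the symmetric content key to one party's public key.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($Public)
    $pub.Encrypt($Key, $true)
}

function Unprotect-ContentKey {
    param([byte[]]$Wrapped, $Party)
    $Party.Rsa.Decrypt($Wrapped, $true)     # throws CryptographicException for the wrong private key
}

function Protect-Document {
    # Step 3: the application generates a content key and encrypts the content with it.
    # Online publish: the key is wrapped to the server only. Offline publish: a copy is
    # also wrapped to the CLC so the author can reopen the file without the server.
    param([string]$Text, $Server, $Clc, [string[]]$AuthorizedUsers, [switch]$Offline)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.GenerateKey(); $aes.GenerateIV()
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $pl = @{ KeyForServer = Protect-ContentKey $aes.Key $Server.Public; AuthorizedUsers = $AuthorizedUsers }
    if ($Offline) { $pl.KeyForClc = Protect-ContentKey $aes.Key $Clc.Public }
    [pscustomobject]@{ Cipher = $cipher; IV = $aes.IV; PublishingLicense = $pl }   # the PL travels with the content
}

function New-UseLicense {
    # Step 7: the server checks the recipient against the publishing license, unwraps the
    # content key with its own private key and re-wraps it to the recipient's public key.
    # It sees the key, never the content.
    param($Protected, $Server, $Recipient)
    if ($Protected.PublishingLicense.AuthorizedUsers -notcontains $Recipient.Name) { return $null }
    $contentKey = Unprotect-ContentKey $Protected.PublishingLicense.KeyForServer $Server
    [pscustomobject]@{ User = $Recipient.Name; KeyForRecipient = Protect-ContentKey $contentKey $Recipient.Public }
}

function Unprotect-Document {
    # Steps 8-9 on the recipient: unwrap with the RAC private key, then decrypt the content.
    param($Protected, $UseLicense, $Recipient)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = Unprotect-ContentKey $UseLicense.KeyForRecipient $Recipient
    $aes.IV  = $Protected.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Protected.Cipher, 0, $Protected.Cipher.Length)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample run
$server  = New-RsaParty 'adrms.contoso.com'
$clc     = New-RsaParty 'author CLC'
$alice   = New-RsaParty 'alice@contoso.com'
$mallory = New-RsaParty 'mallory@contoso.com'

$doc = Protect-Document -Text 'Q3 forecast: internal only' -Server $server -Clc $clc `
                        -AuthorizedUsers 'alice@contoso.com' -Offline
$lic = New-UseLicense $doc $server $alice
Unprotect-Document $doc $lic $alice                      # Q3 forecast: internal only
if (-not (New-UseLicense $doc $server $mallory)) { 'mallory: not in the PL, no use license issued' }
try { Unprotect-Document $doc $lic $mallory } catch { "mallory: alice's use license cannot be unwrapped" }
```

The model also makes the trust boundary explicit: whoever holds the server's private key (the SQL Server configuration database in software-key mode, or the HSM when one is configured) can unwrap every content key ever published to that server, which is why the poster's note on hardware security module key storage matters.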
Group Policy
Product Scenario: Server Management

Group Policy delivers and applies configuration or policy settings to targeted users and computers within an Active Directory environment. Windows Server 2008 supports a Central Store for centralized XML-based template storage, advanced logging, and enhanced Group Policy delivery and enforcement using Network Location Awareness.

Group Policy Central Store (Central Storage for Administrative Templates)
1) Create the Central Store on the PDC Emulator.
2) A Central Store is created for each domain.
3) If a Central Store is available when administering domain-based GPOs, the Central Store is used by default.

SYSVOL layout:
  SYSVOL
  + Policies
    + [GUID]              (one folder per GPO; ADMX/ADML are available for use with Windows Vista/Windows Server 2008)
      + ADM               (legacy ADM files)
    + PolicyDefinitions   (stores all ".admx" files)
      + en-US             (all ".adml" files are stored in language-specific folders, for example "en-US" for US English)

- ADMX/ADML replaces ADM files. ADMX and ADML files take advantage of an XML-based format.
- Advantages of the Central Store include reduced SYSVOL size and reduced traffic between DCs.
- Central Store benefits: single point of storage; multilingual support; can be hosted on Windows 2000 Server, Windows Server 2003 and Windows Server 2008.
- Replication: use File Replication Service (FRS) on Windows 2000 and Windows Server 2003, or Distributed File System Replication (DFS-R) in Windows Server 2008 forest functional environments.

Group Policy Delivery and Enforcement
- Workstation / Member Server delivery: at startup, then processed every 90-120 minutes (randomized); refreshes on NLA notifications (Windows Vista and Windows Server 2008).
- User delivery: at user logon, then processed approximately every 90-120 minutes (randomized).
- Domain Controller delivery: at startup, then processed approximately every 5 minutes.
- GPO processing order: MLGPO, Site, Domain, OUs.

Network Location Awareness (NLA)
Using Network Location Awareness, Group Policy has access to resource detection and event notification capabilities in the operating system. This allows Group Policy to refresh after detecting the following events:
- Recovery from hibernation or standby
- Establishment of VPN sessions
- Moving in or out of a wireless network
Network Location Awareness also removes the reliance on the ICMP protocol (PING) for assisting policy application across slow link connections, and is used for bandwidth determination (applying Group Policy over slow links).

Multiple Local Group Policy Objects (MLGPO Architecture)
1. Local Computer Policy (LGPO Computer)
2. Local User: Administrators / Non-Administrators
3. Per-user account (LGPO User Policy)

Group Policy Tools
- Windows Vista, Windows Server 2008 (GPMC/GPOE): manage the new Windows Vista/Windows Server 2008 policy settings, and the Windows 2000, Windows Server 2003 and Windows XP machine policy settings.
- Windows 2000, Windows Server 2003, Windows XP (GPMC/GPOE): cannot manage the new Windows Vista/Windows Server 2008 policy settings; manage the Windows 2000, Windows Server 2003 and Windows XP machine policy settings.

Group Policy Logging
- Windows Logs and Applications and Services Logs; no "userenv.log" required.
- XML-based event logs; report, filter, and create customized log views.
- Event Viewer Subscription: collect copies of events from multiple remote computers and store them locally.
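The three Central Store steps above are a file copy into SYSVOL, but the details that bite later are which DC you write to, whether every .admx has its .adml in each language folder, and whether a newer local PolicyDefinitions folder (a patched admin workstation) silently disagrees with the store. The script below is an added example written for this page, not from the poster: it creates the store through the PDC Emulator's SYSVOL share, as step 1 says, and then checks the store for missing language files and revision drift. It assumes a domain-joined machine with Domain Admin rights and a local PolicyDefinitions folder; the language and paths are illustrative. Only Domain Admins and the GPO owners should be able to write to this folder, since whoever can edit the templates controls what policy settings administrators can see in GPMC.

```powershell
# Added example (editor's code, not from the poster): create the Group Policy Central
# Store on the PDC Emulator and verify it. Assumes Domain Admin rights and a local
# %SystemRoot%\PolicyDefinitions folder; no ActiveDirectory module is required.

function New-GpoCentralStore {
    param([string]$Source = "$env:SystemRoot\PolicyDefinitions")
    # Step 1: write to the PDC Emulator so the files enter SYSVOL at the same DC that
    # GPMC edits through; FRS or DFS-R then replicates them to the other DCs.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc    = $domain.PdcRoleOwner.Name
    $store  = "\\$pdc\SYSVOL\$($domain.Name)\Policies\PolicyDefinitions"
    if (-not (Test-Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force
    foreach ($lang in Get-ChildItem -Path $Source -Directory) {        # en-US, de-DE, ...
        $dst = Join-Path $store $lang.Name
        if (-not (Test-Path $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
        Copy-Item -Path (Join-Path $lang.FullName '*.adml') -Destination $dst -Force
    }
    $store
}

function Get-AdmxRevision {
    param([string]$Path)
    # Every ADMX root element carries revision="x.y"; compare as versions, not strings.
    [version]([xml](Get-Content -Path $Path -Raw)).policyDefinitions.revision
}

function Test-GpoCentralStore {
    param([Parameter(Mandatory)][string]$Store, [string]$Language = 'en-US',
          [string]$Source = "$env:SystemRoot\PolicyDefinitions")
    foreach ($admx in Get-ChildItem -Path $Store -Filter *.admx) {
        $local = Join-Path $Source $admx.Name
        $adml  = Join-Path $Store "$Language\$($admx.BaseName).adml"
        $storeRev = Get-AdmxRevision $admx.FullName
        $localRev = if (Test-Path $local) { Get-AdmxRevision $local } else { $null }
        [pscustomobject]@{
            Template   = $admx.Name
            StoreRev   = $storeRev
            LocalRev   = $localRev
            AdmlOk     = Test-Path $adml                     # missing .adml: GPMC cannot display the settings
            LocalNewer = [bool]($localRev -and $localRev -gt $storeRev)   # store is stale relative to this machine
        }
    }
}

# Usage
$store = New-GpoCentralStore
Test-GpoCentralStore -Store $store -Language 'en-US' |
    Where-Object { -not $_.AdmlOk -or $_.LocalNewer } | Format-Table -AutoSize
```

Run the check from every workstation that edits GPOs after each service pack or ADMX update: the store is used by default (step 3), so a stale store hides new settings from every administrator at once.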
Active Directory Management
Product Scenario: Server Management

Active Directory Domain Services (AD DS) expands auditing capabilities to track changes in Active Directory objects. Windows Server 2008 has a password policy that removes the restriction of a single password policy per domain. AD DS has the capability to stop and restart the Active Directory service.

Fine-Grained Password Policies
- Fine-grained password policy removes the restriction of a single password policy per domain.
- Requires Windows Server 2008 domain mode (domain functional level).
- Password Settings Object (msDS-PasswordSettings): carries Password Settings, Account Lockout Settings, and the Distinguished Names of the users and/or groups the settings apply to.
- PasswordSettings objects are stored in cn=Password Settings Container, cn=System, dc=northwind, dc=com.
- Applied to users and/or groups; groups must be Global Security Groups.
- At user logon and password change, the DC checks whether a Password Settings Object has been assigned to the user.
- Precedence: only one set of Password Settings can apply to a user. If multiple policies apply, the lower precedence number wins. A Password Settings Object applied directly to a user wins over settings applied to a group. Password Settings Objects override the Domain Password Policy (the domain policy yields).

GlobalNames Zone
- Resolution of single-label, static, global names for servers using DNS.
- All authoritative DNS servers for a domain must be running Windows Server 2008 to provide GlobalNames support for clients.
- Implemented as a regular forward lookup zone, which must be named "GlobalNames".
- The GlobalNames zone should be Active Directory integrated and replicated forest-wide.
- The GlobalNames zone is manually configured with CNAME records to redirect from a server's host name to its Fully Qualified Domain Name.
- Authoritative DNS servers, which also have a copy of the GNZ, will first check the GNZ for data to respond.
- No client DNS suffix changes required.
- Complex single-forest or multiple-forest deployments require additional DNS configuration for GlobalNames zone functionality.

Example (from the poster diagram):
  GlobalNames Zone:       intranet  CNAME  server.east.contoso.com
  east.contoso.com zone:  Server A  172.20.1.1
1. A client in west.contoso.com types "intranet" into the browser. The DNS client appends its domain name suffixes to this single-label name.
2. The query for intranet.west.contoso.com goes to the DNS server authoritative for west.contoso.com, which checks the GNZ first and finds the CNAME pointing to server.east.contoso.com.
3. The query for server.east.contoso.com is answered from the east.contoso.com zone, and 172.20.1.1 is returned to the client.

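The precedence rules above (lower number wins, user link beats group link, only global security groups) are where fine-grained password policies go wrong in practice: a second PSO with a lower number quietly shadows the one you meant to apply. The script below is an added example written for this page, not from the poster. It creates a PSO for service accounts, refuses any group that is not a global security group, lists all PSOs by precedence, and reads the resultant policy for a user. It assumes Windows Server 2008 domain functional level and the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later RSAT; on Windows Server 2008 itself the same msDS-PasswordSettings objects are created with ADSI Edit or ldifde). The PSO, group and user names are illustrative.

```powershell
# Added example (editor's code, not from the poster): create a Password Settings Object,
# link it to a global security group, report PSO precedence, and show a user's resultant
# policy. Assumes the ActiveDirectory module and Windows Server 2008 domain functional level.
Import-Module ActiveDirectory

function New-ServiceAccountPso {
    param([string]$Name = 'PSO-ServiceAccounts', [string]$Group = 'ServiceAccounts', [int]$Precedence = 10)
    $grp = Get-ADGroup -Identity $Group
    if ($grp.GroupScope -ne 'Global' -or $grp.GroupCategory -ne 'Security') {
        throw "$Group must be a global security group: PSOs apply only to users and global security groups"
    }
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -ComplexityEnabled $true -MinPasswordLength 25 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $grp
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Get-PsoPrecedenceReport {
    # Lower Precedence wins when a user is covered by several PSOs; a PSO linked directly
    # to the user beats any group-linked PSO regardless of number; equal numbers are broken
    # by the smallest objectGUID. Listing them sorted makes accidental shadowing visible.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Sort-Object Precedence |
        Select-Object Precedence, Name, MinPasswordLength, MaxPasswordAge, LockoutThreshold,
            @{ n = 'AppliesTo'; e = { ($_.AppliesTo | ForEach-Object { ($_ -split ',')[0] }) -join '; ' } }
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$User)
    # msDS-ResultantPSO, computed by the DC, is what the logon and password-change checks use.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) {
        return $pso | Select-Object @{ n = 'Source'; e = { $_.Name } }, Precedence,
                                    MinPasswordLength, MaxPasswordAge, LockoutThreshold
    }
    # No PSO resolves to this user: the domain's default password policy applies.
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object @{ n = 'Source'; e = { 'Default Domain Policy' } },
                      MinPasswordLength, MaxPasswordAge, LockoutThreshold
}

# Usage
New-ServiceAccountPso -Name 'PSO-ServiceAccounts' -Group 'ServiceAccounts' -Precedence 10
Get-PsoPrecedenceReport | Format-Table -AutoSize
Get-EffectivePasswordPolicy -User 'svc-sql'
```

Check the resultant policy for a representative member of every linked group after any change; nesting a user into a second global group that is linked to a weaker PSO with a lower precedence number downgrades that user without touching the stricter PSO.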
Restartable Active Directory Service
- Active Directory Domain Services (AD DS) in Windows Server 2008 has the capability to start and stop the Active Directory service via the MMC or the command line.
- Restarting AD requires membership of the built-in Administrators group on the DC.
- If another DC cannot be contacted, the administrator can log on either by using cached credentials or by using the DSRM credentials.
- Reduces the time required for offline operations.
- Directory Service states: AD DS Started; AD DS Stopped (Ntds.dit offline), reached by stopping and starting the DS without a reboot; Directory Services Restore Mode. If the DC is contacted while the DS service is stopped, the server acts as a member server: another DC is used for logon, and normal Group Policy is applied.

Audit Object Changes
- Active Directory (AD DS and AD LDS) in Windows Server 2008 has the capability to log changes made to AD objects.
- Create object: logs the attribute values of the new object.
- Modify object: logs the previous and current attribute values. Old/new password values are NOT logged.
- Move object: logs the previous and new locations.
- Undelete object: logs the old and new locations.
- Audit controls: Global Audit Policy (Audit Active Directory Changes); Security Audit Entry on the object; Schema, set per attribute to prevent change logging; Security Audit Log.
Active Directory Read-Only Domain Controller
Product Scenario: Enterprise and Branch Office

A Read-Only Domain Controller (RODC) allows organizations to easily deploy a DC in locations where physical security cannot be guaranteed. An RODC hosts a read-only replica of the database in Active Directory Domain Services (AD DS) for any given domain.

RODC
- Except for account passwords, an RODC holds all the AD DS objects and attributes that a writable DC holds. By default, no user/computer passwords are stored on an RODC.
- Read-Only Partial Attribute Set: prevents replication of sensitive information. Requires manual configuration.
- Unidirectional replication: the RODC performs normal inbound replication for AD DS and DFS changes. Changes made on a writable DC are replicated to the RODC, but not vice versa.
- Read-only AD-integrated DNS zone.
- GC support for RODC; universal group membership caching is automatically enabled for the site in which the RODC is deployed.
- By default, an RODC will not store user or computer credentials except for its own computer account and a special "krbtgt" account (the account that is used for Kerberos authentication). Each RODC has a unique "krbtgt" account.
- RODC can be combined with Windows BitLocker Drive Encryption to provide enhanced data security for branch offices through boot-level hard-drive encryption.

Password Replication Policy (credential caching)
- Selectively enable password caching: only passwords for accounts that are in the "Allow" group are replicated to the RODC.
- The Hub Site holds the writable DCs and the AD DB; the Branch Office holds the RODC with its read-only replica and credentials cache.
1. A client in the branch office authenticates to the RODC.
2. The RODC contacts a writable DC at the hub site and requests a copy of the credentials.
3. The writable DC verifies that the request is coming from an RODC and consults the Password Replication Policy for that RODC.
4. The writable DC authenticates the user and queues a request to replicate the credentials to the RODC "if allowed". Credentials in the cache are encrypted with a set of keys.

Delegated Administration for RODC
- RODC administrators can be different users from domain administrator users. Benefits include: prevents accidental modifications of directory data; delegated installation and recovery of the RODC.

Delegated Installation and Administration Process for RODC (Note: steps 1 and 2 are not necessarily performed from the same computer)
1. Pre-Create and Delegate: the Domain Administrator uses the AD Users and Computers MMC snap-in to pre-create the RODC, specifying the RODC's FQDN and the Delegated Administration group.
2. Promote RODC: the Delegated Administrator (non-DA) uses the DCPROMO Wizard from the server to configure it as an RODC. It replicates over the network, with support for secure IFM, then reboots as an RODC. The RODC is advertised as the Key Distribution Center (KDC) for the branch office.
- IFM is complementary to replication over the network, but it does not replace the need for network replication.

RODC Deployment - Incremental Requirements
- Windows Server 2003 forest functional mode.
- Multiple Windows Server 2008 DCs per domain are recommended to load balance RODC replication.

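The Password Replication Policy above decides what a thief who walks off with the branch server actually gets, so the two questions to answer regularly are "which accounts are allowed to be cached?" and "which accounts have in fact been cached?". The script below is an added example written for this page, not from the poster. It sets an allow/deny policy for a branch RODC, reports the revealed (cached) and authenticated-but-not-cached accounts, flags any revealed account that sits in a privileged group, shows the RODC's own krbtgt account, and builds the secret-free IFM media that step 2 of the delegated installation refers to. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and Domain Admin rights; the RODC, group and path names are illustrative.

```powershell
# Added example (editor's code, not from the poster): manage a branch RODC's Password
# Replication Policy, audit what it has cached, and create secret-free IFM media.
# Assumes the ActiveDirectory module and Domain Admin rights; names are illustrative.
Import-Module ActiveDirectory

function Set-BranchPasswordReplicationPolicy {
    param([string]$Rodc = 'BR01-RODC',
          [string[]]$Allow = @('BR01-Users', 'BR01-Computers'),
          [string[]]$Deny  = @('Tier0-Accounts'))
    # Allow only the branch's own accounts. A deny entry wins over any allow, so listing
    # privileged groups explicitly (on top of the built-in "Denied RODC Password Replication
    # Group") documents intent and survives future allow-list changes.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Allow
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $Deny
    [pscustomobject]@{
        Allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name
        Denied  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name
    }
}

function Get-RodcExposure {
    # "Revealed" accounts are the ones whose secrets a thief of this RODC would hold.
    # "Authenticated" accounts used the RODC but were not cached (denied or not allowed);
    # that list is also the candidate set for the branch allow group.
    param([string]$Rodc = 'BR01-RODC')
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $authOnly = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
    $privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
    }
    [pscustomobject]@{
        Rodc                   = $Rodc
        RevealedCount          = $revealed.Count
        AuthenticatedNotCached = $authOnly.Count
        PrivilegedRevealed     = @($revealed | Where-Object { $privileged -contains $_.DistinguishedName } |
                                   Select-Object -ExpandProperty SamAccountName)
        # Each RODC has its own krbtgt_<id> account, linked from its computer object.
        Krbtgt                 = (Get-ADComputer -Identity $Rodc -Properties 'msDS-KrbTgtLink').'msDS-KrbTgtLink'
    }
}

function New-RodcInstallMedia {
    param([string]$Path = 'C:\IFM-BR01')
    # 'create rodc' writes IFM media with secrets removed, so the media can travel to a site
    # where physical security is not guaranteed; network replication still completes the install.
    & ntdsutil.exe 'activate instance ntds' ifm "create rodc $Path" quit quit
}

# Usage
Set-BranchPasswordReplicationPolicy -Rodc 'BR01-RODC'
Get-RodcExposure -Rodc 'BR01-RODC' | Format-List
New-RodcInstallMedia -Path 'C:\IFM-BR01'
```

If PrivilegedRevealed is ever non-empty, treat it as an incident: the account belongs in the deny list, and its password needs resetting, because the RODC has held its secret since the moment it was cached. When an RODC is lost, the revealed list from this function is the set of accounts whose passwords must be reset, which is the same operation the Users and Computers snap-in offers when the RODC computer object is deleted.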
Windows Server 2008 Active Directory Feature Components
This poster is based on a prerelease version of Windows Server 2008. All information herein is subject to change. Authors: Martin McClean & Astrid McClean (Microsoft Australia)
© 2007 Microsoft Corporation. Microsoft, Active Directory, BitLocker, IntelliMirror, Internet Explorer, RemoteApp, SharePoint, Windows, Windows PowerShell, Windows Vista and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All rights reserved. Other trademarks or trade names mentioned herein are the property of their respective owners.
