Active Directory Improvements in Windows Server 2008
In the Beginning …
When Active Directory was first introduced in Windows Server 2000 it quickly became the most widely implemented Network resource management system in use.
By providing a single logon process from the Windows logon prompt on the client side for authenticated access to all resources locally and on the network as well as a single point of administration, it is hard to argue with results.
The first version of Active Directory used an access control list (ACL) to provide an object based method of managing access to network resources.
Still not every business’ needs were met with the initial release of Active Directory.
Certificate Services, Windows’ method of determining access to web based resources such as email, and Microsoft Metadirectory Services (MMS), Windows’ method for providing central access to multiple network directories, were both separate components from Active Directory.
Here and Now …
When Microsoft released Windows Server 2003 Active Directory’s prominence was secured by adhering to the demands of customers for better integration with other network security components.
Microsoft improved the way Active Directory and Certificate Services worked together. MMS was replaced with Microsoft Identity Integration Server (MIIS), which provided even better integration with other directory types.
Additional features were added in the first revision of Server 2003 such as the Authorization Manager and Windows Rights Management Services (RMS).
The Authorization Manager introduces role-based access control (RBAC) which provides the ability for Administrators to group permissions based on job roles allowing for users to be associated with multiple job roles.
RMS provides the administrator with the ability to associate usage polices that adhere to the new information protection laws to resources. RMS works together with Certificate Services and IIS to uphold its policies on the local network and the World Wide Web.
In Server 2003 Revision 2, Active Directory Federation Services (ADFS) and Active Directory Applications Mode (ADAM) were introduced.
ADFS extends the convenience of Active Directory’s single sign-on authentication to the web by creating a single user session that can be used across multiple web applications.
ADAM was introduced so directory-enabled applications could take advantage of Active Directory’s access control without requiring an actual domain or domain controller.
Windows Server 2008
In Windows Server 2008 Active Directory has continued on its path of integration with its latest family of components. Active Directory components are now available as server roles, which I have listed below:
- Active Directory Domain Services (AD DS)
- Active Directory Certificate Services (AD CS)
- Active Directory Lightweight Directory Services (AD LDS)
- Active Directory Federation Services (AD FS)
- Active Directory Rights Management Services (AD RMS)
As you have probably noticed, the server roles listed above all contain Active Directory in the name. The new Active Directory roles provide the same functionality of the many identity access components from previous Windows Server versions, but with new names.
Active Directory Domain Services (AD DS)
Active Directory Domain Services is the new name for Active Directory Directory Services and remains the core Active Directory Component. Aside from the improvements to the user interface, there are four major improvements to AD DS which I will go over below.
- Read-only domain controllers (RODC) – provide reliable security to insecure environments by replicating a writable domain controller.
Changes cannot be made to a RODC and only the user credentials used with the RODC are stored on the server. This makes it so the whole directory would not need to be rebuilt if security on the RODC were to be breeched.
- Auditing enhancements – there are now four different auditing categories: Directory Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication.
This allows for better event searching and logging policy management.
- Granular password and account lockout policies – domains are no longer limited to a single password or lockout policy. Multiple policy objects can now be saved to a domain and applied to groups or users.
- Restartable AD DS – you can now perform maintenance on AD DS by simply stopping the Domain Controller Service.
Before you had to reboot the machine and start in Directory Services Restore Mode to perform maintenance which led to more down time.
Active Directory Certificate Services (AD CS)
Certificate Services is named Active Directory Certificate Services in Server 2008. There are several notable improvements to AD CS. I have listed the major changes below.
- Certificate Web enrollment support improvements – the ActiveX control for Web enrollment, XEnroll.dll, has been replaced with the COM control, CertEnroll.dll. The new control is more secure and manageable.
- Network device enrollment support – AD CS now provides built in support for issuing certificates to network devices to allow applications using the device to interact with other network entities.
- Online certificate status protocol (OCSP) support – Server 2008 includes this as an optional role service.
OCSP checks a certificates status for revocation prevent clients from having to download the entire certificate revocation list, thus improving network performance.
- Enterprise PKI (PKIView) – PKI Health has a new name and can now be used as an MMC snap-in. This tool is used for troubleshooting and monitoring the health of certificates and certificate authorities.
- CAPI2 Diagnostics – a new PKI troubleshooting feature that performs highly detailed logging for several validation processes.
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Lightweight Directory Services (AD LDS) is the new name for Active Directory Application Mode (ADAM).
AD LDS is essentially the same as ADAM except for it is now available as an in-box role in Server 2008 where it needed to be downloaded from the Microsoft Download Center in Server 2003.
As mentioned previously, but referring to ADAM, AD LS is a stripped down version of AD DS designed to be used in applications. Many CRM and HR applications use Active Directory for storing their data. AD LDS can be used instead of AD DS making it possible for these applications to be used without needing to configure access to network resources.
Active Directory Federation Services (AD FS)
The name for Active Directory Federation Services (AD FS) remains the same, save the addition of a space in the acronym.
AD FS allows for businesses to set up trust relationships with other directories, thus enabling the other directory’s user’s credentials to be used across directories. While there is little change to the name, a couple notable improvements have been made which I will go over below.
- Federation trust import/export support – before the process of configuring federation trusts was a long manual process. The manual process is still long, however once set up; settings can be exported and then imported to other AD FS Servers.
- AD FS deployment limiting – a group policy can be applied to disable deployment of AD FS servers on Windows Server 2008.
Active Directory Rights Management Services (AD RMS)
The follow-up to Windows RMS is Active Directory Rights Management Services (AD RMS).
The purpose of AD RMS remains the same as its predecessor. It is now integrated with Office 2007 and Internet Explorer 7 for securing sensitive information hosted on the server. For example, rights can be applied to emails to prevent recipients from forwarding messages.
AD RMS is available as a role in Server 2008 and now includes an MMC snap-in for administration as opposed to a Web-based interface.
Still More to Come …
The Preceding components are the five Active Directory components released in Windows Server 2008. This year, MIIS has been updated for Server 2003 under the title Identity Lifecycle Manager. An updated release for Server 2008 code-named Identity Lifecycle Manager 2 is currently in beta.
Notable new features available to this release include administration from a GUI and SharePoint Services as well as an approval request process for content available from Office 2007 applications. You can find out more about Identity Lifecycle Manager 2 here.
While it would be nice to have had the release of Identity Lifecycle Manager included with Server 2008, it goes to show you that Microsoft knows it’s work is never finished and will keep improvements to Active Directory coming.