Wednesday, November 11, 2009

Active Directory Services

Active Directory Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS) allows administrators to create small versions of Active Directory that run as non–operating system services. Because AD LDS does not run as an operating system service, it does not require deployment on a domain controller. Any workstation or server can host an instance, or multiple instances, of AD LDS. Instead of building a domain controller so that developers have an Active Directory database to work with, you could create an instance of AD LDS on their workstations for them to test against. You could also use it as a repository for data used by a customer-relations management program or an address book directory. If you need a directory to hold data instead of a database, you may want to consider using AD LDS.

One of the biggest benefits of AD LDS is administrative familiarity. Because AD LDS is a user-mode version of Active Directory, anyone who knows how to manage objects within Active Directory should be at ease when working with objects in AD LDS. And as in Active Directory, you can control your replication scope and the systems with which you replicate objects. If you have three systems that need to host the directory, you can specify that the AD LDS partitions be hosted on those systems. Until the release of Exchange 2007, developers were more interested in AD LDS than most administrators were. For developers, the possibilities provided by AD LDS are limited only by imagination. If an application’s primary use of data is reading it and performing queries against it rather than making mass changes, AD LDS should fit the bill.
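The developer-workstation scenario above, as an added example that is not from the Sybex text: a PowerShell script that stands up a private AD LDS instance on a non-default port with an unattended answer file, then runs the kind of read-only address-book lookup an application would issue. The instance name, port, partition and paths are constructed placeholders, and the script assumes Windows Server 2008 with the AD LDS role already installed.

```powershell
# Added example, not from the original post. Values below are constructed placeholders.
$instance  = 'DevDirectory'
$ldapPort  = 50000        # non-default port, so several instances can coexist on one box
$sslPort   = 50001
$partition = 'OU=AddressBook,DC=fabrikam,DC=com'
$dataPath  = "C:\ADLDS\$instance\data"
$logPath   = "C:\ADLDS\$instance\log"

# Unattended-install answer file in the format adaminstall.exe expects.
# No ServiceAccount is given, so the instance runs as Network Service and the
# user running setup becomes the instance administrator.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$instance
LocalLDAPPortToListenOn=$ldapPort
LocalSSLPortToListenOn=$sslPort
NewApplicationPartitionName="$partition"
DataFilesPath=$dataPath
LogFilesPath=$logPath
ImportLDIFFiles="MS-InetOrgPerson.LDF" "MS-User.LDF"
"@
$answerFile = Join-Path $env:TEMP 'adlds-answer.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

# Run the installer unattended and fail loudly if it does not succeed.
& "$env:windir\ADAM\adaminstall.exe" /answer:$answerFile
if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe failed with exit code $LASTEXITCODE" }
# Answer files can carry service-account passwords, so never leave one on disk.
Remove-Item $answerFile

# Read-only lookup against the new instance, bound with the current Windows
# credentials (Secure = Negotiate, so no clear-text password crosses the wire).
Add-Type -AssemblyName System.DirectoryServices
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://localhost:$ldapPort/$partition", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = '(&(objectClass=inetOrgPerson)(mail=*))'
[void]$searcher.PropertiesToLoad.AddRange(@('cn', 'mail'))
foreach ($r in $searcher.FindAll()) {
    '{0} <{1}>' -f $r.Properties['cn'][0], $r.Properties['mail'][0]
}
```

Populate the partition with a few inetOrgPerson objects (for example with ldifde against port 50000) before the query returns anything.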

Exchange 2007 introduced a new Exchange server role, the Edge Transport role. An Edge Transport server is not a member of your Active Directory domain and usually sits in your demilitarized zone (DMZ). Among other functions of the Edge Transport role, you can configure AD LDS in the DMZ to help facilitate the Active Directory account lookups.

Active Directory Federation Services
Many organizations are partnering with businesses to efficiently deliver products and services. As businesses form these alliances, there needs to be a secure method of authenticating users from the partners’ organizations. Part of the challenge of allowing authentication into your network is the security needed to maintain the connection between partners while keeping hostile entities at bay. In the past, this was possible with several tools and utilities, none of which appeared to work well with each other.

Active Directory Federation Services (AD FS) extends Active Directory to the Internet while guaranteeing the authenticity of the accounts attempting to authenticate. Using this technology will not only enable organizations to work with partner organizations more efficiently; it will also allow interoperability with a wide range of applications and platforms, such as Netegrity, Oblix, and RSA, and let you leverage client systems that can utilize Simple Object Access Protocol (SOAP)–based command sets. When using AD FS, an organization can allow users who exist within separate forests, as well as in partner organizations, to access the organization’s web applications with a single sign-on. AD FS is based on the Web Services (WS-*) architecture that is being developed with the cooperation of several companies, including IBM and Microsoft.

Active Directory Rights Management Services
Microsoft released Windows Rights Management Services (RMS) a few years ago. Windows Server 2008 introduces a pretty significant update to this product and has changed the name to Active Directory Rights Management Services (AD RMS).

Active Directory Certificate Services
The Active Directory Certificate Services (AD CS) allow you to create and manage certificates used in environments that employ public-key technologies. AD CS allows you to associate the identity of a person, device, or service to a private key.

AD CS is not a new technology, but it is new to the Active Directory family. One of the biggest changes is the addition of Cryptography API: Next Generation (CNG). CNG allows administrators to use custom algorithms with Active Directory, with Secure Sockets Layer (SSL), and with Internet Protocol Security (IPSec). This is accomplished by using the U.S. government’s Suite B cryptographic algorithms. Other enhancements include Online Certificate Status Protocol (OCSP) support, the Network Device Enrollment Service, web enrollment, and the restricted enrollment agent.

Source of Information: Sybex, Mastering Active Directory for Windows Server 2008
