Introduction to Active Directory Domain Services
Active Directory Domain Services (AD DS) provides directory services that enable an enterprise administrator to manage a large network centrally and securely. The network might span a single building or multiple geographical locations around the world.
With the introduction of Identity and Access (IDA) technology in Windows Server 2008 Active Directory (AD), the security of the system has increased while operational cost has decreased. The IDA solution has greatly helped companies deepen their electronic relationships with customers and partners. It enables a company to protect its infrastructure centrally, including files, email, applications and databases.
The IDA solution is designed specifically for enterprise networks, to manage the identities and relationships that make up the network environment. Some important features of IDA are:
- It stores information about users, groups, computers and other identities.
- It authenticates the identity of the user and grants access if the access request is valid.
- It controls access to protected and confidential documents on the basis of the policies present in AD DS.
- It provides an audit trail by monitoring changes to, and activities within, the IDA infrastructure.
The components of IDA are:
- AD DS (Active Directory Domain Services): AD DS is the central repository of the system and allows easy management of AD objects within an organization. Users can find objects such as printers, file servers, users and groups by searching Active Directory. It provides authentication and authorization services to network users through Group Policy. AD DS also provides information management and sharing services. It can only run on a domain controller. AD DS supports Group Policy; integrates with Public Key Infrastructure (PKI), messaging APIs and X.509 certificates; manages objects such as servers and workstations; authenticates domain security principals; and does much more. AD DS should be used for applications like Exchange Server that significantly extend the AD DS schema to provide core networking services to an organization.
- AD LDS (Active Directory Lightweight Directory Services): AD LDS is a simplified, standalone version of AD DS. It provides mostly the same features as AD DS, except for a few such as security principals and modifications to AD DS itself. Its main purpose, however, is to provide directory services to directory-enabled applications without the overhead of modifying the network operating system's database schema throughout a forest. AD LDS stores and replicates only application-related information. You can install AD LDS on client workstations and use single-instance AD LDS directories to develop applications that require access to identity data. As a rule of thumb, consider installing AD LDS instead of AD DS if you do not need to extend the directory schema to run a directory-enabled application. AD LDS is a flexible service that uses the Lightweight Directory Access Protocol (LDAP) to support directory-enabled applications. Like AD DS, it relies on multimaster replication for data consistency, and it supports the same application programming interfaces (APIs), Active Directory Service Interfaces (ADSI), replication from removable media, and backup tools.
- AD CS (Active Directory Certificate Services): AD CS allows you to set up a certification authority for issuing digital certificates. It allows you to create custom public key certificates that bind the identity of a person, device or service to a corresponding private key. The certificates can be used to authenticate users, computers and other services in software security systems that employ public key technology. Certification authorities (CAs) issue certificates and manage certificate validity. AD CS also offers web enrollment, which allows users to connect to a CA with a web browser, request certificates and perform smart card certificate enrollment. AD CS provides a cost-effective, efficient and secure way to manage the distribution and use of certificates. Although AD CS can be deployed on a single server, it may at times require multiple servers configured as CAs, Online Responders and web enrollment portals.
- AD RMS (Active Directory Rights Management Services): AD RMS allows you to protect information from unauthorized access. It uses AD DS to regulate access to rights-protected content for all AD RMS users in an AD DS forest. Although a document's ACL can protect it from unauthorized access, AD RMS adds persistent usage policy templates. These templates define the allowed and prohibited uses of a document whether it is online or offline, inside or outside the firewall.
- AD FS (Active Directory Federation Services): AD FS is a partnership service that allows IDA to extend between trusted business partners across an extranet. It is supported in both Windows and non-Windows environments. It allows an organization to authenticate users and project identity and access rights across the security boundaries of trusted partners. In a federated environment each organization manages its own identities; however, users authenticated in their own organization can access the resources of the partner organization. This process is known as single sign-on (SSO). AD FS requires a trust policy to be created.
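As an added example that is not part of the original article, the PowerShell session below shows the administrator's view of the components just listed: it inventories which IDA role services are installed on a server, then performs the kind of directory lookups the AD DS description mentions (finding printers, servers and groups, resolving a principal's group membership, and taking a first audit look at recently changed objects). It assumes a domain-joined Windows Server with the ActiveDirectory module (RSAT-AD-PowerShell) available; the feature names are the ones Get-WindowsFeature reports for these roles, and the account name `jdoe` is a placeholder.

```powershell
# Added example, not from the original article. Assumes a domain-joined
# Windows Server with the ServerManager and ActiveDirectory modules.
Import-Module ServerManager
Import-Module ActiveDirectory

# 1. Which IDA components are installed on this server?
#    Feature names as reported by Get-WindowsFeature for AD DS, AD LDS,
#    AD CS (CA, Online Responder, web enrollment), AD RMS and AD FS.
$idaFeatures = 'AD-Domain-Services', 'ADLDS', 'ADCS-Cert-Authority',
               'ADCS-Online-Cert', 'ADCS-Web-Enrollment', 'ADRMS', 'ADFS-Federation'
Get-WindowsFeature -Name $idaFeatures |
    Select-Object Name, DisplayName, Installed |
    Format-Table -AutoSize

# 2. Search the directory for the object types the article names.
#    AD DS is an LDAP directory, so each lookup is an LDAP filter.
$domainDN = (Get-ADDomain).DistinguishedName
$printers = Get-ADObject   -LDAPFilter '(objectClass=printQueue)' -SearchBase $domainDN
$servers  = Get-ADComputer -LDAPFilter '(operatingSystem=*Server*)' -Properties operatingSystem
$groups   = Get-ADGroup    -Filter * -SearchBase $domainDN
"{0} printers, {1} servers, {2} groups found under {3}" -f `
    @($printers).Count, @($servers).Count, @($groups).Count, $domainDN

# 3. Authorization in AD DS is expressed through group membership:
#    list the groups a principal resolves to, which is what access checks use.
$sam = 'jdoe'   # placeholder account name, not from the article
Get-ADPrincipalGroupMembership -Identity $sam |
    Select-Object Name, GroupScope, GroupCategory |
    Format-Table -AutoSize

# 4. Audit trail: a first look at what changed in the last week.
#    whenChanged is maintained on every object, so this needs no extra
#    auditing configuration; a real audit trail comes from the Security log.
$since = (Get-Date).AddDays(-7)
Get-ADObject -Filter { whenChanged -ge $since } -Properties whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object -First 20 Name, ObjectClass, whenChanged |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a domain controller or on a server with the RSAT tools; step 1 needs the ServerManager module, which is present on Windows Server but not on client editions, while steps 2 to 4 work from any domain-joined machine with the ActiveDirectory module.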