2. Identity and Access (IDA)
– An IDA infrastructure should:
• Store information about users, groups, computers and other
• An identity is representation of an entity that will perform actions on
• A component of the IDA is the identity store that contains properties
that uniquely identify the object such as:
– User name
– Security identifier (SID)
– The Active Directory (AD) data store is an identity store.
– The directory itself is hosted on and managed by a domain
controller – a server performing the Activity Directory
Domain Services (AD DS) role.
3. IDA responsibilities
– AD uses Kerberos Authentication
• Access Control
– Maintains an Access Control List (ACL)
– Reflects a security policy composed of permissions
that specify access levels for particular identities.
• Audit Trail
– Allows monitoring of changes and activities within
the IDA infrastructure
• Active Directory Domain Services (AC DC)
– A central repository for identity management.
– Provides authentication and authorization services
through Group Policy.
– Provides information management and sharing
services enabling users to find any component by
searching the directory.
• Application Directory Lightweight Directory
Services (AD LDS)
– Essentially a standalone version of AD
– Stores and replicates only application related
– Commonly used by applications that require a
directory store but do not require information to be
replicated as widely as to all domain controllers.
– Allows you to deploy a custom schema to support an
application without modifying the AD DS schema.
– Formally know as Active Directory Application Mode
• Active Directory Certificate Services (AD CS)
– Used to set up a certificate authority for issuing
digital certificates as part of a public key
infrastructure (PKI) that binds the identity of a
person, device, or service to a corresponding
– If you use AD CS to provide these services to
external communities then AD CS should be linked
with an external renowned CA.
• Active Directory Rights Management Services
• An information-protection technology that
enable you to implement persistent usage
policy templates that define allowed and
– e.g. you could configure a template that allows
users to read a document but not to print or copy
• Active Directory Federation Services (AD FS)
– Enables an organization to extend IDA across
multiple platforms including both Windows and
– Projects identity and access rights across security
boundaries to trusted partners.
– Supports single sign-on (SSO)
10. Beyond IDA
• AD delivers more than IDA solutions
• AD provides the mechanisms to support,
manage, and configure resources in a
distributed network environment.
– Policy-based administration
– Replication services
• A set of rules that defines the classes of
objects and attributes that can be contained in
– e.g. the fact that AD has user objects that include
a user name and password is because the schema
defines the user object class that, the two
attributes, and the association between the object
class and attributes.
12. Policy-based administration
• Provides a single point at which to configure
settings that are then deployed to multiple
• Such policies include;
– Group policy
– Audit policies
– Fine-grained password policies
13. Replication Services
• Distribute directory data across a network
– This includes both the data store itself as well as
data required to implement policies and
configuration, including logon scripts.
14. Global Catalog
• Enables you to query AD and locate objects in
the data store.
• Contains information about every object in
• Can be used by programmatic interfaces such
as Active Directory Services Interface (ADSI)
and Lightweight Directory Access Protocol
15. Components of an AD Infrastructure
• Activity Directory data store
• Domain controller
• Functional level
• Organizational unit (OU)
16. Active Directory Data Store
• AD DS stores its identities in the directory – a
data store on domain controllers
• The directory is a single file named Ntds.dit
• that is located in the %SystemRoot%Ntds
folder on a domain controller
• The database is divided into several partitions,
including the schema, configuration, global
catalog, and the domain naming context.
17. Domain Controller (DC)
• The DCs are servers that perform the AD DC
• The DCs also run the Kerberos Key Distribution
Center (KDC) service.
• Requires one or more DCs
• DCs replicate the domain’s partition of the
data store so that any DC can authenticate any
identity in the domain.
• Is a scope of administrative policies such as
password complexity and account lockout
• A collection of one or more AD domains.
• The first domain installed in a forest is called the
forest root domain.
• A forest contains a single definition of network
configuration and a single instance of the
• A forest is a single instance of the directory – no
data is replicated by AD outside the boundaries
of the forest.
• A forest defies a security boundary.
• The DNS namespace of domains in a forest
creates trees within the forest.
• If a domain is a subdomain of another
domain, the two domains are considered a
• The domains must constitute a contiguous
portion of the DNS namespace.
• Trees are the result of the DNS names chosen
for the domains in a forest.
21. Functional Level
• The functionality available in an AD domain or
forest depends on its functional level.
• The three domain functional levels are:
– Windows 2000 native
– Windows Server 2003
– Windows Server 2008
• The functional level determines the versions
of Windows permitted on domain controllers.
22. Organization Units (OU)
• OUs provide a container for objects, and
• provide a scope with which to manage
• OUs can have Group Policy Objects (GPOs)
linked to them.
• GPOs can contain configuration settings that
will then be applied automatically by users or
computers in an OU.
• An AD site is an object that represents a portion of the
enterprise within which network connectivity is good.
• A site creates a boundary of replication and service
• DCs within a site replicate changes within seconds.
• Changes are replicated between sites on a controlled
basis with the assumption that intersite connections
are slow, expensive, or unreliable compared to the
connections within a site.
• Clients will prefer to use distributed services provided
by servers in their site or in the closest site.