Reason #2: A Single Complete IDA Solution
The second most important aspect of Windows Server is Active Directory (AD). Since its beginnings in Windows 2000 Server, Microsoft has grown Active Directory into the most widely deployed network directory service in the world, and with reason, since AD is one of the very best technologies to come out of Redmond in the last decade.
This network operating system (NOS) directory can authenticate and authorize users, workstations, mobile systems, personal digital assistants, servers, applications and much more. It is simple to deploy and, through its Group Policy capabilities, it can manage millions of objects at once. The problem with Active Directory to date has been that while it maintains your authority within the boundaries of your firewalls, it does nothing for you in the outside world. No more.
With the release of Windows Server 2008, Microsoft has rebranded a series of different technologies as Active Directory components and now provides one of the very best identity and access (IDA) solutions in the world, all without turning the firewall into Swiss cheese!
Each technology covers a specific facet of an integrated security solution. In addition, each technology can be identified with a key word that outlines the purpose of the technology (see graphic). Together, these technologies help you design a complete security, data protection and identity management solution.
The Integration of the Five AD Technologies
Active Directory Domain Services (AD DS), the new name for the former Active Directory technology, is focused on Identity. AD DS continues to be designed to provide a central repository for identity management within an organization. It provides authentication and authorization services in a network and supports object management through the use of Group Policy.
AD DS is the primary AD technology and should be deployed in every network that runs Windows Server 2008 operating systems.
Active Directory Lightweight Directory Services (AD LDS) is focused on Applications. AD LDS, formerly known as Active Directory Application Mode (ADAM), is designed to provide identity and configuration management support for directory-enabled applications on a per-application basis.
AD LDS is designed to support applications without having to modify the database schema of your NOS directory running on AD DS. AD LDS is lightweight and portable and can also be used to provide authentication services in exposed networks such as Extranets.
Active Directory Certificate Services (AD CS) is focused on Trust. AD CS is designed to provide support for Public Key Infrastructures (PKI) and provides absolute identity for its users through the use of trusted Certificate Authorities (CAs). It can be used to digitally sign software and system drivers, integrate with smart card authentication, and generally provide non-repudiation services to a community of users, both internal and external.
When it is used to provide these services to external communities, it should be linked with an external, renowned CA that will prove to others you are who you say you are. In internal networks, AD CS can integrate with AD DS to automatically provision users and computers with certificates.
Active Directory Rights Management Services (AD RMS) is focused on Integrity. AD RMS is designed to provide absolute integrity for the data you generate, letting you precisely control who can do what with the documents your organization produces. As such, it provides protection for intellectual property and can rely on AD CS to embed certificates within documents, as well as on AD DS to manage access rights to documentation.
Active Directory Federation Services (AD FS) is focused on Partnerships. AD FS provides a secure method to federate identities in external networks through the use of internal AD DS infrastructures without exposing these infrastructures to the outside world.
One of the key facets of AD FS is the ability to provide Single Sign-On (SSO) for Web applications. AD FS supports partnerships because it allows different organizations to share access to Extranet applications while relying on their own internal AD DS structures to perform the actual authentication. AD FS can rely on AD CS to create trusted servers and on AD RMS to provide external protection for intellectual property.
Together, these roles form the identity management infrastructure Microsoft provides to organizations running Windows Server 2008, all through common TCP/IP ports such as 80 (Hypertext Transfer Protocol, HTTP) and 443 (Secure HTTP, or HTTPS). This is the most powerful IDA solution on the market today.