...Active Directory Design Guide Thursday, 25 February 2010 Version 2.0.0.0 Baseline Prepared by Microsoft Prepared by Microsoft Copyright This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in England. Intellectual Property Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content. Readers are referred to www.cui.nhs.uk for further information on the NHS CUI Programme. All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. © Microsoft Corporation 2010. All rights reserved. Disclaimer At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites. Page ii Active Directory – Design Guide Prepared by Microsoft, Version 2.0.0.0 Last modified on 26 February 2010 Prepared by Microsoft TABLE OF CONTENTS 1 2 Executive Summary ..............................................................................................
Words: 43732 - Pages: 175
...collection of server operating systems created by Microsoft. There are multiple editions; Windows Server 2008 Web which is designed specifically for computers functioning as Internet or intranet Web servers, including all of the Internet Information Services 7 capabilities, but cannot function as an Active Directory domain controller, Windows Server 2008 Standard (Standard edition is also limited to computers with up to 4 GB of RAM (in the x86 version) and up to four processors, Windows Server 2008 Enterprise(The Enterprise edition includes the full set of Windows Server 2008 features, and supports computers with up to eight processors and up to 64 GB of RAM (in the x86 edition). Enterprise also supports up to four virtual images with Hyper-V (in the 64-bit version) and an unlimited number of network connections), Windows Server 2008 Datacenter (Designed for large and powerful servers with up to 64 processors and fault tolerance features such as hot add processor support. This edition is available only from original equipment manufacturers (OEMs), bundled with a server), and Server Core which is a completely stripped version of windows server, only having a command prompt and limited abilities. There are major advantages and disadvantages of both Windows Server and Linux based systems depending upon the needs of your system. The majority of Linux variants are available for free or at a much lower price than Microsoft Windows. The majority of Linux variants and versions...
Words: 1301 - Pages: 6
...Project- Windows 2012 Management 12/5/14 Active Directory is a directory service that Microsoft developed for Windows domain networks and is included in most Windows Server operating systems as a set of processes and services. An Active Directory domain controller authenticates and allows all users and computers in a Windows domain type network- assigning and enforcing security policies for all computers and installing or updating software. When a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user. Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS. Active Directory, like many information-technology efforts, originated out of a democratization of design using Request for Comments or RFCs. The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates decades of communication technologies into the overarching Active Directory concept then makes improvements upon them. Microsoft previewed Active Directory in 1999, it was first released with Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Additional improvements came with Windows Server 2003 R2, Windows Server 2008, and Windows...
Words: 627 - Pages: 3
...Explain the function of the following Windows Server 2008 Services: A. Active Directory Federation Services B. Active Directory Lightweight Directory Services C. Active Directory Certificate Services D. Active Directory Rights Management Services AD FS is composed of three different server components: Federation Server, Federation Proxy server, and ADFS Web Agents. A federation server is the main AD FS component, which holds the Federation Service role. These servers route authentication requests between connected directories. A federation proxy server acts as a reverse proxy for AD FS authentication requests. This type of server normally resides in the demilitarized zone (DMZ) of a firewall, and is used to protect the back-end AD FS server from direct exposure to the untrusted Internet. The Web Agents component of AD FS hosts the claims-aware agent and the Windows token-based agent components that manage authentication cookies sent to web server applications. The Active Directory Lightweight Directory Services server role is a Lightweight Directory Access Protocol directory service. It provides data storage and retrieval for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services. Active Directory Certificate Services provides customizable services for issuing and managing public key infrastructure (PKI) certificates used in software security systems that employ public key technologies. The digital certificates...
Words: 1307 - Pages: 6
...Riordan Active Directory Migration Tyler Dresslar POS 421 September 3, 2012 R.Chung Riordan Active Directory Migration Introduction With regards to Riordan Manufacturing acquiring new severs with Active Directory Technology, the company must look at migrating to Windows Server 2008 R2 in order facilitate the streamlining of work for the Information Technology Department. Moving to Active Directory will save Riordan TIME and MONEY, the benefits of such a move and implementation will be explained in the following paragraphs. Microsoft Active Directory Domain Services are the foundation for distributed networks built on Windows 2000 Server, Windows Server 2003 and Microsoft Windows Server 2008 operating systems that use domain controllers. Active Directory Domain Services provide secure, structured, hierarchical data storage for objects in a network such as users, computers, printers, and services. Active Directory Domain Services provide support for locating and working with these objects. Windows 2000 Server and later operating systems provide a user interface for users and administrators to work with the objects and data in Active Directory Domain Services. Network administrators write scripts and applications that access Active Directory Domain Services to automate common administrative tasks, such as adding users and groups, managing printers, and setting permissions for network resources. Independent software vendors and end-user developers can use Active...
Words: 603 - Pages: 3
...Probing using Common Tools 2 Performing a Vulnerability Assessment 3 Enabling Windows Active Directory and User Access Controls 4 Using Group Policy Objects and Microsoft Baseline Security Analyzer for Change Control 5 Performing Packet Capture and Traffic Analysis 6 Implementing a Business Continuity Plan 7 Using Encryption to Enhance Confidentiality and Integrity 8 Performing a Web Site and Database Attack by Exploiting Identified Vulnerabilities 9 Eliminating Threats with a Layered Security Approach 10 Impementing an Information Systems Security Policy# Lab Title 1 Performing Reconnaissance and Probing using Common Tools 2 Performing a Vulnerability Assessment 3 Enabling Windows Active Directory and User Access Controls 4 Using Group Policy Objects and Microsoft Baseline Security Analyzer for Change Control 5 Performing Packet Capture and Traffic Analysis 6 Implementing a Business Continuity Plan 7 Using Encryption to Enhance Confidentiality and Integrity 8 Performing a Web Site and Database Attack by Exploiting Identified Vulnerabilities 9 Eliminating Threats with a Layered Security Approach 10 Impementing an Information Systems Security Policy# Lab Title 1 Performing Reconnaissance and Probing using Common Tools 2 Performing a Vulnerability Assessment 3 Enabling Windows Active Directory and User Access Controls 4 Using Group Policy Objects and Microsoft Baseline Security Analyzer for Change Control 5 Performing Packet Capture and Traffic Analysis 6 Implementing...
Words: 426 - Pages: 2
... Active Directory Benefits for Smaller Enterprises Microsoft Corporation Published: September 2004 Abstract Microsoft® Active Directory® (AD) has been available since early 2000, and while most organizations have completed their AD deployment and are realizing the many business benefits of having deployed Active Directory, there are still organizations that have either not completed their deployment or have yet to take advantage of some of the important features of Active Directory that yield the greatest business benefits. This whitepaper is designed to help small and medium-sized organizations understand the business advantages that can be realized quickly and easily through the use of Windows Server 2003 and Active Directory. This paper was written based on feedback from hundreds of business executives on the reasons they chose to migrate to Active Directory, and the ongoing benefits they have realized. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO...
Words: 7075 - Pages: 29
...will be placed for each domain in each forest. Determine Operations Master Role Placement. This step involves deciding the placement of the operations master roles for the forest and each domain. Determine Domain Controller Configuration. This step involves determining the disk space, memory, processor, and the network requirements for each domain controller. How would you implement and configure the AD domain for these offices? When implementing AD for these offices I would configure first a forest or domain. Then I would configure trust, sites, and active directory replication. Then I would configure the global catalog and master operations. What would you implement to allow access between domains? Which type would you recommend and why? Selective authentication By creating Selective authentication, when a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, if the Other...
Words: 918 - Pages: 4
...Microsoft has introduced numerous administrative tools to simplify and enhance management of Windows Server 2008. One of the functions is Active Directory Federation Services. Active Directory Federation Services (ADFS for short) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated. Claims based authentication is the process of authenticating a user based on a set of claims about its identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims based authentication. In AD FS, identity federation is established between two organizations by establishing trust between two security realms. A federation server on one side (the Accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a token containing a series of claims about the user, including its identity. On the other side, the Resources side, another federation server validates the token and issues another token for the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user that...
Words: 1556 - Pages: 7
...study indicate a direct correlation between the number of best practices adopted, the management technologies used, and the positive impact on reducing PC-related labor costs. Technical decision makers, especially those responsible for desktop PC environments, will gain insight into how they can better manage their IT environment with fewer financial resources. April 2006 William Barna, MBA Senior Program Manager Windows Enterprise Management Division The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft or its respective suppliers cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT AND ITS RESPECTIVE SUPPLIERS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into...
Words: 10459 - Pages: 42
...Example, Active Directory Federation Services which is a software component that can be installed on windows server 2008. Federation Services provides users with single-sign-on access. It uses a claims-based access control authorization model to maintain application security and implement federated identity ("Microsoft Server"). Active Directory Lightweight Directory Services is also an improved service. It is a Lightweight Directory Access Protocol directory service designed for use with directory-enabled applications ("Server 2008"). It is also one of two identity providers that are supported by Active Directory Federation Services. Active Directory Certification Services provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies ("ACDS Overview"). It contains certificate authorities which are broken down to Root and subordinate CAs. Then they issue certificates to users, computers, and services, and to manage certificate validity. With Active Directory Rights Management Service you can plan an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use ADRMS to help prevent sensitive information, such as financial reports, product specifications, customer data, and confidential e-mail messages from intentionally or accidentally getting into the wrong hands("Active Directory Rights...
Words: 843 - Pages: 4
...administrators according Microsoft wizard. According to Microsoft TechNet with RODC organizations can easily deploy domain controllers in locations. Which security can be guaranteed. It differs by having better security, faster login time, and more efficient access to resource on the network. Background loading is a new feature on Windows Server 2008. When this service starts, it creates one or more threads of execution to load the zones that are stored in Active Directory. After the Global Names zone is deployed, when a Windows Vista-based DNS client attempts to resolve a single-label name, it appends the primary DNS suffix to the single-label name and submits the name query request to its DNS server. IPv6, which has been covered in previous editions of this column, is a new suite of Internet standard protocols. IPv6 is designed to address many of the issues of the current version—IPv4—such as address depletion, security, auto configuration, and the need for extensibility. One difference in IPv6 is that its addresses are 128 bits long, while IPv4 addresses are only 32 bits. IPv6 addresses are expressed in colon-hexadecimal notation. According to Microsoft TechNet. Microsoft’s Active Directory Federation Services (AD FS) 2.0 promises to simplify secure authentication to multiple systems. It will also do the same for the cloud-based Microsoft portfolio. Active Directory Lightweight Directory was originally known as Active Directory Application Mode (ADAM)....
Words: 578 - Pages: 3
...Microsoft 70-640 TS: Windows Server 2008 Active Directory, Configuring Version: 30.6 Microsoft 70-640 Exam Topic 1, Exam Set 1 QUESTION NO: 1 You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. Only one Active-Directory integrated zone has been configured in the ABC.com domain. ABC.com has requested that you configure DNS zone to automatically remove DNS records that are outdated. What action should you consider? A. You should consider running the netsh /Reset DNS command from the Command prompt. B. You should consider enabling Scavenging in the DNS zone properties page. C. You should consider reducing the TTL of the SOA record in the DNS zone properties page. D. You should consider disabling updates in the DNS zone properties page. Answer: B Explanation: In the scenario you should enable scavenging through the zone properties because scavenging removes the outdated DNS records from the DNS zone automatically. You should additionally note that patience would be required when enabling scavenging as there are some safety valves built into scavenging which takes long to pop. Reference: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088a6bbce0a4304&ID=211 QUESTION NO: 2 You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. The ABC.com network...
Words: 34198 - Pages: 137
...Windows Authentication on Microsoft SQL Server Introduction Microsoft SQL Server offers two types of security authentication: SQL Server authentication and Windows authentication. SQL Server authentication authenticates the user to the database using a database user name and password. Windows authentication is also referred to as "Windows Integrated Security" or a "trusted connection" because it relies on the user being authenticated, or “trusted,” by the operating system. Windows authentication is the authentication mode recommended by Microsoft. Windows authentication takes advantage of Windows user security and account mechanisms. By allowing Microsoft SQL Server to share the user name and password used for Windows, users with a valid Windows account can log into Microsoft SQL Server without supplying a user name and password. In addition to a single login within a Windows domain, Windows authentication provides a more secure mechanism for logging into Microsoft SQL Server. Standard Windows security mechanisms also provide the added advantages of auditing, password aging, minimum password length, and account lockout after multiple invalid login requests. The DataDirect Connect® for JDBC® SQL Server driver is the only JDBC driver for Microsoft SQL Server that provides two methods for supporting Windows authentication, a Pure Java (Type 4) implementation and a Windows-specific (Type 2) implementation. The Windows-specific implementation requires minimal configuration to enable...
Words: 2311 - Pages: 10
...Managing Access to an Active Directory Environment Managing Access to an Active Directory Environment A group is a combination of users and computers with some authentication to control usage. The group is controlled by IT administrators who manage everything including users, data, and computers. At the time of creating a group, there are certain limitations that are set to decide who and how access will be delegated to a resource. With these limitations, it makes it very easy and effective to mitigate discrepancies as there are certain authentications to each user. There are two types of such groups that Microsoft Windows has: * Security Group * Distribution Group Distribution groups can be used only with email applications, such as Exchange to send email to user pools. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs). The resources on a network are secured via security groups. This group determines to give authentications and user permissions to reach the data on the Active Directory, and such groups give authentications to access the resources and are to be found on Discretionary Access Control Lists. The group can have a control that encompasses everything, can be limited to a certain extent or can be further narrowed down as well. It has a universal level of control that share data with every domain on the network. The Active Directory administrator can manage the groups as...
Words: 621 - Pages: 3
