Now, I’m going to assume that you already installed Server 2008 and Active Directory and have your server set up and ready to go.

Today we’ll start with a quick review of Active Directory so you can get a good idea of what’s new in the 2008 version.

Then we’ll talk about user and group creation before jumping in to the hands-on demo portion of the video where I’ll show you how to create users and groups.

Here’s what’s covered in Lesson 3:

• AD review & what’s new in 2008 — we’ll talk about some of the new toys and capabilities that have been added to Server 2008 AD
• Server Manager — next we’ll take a tour of Server Manager to see where things are and what they do
• AD DS Auditing — using our Verde Petra scenario that we went over in Part 1 I’ll show you how to setup Active Directory auditing
• Renaming Admin user – for server hardening we’re going to rename the primary admin account; this is going to protect our server against any attacks and keep our server secure and safe
• Creating users & groups — now we’re going to create a few user accounts and then we’ll create groups for all of the accounts
• Adding users to groups — I’ll also show you how to add users to different groups
• Event Viewer — we’ll end the video with a quick look at the Event Viewer so you can see where to find all the auditing items

Free Instant Download

Download this lesson in high-quality WMV video format

Or, download in iPod/iPhone format to watch on the go

Related posts:

• Lesson 2: How to Install Server 2008 and Active Directory
• Windows Server 2008 Active Directory — Creating Users is Easy!
• Server 2008 Active Directory User Groups — the Easy Way!

You can watch the whole video below or download it and watch it at your convenience — I included iPod/iPhone files for you too.

 
Here’s what I cover in this video:

• The scenario — I’ll start off by introducing you to the scenario that we’ll be working with all throughout this training
• Quick edition check — we’ll go through the different flavors of Server 2008 and the requirements to make sure that your box is ready
• Installation & configuration — installation and initial configuration steps are explained and demonstrated on a virtual machine
• Adding Active Directory — next I’ll show you how to add the AD role by installing Active Directory Domain Services
• Promotion to Domain Controller — using dcpromo.exe we will create a new domain in a new forest and then install the DNS server

Free Instant Download

Download this lesson in high-quality WMV video format

Or, download in iPod/iPhone format to watch on the go

Related posts:

• Lesson 3: Active Directory Users and Groups in Windows Server 2008
• Lesson 8: Windows Server 2008 Terminal Services
• Lesson 6: Windows Server 2008 RODC – Read Only Domain Controllers

For a short recap, AD CS is the backbone of Microsoft’s Public Key Infrastructure (PKI) implementation. It will allow you to issue certificates for SSL/TTL user on websites or digitally sign your email.

Now let’s take a look at installing Active Directory Certificate Services.

Certain versions of Server 2008 only allow certain AD CS components to be installed; please take a look at this table for reference:

• CA – issues certificates to users, computers and services while also managing their validity; comes in root and subordinate
• Network Device Enrollment Service – allows network devices (i.e. routers) to request and receive certificates based on Simple Certificate Enrollment Protocol (SCEP)
• Online Responder Service – implements Online Certificate Status Protocol (OCSP) by evaluating certificate status, decoding revocation status requests, and sending back signed responses containing certificate status information

Install Enterprise Certificate Authority on a Windows 2008 Server

As I outlined in my earlier article, there are two varieties of root CA’s: the Enterprise and Stand-Alone. Each has their advantages and configuration, but in this case we are going to install an Enterprise CA.

I am going to be installing this root CA server in my test Active directory domain named ADExample.com on a Windows Server 2008 Enterprise version.

The server is a member of the domain, and is a domain controller. Let’s get started.

1. Open Server Manager.

2. Select Roles, then click Add Roles in the center pane.

3. The Before You Begin page may show up if you haven’t turned it off already. If you see it just click Next.

4. In the Select Server Roles window go ahead and select Active Directory Certificate Services by placing a checkmark next to it, then go ahead and click Next.

5. Now you will see an Introduction to Active Directory Certificate Services, where you can read about the good things you can do with AD CS.

The biggest thing to note here is the following:

Name & Domain settings of this computer cannot be changed after a CA has been installed. If you want to change the computer name, join a domain, or promote this server to a domain controller do so BEFORE install thing the CA.

Now with that warning out of the way, go ahead and click on Next.

6. Next you get to Select Role Services, which can include any of the following depending on what version of Windows Server 2008 you are installing this on — refer to the table above for specifics.

For this install I am going to choose the Certification Authority only.

7. Now comes the Specify Setup Type, and for this I am going to select the Enterprise radio button.

8. For the Specify CA Type, I am going to choose the Root CA radio button and then click Next.

9. In Set Up Private Key, I am going to choose Create a new private key radio button and then select Next.

10. Now you have to Configure Cryptography for CA in this window and there are quite a few to choose from.

Now I am no expert on cryptography, but some basic rules do apply … the longer the key the harder it is to crack. For our purposes I am going to use the following settings:

RSA#Microsoft Software Key Storage Provider
4096 Key Character length
md5 Hash algorithm

Now I am going to click Next.

11. In Configure CA Name you can choose to overwrite the default common name for this CA and also the Distinguished name suffix if you so choose.

I am going to overwrite the default common name with Test-Enterprise-CA, but I will leave the rest alone.

12. Next we will Set Validity Period for this CAs certificate.

Remember a root CA issues itself a certificate. The default is 5 Years so I will just leave it at that. You can change this based on any need you might have in your environment. Click Next.

13. Configure Certificate Database will let you specify where you want to put the database and log files for the CA.

I am going to leave the default in place. Click Next.

14. On the Confirm Installation Selections you can see the answers you have chosen and you will again see a warning that you cannot change the computer name or domain settings for this server after installing the CA.

Go ahead and click Install… you know you want to!

15. After a few minutes you will see the Installation Results, and with any luck you will have the message: Installation succeeded.

After your glow of certificate happiness fades go ahead and click Close.

16. Now let’s go in and take a look by clicking on Certification Authority in Administrative Tools (if you get a UAC pop up just click Ok).

17. Now you can see the snap-in is showing the CA named Test-Enterprise-CA in the left pane with a bunch of folders for certificates.

18. You can also see that if you click the Certificate Templates folder, there are quite a few default templates that are already setup and ready to go.

Summary

Now that we have installed the Active Directory Certificate Services the next step would be to request some certificates and configure them.

The installation for a stand-alone CA is very similar to this. In fact if you are not in a domain and if you are not installing as a domain admin you will not even get the option for an Enterprise CA setup, so if you see that grayed out you now know why.

In my next article we will take a look at some of the uses for certificates and how to request and install them on servers and clients.

Related posts:

• Server 2008: Active Directory Certificate Services
• Windows Server 2008: Install Active Directory Domain Services
• Active Directory Improvements in Windows Server 2008

Certificate Services are the backbone for using Public Key Infrastructures (PKI) on a Windows Server.

In case you don’t know what PKI is — it is a security system of digital certificates, certification authorities (CAs), and registration authorities. PKI verifies the identity of each side that is involved in the digital transaction by verifying the certificates they are using.

Microsoft’s implementation of PKI is in a hierarchical CA model. A very simple example will have just a single Certification Authority, but it is very scalable to contain multiple CAs with defined parent and child roles.

At the top of the hierarchy is the Root CA, with every CA that is a child under that root being called a Subordinate CA.

The root CA in this implementation is key, if you trust the root CA then you trust every subordinate CA in that hierarchy that has a valid certificate. Because of this the root CA should be highly secured as it is the pinnacle of trust in an organization.

Root Certification Authority

As we discussed, the Root CA is the highest level of trust in the organization’s Public Key Infrastructure. If it gets compromised all your subordinate CAs are vulnerable to exploitation. Because of this, not only should the root CA be secured at the system level at all times, but in the physical as well.

Best practice is to only issue certificates for other subordinate CAs from the root CA even though you could issue certificates to end users.

Subordinate Certification Authority

Really the workhorses of the PKI organization, the subordinate CAs will be the servers that should be issuing certificates for most end user needs.

Some of these needs are secure e-mail, Web-based authentication, or smart card authentication. The subordinate CA will derive its authority from either the root CA or a subordinate CA that has issued it a certificate building, another layer in the hierarchy.

Some of the reasons for setting up multiple subordinate CAs are:

• Load Balancing — If you issue a large number of certificates and they are in use constantly you will want several subordinates to issue the same kind of certificate to balance the load among multiple servers.
• Redundancy — If you only have one CA and it fails, there will be nothing to respond to user requests and that is going to be a problem. By having multiple CAs you can guarantee to have something to respond to those requests.
• Logical and Geographic Division — Whether your network is divided by logical organizations or even physical sites, it might make sense to have different CA’s available in those different divisions to service those specific users and ease administrative strain.
• Usage — You may find it advantageous to divide your CAs by their usage, such as one set only does secure e-mail and another set does network authorization. This can make delegation and administration of those functions easier to deal with.

There are also many 3rd party CA suppliers such as Verisign or GeoTrust which use various methods to verify users’ credentials before issuing a certificate to them.

It is important to stress that ANYONE can create a CA so you must decide if you are going to trust those 3rd party CAs based on their stated policies and administration.

While these 3rd party issuers are useful for certain applications like e-commerce websites, most internal company uses will not require such measures and an internal CA structure should be setup.

Enterprise Certification Authorities

These CAs are tied into the Active Directory Domain Services (AD DS) role in the domain and that gives them additional functionality. You can use an Enterprise CA to issue certificates for the following:

• Digital Signatures
• Secure E-mail Using S/MIME (Secure MultiPurpose Internet Mail Extensions)
• Authenticate to a Secure Web Server Using Secure Socket Layer (SSL) or Transport Layer Security (TLS)
• Logon to the Domain Using a Smart Card

To install an Enterprise CA you will need access to Active Directory Domain Services which requires a user that is a member of the Domain Admins group or an administrator with write access to AD DS.

One of the benefits of being tied into the AD DS is that it can use Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. It will also publish user certificates and certificate revocation lists (CRLs) to AD DS.

Enterprise CAs can issue certificates based on templates which will do the following:

• Enforce credential checks on users during enrollment. Every certificate will have permissions set in AD DS that will determine if the requester has authorization to receive the type of certificate they are trying to request.
• Subject name can be generated in the template from information in AD DS or it can be supplied by the user requesting the certificate.
• Predefined list of extensions to be used by the certificate which will reduce the information the user has to supply to receive the requested certificate.
• Users can be issued certificates through Autoenrollment

Stand-Alone Certification Authorities

These CAs share many similarities with their Enterprise cousins but not all of the functions. They also require more administration then an Enterprise CA because there is no verification of the users credentials from the AD DS.

You can use the Stand-Alone CAs for the following:

• Digital Signatures
• Secure E-mail Using S/MIME (Secure MultiPurpose Internet Mail Extensions)
• Authenticate to a Secure Web Server Using Secure Socket Layer (SSL) or Transport Layer Security (TLS)

Some of the characteristics of a Stand-Alone CA are as follows:

• All certificate requests are set to pending for the administrator to manually review. This is the default action and it is recommended that you use this mode especially if you are installing a stand-alone CA in a domain.
• Templates are not used
• Administrator has to specifically distribute the stand-alone CA’s certificate to the users’ trusted root store or users will have to do it themselves

As mentioned above, a stand-alone CA can be installed in a domain and will gain these additional functions:

• If a Domain Admin or an administrator with write access installs the stand-alone root CA, it will publish its certificate to the Trusted Root Certification Authorities certificate store for all domain users and computers.
  
  Because of this reason it is well advised that you leave all requests to pending to verify identity otherwise any requested certificate will be trusted by the entire domain.
• A stand-alone CA will also publish its certificate and certification revocation list (CRL) to AD DS if it is installed by a Domain Admin or account with write access to AD DS.

Summary

This article has given you a broad overview of Active Directory Certificate Services and hopefully gotten you ready to take the next step and start to look at how to implement.

In my next article I will show you how to install the services on a Windows 2008 Server and create a certificate.

Related posts:

• Server 2008: Install Active Directory Certificate Services
• Active Directory Improvements in Windows Server 2008
• Active Directory Rights Management Services: System Requirements & Other Considerations

Auditing is exactly what it sounds like — it keeps a record of things that have been modified in Active Directory.

In previous versions of Windows Server there was not a lot of granular control in what you were auditing. Let’s explore some of the new auditing features in Server 2008.

Auditing Changes in Windows Server 2008

One of the most significant changes over the Server 2000 and Server 2003 versions of auditing is that now you can not only audit who and what attribute was changed but also what the new and old value was.

This is significant because you can now tell why it was changed and if something doesn’t look right you’re able to easily find what it should be restored to.

Another significant change is that in the past you were only able to turn auditing policy on or off for the entire Active Directory structure. In Windows Server 2008 the auditing policy is configurable for four subcategories:

• Directory Service Access
• Directory Service Changes
• Directory Service Replication
• Detailed Directory Service Replication

This article will focus on enabling auditing on Directory Service Changes which will show us the ability to audit changes to Active Directory Domain Services.

Implementing Auditing on Windows Server 2008

In Server 2008 when setting up auditing there are three places you can modify to implement controls:

• Global Audit Policy – In Server 2008 the Global Audit Policy is not on by default and must be enabled.
• System Access Control List (SACL) – Is the ultimate authority if an access check gets audited or not.
  
  The SACL is part of the security descriptor for an active directory object and specifies which operations should be audited. These are set by the security administrators who have been assigned Manage Auditing and Security Log privileges. It is assigned automatically to the Administrators Group.
• Schema – To protect administrators from generating too many auditing events there is an override that can be set in the schema to exclude any events that have an attribute set.
  
  We will not be covering the Schema modification in this article, but this is important for you to know.

Enable Global Audit Policy on Windows Server 2008

The first step is to enable the audit policy. I will walk you through both doing it through the GUI and then through the command line:

1. Go to Start, Administrative Tools, and then click on Group Policy Management.

2. Navigate down through your Forest, to the Domains, then Domain Controllers and left click on Default Domain Controllers Policy.

You will get a warning that changes here will impact all other locations that the GPO is linked to. Click Ok.

3. Right click on Default Domain Controllers Policy and then left click on Edit…

4. Navigate under Computer Configurations → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy

5. Right click on Audit Directory Service Access, and then click Properties.

6. Select Define these policy settings and then select Success. Click on Apply and then Ok.

That’s it! You now have configured auditing via GUI.

Let’s take a look at the command line method (much faster):

1. Start Command Prompt with elevated rights.

2. Type in the following command and hit Enter:

auditpol /set /subcategory:”directory service changes” /success:enable

I told you it was much faster! You should see The command was successfully executed. Now let’s move on to the next step.

Setup Auditing in System Access Control List (SACL)

As was mentioned earlier, the SACLs do most of the work in determining what gets auditing and what doesn’t.

Please note that there are many different types of SACLs that can be setup; we are only using one as an example.

1. Open Active Directory Computers and Users.

2. Click on View and make sure that Advanced Features is enabled. If not left click on it to place a check next to it.

3. Right click on any of the Organizational Units you want to audit; in our example I am going to audit Users. Then click on Properties.

4. In the Properties window click on Security.

5. Next click on Advanced.

6. Click the Auditing tab, then click Add.

7. Under Enter the object name to select:, type in Authenticated Users and click Ok.

8. In the next window under Apply onto:, select Descendant User Objects and under Access check the box for Successful next to Write all properties and click Ok.

9. Click Ok until you are out of any dialog boxes.

Now that we have enabled auditing in a SACL let’s go ahead and give it a test.

Example Security Events with Auditing Enabled

With auditing enabled, all events will be logged under the Security Event Viewer. Let’s see what happens when you change a value on an object.

For brevity sake, I am going to create a user called audittest, change his name from Audit Test to Test Audit and then we will take a look in the security log to see what was shown.

There are two images that show the change that corresponds with Event 5136, here is the first one which shows the value being deleted, which in this case is Audit Test:

The next image shows the changed object’s new value which in our case is Test Audit:

So you can see that it is very helpful if you are watching these types of things to know what the old value was compared to the new value, in case you need to quickly and easily reset the attribute without having to go to a backup.

There are a ton of things you can audit depending on the situation and your need.

Related posts:

• Active Directory Improvements in Windows Server 2008
• Windows Server 2008: Install Active Directory Domain Services
• Lesson 3: Active Directory Users and Groups in Windows Server 2008

Active Directory provides the structure to centralize the network and store information about network resources across the entire domain. Active Directory uses Domain Controllers to keep this centralized storage available to network users.

In this scenario we are going to install Active Directory fresh with a brand new Domain Controller after a fresh install of Windows Server 2008.

Requirements for Active Directory Domain Services

Let’s go through some of the requirements for a fresh install of Active Directory Domain Services. Some of these will be required to be done before hand; others as noted can be done during the install:

• Install Windows Server 2008
• Configure TCP/IP and DNS networking configurations
• The disk drives that store SYSVOL must be on a local drive configured NTFS
• Active Directory requires DNS to be installed in the network. If it is not already installed you can specify DNS server to be installed during the Active Directory Domain Services installation.

Once you verify that these requirements have been met we can get started.

Install Active Directory Domain Services via Server Manager

For the first example let’s start by installing Active Directory through Server Manager. This is the most straight forward way, as a wizard will guide you through the steps necessary.

1. Start Server Manager.

2. Select Roles in the left pane, then click on Add Roles in the center console.

3. Depending on whether you checked off to skip the Before You Begin page while installing another service, you will now see warning pages telling you to make sure you have strong security, static IP, and latest patches before adding roles to your server.

If you get this page, then just click Next.

4. In the Select Server Roles window we are going to place a check next to Active Directory Domain Services and click Next.

5. The information page on Active Directory Domain Services will give the following warnings, which after reading, you should click Next:

• Install a minimum of two Domain Controllers to provide redundancy against server outage (which would prevent users from logging in with only one)
• AD DS requires DNS which if not installed you will be prompted for
• After installing AD DS you must run dcpromo.exe to upgrade to a fully functional domain controller
• Installing AD DS will also install DFS Namespaces, DFS Replication, and Filer Replication services which are required by Directory Service

6. The Confirm Installation Selections screen will show you some information messages and warn that the server may need to be restarted after installation.

Review the information and then click Next.

7. The Installation Results screen will hopefully show Installation Succeeded, and an additional warning about running dcpromo.exe (I think they really want us to run dcpromo).

After you review the, click Close.

8. After the Installation Wizard closes you will see that server manager is showing that Active Directory Domain Services is still not running. This is because we have not run dcpromo yet.

9. Click on the Start button, type dcpromo.exe in the search box and either hit Enter or click on the search result.

10. The Active Directory Domain Services Installation Wizard will now start.

There are links to more information if you want to learn a bit more you can follow them or you can go ahead and click Use advanced mode installation and then click Next.

11. The next screen warns about some operating system compatibility with some older clients.

For more information you can view the support documentation from Microsoft and after you have read through it go ahead and click Next.

12. Next is the Choose Deployment Configuration screen and you can choose to add a domain to an existing forest or create a forest from scratch.

Choose Create a new domain in a new forest and click Next.

13. The Name the Forest Root Domain wants you to name the root domain of the forest you are creating.

For the purposes of this test we will create ADExample.com. After typing that go ahead and click Next.

14. The wizard will test to see if that name has been used, after a few seconds you will then be asked for the NetBios name for the domain.

In this case I will leave the default in place of ADEXAMPLE, and then click Next.

15. The next screen is the Set Forest Functional Level that allows you to choose the function level of the forest.

Since this is a fresh install and a new forest with no additional prior version domains to worry about I am going to select Windows Server 2008. If you did have other domain controllers at earlier versions or had a need to have Windows 2000 or 2003 domain controllers (because of Exchange for example), then you should select the appropriate function level.

Select Windows Server 2008 and then click Next.

16. Now we come to the Additional Domain Controller Options where you can select to install a DNS server, which is recommended on the first domain controller.

If this was not the first domain controller you would have the options of installing Global Catalog and/or setting this as a Read-only Domain Controller. Since it is the first domain controller, Global Catalog is mandatory, and a RDOC controller is not an available option.

Let’s install the DNS Server by placing a check next to it and clicking Next.

17. You will get a warning window about delegation for this DNS server cannot be created, but since this is the first DNS server you can just click Yes and ignore this warning.

18. Next you can choose to place the files that are necessary for Active Directory, including the Database, Log Files, and SYSVOL.

It is recommended to place the log files and database on a separate volume for performance and recoverability. You can just leave the defaults though and click Next.

19. Now choose a password for Directory Services Restore Mode that is different than the domain password. Type your password and confirm it before hitting Next.

Note: You should use a STRONG password for this and will be warned if it doesn’t meet criteria.

20. Next you will see a summary of all the options you have went through in the wizard.

If you plan on creating more domain controllers with the same settings hit the Export settings … button to save off a txt copy of the settings to use in an answer file for a scripted install. After exporting and reviewing settings click on Next.

21. Now the installation will start including the DNS server option if selected. You will notice a box to Reboot on completion that you can check to reboot soon as everything is installed (A reboot is required you can do it manually or use this function to do it automatically).

NOTE: This can be from a few minutes to several hours depending on different factors.

Confirming Active Directory Domain Services Install

When you reboot you will be asked to login to the domain, and be able to open Active Directory Users and Computers from the Administrative menu.

When you do you will see the domain ADExample.com and be able to manage the domain.

You have now successfully installed Active Directory Domain Services and the first Domain Controller.

Related posts:

• Server 2008 Active Directory: Adding a Child Domain
• Server 2008: Install Active Directory Certificate Services
• Install Read-Only Domain Controller on Windows Server 2008

When Active Directory was first introduced in Windows Server 2000 it quickly became the most widely implemented Network resource management system in use.

By providing a single logon process from the Windows logon prompt on the client side for authenticated access to all resources locally and on the network as well as a single point of administration, it is hard to argue with results.

The first version of Active Directory used an access control list (ACL) to provide an object based method of managing access to network resources.

Still not every business’ needs were met with the initial release of Active Directory.

Certificate Services, Windows’ method of determining access to web based resources such as email, and Microsoft Metadirectory Services (MMS), Windows’ method for providing central access to multiple network directories, were both separate components from Active Directory.

Here and Now …

When Microsoft released Windows Server 2003 Active Directory’s prominence was secured by adhering to the demands of customers for better integration with other network security components.

Microsoft improved the way Active Directory and Certificate Services worked together. MMS was replaced with Microsoft Identity Integration Server (MIIS), which provided even better integration with other directory types.

Additional features were added in the first revision of Server 2003 such as the Authorization Manager and Windows Rights Management Services (RMS).

The Authorization Manager introduces role-based access control (RBAC) which provides the ability for Administrators to group permissions based on job roles allowing for users to be associated with multiple job roles.

RMS provides the administrator with the ability to associate usage polices that adhere to the new information protection laws to resources. RMS works together with Certificate Services and IIS to uphold its policies on the local network and the World Wide Web.

In Server 2003 Revision 2, Active Directory Federation Services (ADFS) and Active Directory Applications Mode (ADAM) were introduced.

ADFS extends the convenience of Active Directory’s single sign-on authentication to the web by creating a single user session that can be used across multiple web applications.

ADAM was introduced so directory-enabled applications could take advantage of Active Directory’s access control without requiring an actual domain or domain controller.

Windows Server 2008

In Windows Server 2008 Active Directory has continued on its path of integration with its latest family of components. Active Directory components are now available as server roles, which I have listed below:

• Active Directory Domain Services (AD DS)
• Active Directory Certificate Services (AD CS)
• Active Directory Lightweight Directory Services (AD LDS)
• Active Directory Federation Services (AD FS)
• Active Directory Rights Management Services (AD RMS)

As you have probably noticed, the server roles listed above all contain Active Directory in the name. The new Active Directory roles provide the same functionality of the many identity access components from previous Windows Server versions, but with new names.

Active Directory Domain Services (AD DS)

Active Directory Domain Services is the new name for Active Directory Directory Services and remains the core Active Directory Component. Aside from the improvements to the user interface, there are four major improvements to AD DS which I will go over below.

• Read-only domain controllers (RODC) – provide reliable security to insecure environments by replicating a writable domain controller.
  
  Changes cannot be made to a RODC and only the user credentials used with the RODC are stored on the server. This makes it so the whole directory would not need to be rebuilt if security on the RODC were to be breeched.
• Auditing enhancements – there are now four different auditing categories: Directory Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication.
  
  This allows for better event searching and logging policy management.
• Granular password and account lockout policies – domains are no longer limited to a single password or lockout policy. Multiple policy objects can now be saved to a domain and applied to groups or users.
• Restartable AD DS – you can now perform maintenance on AD DS by simply stopping the Domain Controller Service.
  
  Before you had to reboot the machine and start in Directory Services Restore Mode to perform maintenance which led to more down time.

Active Directory Certificate Services (AD CS)

Certificate Services is named Active Directory Certificate Services in Server 2008. There are several notable improvements to AD CS. I have listed the major changes below.

• Certificate Web enrollment support improvements – the ActiveX control for Web enrollment, XEnroll.dll, has been replaced with the COM control, CertEnroll.dll. The new control is more secure and manageable.
• Network device enrollment support – AD CS now provides built in support for issuing certificates to network devices to allow applications using the device to interact with other network entities.
• Online certificate status protocol (OCSP) support – Server 2008 includes this as an optional role service.
  
  OCSP checks a certificates status for revocation prevent clients from having to download the entire certificate revocation list, thus improving network performance.
• Enterprise PKI (PKIView) – PKI Health has a new name and can now be used as an MMC snap-in. This tool is used for troubleshooting and monitoring the health of certificates and certificate authorities.
• CAPI2 Diagnostics – a new PKI troubleshooting feature that performs highly detailed logging for several validation processes.

Active Directory Lightweight Directory Services (AD LDS)

Active Directory Lightweight Directory Services (AD LDS) is the new name for Active Directory Application Mode (ADAM).

AD LDS is essentially the same as ADAM except for it is now available as an in-box role in Server 2008 where it needed to be downloaded from the Microsoft Download Center in Server 2003.

As mentioned previously, but referring to ADAM, AD LS is a stripped down version of AD DS designed to be used in applications. Many CRM and HR applications use Active Directory for storing their data. AD LDS can be used instead of AD DS making it possible for these applications to be used without needing to configure access to network resources.

Active Directory Federation Services (AD FS)

The name for Active Directory Federation Services (AD FS) remains the same, save the addition of a space in the acronym.

AD FS allows for businesses to set up trust relationships with other directories, thus enabling the other directory’s user’s credentials to be used across directories. While there is little change to the name, a couple notable improvements have been made which I will go over below.

• Federation trust import/export support – before the process of configuring federation trusts was a long manual process. The manual process is still long, however once set up; settings can be exported and then imported to other AD FS Servers.
• AD FS deployment limiting – a group policy can be applied to disable deployment of AD FS servers on Windows Server 2008.

Active Directory Rights Management Services (AD RMS)

The follow-up to Windows RMS is Active Directory Rights Management Services (AD RMS).

The purpose of AD RMS remains the same as its predecessor. It is now integrated with Office 2007 and Internet Explorer 7 for securing sensitive information hosted on the server. For example, rights can be applied to emails to prevent recipients from forwarding messages.

AD RMS is available as a role in Server 2008 and now includes an MMC snap-in for administration as opposed to a Web-based interface.

Still More to Come …

The Preceding components are the five Active Directory components released in Windows Server 2008. This year, MIIS has been updated for Server 2003 under the title Identity Lifecycle Manager. An updated release for Server 2008 code-named Identity Lifecycle Manager 2 is currently in beta.

Notable new features available to this release include administration from a GUI and SharePoint Services as well as an approval request process for content available from Office 2007 applications. You can find out more about Identity Lifecycle Manager 2 here.

While it would be nice to have had the release of Identity Lifecycle Manager included with Server 2008, it goes to show you that Microsoft knows it’s work is never finished and will keep improvements to Active Directory coming.

Related posts:

• Server 2008: Active Directory Certificate Services
• Server 2008: Install Active Directory Certificate Services
• Windows Server 2008: Install Active Directory Domain Services