<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Windows Server HQ by Train Signal.com &#187; Granular Passwords</title>
	<atom:link href="http://windowsserver.trainsignal.com/tag/granular-passwords/feed" rel="self" type="application/rss+xml" />
	<link>http://windowsserver.trainsignal.com</link>
	<description>We are here to help you learn Windows Server!</description>
	<lastBuildDate>Fri, 20 Aug 2010 16:23:22 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Active Directory Improvements in Windows Server 2008</title>
		<link>http://windowsserver.trainsignal.com/windows-server-2008-active-directory</link>
		<comments>http://windowsserver.trainsignal.com/windows-server-2008-active-directory#comments</comments>
		<pubDate>Wed, 02 Jul 2008 16:00:03 +0000</pubDate>
		<dc:creator>Jason Ensinger</dc:creator>
				<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Access Control Lists]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[AD Certificate Services]]></category>
		<category><![CDATA[AD Domain Services]]></category>
		<category><![CDATA[AD Federation Services]]></category>
		<category><![CDATA[AD Rights Management Services]]></category>
		<category><![CDATA[Granular Passwords]]></category>
		<category><![CDATA[MIIS]]></category>
		<category><![CDATA[RBAC]]></category>
		<category><![CDATA[Read Only Domain Controller]]></category>
		<category><![CDATA[RMS]]></category>
		<category><![CDATA[RODC]]></category>
		<category><![CDATA[Role Based Access Control]]></category>
		<category><![CDATA[Server 2008 Training]]></category>
		<category><![CDATA[Windows Rights Management Services]]></category>

		<guid isPermaLink="false">http://www.trainsignaltraining.com/windows-server-2008-active-directory/2008-07-02/</guid>
		<description><![CDATA[In the Beginning &#8230;
When Active Directory was first introduced in Windows Server 2000 it quickly became the most widely implemented Network resource management system in use.
By providing a single logon process from the Windows logon prompt on the client side for authenticated access to all resources locally and on the network as well as a [...]

<h3>Related posts:<ul><li><a href='http://windowsserver.trainsignal.com/active-directory-certificate-services' rel='bookmark' title='Permanent Link: Server 2008: Active Directory Certificate Services'>Server 2008: Active Directory Certificate Services</a></li>
<li><a href='http://windowsserver.trainsignal.com/install-active-directory-certificate-services' rel='bookmark' title='Permanent Link: Server 2008: Install Active Directory Certificate Services'>Server 2008: Install Active Directory Certificate Services</a></li>
<li><a href='http://windowsserver.trainsignal.com/windows-server-2008-install-active-directory-domain-services' rel='bookmark' title='Permanent Link: Windows Server 2008: Install Active Directory Domain Services'>Windows Server 2008: Install Active Directory Domain Services</a></li>
</ul></h3>]]></description>
			<content:encoded><![CDATA[<h3>In the Beginning &#8230;</h3>
<p>When Active Directory was first introduced in Windows 2000 Server it quickly became the most widely implemented network resource management system in use.</p>
<p>By providing a single logon from the Windows logon prompt on the client side for authenticated access to all resources, local and on the network, as well as a single point of administration, it is hard to argue with the results.</p>
<p>The first version of Active Directory used access control lists (ACLs) on directory objects to provide an object-based method of managing access to network resources.</p>
<p>Still, not every business’s needs were met with the initial release of Active Directory.</p>
<p>Certificate Services, Windows’ certificate authority for issuing the certificates that secure web-based resources such as email, and Microsoft Metadirectory Services (MMS), Windows’ tool for pulling multiple network directories into one central view, were both separate components from Active Directory.</p>
<p><span id="more-501"></span></p>
<h3>Here and Now &#8230;</h3>
<p>When Microsoft released Windows Server 2003, Active Directory’s prominence was secured by meeting customer demands for better integration with the other network security components.</p>
<p>Microsoft improved the way Active Directory and Certificate Services worked together. MMS was replaced with Microsoft Identity Integration Server (MIIS), which provided even better integration with other directory types.</p>
<p>Additional features were added for Server 2003, such as the Authorization Manager and Windows Rights Management Services (RMS).</p>
<p>The Authorization Manager introduced role-based access control (RBAC), which lets administrators group permissions by job role and associate a user with several roles at once.</p>
<p>RMS gives the administrator the ability to attach usage policies to documents and messages so that they comply with information protection regulations. RMS works together with Certificate Services and IIS to enforce its policies on the local network and on the web.</p>
<p>In Windows Server 2003 R2, Active Directory Federation Services (ADFS) was introduced and Active Directory Application Mode (ADAM), previously a separate download, was included in the box.</p>
<p>ADFS extends the convenience of Active Directory’s single sign-on to the web by creating a single user session that can be used across multiple web applications, including those run by partner organizations.</p>
<p>ADAM was introduced so directory-enabled applications could take advantage of Active Directory’s LDAP directory and access control without requiring an actual domain or domain controller.</p>
<h3>Windows Server 2008</h3>
<p>In Windows Server 2008 Active Directory has continued on its path of integration with its latest family of components. Active Directory components are now available as server roles, which I have listed below:</p>
<ul>
<li>Active Directory Domain Services (AD DS)</li>
<li>Active Directory Certificate Services (AD CS)</li>
<li>Active Directory Lightweight Directory Services (AD LDS)</li>
<li>Active Directory Federation Services (AD FS)</li>
<li>Active Directory Rights Management Services (AD RMS)</li>
</ul>
<p>As you have probably noticed, the server roles listed above all contain Active Directory in the name. The new Active Directory roles provide the same functionality of the many identity access components from previous Windows Server versions, but with new names.</p>
<h3>Active Directory Domain Services (AD DS)</h3>
<p>Active Directory Domain Services is the new name for the directory service that was previously just called Active Directory, and it remains the core Active Directory component. Aside from improvements to the user interface, there are four major improvements to AD DS, which I will go over below.</p>
<ul>
<li><strong>Read-only domain controllers (RODC)</strong> – bring a domain controller to locations with poor physical security, such as branch offices, by holding a read-only replica of the directory replicated from a writable domain controller.<br />
<br />
No changes can be made on an RODC (writes are referred to a writable DC), and by default it caches no account passwords at all; only accounts allowed by its Password Replication Policy have their credentials stored on the server. If an RODC is stolen or breached, you reset the passwords of the accounts it had cached and remove its computer account, rather than rebuilding the whole directory.</li>
<li><strong>Auditing enhancements</strong> – the single Directory Service Access audit policy is now split into four subcategories: Directory Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication.<br />
<br />
Directory Service Changes in particular logs the old and new values of a modified attribute, which makes event searching far more useful and lets you audit only the operations you care about.</li>
<li><strong>Granular password and account lockout policies</strong> – domains are no longer limited to a single password or lockout policy. Multiple Password Settings Objects can now be created in a domain and applied to users or global security groups (not to OUs).</li>
<li><strong>Restartable AD DS</strong> – you can now perform maintenance on the directory by simply stopping the Active Directory Domain Services service while the server keeps running.<br />
<br />
Before, you had to reboot the machine into Directory Services Restore Mode to perform offline maintenance such as a database defragmentation, which meant more downtime.</li>
</ul>
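<p>The auditing subcategories above are only half of the story: the subcategory has to be enabled with auditpol (Group Policy in Server 2008 only exposes the old all-or-nothing setting), and the objects you care about must also carry an audit entry in their SACL or nothing is logged. As an added example that is not part of the original article, the PowerShell below enables Directory Service Changes, puts an audit ACE on the Password Settings Container (where the granular password policies live), and reads back the resulting create/modify/delete events. It assumes an elevated session on a Windows Server 2008 or later domain controller as a member of Domain Admins and the default location of the container; the function names are the example’s own.</p>

```powershell
# Added example, not code from the original post. Assumes: elevated PowerShell on a
# Windows Server 2008 (or later) domain controller, running as a Domain Admin (writing
# a SACL needs SeSecurityPrivilege). Function names and the 'Everyone' audit scope are
# choices made for this example.

# 1. Turn on the Server 2008 subcategory. The four DS Access subcategories are only
#    reachable through auditpol; the legacy "Audit directory service access" policy
#    setting switches on all four at once.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
auditpol /get /category:"DS Access"

# 2. Subcategory auditing alone produces nothing: the object (or a parent) must also
#    carry an audit ACE in its SACL. Add one on the Password Settings Container so every
#    create, attribute change and delete of a PSO is logged.
function Add-PsoContainerAuditAce {
    $nc = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $de = [ADSI]"LDAP://CN=Password Settings Container,CN=System,$nc"
    # Ask for the SACL; by default DirectoryEntry reads and writes only owner/group/DACL.
    $de.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete'
    $rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $rights,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $de.ObjectSecurity.AddAuditRule($rule)
    $de.CommitChanges()
}

# 3. Read back the events. 5136 = object modified, 5137 = created, 5141 = deleted.
#    Each event carries its fields as named <Data> elements in the event XML, so we
#    parse that rather than scraping the message text.
function Get-PsoChangeEvent {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectDN -like '*CN=Password Settings Container,CN=System,*') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object    = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName   # empty for 5137/5141
                Value     = $d.AttributeValue
                # 5136 reports the change as 'value added' (%%14674) or 'value deleted' (%%14675);
                # a replace shows up as one of each for the same attribute.
                Operation = $d.OperationType
            }
        }
    }
}

Add-PsoContainerAuditAce
Get-PsoChangeEvent -Days 30 | Format-Table -AutoSize
```

<p>Run it once to set the audit entry, then schedule the query. Because a modified attribute appears as a delete/add pair with the old and new values, the output tells you not just that someone touched a password policy but exactly which setting moved from what to what, and under which account.</p>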
<h3>Active Directory Certificate Services (AD CS)</h3>
<p>Certificate Services is named Active Directory Certificate Services in Server 2008. There are several notable improvements to AD CS. I have listed the major changes below.</p>
<ul>
<li><strong>Certificate Web enrollment support improvements</strong> – the ActiveX control for Web enrollment, XEnroll.dll, has been replaced with the COM control CertEnroll.dll. The new control is more secure and easier to manage.</li>
<li><strong>Network device enrollment support</strong> – the Network Device Enrollment Service (NDES), Microsoft’s implementation of the Simple Certificate Enrollment Protocol (SCEP), is now built in, so routers and other network devices that have no domain account can still be issued certificates and authenticate to other network entities.</li>
<li><strong>Online Certificate Status Protocol (OCSP) support</strong> – Server 2008 includes an OCSP responder as the optional Online Responder role service.<br />
<br />
OCSP lets a client ask for the revocation status of a single certificate instead of downloading the entire certificate revocation list, which improves network performance and keeps revocation checks timely.</li>
<li><strong>Enterprise PKI (PKIView)</strong> – PKI Health has a new name and is now an MMC snap-in. This tool is used for troubleshooting and monitoring the health of certificates and certification authorities.</li>
<li><strong>CAPI2 Diagnostics</strong> – a new PKI troubleshooting feature that performs highly detailed logging of certificate chain building, revocation checking and other validation processes.</li>
</ul>
<h3>Active Directory Lightweight Directory Services (AD LDS)</h3>
<p>Active Directory Lightweight Directory Services (AD LDS) is the new name for Active Directory Application Mode (ADAM).</p>
<p>AD LDS is essentially the same as ADAM except for it is now available as an in-box role in Server 2008 where it needed to be downloaded from the Microsoft Download Center in Server 2003.</p>
<p>As mentioned above in the context of ADAM, AD LDS is a stripped-down version of AD DS designed to be used by applications. Many CRM and HR applications use an LDAP directory for storing their data. AD LDS can be used instead of AD DS, making it possible to run these applications without a domain, domain controllers, or any change to the access controls on network resources.</p>
<h3>Active Directory Federation Services (AD FS)</h3>
<p>The name for Active Directory Federation Services (AD FS) remains the same, save the addition of a space in the acronym.</p>
<p>AD FS allows businesses to set up trust relationships with other directories, thus enabling the other directory’s users’ credentials to be used across directories. While there is little change to the name, a couple of notable improvements have been made, which I will go over below.</p>
<ul>
<li><strong>Federation trust import/export support</strong> – before, configuring a federation trust was a long, manual process. The manual process is still long; however, once set up, the settings can be exported and then imported to other AD FS servers.</li>
<li><strong>AD FS deployment limiting</strong> – a Group Policy setting can be applied to prevent AD FS servers from being deployed on Windows Server 2008.</li>
</ul>
<h3>Active Directory Rights Management Services (AD RMS)</h3>
<p>The follow-up to Windows RMS is Active Directory Rights Management Services (AD RMS).</p>
<p>The purpose of AD RMS remains the same as its predecessor. It is now integrated with Office 2007 and Internet Explorer 7 for securing sensitive information hosted on the server. For example, rights can be applied to emails to prevent recipients from forwarding messages.</p>
<p>AD RMS is available as a role in Server 2008 and now includes an MMC snap-in for administration as opposed to a Web-based interface.</p>
<h3>Still More to Come &#8230;</h3>
<p>The preceding components are the five Active Directory components released in Windows Server 2008. This year, MIIS has been updated for Server 2003 under the title Identity Lifecycle Manager. An updated release for Server 2008, code-named Identity Lifecycle Manager 2, is currently in beta.</p>
<p>Notable new features in this release include administration from a GUI and from SharePoint Services, as well as an approval request process for content available from Office 2007 applications.  You can find out more about <a href="http://www.microsoft.com/windowsserver/ilm2/default.mspx" target="_blank">Identity Lifecycle Manager 2 here.</a></p>
<p>While it would have been nice to have Identity Lifecycle Manager released with Server 2008, it goes to show you that Microsoft knows its work is never finished and will keep improvements to Active Directory coming.</p>


<h3>Related posts:<ul><li><a href='http://windowsserver.trainsignal.com/active-directory-certificate-services' rel='bookmark' title='Permanent Link: Server 2008: Active Directory Certificate Services'>Server 2008: Active Directory Certificate Services</a></li>
<li><a href='http://windowsserver.trainsignal.com/install-active-directory-certificate-services' rel='bookmark' title='Permanent Link: Server 2008: Install Active Directory Certificate Services'>Server 2008: Install Active Directory Certificate Services</a></li>
<li><a href='http://windowsserver.trainsignal.com/windows-server-2008-install-active-directory-domain-services' rel='bookmark' title='Permanent Link: Windows Server 2008: Install Active Directory Domain Services'>Windows Server 2008: Install Active Directory Domain Services</a></li>
</ul></h3>]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/windows-server-2008-active-directory/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Crush a Weasel with Server 2008 Fine-Grained Passwords</title>
		<link>http://windowsserver.trainsignal.com/windows-server-2008-fine-grained-passwords</link>
		<comments>http://windowsserver.trainsignal.com/windows-server-2008-fine-grained-passwords#comments</comments>
		<pubDate>Thu, 05 Jun 2008 15:00:38 +0000</pubDate>
		<dc:creator>Brian Nelson</dc:creator>
				<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Granular Passwords]]></category>
		<category><![CDATA[Server 2008 Training]]></category>

		<guid isPermaLink="false">http://www.trainsignaltraining.com/windows-server-2008-fine-grained-passwords/2008-06-05/</guid>
		<description><![CDATA[Being a Windows Systems Administrator is a lot like being an Army Ranger.
They&#8217;re highly skilled and highly trained. You&#8217;re highly skilled and highly trained. They have to maintain tight security. You have to maintain tight security. They do more before 9:00 am than most people do all day.  You read more email before 9:00 [...]

<h3>Related posts:<ul><li><a href='http://windowsserver.trainsignal.com/windows-server-2008-fine-grained-gotchas' rel='bookmark' title='Permanent Link: Fine-Grained Gotchas and Passwords Aged in Smooth Oak Barrels'>Fine-Grained Gotchas and Passwords Aged in Smooth Oak Barrels</a></li>
<li><a href='http://windowsserver.trainsignal.com/windows-server-2008-active-directory' rel='bookmark' title='Permanent Link: Active Directory Improvements in Windows Server 2008'>Active Directory Improvements in Windows Server 2008</a></li>
<li><a href='http://windowsserver.trainsignal.com/upgrading-to-server-2008-from-server-2003' rel='bookmark' title='Permanent Link: Upgrading to Server 2008 from Server 2003'>Upgrading to Server 2008 from Server 2003</a></li>
</ul></h3>]]></description>
			<content:encoded><![CDATA[<p>Being a Windows Systems Administrator is a lot like being an Army Ranger.</p>
<p>They&#8217;re highly skilled and highly trained. You&#8217;re highly skilled and highly trained. They have to maintain tight security. You have to maintain tight security. They do more before 9:00 am than most people do all day.  You read more email before 9:00 am than most people do all day. They crush the enemies of America. You crush the mouthy thirteen year-olds who are so annoying in World of Warcraft.</p>
<p>Ah, yes, the life of a systems administrator can be exciting and fun.  But, there can be burdens.  Your burden is Red.</p>
<p><img src="http://www.trainsignaltraining.com/wpnew/wp-content/uploads/2008/06/weasel_1.jpg" alt="How to Crush a Weasel with Server 2008 Fine-Grained Passwords" title="How to Crush a Weasel with Server 2008 Fine-Grained Passwords" align="right" width="260" height="260" border="0" />Red is the Head Engineering Research Ombudsman. He&#8217;s savvy and clever.</p>
<p>If Red was in prison, he&#8217;d be the guy who could get you things.  He is also a weasel. You realized just how big of a weasel, when you were updating his title for the third year in a row. </p>
<p>Two years ago, he got his title changed from Engineering Research Manager to Engineering Research Ombudsman. This year, he had them add on that he was the head of the department.</p>
<p>You figured that you would just use the acronym.  But, after seeing it, you pounded the delete key and used the whole title instead.</p>
<p><span id="more-483"></span></p>
<h3>Just What You Don&#8217;t Need &#8230; Another HERO</h3>
<p>Red doesn&#8217;t like messing around with passwords, but as the company H.E.R.O., he has certain duties that require administrative level access. (<em>For crying out loud! Who started abbreviating his title?</em>)</p>
<p>At security training you emphasized how important password security is because of the admin access and told him to change his password every 30 days.</p>
<p>When you reviewed the security logs, you noticed that not only did he not change his password every 30 days, but when the domain policy forced him to change his password after 90 days, he kept changing it every few minutes until he could go back to his original password!</p>
<p>Well, Army Rangers don&#8217;t let Russians cross over into Alaska, and you don&#8217;t let HEROs get away with password shenanigans. (<em>Seriously, who started abbreviating?  It doesn&#8217;t even have the periods anymore!</em>)</p>
<p>You set the domain&#8217;s minimum password age to one day so he can&#8217;t churn through changes in minutes, and you raised the enforced password history to its maximum of 24 remembered passwords.</p>
<p>&#8220;Hah!  Would you like a little Kryptonite with that password change Mr. HERO?&#8221;  (<em>Arrggghh!  Now, you&#8217;re even doing it.</em>)</p>
<p>But, there is still a problem.</p>
<p>You need Red to change his password every 30 days, not every 90 days like everyone else.  Well, you&#8217;ll fix his little red wagon; all you have to do is change his password expiration to … <em>Noooooooo!</em></p>
<p>You can only set the password requirements at the domain level. You can&#8217;t possibly justify creating another domain just for Red, and there is no way that management will let you change the whole domain&#8217;s password expiration to 30 days (they whine about 90!)</p>
<p>You can look at the security logs every 30 days and send email, but you don&#8217;t want to go adding more tasks to your 60 hour work week.  So, all you can do is use your most sinister voice and shake your fist at the administration screen, &#8220;To the last, I will grapple with thee.&#8221;</p>
<h3>Fine-Grained Passwords</h3>
<p>There are uninspired feature names, and there are poor feature names. This one is both.</p>
<p>If you were using the Windows Server 2008 beta, then you first heard it called Granular Passwords. That was a terrible name, a word most non-scientists don&#8217;t really use and it wasn&#8217;t really all that descriptive.</p>
<p>So, someone at Microsoft decided to change it.  Like a rapper to a rhyming dictionary, whoever is in charge of naming things grabbed the Thesaurus his 7th Grade English teacher gave him and found, &#8220;fine-grained.&#8221;  Yeah, that&#8217;s much better.</p>
<p>With Fine-Grained Passwords, Windows Server 2008 finally offers something administrators have been asking for since the early days of Active Directory, a way to single out individuals or small groups for different password security than everyone else.</p>
<p>It makes sense if you think about it. Traditionally, there are three classifications of passwords.</p>
<p>The first is normal users. The second are those with administrative access. The more admin access, the more stringent you want their password requirements to be. The third are service accounts which you want to set up with ridiculously long random passwords that rarely expire.</p>
<p>However, you could only set password attributes at the domain level, so you just had to pick one.  Not any more.</p>
<h3>Setting Fine-Grained Passwords</h3>
<p>Fine-grained passwords can only be used in a domain at the Windows Server 2008 domain functional level.  Basically, all of your domain controllers need to be Server 2008 before you can implement fine-grained passwords.</p>
<p>You also have to be a member of Domain Admins to create or apply password settings, unless that has been specifically delegated.</p>
<p>Fine-grained passwords can only be applied to individual users or global security groups. You cannot apply fine-grained passwords to OUs.  Instead, create a shadow group that contains the same users as the OU and assign the fine-grained password policy to it.  Just make sure you keep the group&#8217;s membership in step with the OU when users move in or out.</p>
<p>To create and assign fine-grained passwords you use the <strong>adsiedit.msc</strong> tool.  It isn&#8217;t pretty.</p>
<p>Basically, right-click ADSI Edit in the left-hand pane, choose Connect To, and connect to the Default naming context of your domain.  Expand the domain node, then CN=System, and select CN=Password Settings Container.  Right-click it and create a new object of the class msDS-PasswordSettings, which is a Password Settings Object (PSO).</p>
<p>When you click Next, you&#8217;ll need to set the msDS-PasswordSettingsPrecedence value for the object.  This value is used when more than one PSO ends up applying to a user: a PSO linked directly to the user always beats one it gets through a group, and among the rest the <strong>LOWER</strong> precedence value wins (a tie goes to the PSO with the lowest objectGUID).  The wizard then walks you through the remaining mandatory attributes.  The time-based ones (minimum and maximum password age, lockout duration and lockout observation window) are entered as DAYS:HOURS:MINUTES:SECONDS, so 30:00:00:00 is thirty days.  Finally, edit the PSO&#8217;s msDS-PSOAppliesTo attribute and add the distinguished names of the users or global groups it should apply to.  To confirm which PSO actually won for a given user, look at that user&#8217;s constructed msDS-ResultantPSO attribute, or run <strong>dsget user &lt;user DN&gt; -effectivepso</strong>.</p>
<p>To crush that weasel Red, set msDS-PasswordHistoryLength to its maximum of 1024, msDS-MinimumPasswordAge to 0:12:00:00 (two changes a day at most) and msDS-MaximumPasswordAge to 30:00:00:00.</p>
<p>At two changes a day, 1024 remembered passwords means 512 days, about a year and a half, before he can get back to a password he has used before.  If you want to be a weasel back, you can even set his msDS-LockoutThreshold lower than everyone else&#8217;s (Just one wrong try before lockout?  Heh, heh, heh.)</p>
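<p>The same procedure scripted, as an added example that is not part of the original post. It uses the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 and the RSAT tools (Server 2008 RTM has no such cmdlets, which is why the post falls back to ADSI Edit), and it goes one step beyond the text by creating two PSOs so you can see the precedence rule and the direct-link rule resolve against each other. The policy names, the shadow group PrivilegedUsers and the user account red are made up for the example.</p>

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT) and a session as a member of Domain Admins. The PSO
# names, the group 'PrivilegedUsers' and the user 'red' are hypothetical.
Import-Module ActiveDirectory

# FGPP needs the Windows Server 2008 domain functional level; refuse to go on otherwise.
$mode = (Get-ADDomain).DomainMode
if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $mode; raise it to Windows Server 2008 first."
}

# One PSO for all admin-level accounts, applied through a shadow group because PSOs
# cannot be linked to OUs. Time values are TimeSpans written as d.hh:mm:ss.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedUsers' -Precedence 20 `
    -Description 'Admin-level accounts: 30-day expiry, 1024 remembered passwords' `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 1024 `
    -MinPasswordAge '0.12:00:00' -MaxPasswordAge '30.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# Shadow group in the default Users container; keep it in step with the admin OU.
New-ADGroup -Name 'PrivilegedUsers' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'PrivilegedUsers' -Members 'red'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedUsers' -Subjects 'PrivilegedUsers'

# A tighter PSO linked directly to one user. A direct link beats any group-linked PSO
# regardless of precedence; the lower number is there so it also wins if someone later
# links this PSO through a group instead.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Red' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 1024 `
    -MinPasswordAge '0.12:00:00' -MaxPasswordAge '30.00:00:00' `
    -LockoutThreshold 1 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '1.00:00:00'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Red' -Subjects 'red'

# The check: which PSO actually applies? This resolves the user's msDS-ResultantPSO.
# For 'red' it must be PSO-Red; for any other PrivilegedUsers member, PSO-PrivilegedUsers.
Get-ADUserResultantPasswordPolicy -Identity 'red' |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordAge, PasswordHistoryCount, LockoutThreshold

# And the inventory: every PSO in the domain, its precedence, and who it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

<p>The resultant-policy query is the part to keep around: precedence mistakes are silent, and a user who ends up under a looser PSO than you intended looks exactly like one under the right policy until you ask which one actually won.</p>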
<h3>PowerGUI</h3>
<p>Don&#8217;t even mess with the tools Microsoft included to manage fine-grained password policies.</p>
<p>You can count on updated tools in a service pack or resource kit in the future. For now, head on over to <a href="http://powergui.org/index.jspa" target="_blank">PowerGUI.org</a>.  They have a collection of open-source tools that take advantage of PowerShell, including a much better GUI interface for setting and managing fine-grained passwords.</p>
<p>Just search for fine-grained passwords, and you are off.</p>
<p>Congratulations, you are once again the master.  Now, you can get back to bringing justice to WOW.</p>
<p>But first, you need to figure out why your parking pass isn&#8217;t working anymore.  Who handles that anyway?</p>
<p>Let&#8217;s see … oh, no!  It&#8217;s Red.</p>


<h3>Related posts:<ul><li><a href='http://windowsserver.trainsignal.com/windows-server-2008-fine-grained-gotchas' rel='bookmark' title='Permanent Link: Fine-Grained Gotchas and Passwords Aged in Smooth Oak Barrels'>Fine-Grained Gotchas and Passwords Aged in Smooth Oak Barrels</a></li>
<li><a href='http://windowsserver.trainsignal.com/windows-server-2008-active-directory' rel='bookmark' title='Permanent Link: Active Directory Improvements in Windows Server 2008'>Active Directory Improvements in Windows Server 2008</a></li>
<li><a href='http://windowsserver.trainsignal.com/upgrading-to-server-2008-from-server-2003' rel='bookmark' title='Permanent Link: Upgrading to Server 2008 from Server 2003'>Upgrading to Server 2008 from Server 2003</a></li>
</ul></h3>]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/windows-server-2008-fine-grained-passwords/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
