Manual: Upgrading your MCSE on Server 2003 to Server 2008 (70-649) 1-800-418-6789
LearnSmart Cloud Classroom: Video Training Manuals

Configuring Additional Active Directory Server Roles

Active Directory Lightweight Directory Services: Background and Configuration

Active Directory Lightweight Directory Services (AD LDS) is a server role that provides centralized directory access and management using the Lightweight Directory Access Protocol (LDAP). It provides authentication and directory data storage, allows directory-enabled applications to query and retrieve information, and does not require the heavy overhead of Active Directory Domain Services (AD DS). In the Windows Server 2008 operating system, AD LDS provides all the functionality that was provided by Active Directory Application Mode (ADAM) in Windows Server 2003 and XP Professional.

AD LDS is optimized for fast read access and provides an optimized environment for integrating enterprise applications that require directory services, such as line-of-business systems, customer relationship management systems, global information management systems and Human Resources management applications. AD LDS is primarily designed for use by applications, as a central directory store for information. On Windows Server 2008 it does not require the deployment of domains or domain controllers, as AD DS does. The same functionality is provided by AD LDS, and it can be used as a totally separate infrastructure for custom application deployment and development.

The following can be configured to run the AD LDS server role:
- Member servers
- Domain controllers
- Stand-alone servers

AD LDS retains many of the functions of AD DS, including:
- Application directory partitions
- LDAP over SSL
- Support for the Active Directory API, or Active Directory Service Interfaces
- Multi-master replication

AD LDS differs from AD DS in many ways, including the following:
- AD LDS does not support domains and forests
- AD LDS does not support Group Policy
- AD LDS does not support Global Catalogs
- AD LDS does not store security principals
- Windows cannot authenticate users stored in AD LDS, or use AD LDS users in Access Control Lists
There are many special considerations when implementing AD LDS:
- AD LDS is designed to provide directory services for applications, and the creation, management and removal of directory objects will be done through these applications.
- AD LDS does not support domain-centric management tools such as Active Directory Users and Computers and Active Directory Domains and Trusts.
- AD LDS directories can be managed through the use of directory tools, such as:
  - Ldp.exe - a support utility that provides the ability to search directories for information.
  - ADSI Edit - can be used for creating, deleting, viewing and overall modification of objects within the directory.
  - Other schema and directory management utilities.

There are several instances where AD LDS is preferred over AD DS, and it should be considered in the following situations:
- When support is required for specific applications that have a limited scope of users.
- When distributed applications support a broad geographic user base, and data access is required in diverse locations.
- When legacy applications require LDAP support.
- When specific applications rely on LDAP and need high-speed, local directory access.
- For external-facing applications that reside within a perimeter network or DMZ.
- For applications that require extensive LDAP schema alterations.
- When a custom development environment for directory applications is required.

Before creating an AD LDS instance, you need to do a bit of planning and preparation:
1. Create a data drive on the server. You need to place the directory stores on a drive that is separate from the operating system.
2. Decide on a unique name for the instance. This will identify the instance and name all of the required files.
3. Create an administrative group for the AD LDS instance, typically a domain group.
4. Designate the application partition within Active Directory with a Distinguished Name (DN). The partition can be created in any one of 3 ways:
   a. When you create the instance
   b. When you install an application that is bound to the instance
   c. Manually through an LDAP tool
5. Ensure the appropriate TCP/IP ports can be used by the service. AD LDS uses the following port numbers:
   a. 389 - Standard LDAP port
   b. 636 - Secure LDAP
Note: These are the same ports used by AD DS. It is not recommended to have AD DS and AD LDS on the same server.
6. Create/designate the AD LDS service account.
7. Create/add any additional LDIF files required for the instance.

Note: LDIF files are imported during the creation of the instance, and can set synchronization guidelines, create customizations and provide integration (to name a few). Below are some specific LDIF files and their purpose:
   a. MS-InetOrgPerson.ldf - contains the definition of the inetOrgPerson LDAP class.
   b. MS-User.ldf - contains all user classes and attributes.
   c. MS-ADLDS-DisplaySpecifiers.ldf - required for snap-in operations; it is required if you plan to manage your instance with the Active Directory Sites and Services snap-in.
   d. MS-adamschemaw2k3.ldf - required if you are going to be synchronizing with AD DS in Server 2003.
   e. MS-adamschemaw2k8.ldf - required if you are going to be synchronizing with AD DS in Server 2008.
   f. MS-AZMan.ldf - supports the Windows Authentication Manager.

Below are the steps required to create a new AD LDS instance:
1. Click Start, go to Administrative Tools, click Active Directory Lightweight Directory Services Setup Wizard, and then click Next.
2. On the Setup Options page, click A unique instance, and then click Next.
3. On the Instance Name page, provide a name for the AD LDS instance. This name will be used on the local computer to uniquely identify the AD LDS instance, and to name the files and services associated with it.
4. On the Ports page, specify the communications ports that the AD LDS instance uses to communicate. AD LDS can communicate using both LDAP (389) and Secure Sockets Layer (SSL) (636).
5. Within the Application Directory Partition step, you can create an application directory partition by clicking Yes, create an application directory partition. Or, you can select No, do not create an application directory partition. If you choose No, you must then create an application directory partition manually after the installation wizard.
6. On the File Locations page, you can change the default installation directories for the AD LDS data and recovery (log) files. By default, the AD LDS data and recovery files are installed in %ProgramFiles%\Microsoft ADAM\instancename\data.
7. Within the Service Account Selection page, you will select the service account for AD LDS. The AD LDS service will run under this account's security context. Like most network services, the Active Directory Lightweight Directory Services Setup Wizard defaults to the Network Service account.
8. Select a user or group to become the default administrator for the AD LDS instance on the AD LDS Administrators page. This user/group will have full administrative control of the AD LDS instance. By default, the Active Directory Lightweight Directory Services Setup Wizard specifies the currently logged-on user.
9. On the Importing LDIF Files page, you can import schema LDAP Data Interchange Format (LDIF) files, and use them in the setup and operations of the instance.
10. The Ready to Install page gives you an opportunity to review your installation selections. Click Next, and the Active Directory Lightweight Directory Services Setup Wizard copies files and sets up AD LDS on your computer. Click Finish when done.

Active Directory Rights Management Services (AD RMS): Background and Configuration

Active Directory Rights Management Services provides a framework to create solutions that protect information. It works hand in hand with AD RMS-enabled applications to protect sensitive information by providing consistent usage policies and rights management for several content types, including office documents, web sites, intranet content and email. Like many of the other enhancements in Windows Server 2008, it provides developers and applications the development hooks to add information protection functionality.

AD RMS protects and manages information through the following elements:
- Trusted entities - These entities can be specified, and include applications, users, groups and computers that are a trusted part of an AD RMS system. These entities are then granted rights to specific content.
- Usage conditions and rights - Once trusted entities are established, they can then be assigned rights and conditions that specify how they can interact with specific rights-protected content. Specific rights can include save, forward, read, write, copy, print, etc. Along with rights, certain conditions can be specified that add an additional dimension to the control. An example of a condition would be a rights expiration date.
- Encryption - Encryption allows data to be locked through the use of an electronic key, and provides another level of validation of the trusted entity. Decryption of content by users with appropriate rights can be accomplished through the use of a browser or application that is AD RMS enabled.

There are several ways to implement AD RMS:
- Internal use - At its simplest, AD RMS is used to manage and protect the rights on internal documents. It can provide a vehicle for protecting content from unauthorized employee access, protect content that is copied to USB hard drives and even prevent unauthorized email distribution.
- Internal and external use - While AD RMS can be used just to protect information and content within an organization, it can also be used in sharing content with trusted partners and third parties. Once again, only authorized privileges/rights can be used on specific content.
AD RMS provides a hierarchy of managed entities to provide persistence of policies across all managed entities:
- AD RMS deployment - the overall process by which AD RMS is deployed across an organization.
- AD RMS Web Services - provides a communication medium for computers within an AD RMS cluster.
- AD RMS Logging Service - runs on each computer within a cluster running AD RMS and provides logging information from which reports can be generated.

Server 2008 provides many new features that were absent in previous versions of Windows Rights Management Services (RMS). The new features were added to extend the use of the service beyond your organization and ease the administrative overhead. The new features provided by 2008 include:
- Microsoft Management Console (MMC) administrative interface - earlier versions of RMS used a web interface, which was difficult to manage.
- Installation - AD RMS is provided as a server role in 2008, providing simplified installation and management. The server role automatically installs all required services, including Message Queuing and IIS.
- AD RMS server self-enrollment - the enrollment process is now all done locally, removing the requirement of having to connect to Microsoft Enrollment Services.
- Additional administrative roles that allow for responsibility delegation - three new roles: AD RMS Enterprise Administrators, AD RMS Template Administrators and AD RMS Auditors.
- Active Directory Federation Services (AD FS) integration - AD FS allows organizations to collaborate with external entities on their rights-protected content without the need for an AD RMS deployment in both locations.
- AD RMS server role - An AD RMS system performs the following processes, and includes client and server pieces:
  - Creating rights templates and rights-protected files - Centralized templates can control usage, and provide a seamless and efficient way to standardize the application of privilege through policy.
  - Licensing of rights-protected information - Provides a mechanism to issue certificates and identify trusted entities. Once trusted, a user/group/service can then publish rights-protected content and assign rights to protect that content. These rights are then pervasive, and persist internally and externally.
  - Licensing for the decryption of rights-protected content - Licenses can be issued to entities, which are then interpreted and applied to the content to provide adequate access.
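Returning to the AD LDS planning and instance-creation steps earlier in this manual: the wizard pages can also be driven unattended, which makes the planning decisions (separate data drive, unique name, admin group, partition DN, free ports, service account, LDIF imports) explicit and repeatable. The following PowerShell is an added example, not part of the manual or of Microsoft's documentation; it assumes the adaminstall.exe /answer: unattended-install format and the [ADAMInstall] keys shown, which are recalled from the Server 2008 documentation and should be verified against your own copy, and every name, path, DN and group in it is a placeholder.

```powershell
# Added example (not from the manual): unattended AD LDS instance creation
# with adaminstall.exe, applying the planning decisions listed earlier.
# Assumption: the [ADAMInstall] answer-file keys are recalled from the Server
# 2008 unattended-install documentation; verify them against your own copy.
# Instance name, paths, partition DN and admin group are placeholders.
$InstanceName = 'AppDir1'
$DataPath     = 'D:\ADLDS\AppDir1\data'         # separate data drive (planning step 1)
$Partition    = 'CN=AppDir1,DC=example,DC=com'  # application partition DN (step 4)
$AdminGroup   = 'EXAMPLE\ADLDS-Admins'          # dedicated admin group (step 3)
$LdapPort     = 389
$SslPort      = 636

# Planning step 1: the directory store must not live on the system drive.
if ($DataPath.Substring(0, 2) -ieq $env:SystemDrive) {
    throw "Data path $DataPath is on the system drive; use a separate data drive."
}

# Planning step 5: 389/636 must be free. AD DS on the same host already owns
# them, which is why co-locating AD DS and AD LDS is discouraged.
$listening = netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' }
foreach ($port in $LdapPort, $SslPort) {
    if ($listening -match ":$port\s") {
        throw "TCP port $port is already in use on this host; choose another port."
    }
}

# Answer file: one key per wizard page (instance name, ports, partition,
# file locations, service account, administrators, LDIF imports).
# Empty ServiceAccount/ServicePassword is assumed to select Network Service.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$SslPort
NewApplicationPartitionToCreate="$Partition"
DataFilesPath=$DataPath
LogFilesPath=$DataPath
ServiceAccount=
ServicePassword=
Administrator=$AdminGroup
ImportLDIFFiles="MS-InetOrgPerson.ldf" "MS-User.ldf"
"@
$answerFile = Join-Path $env:TEMP 'adlds-answer.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
& "$env:windir\ADAM\adaminstall.exe" "/answer:$answerFile"
# The answer file would hold the service password if one were set; remove it.
Remove-Item $answerFile
```

Run it in an elevated PowerShell session on the server that will host the instance; the two checks fail fast before anything is installed if the data path or the ports violate the planning notes.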