Extending the Directory Beyond Active Directory


With the Windows Server 2003 R2 update, Microsoft added three directory services that extend how an organization shares information and how users reach information managed by Active Directory. These three directory services are Active Directory Federation Services (ADFS), Active Directory Application Mode (ADAM), and Identity Management for UNIX (IdMU). All three are included in the Windows Server 2003 R2 update and can be added to an existing Windows Server 2003 Active Directory environment without a forest or domain upgrade of the directory itself (ADFS and IdMU do extend the schema). More information about ADFS, ADAM, and IdMU is covered in Chapters 5 and 8.

Active Directory Federation Services (ADFS)

One of the new directory services in Windows Server 2003 R2 is Active Directory Federation Services (ADFS). ADFS lets two organizations, each with its own Active Directory forest, share web-based applications through a common, claims-based authentication model. Rather than creating a forest trust between the directories, which makes every security principal in one forest available to the other and requires domain controllers in both forests to reach each other over LDAP, Kerberos, and RPC, an organization builds a federation trust that runs over HTTPS alone and specifies exactly which users can reach which web applications in the partner environment.

This resource sharing is managed through digitally signed security tokens that carry claims about the user (for example, a user principal name, an e-mail address, or a group membership). The administrator of the account partner decides which users receive which claims, and the administrator of the resource partner decides which claims grant access to which applications; neither side needs an account for the other side's users. As an example, one organization may choose a group of eight users who can access a portal in another organization. Rather than creating the eight users in the other organization's directory or establishing a forest trust, the account partner issues a group claim only to those eight users and the resource partner maps that claim to the portal, so access is granted on an isolated, per-application basis. Because the resource partner validates every token against the account partner's token-signing certificate, a token with altered claims, an expired token, or a token issued by an unknown party is rejected. Note that the R2 release of ADFS covers browser-based web applications (the WS-Federation passive profile); it is not a substitute for a trust where file shares or other Windows resources must be reached directly.

Because the federation is explicitly configured, administrators can log and audit which users were issued tokens and which applications they reached, without having to track accounts that live in another organization's directory. This helps auditors and security teams report on who had access to which resources. ADFS is commonly used when two organizations already have completely separate directories, or when a single organization must deliberately maintain two or more directories for information distribution.
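The exchange described above, reduced to its security checks, as an added example that is not code from the book or from ADFS itself: an account partner issues a signed token carrying only the claims its outgoing mappings allow, and the resource partner verifies the signature, issuer, audience, and lifetime before mapping a claim to an application. The partner URIs, user names, group names, and application URL are constructed for the example. An HMAC shared key stands in for the account partner's X.509 token-signing certificate so the example runs with the standard library; real ADFS signs with the certificate's private key and the resource partner verifies with the public key, so the resource partner cannot mint tokens the way it could with a shared HMAC key.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the account partner's Active Directory: the group
# PortalUsers holds the people who may reach the partner's portal.
ACCOUNT_PARTNER_DIRECTORY = {
    "alice@contoso.example": {"groups": ["PortalUsers", "Finance"]},
    "bob@contoso.example": {"groups": ["Finance"]},
}

# Outgoing claim mapping on the account partner: AD group -> organization group claim.
# Groups without a mapping are never disclosed to the resource partner.
OUTGOING_GROUP_CLAIMS = {"PortalUsers": "PartnerPortalAccess"}

# Assumption: HMAC key standing in for the account partner's token-signing certificate.
TOKEN_SIGNING_KEY = b"contoso-token-signing-key-demo"

ACCOUNT_PARTNER_URI = "urn:federation:contoso"     # constructed issuer URI
RESOURCE_PARTNER_URI = "urn:federation:fabrikam"   # constructed audience URI
TOKEN_LIFETIME_SECONDS = 600


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(upn, now=None):
    """Account partner federation server: look the user up in its own directory
    and issue a signed token that carries only the mapped claims."""
    now = time.time() if now is None else now
    user = ACCOUNT_PARTNER_DIRECTORY.get(upn)
    if user is None:
        return None  # unknown user: no token at all
    groups = sorted({OUTGOING_GROUP_CLAIMS[g] for g in user["groups"] if g in OUTGOING_GROUP_CLAIMS})
    body = {
        "issuer": ACCOUNT_PARTNER_URI,
        "audience": RESOURCE_PARTNER_URI,
        "issued_at": now,
        "expires": now + TOKEN_LIFETIME_SECONDS,
        "claims": {"upn": upn, "groups": groups},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "signature": _sign(payload, TOKEN_SIGNING_KEY)}


# Resource partner configuration: trusted account partners and their signing keys,
# plus the incoming claim mapping that says which claim unlocks which application.
TRUSTED_ACCOUNT_PARTNERS = {ACCOUNT_PARTNER_URI: TOKEN_SIGNING_KEY}
APPLICATION_ACCESS = {"https://portal.fabrikam.example/": "PartnerPortalAccess"}


def validate_token(token, now=None):
    """Resource partner federation server: verify issuer, signature, audience and
    lifetime. Returns the claims on success and None on any failure."""
    now = time.time() if now is None else now
    try:
        body = json.loads(token["payload"])
    except (KeyError, ValueError, TypeError):
        return None
    key = TRUSTED_ACCOUNT_PARTNERS.get(body.get("issuer"))
    if key is None:
        return None  # token from a partner we have no federation trust with
    if not hmac.compare_digest(_sign(token["payload"], key), token.get("signature", "")):
        return None  # claims were altered after signing, or wrong signing key
    if body.get("audience") != RESOURCE_PARTNER_URI:
        return None  # token was issued for a different resource partner
    if not (body.get("issued_at", now + 1) <= now < body.get("expires", 0)):
        return None  # not yet valid, or expired
    return body["claims"]


def authorize(token, application_url, now=None):
    """Map a validated token's group claims onto one application."""
    claims = validate_token(token, now)
    if claims is None:
        return False
    required = APPLICATION_ACCESS.get(application_url)
    return required is not None and required in claims["groups"]


if __name__ == "__main__":
    portal = "https://portal.fabrikam.example/"
    print(authorize(issue_token("alice@contoso.example"), portal))  # member of PortalUsers
    print(authorize(issue_token("bob@contoso.example"), portal))    # no mapped claim
```

Every check in `validate_token` fails closed, and the resource partner never sees Bob's Finance membership because only mapped groups leave the account partner.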

Active Directory Application Mode (ADAM)

Active Directory Application Mode (ADAM) lets an organization run a separate, lightweight LDAP directory for application data and application-specific schema extensions while the main Active Directory continues to handle Windows logon and resource sharing. ADAM is not a subforest or a partition of Active Directory: it runs as a service on a domain controller, a member server, or even a workstation, has its own schema and its own replication, and several independent instances can run side by side on one host. Unlike ADFS, which assumes an organization wants or needs two or more completely independent directories, ADAM assumes that the organization really needs only one directory to manage and administer, but wants to keep application data and externally facing identities clearly separated from the accounts and schema of the production forest.

ADAM removes the need to build a completely separate forest for external contractors or vendors, or for application development and testing. It also avoids the other common workaround, adding external contractors and users to the production Active Directory, which is a security concern because those non-employee accounts become Windows security principals in the main organizational directory.

Instead, an organization can create accounts for external users in an ADAM instance. Those users authenticate to ADAM with an LDAP bind and can read and write application directory information there, using applications that are hosted and managed by the organization, but from a completely separate directory. ADAM accounts are not Windows security principals, so they cannot log on to Windows or reach file shares and other Windows resources on their own; where an external user already holds an Active Directory account, ADAM can instead hold a userProxy object that forwards the LDAP bind to Active Directory for password validation (bind redirection). Because a simple LDAP bind carries the password in clear text, the ADAM instance should be configured for SSL, and by default ADAM refuses to redirect a bind to Active Directory over an unprotected connection. Organizations that must demonstrate separation between employees and non-employees for regulatory compliance, and for separation of security events and services, can show that the ADAM instance is managed and maintained separately from the core internal Active Directory.

Note

Active Directory Application Mode was originally a separately downloaded feature pack for Windows Server 2003. With the release of Windows Server 2003 R2, ADAM is included as part of the R2 update.


Identity Management for UNIX (IdMU)

Identity Management for UNIX (IdMU) is a Windows Server 2003 R2 component that integrates Active Directory with the UNIX Network Information Service (NIS). It extends the Active Directory schema with the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell, and the NIS domain) and adds a UNIX Attributes tab to the user and group property pages in Active Directory Users and Computers. Its Server for NIS component lets a domain controller act as a NIS master server whose passwd, group, and other maps are built from Active Directory, and its Password Synchronization component propagates password changes in either direction between Active Directory and the UNIX hosts that run the synchronization daemon, protecting the passwords in transit with a shared encryption key. Rather than having a user log on to Active Directory and then hold a separate set of credentials and rights on UNIX systems managed by NIS, an Active Directory user can be given UNIX identity attributes directly, and passwords can be kept in step automatically between the Active Directory and NIS accounts.

Consolidating account management this way lets an organization centralize and standardize access rights, password management, and user privileges across Windows and UNIX systems. It also widens the exposure of a compromised credential: NIS serves its passwd map, including the UNIX password hash, to any client that can reach the server and knows the NIS domain name, so a synchronized password becomes available for offline cracking on the UNIX side. Plan the network boundary of the NIS service, and the set of accounts that are UNIX-enabled, accordingly.
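As an added example, not code from the book or from Server for NIS, the following builds NIS passwd map entries from Active Directory user records that carry the RFC 2307 attributes IdMU adds, and applies the checks a practitioner would want before serving such a map: users without UNIX attributes are not UNIX-enabled and are skipped, a uidNumber in the system range (including 0, root) is refused, duplicate uidNumbers are refused because two Windows accounts would otherwise share one UNIX identity, and field values containing ':' or a newline are refused because they would corrupt or inject entries into the map. The sample records are constructed; the password field is written as 'x' here, whereas the map Server for NIS actually serves carries the hash discussed above.

```python
import re

# Constructed sample records standing in for AD user objects with RFC 2307 attributes.
SAMPLE_AD_USERS = [
    {"sAMAccountName": "jsmith", "displayName": "Jane Smith", "uidNumber": 10001,
     "gidNumber": 10000, "unixHomeDirectory": "/home/jsmith", "loginShell": "/bin/bash"},
    {"sAMAccountName": "bjones", "displayName": "Bob Jones", "uidNumber": 10002,
     "gidNumber": 10000, "unixHomeDirectory": "/home/bjones", "loginShell": "/bin/sh"},
    # uidNumber 0 would map this service account to root on every NIS client.
    {"sAMAccountName": "svc-backup", "displayName": "Backup Service", "uidNumber": 0,
     "gidNumber": 0, "unixHomeDirectory": "/root", "loginShell": "/bin/sh"},
    # Same uidNumber as bjones: two Windows accounts would share one UNIX identity.
    {"sAMAccountName": "contractor1", "displayName": "Contractor One", "uidNumber": 10002,
     "gidNumber": 10000, "unixHomeDirectory": "/home/contractor1", "loginShell": "/bin/sh"},
    # A colon in a free-text attribute would shift the remaining passwd fields.
    {"sAMAccountName": "mallory", "displayName": "Evil:Colon", "uidNumber": 10003,
     "gidNumber": 10000, "unixHomeDirectory": "/home/mallory", "loginShell": "/bin/sh"},
    # No UNIX attributes: an ordinary Windows user, not UNIX-enabled.
    {"sAMAccountName": "noposix", "displayName": "No UNIX Attributes"},
]

REQUIRED_ATTRIBUTES = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
# NIS user names are case-sensitive, so only lowercase names are accepted here.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_passwd_map(users, min_uid=1000):
    """Return (passwd_lines, problems). Every record that fails a check is left out
    of the map and described in problems, so a bad record never reaches the clients."""
    entries, problems, seen_uids = [], [], {}
    for user in users:
        name = user.get("sAMAccountName", "")
        if not all(attr in user for attr in REQUIRED_ATTRIBUTES):
            problems.append(f"{name}: skipped, not UNIX-enabled (missing RFC 2307 attributes)")
            continue
        if not USERNAME_RE.match(name):
            problems.append(f"{name}: skipped, not a valid NIS user name")
            continue
        uid, gid = int(user["uidNumber"]), int(user["gidNumber"])
        if uid < min_uid:
            problems.append(f"{name}: refused, uidNumber {uid} is below {min_uid} (system or root range)")
            continue
        if uid in seen_uids:
            problems.append(f"{name}: refused, uidNumber {uid} already used by {seen_uids[uid]}")
            continue
        gecos, home, shell = user.get("displayName", ""), user["unixHomeDirectory"], user["loginShell"]
        if any(":" in field or "\n" in field for field in (gecos, home, shell)):
            problems.append(f"{name}: refused, attribute contains ':' or newline (passwd field injection)")
            continue
        seen_uids[uid] = name
        entries.append(f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}")
    return entries, problems


if __name__ == "__main__":
    lines, issues = build_passwd_map(SAMPLE_AD_USERS)
    print("\n".join(lines))
    print("\n".join(issues))
```

The uid floor and the duplicate check are the two that matter most on a production map: a uidNumber typed into the UNIX Attributes tab is an ordinary, writable Active Directory attribute, so whoever can edit it can choose which UNIX identity a Windows account receives.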

IdMU is discussed in Chapter 8.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499
