Active Directory Application Mode: Introduction And Usage Scenarios.
Posted 19-Dec-2015 (Category: Documents)
Agenda
- Need for ADAM
- Usage scenarios
- Architecture
- Tech drilldown
- Summary
Active Directory, Circa 1997
- "Enterprise directory" + "NOS directory"
- Repository of consolidated information
- Centralized management, provisioning
- Single sign-on
- Data re-used by many applications
[Diagram: Active Directory at the centre, reached over LDAP and Kerberos by a portal application, whitepages/GAL, a generic app using single sign-on, and an HR/ERP application; automated provisioning and centralized management feed it; it supplies policy-based admin and single sign-on for Windows-based resources.]
Where We Are Today
- Directories deployed per-app; little re-use
- Provisioning, sync are ad-hoc
[Diagram: Active Directory provides policy and SSO for Windows plus centralized management, but every application has its own store: the portal application and whitepages on iPlanet over LDAP, a generic LDAP-based app on eDirectory, Outlook/Exchange over MAPI, the HR/ERP app on a database; the links between stores are a generic dump, ad-hoc sync, or non-existent.]
The Solution
- Integrated product suite for full range of usage scenarios
[Diagram: MIIS 2003 metadirectory at the centre providing centralized identity management, syncing with the HR/ERP app database, the infrastructure directory (Active Directory), app DSs (ADAM) accessed by DS-enabled apps, a web service DS (UDDI) and a third-party DS; arrows distinguish access from sync.]
Agenda
- Need for ADAM
- Usage scenarios
  1. App-specific local directory (DEMO)
  2. Developer prototyping DS-enabled app
  3. Supporting legacy applications
- Architecture
- Tech drilldown
- Summary
ADAM Usage Scenarios: 1. App-specific local directory
- Example: Web portal with personalization
- Store personalization info in ADAM
- Use AD for authentication
[Diagram: client → web portal (server); the portal stores/retrieves data in ADAM and authenticates against the infrastructure Active Directory.]
Demo
- Install ADAM
- Extend schema
- Import data
- Take well-behaved LDAP app and retarget to ADAM
- Retrieve data imported
- Easy to install, configure and use
ADAM Usage Scenarios: App-specific local directory – factoring identity
- Store app data without extending infrastructure directory
- App data keyed off identifier from infra directory
[Diagram: client → web portal (server) storing/retrieving data in AD/AM, with the infrastructure directory alongside; the user object (right, data shared by multiple apps) and its "shadow" in AD/AM (left, data specific to the portal app).]
ADAM Usage Scenarios: App-specific local directory – arbitrary catalog
- MIIS 2003 optional, for provisioning
  - Provision objects in ADAM as objects added/removed from infrastructure AD
  - Publish select data from ADAM objects into infrastructure AD
  - Create aggregate view of object in AD/AM
- Abstract infrastructure environment (domains, forests) from developer
[Diagram: client → web portal (server) storing/retrieving data in AD/AM, with MIIS 2003 (optional) between AD/AM and the infrastructure directory.]
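The "shadow keyed off an infra identifier" idea and the MIIS-style provisioning described on the two slides above, as an added Python model that is not code from the presentation, from ADAM or from MIIS 2003. The SID is used as the join key; the container name, attribute names and publish-back allow-list are constructed for the example.

```python
"""Toy MIIS-style reconciliation of ADAM "shadow" objects against the
infrastructure AD. Constructed example for this transcript, not MIIS 2003
or Microsoft code; all identities and attribute names are made up."""

APP_CONTAINER = "OU=Portal,O=Contoso,C=US"   # constructed ADAM app partition
PUBLISH_BACK = {"portalDisplayName"}           # constructed: the only app data
                                               # allowed to flow back into AD


def reconcile(infra_users, shadows):
    """Return (action, sid, details) tuples that bring ADAM in line with AD.

    Both sides are keyed by the stable infra identifier (the SID), never by
    DN: an OU move or rename in AD is then an update of the shadow, not a
    delete-and-create that would discard the app-local data.
    infra_users: {sid: {"dn": ..., "mail": ...}}
    shadows:     {sid: {"dn": ..., "sourceDn": ..., app-local attrs...}}
    """
    actions = []
    for sid, user in infra_users.items():
        shadow = shadows.get(sid)
        if shadow is None:
            actions.append(("create", sid, {"sourceDn": user["dn"]}))
        elif shadow["sourceDn"] != user["dn"]:
            actions.append(("update", sid, {"sourceDn": user["dn"]}))
    for sid in shadows:
        if sid not in infra_users:          # gone from AD: deprovision the shadow
            actions.append(("delete", sid, {}))
    return actions


def apply_actions(shadows, actions):
    """Apply reconcile() output to a copy of the shadow set and return it."""
    result = {sid: dict(obj) for sid, obj in shadows.items()}
    for action, sid, details in actions:
        if action == "create":
            cn = details["sourceDn"].split(",", 1)[0]   # reuse the AD RDN
            result[sid] = {"dn": f"{cn},{APP_CONTAINER}", "objectSid": sid,
                           **details}
        elif action == "update":
            result[sid].update(details)               # app-local data survives
        elif action == "delete":
            del result[sid]
    return result


def aggregate_view(infra_user, shadow):
    """Single object the app sees: the ADAM DN plus AD attributes layered
    over app-local ones (AD wins on a shared attribute name)."""
    merged = {**shadow, **infra_user}
    merged["dn"] = shadow["dn"]          # the app keeps binding to the ADAM DN
    return merged


def publish_back(shadow):
    """Attributes MIIS would flow from the shadow into infrastructure AD:
    an explicit allow-list so app-local data does not leak into AD."""
    return {k: v for k, v in shadow.items() if k in PUBLISH_BACK}
```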
ADAM Usage Scenarios: App-specific local directory – domain independent
- Can be used before infrastructure AD deployed
- Just need Windows® security infrastructure
  - Can be NT 4.0 domains, or local security database on a workgroup machine
- Peace of mind for app developer
  - App deployment not blocked
[Diagram: client authenticates to the web portal (server), which uses ADAM over LDAP; behind it sit Windows NT 4.0 domains, master user domains (MUD) and resource domains (RD).]
ADAM Usage Scenarios: Developer Prototyping DEA (DS-enabled app)
- Very low barrier to entry
  - Install ADAM on Windows XP®
  - No server or domain controller required
  - No OS reinstall required to wipe schema
  - Multiple instances means easy to follow different design paths while prototyping
- When done experimenting, app easily ported to Active Directory™
  - Port to domain partition/global catalog
  - Port to application partition (WS2003)
  - … or just leave it as an ADAM app
ADAM Usage Scenarios: Supporting legacy applications
- MIIS 2003 can transform data into the representation expected by legacy app
- Examples
  - O=, C= naming
  - Specific OU structure expected by app
[Diagram: MIIS 2003 (transform data) between the infrastructure Active Directory and ADAM; the legacy LDAP app stores/retrieves data in ADAM and performs AuthN against Active Directory.]
What ADAM Is Not
- Not usable by Exchange 2000
  - Exchange requires security principals
  - Exchange requires MAPI protocol support
  - Factoring application data and infrastructure data is part of philosophy for next generation
- Not a Windows logon server
  - Not a KDC (although can Kerberos-authenticate if passed creds of AD-based user)
- AD/AM does not diminish the need for NOS Active Directory!
When To Use ADAM
- Database versus Directory
  - Highly volatile, transactional data -> Database
  - Store once and retrieve many times -> Directory
- AD versus ADAM
  - AD – for identity management, security-enabled apps (Exchange)
- AD app partitions versus ADAM
  - Globally interesting data versus local data
  - Central management versus autonomy
- App forest versus ADAM
  - Users need network presence, constrained delegation – App forest
  - Simple authentication support – ADAM
Agenda
- Need for ADAM
- Usage scenarios
- Architecture
  - Components
  - Capabilities
  - Platforms support
- Tech drilldown
- Summary
Architecture
- Same code as Active Directory in WS2003 – just a new mode
- Programming model, admin tools virtually identical to infrastructure AD – familiarity means skill sets easily transferable
[Diagram: Infrastructure Active Directory: LSASS hosting the DSA with LDAP, SAM, MAPI, REPL, KDC and Lanman, plus DNS and FRS dependencies. Active Directory in Application Mode: ADAM hosting the DSA with LDAP and REPL only (traditional AD minus infrastructure mgmt).]
Just A New Mode!
- Same programming model as AD
- Replication and administration model similar to AD
- Same store as in AD – same storage management too
  - DIT file and log file layout is the same
- Same as WS2003 AD in every other way except
  - No locator via DNS SRV records – instead uses Service Connection Points
  - No MAPI protocol support
New Capabilities
- Simple install and setup
  - No DCPROMO
  - Wizard with defaults, just "Next" through
  - Does not turn machine into DC
- Restart or reinstall without reboot
- Multiple instances on single machine
- Each instance with own schema
- X.500-style O=, C= naming
Platforms Support
- Windows Server 2003 Standard, Enterprise and Datacenter
- Windows XP Professional
- 32-bit and 64-bit support
Agenda
- Need for ADAM
- Usage scenarios
- Architecture
- Tech drilldown
  - New concepts
  - Default configuration
  - Security
  - Replication
  - Administration experience
- Summary
New Concepts
- Instance
  - Identified by name and ports
  - Name ties the files, service, registry and ports together
  - Ports: configurable LDAP and SSL port
  - Event log: one per instance for application data; uses the shared security log for security logging
- Configuration set
  - Collection of instances that replicate with one another – they share configuration and schema partitions
Default Configuration: Schema, partitions and rootDSE
- Fully extensible schema
  - Default schema much smaller (~30 objects and <200 attributes)
  - Ships LDIF files to extend schema for RFC compliance, e.g., InetOrgPerson support
  - Auxiliary classes, schema activation and deactivation same as AD
- Configuration and schema partitions only
  - App partitions created via setup or later
  - Any object class and naming scheme
- rootDSE changes
  - Domain attributes pruned, tokenGroups added
  - supportedCapabilities: new OID for ADAM: 1.2.840.113556.1.4.1851
Security: Authentication
- Windows security principals
  - SASL binds; simple binds through proxy
  - Authentication: get token on bind from Windows, augmented with the ADAM groups the Windows principal (SID) is a member of, in all NCs
- ADAM security principals
  - Users and groups
  - Built-in groups (administrators, readers, users)
  - Scope limited to application partition
  - ADAM users: any class, have SID, simple bind only, account and password policy
- Windows principal needed to be admin in config container
Security: Bind proxy to Windows principals
- Scenario benefits from consolidation of identities – only the Windows identity is used; the ADAM DN is just a manifestation of the Windows identity
[Diagram: client → web portal (server) → AD/AM, with bind calls redirected to the infrastructure directory: 1. pass flat string; 2. get DN; 3. bind as DN, pwd; 4. access object data.]
Security: Bind proxy to Windows principals
- Proxy object in ADAM
  - Local manifestation of Windows object
  - Augmented with app-specific local data
- Redirect bind calls to Windows
  - Single password experience by consolidating identity in AD - password not stored in ADAM
  - Decommissioning is automatic
- No changes needed to the app
- Abstract infrastructure environment from developer (domains, forests)
  - Works with any trusted domains and forests
Security: Authorization
- Default ACLs made simple
- Authorization for ADAM objects same as AD
  - ACLs have SIDs from ADAM or Windows
  - Tokens matched against ACLs to grant or deny access
- Applications can implement their own authorization scheme, same as with AD
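The bind redirection, token augmentation and ACL matching described on the authentication, bind-proxy and authorization slides above, as an added Python model; it is not Microsoft's or ADAM's code, and every DN, SID, group, password and ACE in it is constructed. The infra dict stands in for the Windows authority that actually verifies the password.

```python
"""Toy model of ADAM bind proxy, token augmentation and ACL evaluation.
Constructed example for this transcript, not Microsoft code: every DN, SID,
group, password and ACE below is made up."""
import hmac

# Constructed infrastructure AD: the only place a password exists.
ALICE_SID = "S-1-5-21-1000-2000-3000-1001"
BOB_SID = "S-1-5-21-1000-2000-3000-1002"
INFRA_AD = {"CONTOSO\\alice": {"sid": ALICE_SID, "pwd": "alice-pw"},
            "CONTOSO\\bob": {"sid": BOB_SID, "pwd": "bob-pw"}}

# Constructed ADAM application partition. Proxy objects carry the Windows
# SID plus app-local data; note that no password attribute exists here.
ADMIN_SID = "S-1-5-21-ADAM-EXAMPLE-512"   # constructed ADAM-local group SID
ALICE_DN = "CN=alice,OU=Portal,O=Contoso,C=US"
BOB_DN = "CN=bob,OU=Portal,O=Contoso,C=US"
ADAM = {
    "objects": {
        ALICE_DN: {"objectClass": "userProxy", "objectSid": ALICE_SID,
                   "portalTheme": "dark"},
        BOB_DN: {"objectClass": "userProxy", "objectSid": BOB_SID,
                 "portalTheme": "light"}},
    "groups": {ADMIN_SID: {ALICE_SID}},   # ADAM group SID -> member SIDs
}
# Constructed ACL on bob's object, ACE = (type, SID, rights): admins get
# full access, bob may read himself, an explicit deny stops bob writing.
ACL_BOB = [("allow", ADMIN_SID, {"read", "write"}),
           ("allow", BOB_SID, {"read", "write"}),
           ("deny", BOB_SID, {"write"})]


def proxy_bind(adam, infra, dn, password):
    """Simple bind to a userProxy. ADAM resolves the DN to a SID and defers
    the password check to Windows (simulated by the infra dict), then
    augments the token with the ADAM groups the SID belongs to.
    Returns the token as a set of SIDs, or None if the bind fails."""
    obj = adam["objects"].get(dn)
    if obj is None or obj.get("objectClass") != "userProxy":
        return None                        # unknown DN or not a proxy object
    sid = obj["objectSid"]
    account = next((a for a in infra.values() if a["sid"] == sid), None)
    if account is None:
        return None          # deleted in AD: the proxy is dead automatically
    if not hmac.compare_digest(account["pwd"], password):
        return None                        # Windows rejected the password
    token = {sid}
    for group_sid, members in adam["groups"].items():
        if sid in members:
            token.add(group_sid)
    return token


def access_check(acl, token, right):
    """Match a token against an ACL: a matching deny beats any allow."""
    hits = [ace for ace in acl if ace[1] in token and right in ace[2]]
    if any(kind == "deny" for kind, _, _ in hits):
        return False
    return any(kind == "allow" for kind, _, _ in hits)
```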
Replication
- Multi-master replication, same as AD
  - Fully functional, updateable replicas
- Concept of sites, KCC same as AD
- Schedules can be set independent of other instances
  - Set replication schedules in ADSIEdit
  - Repadmin tool available
- Replicas can host any subset of application partitions
- Can replicate between instances regardless of domain/workgroup or trusts
Administration Experience: Tools
- Administration model similar to AD - familiar tools to do familiar tasks
- GUI tools
  - LDP
  - ADSIEdit - new functionality to manage replication schedules
  - Schema Manager snap-in
- Command line tools - Ntdsutil, LDIFDE, Dcdiag, Dsacls, Repadmin equivalents
- Backup and restore through ntbackup
  - Snapshot writer based backups
  - System state backup not needed – store only
  - Auth restore, create replica from media available
Administration Experience: Centralized management
- Easy to set up and manage "ADAM farms" centrally, much like SQL Server
  - Installation, configuration geared for this
- Server consolidation
  - Multiple instances and multiple partitions support
- Control services centrally through SMS
- Controlled deployment
  - ADAM registers SCP in AD (optional)
  - DNS for load balancing with referrals
  - Group policy controlled: service accounts, bind options can be controlled
Agenda
- Need for ADAM
- Usage Scenarios
- Architecture
- Tech Drilldown
- Summary
ADAM As App Directory
- Dedicated store for app data
- Standalone or replicated
- Independent of domain setup
- Local control and autonomy
- Schema and naming flexibility
- Everyone can have many!
Benefits Summary
- Ease of deployment
  - Install, reinstall, remove
  - .NET Server and XP Pro platforms
- Reduced infrastructure costs
  - Single directory technology
  - Same admin model
- Increased security
  - Integration with Windows principals
- Increased flexibility
  - Install anywhere without affecting AD
- Reliability and scalability
  - Same as AD
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.