Active Directory Application Mode: Introduction And Usage Scenarios.

Posted 19-Dec-2015, category: Documents.

Transcript of Active Directory Application Mode: Introduction And Usage Scenarios.

Active Directory Application Mode: Introduction And Usage Scenarios

Agenda

• Need for ADAM
• Usage scenarios
• Architecture
• Tech drilldown
• Summary

Active Directory, Circa 1997

• “Enterprise directory” + “NOS directory”
• Repository of consolidated information
• Centralized management, provisioning
• Single-sign-on
• Data re-used by many applications

[Diagram: Active Directory at the centre, serving a portal application, whitepages/GAL, a generic app using single-sign-on and an HR/ERP application (automated provisioning) over LDAP and Kerberos; centralized management; policy-based admin and single-sign-on for Windows-based resources.]

Where We Are Today

• Directories deployed per-app; little re-use
• Provisioning, sync are ad-hoc

[Diagram: per-app directories: Active Directory (policy and SSO for Windows, LDAP), iPlanet, eDirectory and a database behind a portal application, whitepages, a generic LDAP-based app, an HR/ERP app and Outlook/Exchange (LDAP, MAPI); a generic dump and ad-hoc sync between them; centralized management non-existent.]

The Solution

• Integrated product suite for full range of usage scenarios

[Diagram: MIIS 2003 metadirectory syncs centralized identity management, an HR/ERP app, a database, the infrastructure directory (Active Directory), application directories (ADAM) behind DS-enabled apps, a UDDI web service DS and a third-party DS; DS-enabled apps access their app DS directly.]

Agenda

• Need for ADAM
• Usage scenarios
    1. App-specific local directory (DEMO)
    2. Developer prototyping DS-enabled app
    3. Supporting legacy applications
• Architecture
• Tech drilldown
• Summary

ADAM Usage Scenarios – 1. App-specific local directory

• Example: Web portal with personalization
• Store personalization info in ADAM
• Use AD for authentication

[Diagram: client; web portal server stores/retrieves data in ADAM and authenticates against infrastructure Active Directory.]

Demo

• Install ADAM
• Extend schema
• Import data
• Take well-behaved LDAP app and retarget to ADAM
• Retrieve data imported
• Easy to install, configure and use

ADAM Usage Scenarios – App-specific local directory – factoring identity

• Store app data without extending infrastructure directory
• App data keyed off identifier from infra directory

[Diagram: client; web portal server stores/retrieves data in AD/AM (data specific to portal app) and reads the infrastructure directory (data shared by multiple apps); user object (right) and its “shadow” in AD/AM (left).]

ADAM Usage Scenarios – App-specific local directory – arbitrary catalog

• MIIS 2003 optional, for provisioning
    • Provision objects in ADAM as objects added/removed from infrastructure AD
    • Publish select data from ADAM objects into infrastructure AD
    • Create aggregate view of object in AD/AM
• Abstract infrastructure environment (domains, forests) from developer

[Diagram: client; web portal server stores/retrieves data in AD/AM; MIIS 2003 (optional) sits between AD/AM and the infrastructure directory.]

ADAM Usage Scenarios – App-specific local directory – domain independent

• Can be used before Infrastructure AD deployed
• Just need Windows® security infrastructure
    • Can be NT 4.0 domains, or local security database on a workgroup machine
• Peace of mind for app developer
    • App deployment not blocked

[Diagram: Windows NT 4.0 domains (MUD and RD domains) provide authentication; client; web portal server talks LDAP to ADAM.]

ADAM Usage Scenarios – Developer Prototyping DEA

• Very low barrier to entry
    • Install ADAM on Windows XP®
    • No server or domain controller required
    • No OS reinstall required to wipe schema
    • Multiple instances means easy to follow different design paths while prototyping
• When done experimenting, app easily ported to Active Directory™
    • Port to domain partition/global catalog
    • Port to application partition (WS2003)
    • … or just leave it as an ADAM app

ADAM Usage Scenarios – Supporting legacy applications

• MIIS 2003 can transform data in representation expected by legacy app
• Examples
    • O=, C= naming
    • Specific OU structure expected by app

[Diagram: legacy LDAP app; store/retrieve data in ADAM; AuthN against infrastructure Active Directory; MIIS 2003 transforms data between ADAM and infrastructure Active Directory.]

What ADAM Is Not

• Not usable by Exchange 2000
    • Exchange requires security principals
    • Exchange requires MAPI protocol support
    • Factoring application data and infrastructure data is part of philosophy for next generation
• Not a Windows logon server
• Not a KDC (although can Kerberos authenticate if pass creds of AD-based user)
• AD/AM does not diminish the need for NOS Active Directory!

When To Use ADAM

• Database versus Directory
    • Highly volatile, transactional data -> Database
    • Store once and retrieve many times -> Directory
• AD versus ADAM
    • AD – for identity management, security enabled apps (Exchange)
• AD App partitions versus ADAM
    • Globally interesting data versus local data
    • Central management versus autonomy
• App forest versus ADAM
    • Users need network presence, constrained delegation – App forest
    • Simple authentication support – ADAM

Agenda

• Need for ADAM
• Usage scenarios
• Architecture
    • Components
    • Capabilities
    • Platforms support
• Tech drilldown
• Summary

Architecture

• Same code as Active Directory in WS2003 – just a new mode
• Programming model, admin tools virtually identical to Infrastructure AD – familiarity means skill sets easily transferable

[Diagram: Infrastructure Active Directory runs in LSASS with DSA, LDAP, SAM, MAPI, REPL, KDC and Lanman, plus DNS and FRS dependencies; Active Directory in Application Mode (ADAM) has only DSA, LDAP and REPL (traditional AD minus infrastructure mgmt).]

Just A New Mode!

• Same programming model as AD
• Replication and administration model similar to AD
• Same store as in AD – same storage management too
    • DIT file and log file layout is same
• Same as WS2003 AD in every other way except
    • No locator via DNS SRV records – instead uses Service Connection Points
    • No MAPI protocol support

New Capabilities

• Simple install and setup
    • No DCPROMO
    • Wizard with defaults, just “Next” through
    • Does not turn machine into DC
• Restart or reinstall without reboot
• Multiple instances on single machine
    • Each instance with own schema
• X.500-style O=, C= naming

Platforms Support

• Windows Server 2003 Standard, Enterprise and Datacenter
• Windows XP Professional
• 32-bit and 64-bit support

Agenda

• Need for ADAM
• Usage scenarios
• Architecture
• Tech drilldown
    • New concepts
    • Default configuration
    • Security
    • Replication
    • Administration experience
• Summary

New Concepts

• Instance
    • Identified by name and ports
    • Name ties the files, service, registry and ports together
    • Ports: configurable LDAP and SSL port
• Event log
    • One per instance for application data; uses the shared security log for security logging
• Configuration set
    • Collection of instances that replicate with one another – they share Configuration and schema partitions

Default Configuration – Schema, partitions and rootDSE

• Fully extensible schema
    • Default schema much smaller (~30 objects and <200 attributes)
    • Ships LDIF files to extend schema for RFC compliance, e.g., InetOrgPerson support
    • Auxiliary classes, schema activation and deactivation same as AD
• Configuration and schema partitions only
    • App partitions created via setup or later
    • Any object class and naming scheme
• rootDSE changes
    • Domain attributes pruned, tokenGroups added
    • supportedCapabilities: new OID for ADAM: 1.2.840.113556.1.4.1851

Security – Authentication

• Windows security principals
    • SASL binds; simple binds through proxy
    • Authentication: get token on bind from Windows, augmented with ADAM groups the Windows principal (SID) is a member of, in all NCs
• ADAM security principals
    • Users and groups
    • Built-in groups (administrators, readers, users)
    • Scope limited to application partition
    • ADAM users: any class, have SID, Simple Bind only, account and password policy
• Windows principal needed to be admin in config container

Security – Bind proxy to Windows principals

• Scenario benefits from consolidation of identities – only Windows identity is used; ADAM DN is just a manifestation of Windows identity

[Diagram: client, web portal server, AD/AM and infrastructure directory. 1. Client passes flat string to the web portal; 2. portal gets DN from AD/AM; 3. portal binds as DN, pwd – bind calls redirected to the infrastructure directory; 4. portal accesses object data.]

Security – Bind proxy to Windows principals (continued)

• Proxy object in ADAM
    • Local manifestation of Windows object
    • Augmented with app-specific local data
• Redirect bind calls to Windows
    • Single password experience by consolidating identity in AD – password not stored in ADAM
    • Decommissioning is automatic
• No changes needed to the app
• Abstract infrastructure environment from developer (domains, forests)
    • Works with any trusted domains and forests

Security – Authorization

• Default ACLs made simple
• Authorization for ADAM objects same as AD
    • ACLs have SIDs from ADAM or Windows
    • Tokens matched against ACLs to grant or deny access
• Applications can implement their own authorization scheme, same as with AD
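The bind-proxy flow and the token/ACL check from the Security slides, as an added Python model that is not part of the deck or of ADAM itself: it uses an in-memory stand-in for the infrastructure directory and for an ADAM instance, with constructed SIDs, DNs and group names. The refusal of proxy binds on the non-SSL port is an assumed deployment policy, not something the slides state.

```python
"""Constructed stand-in (not ADAM's code) for the bind-proxy flow and token-based
authorization on the Security slides: the infrastructure directory keeps the only
password verifier; ADAM keeps proxy objects (DN -> Windows SID), groups and ACLs."""
import hashlib
import hmac
import os

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class InfrastructureDirectory:
    """Stand-in for infrastructure AD: passwords are verified only here."""
    def __init__(self):
        self._users = {}  # sid -> {"salt", "verifier", "enabled"}

    def add_user(self, sid, password):
        salt = os.urandom(16)
        self._users[sid] = {"salt": salt, "verifier": _pbkdf2(password, salt), "enabled": True}

    def disable(self, sid):  # decommission in AD; nothing in ADAM has to change
        self._users[sid]["enabled"] = False

    def check_password(self, sid, password):
        u = self._users.get(sid)
        return bool(u and u["enabled"] and hmac.compare_digest(_pbkdf2(password, u["salt"]), u["verifier"]))

class AdamInstance:
    """Proxy objects carry a Windows SID plus app data, never a password."""
    def __init__(self, infra):
        self.infra = infra
        self.proxies = {}  # DN -> Windows SID
        self.groups = {}   # ADAM group SID -> member SIDs, across all NCs
        self.acls = {}     # DN -> {right: SIDs allowed}

    def find_dn(self, flat_name):  # step 2: flat string -> proxy object's DN
        wanted = "cn=" + flat_name.lower()
        return next((dn for dn in self.proxies if dn.split(",", 1)[0].lower() == wanted), None)

    def bind(self, dn, password, ssl):  # step 3: simple bind, check redirected to Windows
        if not ssl:  # assumption: deployment policy requires LDAPS for proxy binds
            raise PermissionError("simple bind to a proxy object requires SSL")
        sid = self.proxies.get(dn)
        if sid is None or not self.infra.check_password(sid, password):
            return None
        # token = Windows SID augmented with the ADAM groups it is a member of
        return frozenset({sid} | {g for g, m in self.groups.items() if sid in m})

    def access_check(self, token, dn, right):  # step 4: ACL SIDs matched against token
        return bool(self.acls.get(dn, {}).get(right, set()) & token)

def portal_login(adam, flat_name, password):  # step 1: client passes a flat string
    dn = adam.find_dn(flat_name)
    return adam.bind(dn, password, ssl=True) if dn else None

# Constructed demo data: Windows user, its ADAM proxy in an O=, C= partition, group, ACL
INFRA = InfrastructureDirectory()
INFRA.add_user("S-1-5-21-1-2-3-1001", "Correct-Horse")
ADAM = AdamInstance(INFRA)
ADAM.proxies["CN=alice,OU=Portal,O=Contoso,C=US"] = "S-1-5-21-1-2-3-1001"
ADAM.groups["S-1-ADAM-readers"] = {"S-1-5-21-1-2-3-1001"}
ADAM.acls["CN=prefs-alice,OU=Portal,O=Contoso,C=US"] = {"read": {"S-1-ADAM-readers"}, "write": {"S-1-5-21-1-2-3-1001"}}
```

A simple bind hands the password to ADAM in clear before it is redirected, which is why the model refuses proxy binds that do not arrive over SSL; disabling the account in the infrastructure directory is enough to stop the bind without touching the proxy object.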

Replication

• Multi master replication
    • Same as AD
    • Fully functional, updateable replicas
• Concept of sites, KCC same as AD
    • Schedules can be set independent of other instances
    • Set replication schedules in ADSIEdit
    • Repadmin tool available
• Replicas can host any subset of application partitions
• Can replicate between instances regardless of domain/workgroup or trusts

Administration Experience – Tools

• Administration model similar to AD – familiar tools to do familiar tasks
• GUI tools
    • LDP
    • ADSIEdit – new functionality to manage replication schedules
    • Schema Manager snap-in
• Command line tools – Ntdsutil, LDIFDE, Dcdiag, Dsacls, Repadmin equivalents
• Backup and restore through ntbackup
    • Snapshot writer based backups
    • System state backup not needed – store only
    • Auth restore, create replica from media available

Administration Experience – Centralized management

• Easy to setup and manage “ADAM Farms” centrally, much like SQL Server
    • Installation, configuration geared for this
• Server consolidation
    • Multiple instances and multiple partitions support
• Control services centrally through SMS
• Controlled deployment
    • ADAM registers SCP in AD (optional)
    • DNS for load balancing with referrals
    • Group policy controlled: service accounts, bind options can be controlled

Agenda

• Need for ADAM
• Usage Scenarios
• Architecture
• Tech Drilldown
• Summary

ADAM As App Directory

• Dedicated store for app data
• Standalone or replicated
• Independent of domain setup
• Local control and autonomy
• Schema and naming flexibility
• Everyone can have many!

Benefits Summary

• Ease of deployment
    • Install, reinstall, remove
    • .NET Server and XP Pro platforms
• Reduced infrastructure costs
    • Single directory technology
    • Same admin model
• Increased security
    • Integration with Windows principals
• Increased flexibility
    • Install anywhere without affecting AD
• Reliability and scalability
    • Same as AD

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.