Hi there. My name is Ken Mayer and I'm going to be your instructor through this course. Now I've been involved in the IT industry since the very early 80s, and I've had the opportunity to watch a lot of different technologies come and go: working with things like the mainframes from IBM, working in Unix systems, getting into this cool little creation called Novell while it was kind of the king of the networking world, and then right around the mid 90s out came Windows NT4, and I started getting on that bandwagon, seeing all the great features, really falling in love with the product, and I've kind of followed it ever since. That means going through the generations of NT4, going on through 2000, 2003 Server, and of course here we are at 2008 R2. During that time I had a lot of experience in other areas of the network. Of course that means the routing and the switching, working with large corporations such as Cisco and Juniper, working a lot in the security field, doing a lot of the ethical hacking adventures, doing some auditing. And so generally what I'm hoping is that, as we're talking about our course, I'll be able to take the experiences from all of these different areas I've worked in and bring that and share that with you as we continue on throughout our course here on Windows Server 2008.

This chapter is going to focus on installing the Active Directory role. Now it's important that when we talk about it we actually talk about where Active Directory is now situated inside the world of Microsoft: as a part of IDA, Identity and Access. Now this is one of six different parts of Active Directory that we're going to focus on, which is Directory Services. So we'll look at how to install the Active Directory Domain Services role. We'll talk about some of the new options you have with 2008 Server Core acting as a domain controller.
And of course we'll talk about how to do that installation on Server Core, which is a GUI-less version of Windows. We're going to take a look at exactly what IDA is, this thing called Identity and Access, and we're going to talk about how Active Directory is a part of this identity and access. Then it kind of makes sense as we're talking about Directory Services, because that is about identifying the user accounts and groups and computers and the type of access that is allowed into your network. We'll briefly discuss the five components of the IDA infrastructure, and we're going to take a look at what Windows Server 2008 offers beyond IDA as well.

Now Active Directory itself is providing for us this thing that we call the IDA (or I-D-A, however you want to say it), the identity and access solution for enterprise networks. Now this is an important part to be able to break down, because it's actually the first time, when talking about Microsoft (and I'm not saying this is the first time Microsoft has implemented this idea), that we've actually been technically specific about identities. And that's what Active Directory Domain Services does for us: it's storing information about these different identities, what we often still call Active Directory objects. Things like users, groups, computer accounts, and other types of identities. Now not only are we storing this, but we're also providing the mechanism by which we keep the passwords intact, so we can authenticate somebody who presents us with an identity. So Active Directory Domain Services is sometimes called the identity store. Every object, every identity, is going to have a security identifier that we call the SID. Now at this point, think of it this way: identity is one thing, authentication is something else.
We'll look at that as we break it down, but it's just important to remember that an identity, much like a driver's license, is your way of saying this is who I am; but of course today we have all of the stripes or the encoding on the back that we can run to verify that it's a legitimate ID card, a legitimate identification. And so now we finally see the technical separation as we have these discussions: identity is what you provide, and authentication is the verification of your identity. And that's what we're trying to keep track of as we work with Active Directory.

Now authentication is, as I said, verification of your identity. We're going to see a lot of times that as you access resources you don't have to re-authenticate. That's one of the benefits of having Kerberos in our Active Directory scheme: once authenticated, we can be issued tickets to get access to our servers or resources, as opposed to having to be authenticated over and over again.

Alright, so let's talk about Active Directory, the identity and access control. Now with the identity, as I said, we had the Directory Services, which was a store of all of the information, all of the objects that we wanted to be able to verify later. Along with these objects, these identities, we store in Active Directory the passwords. So that as you as a user log in and present your username and your password, your identity, those pieces of information can be passed on to the directory, that is, the domain controller, and compared with what's in the identity store to see if what you've provided is authentic. And that, of course, would be the authentication process that we go through. Now the other benefit that we have is that Active Directory is going to help us in controlling access to all of the resources.
The idea of access control lists is that we have the ability to create a lot of entries, what they call ACEs, access control entries, that say this user has read permission, that user has write permission. And you can go through that access control list, all of those ACEs, and when you take my identity that has been authenticated, you can compare who I am with that access control list to see what permissions I have on a particular resource.

Now in Windows we use what's called a discretionary access control list. That's different from a mandatory access control list, or some of the other kinds of ACLs, but let me just give you the basic definition. A discretionary access control list is a security model that says that if you create a file, you are the owner of that file, and as the owner you then have the choice of giving whatever permissions you want for access to your own file. That means as an ordinary user, if you create a Word document, you're the owner of that file. You can, if you choose to do so, deny the administrator of your network the ability to even read that file. Now Windows of course does allow administrators to take ownership of a file, and once they take ownership then, as owner, they can change it and give themselves permission. But that's the only one that gets to take the ownership, or anybody else who holds that take-ownership permission. But that is the essence of discretionary access control: the owner chooses the security on each file that they create.

So now how does that work with Active Directory? We are going to be able to say, as the owner of a file, that a given user can or can't read that file. And those are the permissions that will be enforced by Windows through Active Directory. So when a user comes in requesting access to the file, they have to present a ticket to verify that they are a member of that domain.
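One way to see the owner-controls-the-DACL behaviour just described on a real file, as an added PowerShell example that is not part of the course material (the file path and the user name alice are placeholders):

```powershell
# Added example, not from the course. Walks through the DACL story above:
# the owner (a plain user) denies Administrators read on her own file, then
# an administrator recovers access by taking ownership and rewriting the DACL.
# Path and account names are placeholders.
$path = 'C:\Users\alice\Documents\report.docx'

# ---- Step 1: run as the file's owner (alice). An owner implicitly holds
# READ_CONTROL and WRITE_DAC, so alice can edit the DACL with no extra rights.
$acl = Get-Acl -Path $path
# Trustee, rights, type. The trustee name is resolved to its SID when stored.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'Read', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Windows keeps the DACL in canonical order: explicit Deny ACEs ahead of Allow
# ACEs, so an admin's Administrators membership hits the Deny first.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# ---- Step 2: run as an administrator (elevated). Reading now fails:
#   Get-Content $path   -> "Access to the path ... is denied."
# No ACE grants the admin anything, but SeTakeOwnershipPrivilege lets the
# admin become owner; that is the one escape hatch the course describes.
takeown.exe /F $path

# As the new owner the admin may rewrite the DACL: drop the Deny, add an Allow.
$acl = Get-Acl -Path $path
$denyAdmins = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'Read', 'Deny')
$acl.RemoveAccessRule($denyAdmins) | Out-Null
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')
$acl.AddAccessRule($allow)
Set-Acl -Path $path -AclObject $acl

# The ownership change is auditable: with object access auditing enabled, the
# takeown is recorded in the Security log, the accounting side of AAA.
```

Until the Deny ACE is removed, the administrator still cannot read the file contents even after taking ownership; only the implicit owner rights to read and write the DACL are granted ahead of the ACE walk.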
The server then compares that ticket against the access list and says yes or no, you can have access to that file, or that printer, or the file share, or whatever resources are out there.

And finally, the other big thing that we want out of our Active Directory is what we call the auditing, the accounting. So really we're looking at a full AAA type of solution, AAA meaning authentication, authorization, and accounting. Authentication we talked about; authorization is the access control list, what you're allowed to do; and then the accounting is the auditing, to be able to keep track of what users are doing. And that's the other important part for us as far as security related matters: to see if people are attempting to access files they shouldn't, to see if they are accessing files that they weren't supposed to, to look for signs of people hacking in or trying to break in by guessing or doing brute force attacks against user accounts with passwords. A lot of that information is all here in the accounting. Now the great thing is, we're going to get the opportunity to talk about all of these things in more detail as we move on throughout the different chapters.

What we have seen with Microsoft's changes is this idea or conception of identity and access. They call it the IDA platform. And what they've done is they've looked at the roles that we usually run, things like Active Directory and Certificate Services and those things. And it kind of makes sense to say, you know, a lot of these have to deal with ways to identify and authenticate a user, as well as determine what access rights or permissions they have to different resources. And so they said, you know, they kind of fall into this category of services that deal with identities and access. And so they've now categorized them all as Active Directory types of roles.
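The accounting side can be exercised as follows. This is an added PowerShell example, not from the course; it assumes it runs elevated on a domain controller where the two audit subcategories named in it are enabled, and 10 failures per hour from one source is an assumed starting threshold, not a value the course gives:

```powershell
# Added example, not from the course. Uses the "accounting" leg of AAA: turn on
# failure auditing for logons, then pull failed-logon events from the Security
# log and group them to surface password guessing against accounts.
# Assumes an elevated session on a domain controller; threshold is assumed.

# Enable failure auditing (one-time per DC, or centrally through Group Policy).
auditpol.exe /set /subcategory:"Logon" /failure:enable
auditpol.exe /set /subcategory:"Kerberos Authentication Service" /failure:enable

# 4625 = an account failed to log on (NTLM / local logons seen by this host).
# 4771 = Kerberos pre-authentication failed (bad password against the DC's KDC).
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $since } -ErrorAction SilentlyContinue

# Pull the target account and source address out of each event's XML payload.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        Source  = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    }
}

# Many failures for one account from one source within the hour is the pattern
# the course calls guessing or brute force; 10 is an assumed starting threshold.
$rows |
    Group-Object Account, Source |
    Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```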
So of those five we have, the one that we used to just refer to as Active Directory is now called ADDS, Active Directory Domain Services. All right, it is what Active Directory is supposed to be: a centralized location of user accounts and groups and computers and everything that we kind of lump under the term of a secure identity. And it's a management system for an entire enterprise, whether the enterprise is a small office or spans the world with hundreds of thousands of users.

The other component they have is basically a stripped-down version of Directory Services called Lightweight Directory Services. Now it is a database, a hierarchical database solution, that application developers can use where they need that kind of directory-enabled storage. Now that might be something like a customer management system. What that means is, if you think of how Active Directory stores things, you have the main domain, and in that domain you have organizational units, you have child organizational units, and all of those are containers that hold different types of objects. For Active Directory Domain Services, those were users and computers and groups and printers and all sorts of things. Well, that's the same type of structure that you might need for, like I said, a customer management system. And so now Microsoft has made available to developers this database storage capability that we can host on a server just by installing the ADLDS role.

Other components of the IDA platform include Certificate Services. Now again, Certificate Services is about authentication. It's a way of verifying an object (I shouldn't say just a user, because it can verify users and servers and web applications and firewalls and routers and all sorts of really cool stuff). It's a way of authenticating those objects. And so Certificate Services is the solution you use to administer certificates to add to or improve your security systems.
Now it improves security systems by making your authentication stronger. It utilizes public key technology, as we expect with certificates. That means there's always a private and a public key pair assigned when a user or an object is given a certificate. The public key everybody knows about; the private key only that object keeps track of. And we use that information again as part of a way of even encrypting or digitally signing data, like an email that we send. And it integrates into the entire end user experience. I mean, we see the results of Certificate Services if you've ever done any online banking: you're using that bank's server certificate to verify that it is your bank, and using those keys that I talked about to help enable that secure SSL communication.

The next one we see is Rights Management Services. Now this is again moved into Active Directory. And what it does is, I guess you could say by definition, persistently protect and control access to sensitive information like documents and email. We call it digital rights management in the more popular term. But the goal here is to simply say, look, if I have something I've worked on that's copyrighted material, I don't want it to just be moved out to the local file share for everybody to steal, or down to the next BitTorrent site. What we know is that if that file is on my Windows server, I can protect it. But once I email that file to somebody or put it up for somebody to download, I can no longer control it or keep it safe, because it's now up to those people's operating systems and what their security is. But not with rights management. With rights management, we'll see that we can encrypt that file.
And no matter who has that file, they can't decrypt it unless they have my specific permission, by my granting them that access, so that when they do decide to open the file, each and every time they try to open it, they have to come authenticate with my server to get the permission to open it up. That's pretty cool. So that's another part of the IDA that we see here with Microsoft.

The last component of the IDA platform is Federation Services. Now it provides, to use the nice definition, a standards-based method to establish trust relationships between different organizations. An easy way of saying it is: I have, let's say, a web application running in my forest, my network, and I want to allow users from a different network to be able to use that web application. But here's the thing, they need to sign in. It's not going to be a public-consumption, anonymous-user type of thing. They have to have an account. In the old days, if somebody who was not in my organization had to authenticate with my domain, I had to create an entry for them. And that's kind of giving more people access to my network, potentially more access than I want. Oh, and also that user had to memorize more than one password: theirs for their domain and one for mine. So what we see now is that we're finding a way to give the user a single sign-on experience. They sign into their domain, and we set up a type of trust relationship between their realm or forest and my realm or forest, so that if they sign on on theirs, and I trust their authentication process, then I can allow them access as their foreign user account into my network to have access to that web application. Alright, so again that's kind of what Federation Services is designed to help us do.

Now if we go beyond just the idea of IDA, we know there's more to a solution with Windows Server 2008.
We know that in Directory Services we have a set of rules that define what every identity, every object, is: the thing that contains a listing of what attributes each is defined to have. We call that the schema. So when I create a user account, I know I have a username and I have a logon time and I have an address and phone number and all these attributes; those are predefined to exist, in the schema. I should say there's a difference between having an attribute be predefined versus having an attribute already defined with a value. So these are just predefined, the fact that an address and phone number field exist in a user account; you as the admin have to fill in the values. We also have policy-based administration, and we're going to look at that as we talk about Group Policy Objects and how we can link those to the different types of containers that we have available. It also contains replication services, so that I can have multiple domain controllers communicating with each other on a regular basis to make sure that we're always, or as close as possible to, in sync. Again, a better way of being able to manage our infrastructure, our Directory Services. All of these extra pieces come together to make it even more secure and to make it easier for us to administer, something we used to call a good total cost of ownership, so that you don't have to have a lot of different people doing a lot of different things; we can minimize the amount of work and the number of people it takes to implement this.