Windows Server 2008 Reviewers Guide, part 7

148 Windows Server 2008 Reviewers Guide

- A better administrative experience when you establish federated trusts. Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.

Improved Installation

Active Directory Federation Services in Windows Server 2008 brings several improvements to the installation experience. To install Active Directory Federation Services in Windows Server 2003 R2, you had to go to Add/Remove Programs to find and install the Active Directory Federation Services component. However, in Windows Server 2008, you can install Active Directory Federation Services as a server role using Server Manager. You can use improved Active Directory Federation Services configuration wizard pages to perform server validation checks before you continue with the Active Directory Federation Services server role installation. In addition, Server Manager automatically lists and installs all the services that Active Directory Federation Services depends on during the Active Directory Federation Services server role installation. These services include Microsoft ASP.NET 2.0 and other services that are part of the Web Server (IIS) server role.

Improved Application Support

Active Directory Federation Services in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Services 2007 and Active Directory Rights Management Services.

Integration With Office SharePoint Services 2007

Office SharePoint® Services 2007 takes full advantage of the SSO capabilities that are integrated into this version of Active Directory Federation Services. Active Directory Federation Services in Windows Server 2008 includes functionality to support Office SharePoint Services 2007 membership and role providers.
This means that you can effectively configure Office SharePoint Services 2007 as a claims-aware application in Active Directory Federation Services, and you can administer any Office SharePoint Services 2007 sites using membership and role-based access control. The membership and role providers that are included in this version of Active Directory Federation Services are for consumption only by Office SharePoint Services 2007.

Integration With Active Directory Rights Management Server

Active Directory Rights Management Services and Active Directory Federation Services can be integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed Active Directory Rights Management Services can set up federation with an external organization by using Active Directory Federation Services. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a deployment of Active Directory Rights Management Services in both organizations.

Better Administrative Experience When Establishing Federated Trusts

In both Windows Server 2003 R2 and Windows Server 2008, Active Directory Federation Services administrators can create a federated trust between two organizations using either a process of importing and exporting policy files or a manual process that involves the mutual exchange of partner values, such as Uniform Resource Identifiers (URIs), claim types, claim mappings, display names and so on. The manual process requires the administrator who receives this data to type all the received data into the appropriate pages in the Add Partner Wizard, which can result in typographical errors.
In addition, the manual process requires the account partner administrator to send a copy of the verification certificate for the federation server to the resource partner administrator so that the certificate can be added through the wizard.

Although the ability to import and export policy files was available in Windows Server 2003 R2, creating federated trusts between partner organizations is easier in Windows Server 2008 as a result of enhanced policy-based export and import functionality. These enhancements were made to improve the administrative experience by permitting more flexibility for the import functionality in the Add Partner Wizard. For example, when a partner policy is imported, the administrator can use the Add Partner Wizard to modify any values that are imported before the wizard process is completed. This includes the ability to specify a different account partner verification certificate and the ability to map incoming or outgoing claims between partners.

By using the export and import features that are included with Active Directory Federation Services in Windows Server 2008, administrators can simply export their trust policy settings to an .xml file and then send that file to the partner administrator. This exchange of partner policy files provides all of the URIs, claim types, claim mappings and other values and the verification certificates that are necessary to create a federated trust between the two partner organizations.

The following illustration and accompanying instructions show how a successful exchange of policies between partners — in this case, initiated by the administrator in the account partner organization — can help streamline the process for establishing a federated trust between two fictional organizations: A. Datum Corp. and Trey Research.

The following flowchart shows how a domain controller running Windows Server 2008 can transition between these three possible states.

1. The account partner administrator specifies the Export Basic Partner Policy option by right-clicking on the Trust Policy folder and exports a partner policy file that contains the URL, display name, federation server proxy URL, and verification certificate for A. Datum Corp. The account partner administrator then sends the partner policy file (by e-mail or other means) to the resource partner administrator.

2. The resource partner administrator creates a new account partner using the Add Account Partner Wizard and selects the option to import an account partner policy file. The resource partner administrator proceeds to specify the location of the partner policy file and to verify that all the values which are presented in each of the wizard pages — which are pre-populated as a result of the policy import — are accurate. The administrator then completes the wizard.

3. The resource partner administrator can now configure additional claims or trust policy settings that are specific to that account partner. After this configuration is complete, the administrator specifies the Export Policy option by right-clicking on the A. Datum Corp. account partner. The resource partner administrator exports a partner policy file that contains values such as the URL, federation server proxy URL, display name, claim types and claim mappings for the Trey Research organization. The resource partner administrator then sends the partner policy file to the account partner administrator.

4. The account partner administrator creates a new resource partner using the Add Resource Partner Wizard and selects the option to import a resource partner policy file. The account partner administrator specifies the location of the resource partner policy file and verifies that all the values that are presented in each of the wizard pages — which are pre-populated as a result of the policy import — are accurate. The administrator then completes the wizard.
When this process is complete, a successful federation trust between both partners is established. Resource partner administrators can also initiate the import and export policy process, although that process is not described here.

New Settings

You configure Windows NT token-based Web Agent settings with the IIS Manager snap-in. To support the new functionality that is provided with IIS 7.0, Windows Server 2008 Active Directory Federation Services includes UI updates for the Active Directory Federation Services Web Agent role service. The following table lists where each Active Directory Federation Services Web Agent property page is found in IIS Manager, for IIS 6.0 (old location) and for IIS 7.0 (new location).

Active Directory Federation Services Web Agent Property Pages

IIS 6.0 Property Page | Old Location | IIS 7.0 Property Page | New Location
Active Directory Federation Services Web Agent tab | <COMPUTERNAME>\Web Sites | Federation Service URL | <COMPUTERNAME> (in the Other section of the center pane)
Active Directory Federation Services Web Agent tab | <COMPUTERNAME>\Web Sites\<Site or Virtual Directory> | Active Directory Federation Services Web Agent | <COMPUTERNAME>\Web Sites\<Site or Virtual Directory> (in the IIS\Authentication section of the center pane)

Note: There are no significant UI differences between the Active Directory Federation Services snap-in in Windows Server 2008 and the Active Directory Federation Services snap-in in Windows Server 2003 R2.

5.12 Active Directory Lightweight Directory Services

The Active Directory Lightweight Directory Services server role is an LDAP directory service. It provides data storage and retrieval for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services.
Active Directory Lightweight Directory Services in Windows Server 2008 encompasses the functionality that was provided by Active Directory Application Mode, which is available for Microsoft Windows XP Professional and the Windows Server 2003 operating systems. Active Directory Lightweight Directory Services gives organizations flexible support for directory-enabled applications. A directory-enabled application uses a directory — rather than a database, flat file, or other data storage structure — to hold its data. Directory services (such as Active Directory Lightweight Directory Services) and relational databases both provide data storage and retrieval, but they differ in their optimization. Directory services are optimized for read processing, whereas relational databases are optimized for transaction processing. Many off-the-shelf applications and many custom applications use a directory-enabled design. Examples include these:

- Customer relationship management (CRM) applications
- Human resources (HR) applications
- Global address book applications

Active Directory Lightweight Directory Services provides much of the same functionality as Active Directory Domain Services (and, in fact, is built on the same code base), but it does not require the deployment of domains or domain controllers. You can run multiple instances of Active Directory Lightweight Directory Services concurrently on a single computer, with an independently managed schema for each Active Directory Lightweight Directory Services instance or configuration set (if the instance is part of a configuration set). Member servers, domain controllers and stand-alone servers can be configured to run the Active Directory Lightweight Directory Services server role.
Active Directory Lightweight Directory Services is similar to Active Directory Domain Services in that it provides the following:

- Multimaster replication
- Support for the Active Directory Service Interfaces API
- Application directory partitions
- LDAP over SSL

Active Directory Lightweight Directory Services differs from Active Directory Domain Services primarily in that it does not store Windows security principals. Although Active Directory Lightweight Directory Services can use Windows security principals (such as domain users) in ACLs that control access to objects in Active Directory Lightweight Directory Services, Windows cannot authenticate users stored in Active Directory Lightweight Directory Services or use Active Directory Lightweight Directory Services users in its ACLs. In addition, Active Directory Lightweight Directory Services does not support domains and forests, Group Policy or global catalogs.

Organizations that have the following requirements will find Active Directory Lightweight Directory Services particularly useful:

- Application-specific directories that use customized schemas or that depend on decentralized directory management

  Active Directory Lightweight Directory Services directories are separate from the domain infrastructure of Active Directory Domain Services. As a result, they can support applications that depend on schema extensions that are not desirable in the Active Directory Domain Services directory — such as schema extensions that are useful to a single application. In addition, the local server administrator can administer the Active Directory Lightweight Directory Services directories; domain administrators do not need to provide administrative support.
- Directory-enabled application development and prototyping environments that are separate from the enterprise's domain structure

  Application developers who are creating directory-enabled applications can install the Active Directory Lightweight Directory Services role on any server, even on stand-alone servers. As a result, developers can control and modify the directory in their development environment without interfering with the organization's Active Directory Domain Services infrastructure. These applications can be deployed subsequently with either Active Directory Lightweight Directory Services or Active Directory Domain Services as the application's directory service, as appropriate. Network administrators can use Active Directory Lightweight Directory Services as a prototype or pilot environment for applications that will eventually be deployed with Active Directory Domain Services as their directory store, as long as the application does not depend on features specific to Active Directory Domain Services.

- Management of external client computers' access to network resources

  Enterprises that need to authenticate extranet client computers, such as Web client computers or transient client computers, can use Active Directory Lightweight Directory Services as the directory store for authentication. This helps enterprises avoid having to maintain external client information in the enterprise's domain directory.

- Enabling of earlier LDAP client computers in a heterogeneous environment to authenticate against Active Directory Domain Services

  When organizations merge, there is often a need to integrate LDAP client computers running different server operating systems into a single network infrastructure.
  In such cases, rather than immediately upgrading client computers running earlier LDAP applications or modifying the Active Directory Domain Services schema to work with the earlier clients, network administrators can install the Active Directory Lightweight Directory Services server role on one or more servers. The Active Directory Lightweight Directory Services server role acts as an interim directory store using the earlier schema until the client computers can be upgraded to use Active Directory Domain Services natively for LDAP access and authentication.

Because Active Directory Lightweight Directory Services is designed to be a directory service for applications, it is expected that the applications will create, manage and remove directory objects. As a general-purpose directory service, Active Directory Lightweight Directory Services is not supported by such domain-oriented tools as these:

- Active Directory Domains and Trusts
- Active Directory Users and Computers
- Active Directory Sites and Services

However, administrators can manage Active Directory Lightweight Directory Services directories by using directory tools such as the following:

- ADSI Edit (for viewing, modifying, creating and deleting any object in Active Directory Lightweight Directory Services)
- Ldp.exe (for general LDAP administration)
- Other schema management utilities

Applications that were designed to work with Active Directory Application Mode do not require changes to function with Active Directory Lightweight Directory Services.

5.13 Active Directory Rights Management Services

For Windows Server 2008, Active Directory Rights Management Services includes several new features that were not available in Microsoft Windows Rights Management Services (RMS).
These new features were designed to ease the administrative overhead of Active Directory Rights Management Services and to extend its use outside your organization. These new features include the following:

- Inclusion of Active Directory Rights Management Services in Windows Server 2008 as a server role
- Administration through an MMC
- Integration with Active Directory Federation Services
- Self-enrollment of Active Directory Rights Management Services servers
- Ability to delegate responsibility by means of new Active Directory Rights Management Services administrative roles

Note: This topic concentrates on the features specific to Active Directory Rights Management Services that are being released with Windows Server 2008. Earlier versions of RMS were available as a separate download. For more information about the features that were available in RMS, see Windows Server 2003 Rights Management Services (RMS) (http://go.microsoft.com/fwlink/?LinkId=68637).

Active Directory Rights Management Services, a format- and application-agnostic technology, provides services to enable the creation of information-protection solutions. It will work with any Active Directory Rights Management Services-enabled application to provide persistent usage policies for sensitive information. Content that can be protected by using Active Directory Rights Management Services includes intranet Web sites, e-mail messages and documents. Active Directory Rights Management Services includes a set of core functions that allow developers to add information protection to the functionality of existing applications.

An Active Directory Rights Management Services system, which includes both server and client components, performs the following processes:

- Licensing rights-protected information. An Active Directory Rights Management Services system issues rights account certificates, which identify trusted entities (such as users, groups and services) that can publish rights-protected content.
  Once trust has been established, users can assign usage rights and conditions to content they want to protect. These usage rights specify who can access rights-protected content and what they can do with it. When the content is protected, a publishing license is created for the content. This license binds the specific usage rights to a given piece of content so that the content can be distributed. For example, users can send rights-protected documents to other users inside or outside their organization without the content losing its rights protection.

- Acquiring licenses to decrypt rights-protected content and applying usage policies. Users who have been granted a rights account certificate can access rights-protected content by using an Active Directory Rights Management Services-enabled client application that allows users to view and work with rights-protected content. When users attempt to access rights-protected content, requests are sent to Active Directory Rights Management Services to access, or "consume," that content. When a user attempts to consume the protected content, the Active Directory Rights Management Services licensing service on the Active Directory Rights Management Services cluster issues a unique use license that reads, interprets and applies the usage rights and conditions specified in the publishing licenses. The usage rights and conditions are persistent and automatically applied everywhere the content goes.

- Creating rights-protected files and templates. Users who are trusted entities in an Active Directory Rights Management Services system can create and manage protection-enhanced files by using familiar authoring tools in an Active Directory Rights Management Services-enabled application that incorporates Active Directory Rights Management Services technology features.
  In addition, Active Directory Rights Management Services-enabled applications can use centrally defined and officially authorized usage rights templates to help users efficiently apply a predefined set of usage policies.

Active Directory Rights Management Services is designed to help make content more secure, regardless of where the rights-protected content is moved. You should review this section, and additional documentation about Active Directory Rights Management Services, if you are in any of the following groups:

- IT planners and analysts who are evaluating enterprise rights management products
- IT professionals responsible for supporting an existing RMS infrastructure
- IT security architects who are interested in deploying information protection technology that provides protection for both data at rest and data in motion

Active Directory Rights Management Services relies on Active Directory Domain Services to verify that the user attempting to consume rights-protected content is authorized to do so. When registering the Active Directory Rights Management Services service connection point (SCP) during installation, the installing user account must have Write access to the Services container in Active Directory Domain Services. Finally, all configuration and logging information is stored in the Active Directory Rights Management Services Logging Database. In a test environment, you can use the Windows Internal Database, but in a production environment, we recommend using a separate database server.

Active Directory Rights Management Services includes a number of enhancements over earlier versions of RMS. These enhancements include the following:

- Improved installation and administration experience. Active Directory Rights Management Services is included with Windows Server 2008 and is installed as a server role.
  In addition, Active Directory Rights Management Services administration is done through an MMC, as opposed to the Web site administration presented in the earlier versions.

- Self-enrollment of the Active Directory Rights Management Services cluster. An Active Directory Rights Management Services cluster can be enrolled without having to connect to the Microsoft Enrollment Service. Through the use of a server self-enrollment certificate, the enrollment process is done entirely on the local computer.

- Integration with Active Directory Federation Services. Active Directory Rights Management Services and Active Directory Federation Services have been integrated such that enterprises are able to leverage existing federated relationships to collaborate with external partners.

- New Active Directory Rights Management Services administrative roles. The ability to delegate Active Directory Rights Management Services tasks to different administrators is needed in any enterprise environment and is included with this version of Active Directory Rights Management Services. Three administrative roles have been created: Active Directory Rights Management Services Enterprise Administrators, Active Directory Rights Management Services Template Administrators, and Active Directory Rights Management Services Auditors.

Improved Installation and Administration Experience

Active Directory Rights Management Services in Windows Server 2008 brings many improvements to both the installation and administration experience. In earlier versions of RMS, a separate installation package had to be downloaded and installed, but in this version, Active Directory Rights Management Services has been integrated into the operating system and is installed as a server role through Server Manager. Configuration and provisioning are achieved through the server role installation.
In addition, Server Manager automatically lists and installs all services that Active Directory Rights Management Services is dependent on, such as Message Queuing and Web Server (IIS), during the Active Directory Rights Management Services server role installation. During installation, if you do not specify a remote database as the Active Directory Rights Management Services Configuration and Logging database, the Active Directory Rights Management Services server role installation automatically installs and configures the Windows Internal Database for use with Active Directory Rights Management Services.

In the earlier versions of RMS, administration was done through a Web interface. In Active Directory Rights Management Services, the administrative interface has been migrated to an MMC snap-in console. The Active Directory Rights Management Services console gives you all the functionality available with the earlier version of RMS, but in an interface that is much easier to use. Offering Active Directory Rights Management Services as a server role that is included with Windows Server 2008 makes the installation process less burdensome by not requiring you to download Active Directory Rights Management Services separately before installing it. Using an Active Directory Rights Management Services console for administration instead of a browser interface makes more options available to improve the user interface. The Active Directory Rights Management Services console employs user interface elements that are consistent throughout Windows Server 2008 and that are designed to be much easier to follow and navigate. In addition, with the inclusion of Active Directory Rights Management Services administration roles, the Active Directory Rights Management Services console displays only the parts of the console that the user can access.
For example, a user who is using the Active Directory Rights Management Services Template Administrators administration role is restricted to tasks that are specific to Active Directory Rights Management Services templates. All other administrative tasks are not available in the Active Directory Rights Management Services console.
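The licensing flow this section describes (a rights account certificate identifies a trusted user, a publishing license binds the usage rights and the protected content key together, and a use license is issued only after the licensing service checks those rights) is modelled in the following Python, which is an added example and not AD RMS code. It substitutes HMAC-signed dictionaries and a hash-derived toy cipher for the real XrML licenses and RSA/AES operations; the server, user names and sample document are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets


def _sign(key: bytes, payload: dict) -> str:
    """Sign a license body: HMAC over its canonical JSON encoding (toy)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, payload), sig)


def _xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy cipher (XOR with a SHAKE-256 keystream); stands in for AES/RSA."""
    stream = hashlib.shake_256(label + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False


class RmsServer:  # model of the licensing service on an AD RMS cluster
    def __init__(self):
        self._key = secrets.token_bytes(32)  # server licensor key
        self._rac_keys = {}                  # user -> RAC key

    def issue_rac(self, user):
        """Rights account certificate: marks a user as a trusted entity."""
        rac_key = secrets.token_bytes(32)
        self._rac_keys[user] = rac_key
        body = {"type": "RAC", "user": user}
        return {"body": body, "sig": _sign(self._key, body), "key": rac_key}

    def publish(self, author_rac, content, rights):
        """Encrypt content; bind rights and the server-wrapped key in a PL."""
        if not _verify(self._key, author_rac["body"], author_rac["sig"]):
            raise PermissionError("author has no valid RAC")
        content_key, content_id = secrets.token_bytes(32), secrets.token_hex(8)
        protected = _xor_stream(content_key, b"content", content)
        wrapped = _xor_stream(self._key, b"wrap:" + content_id.encode(), content_key)
        body = {"type": "PL", "content_id": content_id, "rights": rights,
                "author": author_rac["body"]["user"], "wrapped_key": wrapped.hex()}
        return protected, {"body": body, "sig": _sign(self._key, body)}

    def acquire_use_license(self, rac, publishing_license):
        """Issue a UL only if the PL is untampered and grants this RAC rights."""
        pl = publishing_license["body"]
        if not _verify(self._key, pl, publishing_license["sig"]):
            raise ValueError("publishing license signature invalid")
        if not _verify(self._key, rac["body"], rac["sig"]):
            raise PermissionError("requester has no valid RAC")
        user = rac["body"]["user"]
        granted = pl["rights"].get(user)
        if not granted:
            raise PermissionError(f"{user} has no rights to {pl['content_id']}")
        label = b"wrap:" + pl["content_id"].encode()
        content_key = _xor_stream(self._key, label, bytes.fromhex(pl["wrapped_key"]))
        rewrapped = _xor_stream(self._rac_keys[user], label, content_key)  # for this RAC only
        body = {"type": "UL", "user": user, "content_id": pl["content_id"],
                "rights": granted, "wrapped_key": rewrapped.hex()}
        return {"body": body, "sig": _sign(self._key, body)}


def consume(rac, use_license, protected):
    """Client side: unwrap the content key with the RAC key, then decrypt."""
    ul = use_license["body"]
    key = _xor_stream(rac["key"], b"wrap:" + ul["content_id"].encode(), bytes.fromhex(ul["wrapped_key"]))
    return _xor_stream(key, b"content", protected)


def demo():
    """Run the flow end to end and report what each party could do."""
    server = RmsServer()
    alice, bob, mallory = (server.issue_rac(u) for u in ("alice", "bob", "mallory"))
    plaintext = b"Q3 acquisition plan (constructed sample document)"
    protected, pl = server.publish(alice, plaintext, {"alice": ["view", "edit"], "bob": ["view"]})
    ul = server.acquire_use_license(bob, pl)
    results = {"bob_rights": ul["body"]["rights"],
               "bob_decrypts": consume(bob, ul, protected) == plaintext}
    # mallory holds a valid RAC but no rights; forging them breaks the PL signature
    results["mallory_denied"] = _raises(PermissionError, server.acquire_use_license, mallory, pl)
    forged = {"body": json.loads(json.dumps(pl["body"])), "sig": pl["sig"]}
    forged["body"]["rights"]["mallory"] = ["view"]
    results["tamper_detected"] = _raises(ValueError, server.acquire_use_license, mallory, forged)
    return results
```

Running demo() shows that a tampered publishing license is rejected before any rights check, so the rights travel with the content and are enforced by the licensing service rather than by the recipient.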

Posted: 14/08/2014, 02:22