European Directory Experts Conference 23rd - 26th September 2007
The European Directory Experts Conference was held in Brussels, the capital of Belgium, from the 23rd to the 26th of September 2007. The AD geek show had been brought to Europe by NetPro and Gil Kirkpatrick, the NetPro CTO, and his crew! It was a thrill to be in the midst of the guys I hang out with on the AD newsgroups on the web.
Arriving in Brussels on the 23rd was something else!

The city centre had been closed to cars and other motor vehicles, and any taxis or buses had to drive at a maximum of 30 miles per hour. It did feel weird watching the taxi weave through literally hundreds of bikes and horse-drawn carts!

The keynote was given by Stuart Kwan and the topic was the Identity Metasystem. This was the second time I was hearing Stuart give this kind of presentation, but this time I think I really got it: how to get our infrastructure from being directory providers to being identity providers, and the "formal layers of indirection" that allow for secure transactions between organisations across insecure networks like the Internet. With connectivity being ubiquitous, the missing link is how you can be sure of the identity of the subject making a claim or assertion.

He described the Identity Metasystem as being made up of:
- Identity Providers, which could be Kerberos or X.509 based directories, that vouch for a subject
- Security Token Services (STS), which transform what the identity provider knows about a user into signed claims carried in a security token
- Relying Parties, such as applications consuming SAML tokens, which act on the claims
- The Subject, the user who selects an identity to present and obtains a token for it from the STS
- The WS-* protocols which glue all this together:
  - WS-Trust
  - WS-MetadataExchange and
  - WS-SecurityPolicy
What this readily provides is applications whose behaviour is driven by the identity expressed in the claims a subject presents, rather than by accounts the application holds itself.
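To make the exchange above concrete, here is an added example (not code from the talk or from any Microsoft product) of the three parties in miniature: an STS issues a signed token of claims scoped to one relying party and a short lifetime, the relying party validates it before trusting anything in it, and an application decision is taken on the claims alone. An HMAC over the token body stands in for the X.509 signature a real STS would apply; the key, issuer and audience URIs, the subject name and the "expense approval" decision are all made-up placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed example. A shared HMAC key stands in for the X.509 key with which a
# real STS signs its tokens; the issuer and audience URIs are made up.
STS_SIGNING_KEY = b"constructed-demo-key-do-not-use-in-production"
ISSUER = "urn:constructed:contoso-sts"        # the identity provider's STS
AUDIENCE = "urn:constructed:expenses-app"     # the relying party


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(subject: str, claims: dict, audience: str, now: float, ttl: int = 300) -> str:
    """Identity provider side: the STS turns what it knows about the subject into a
    signed token of claims, scoped to one relying party and a short lifetime."""
    payload = {"iss": ISSUER, "aud": audience, "sub": subject,
               "iat": int(now), "exp": int(now) + ttl, "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def rp_validate_token(token: str, now: float) -> dict:
    """Relying party side: trust the claims only after checking signature, issuer,
    audience and validity window. Any failure raises ValueError."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError as exc:                       # wrong segment count or bad base64
        raise ValueError("malformed token") from exc
    expected = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        raise ValueError("signature check failed: claims did not come from a trusted STS")
    payload = json.loads(body)
    if payload.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if payload.get("aud") != AUDIENCE:
        raise ValueError("token was issued for a different relying party")
    if not payload.get("iat", 0) <= now < payload.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return payload


def approve_expense(token: str, amount: int, now: float) -> bool:
    """Identity-driven behaviour: the decision is taken on the claims in the token,
    not on an account the application holds in its own directory."""
    claims = rp_validate_token(token, now)["claims"]
    return "manager" in claims.get("roles", []) and amount <= int(claims.get("approval_limit", 0))


def demo() -> dict:
    """Walk the exchange: the subject obtains a token from the STS and presents it to
    the relying party; then show the checks that catch forged, misdirected or stale tokens."""
    now = 1_700_000_000.0
    token = sts_issue_token("alice@partner.example",
                            {"roles": ["manager"], "approval_limit": 5000}, AUDIENCE, now)
    # Attacker keeps the STS signature but rewrites the claims: must be rejected.
    body_b64, sig_b64 = token.split(".")
    forged_payload = json.loads(_unb64(body_b64))
    forged_payload["claims"]["approval_limit"] = 10**9
    forged = _b64(json.dumps(forged_payload, sort_keys=True,
                             separators=(",", ":")).encode()) + "." + sig_b64
    # A token minted for some other relying party must be rejected too.
    other_rp = sts_issue_token("alice@partner.example", {"roles": ["manager"]},
                               "urn:constructed:other-app", now)

    def rejected(tok: str, at: float) -> bool:
        try:
            rp_validate_token(tok, at)
            return False
        except ValueError:
            return True

    return {
        "subject": rp_validate_token(token, now)["sub"],
        "within_limit": approve_expense(token, 4000, now),
        "over_limit": approve_expense(token, 6000, now),
        "forged_rejected": rejected(forged, now),
        "wrong_audience_rejected": rejected(other_rp, now),
        "expired_rejected": rejected(token, now + 301),
    }


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often skipped in home-grown claims code: without it, a token legitimately issued for one partner application can be replayed against another that trusts the same STS.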
This concept is not exactly new for intranet apps and is well established there. The key here is extending that facility beyond the boundaries of organisations in a secure manner. The challenge, as Stuart aptly put it, was to "deproblematize deperimeterization":
- Connect with people outside the network
- Connect with less friction and increased security
- In a situation where knowledge workers control trusts and are held accountable.
Products which today facilitate the Identity Metasystem in the Microsoft space include:
- AD FS, which made its entry in WS03 R2 and is "souped up" in WS08
- Windows CardSpace, the identity selector, which supports claims-based apps
- Windows Communication Foundation in .NET 3.0
- AD RMS, which keeps data assets protected as they move between organisations
- Applications like MOSS 2007 which are claims aware.
Interoperability with other directory systems and federation services, and an extensible claims framework (the open content model), are key to getting these technologies more widely adopted.
Next up was Nathan Muggli, a Lead Program Manager in the AD product group at MS, who took us on a tour of AD in the WS08 space.

The first thing he hit on was the name changes: AD Domain Services (AD DS) for AD as we knew it, AD Certificate Services (AD CS), AD Federation Services (AD FS), AD Lightweight Directory Services (AD LDS) for ADAM, and AD Rights Management Services (AD RMS).
These AD services are now server roles in WS08.
AD DS and AD LDS can also be run on WS08 Server Core, which has no graphical shell and a very limited UI.
Key themes in WS08 Directory Services he listed were:
1. Security
Top of his list of new security features were Fine-Grained Password Policies (FGPP) with Password Settings Objects (PSOs).
This feature allows different password and account lockout policies to be set within a single domain for individual users or global security groups.
No new complexity rules have been added; a PSO carries the same settings the domain policy has (maximum and minimum age, length, history, complexity, reversible encryption and the lockout settings).
Using PSOs allows for a scenario where, within one domain, you can have, for example, admin password policies stipulating very strict settings such as expiry every 2 weeks and 15-character complex passwords, service accounts with incredibly long passwords (managed by some automated process) that expire every 90 days, and still a much more lax policy for average users. This effectively puts an end to the need for a separate domain whenever different password policies for different security principals are required.
There is no real restriction on the number of PSOs that can apply to a user or global security group, but only one takes effect: a PSO linked directly to the user beats any linked via a group, and among the remaining candidates the one with the lowest msDS-PasswordSettingsPrecedence value wins (ties go to the PSO with the lowest objectGUID). The winning PSO is exposed on the user as the constructed attribute msDS-ResultantPSO; if none applies, the Default Domain Policy settings do.
PSOs do not apply to OUs, computers or non-domain objects; linking a PSO to an OU does nothing.
PSOs are created using ADSI Edit or a similar tool in the Password Settings Container, which can be found within the System container of the domain (CN=Password Settings Container,CN=System,DC=...). The domain must be at the WS08 domain functional level first.
Other tools have been created by DS MVPs, notably one by Joe Richards and even a PoSH GUI utility by Dmitry Sotnikov, the Quest PowerShell guru.
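Two things bite people with PSOs: the I8 duration encoding and the precedence rules. The added example below (my own code, not a tool from Joe Richards, Dmitry Sotnikov or Microsoft) renders a PSO as LDIF in the form ldifde.exe imports, computing the durations AD expects, and implements the resultant-PSO rules described above for a user with several PSOs in play. The domain DN, PSO names and GUIDs are constructed; the GUID tie-break compares canonical UUID values, which approximates AD's comparison of the binary objectGUID.

```python
import uuid

# AD stores PSO durations in I8 syntax: a negative count of 100-nanosecond ticks.
TICKS_PER_SECOND = 10_000_000
DOMAIN_DN = "DC=contoso,DC=com"   # constructed example domain


def i8_interval(days: int = 0, hours: int = 0, minutes: int = 0) -> int:
    """Integer maths only: float conversion of e.g. 30 minutes rounds badly."""
    seconds = days * 86_400 + hours * 3_600 + minutes * 60
    return -seconds * TICKS_PER_SECOND


def pso_ldif(name: str, domain_dn: str, precedence: int, applies_to: list, *,
             max_age_days: int, min_age_days: int, min_length: int, history: int,
             complexity: bool, lockout_threshold: int, lockout_minutes: int) -> str:
    """Render one msDS-PasswordSettings object as LDIF for `ldifde -i -f pso.ldf`.
    All ten msDS-* settings below are mandatory on the class; omit one and the
    import fails with an objectClass violation."""
    lines = [
        f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        f"msDS-MaximumPasswordAge: {i8_interval(days=max_age_days)}",
        f"msDS-MinimumPasswordAge: {i8_interval(days=min_age_days)}",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-PasswordHistoryLength: {history}",
        f"msDS-PasswordComplexityEnabled: {'TRUE' if complexity else 'FALSE'}",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {i8_interval(minutes=lockout_minutes)}",
        f"msDS-LockoutDuration: {i8_interval(minutes=lockout_minutes)}",
    ]
    # Link targets: user or global security group DNs only (OUs are silently useless).
    lines += [f"msDS-PSOAppliesTo: {dn}" for dn in applies_to]
    return "\n".join(lines) + "\n"


def resultant_pso(linked_to_user: list, linked_via_groups: list):
    """Which PSO actually governs one user. Each PSO is a dict with name, precedence
    and guid. A PSO linked to the user itself beats any inherited through group
    membership; among the survivors the lowest msDS-PasswordSettingsPrecedence wins;
    equal precedence is broken by the smallest objectGUID. None means the Default
    Domain Policy settings apply."""
    candidates = linked_to_user or linked_via_groups
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p["precedence"], uuid.UUID(p["guid"]).int))["name"]


# Constructed PSOs for the scenarios in the text (names and GUIDs are made up).
ADMIN_PSO = {"name": "PSO-Admins", "precedence": 10,
             "guid": "0d4f6a5e-1b2c-4d3e-8f90-123456789abc"}
TIE_PSO = {"name": "PSO-Tie", "precedence": 10,         # same precedence as the admin PSO
           "guid": "00000000-0000-4000-8000-000000000001"}
SVC_PSO = {"name": "PSO-ServiceAccounts", "precedence": 20,
           "guid": "5b6c7d8e-9f00-4a1b-9c2d-3e4f50617283"}
USERS_PSO = {"name": "PSO-Users", "precedence": 100,
             "guid": "9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d"}
EXCEPTION_PSO = {"name": "PSO-Exception-JSmith", "precedence": 500,
                 "guid": "c0ffee00-0000-4000-8000-0000000000ee"}


def admin_pso_ldif() -> str:
    return pso_ldif("PSO-Admins", DOMAIN_DN, 10,
                    [f"CN=Domain Admins,CN=Users,{DOMAIN_DN}"],
                    max_age_days=14, min_age_days=1, min_length=15, history=24,
                    complexity=True, lockout_threshold=5, lockout_minutes=30)


if __name__ == "__main__":
    print(admin_pso_ldif())
    # An admin who is also in the ordinary users' group gets the admin PSO (10 < 100).
    print(resultant_pso([], [USERS_PSO, ADMIN_PSO]))
    # A PSO linked to the user directly wins even with a worse precedence number.
    print(resultant_pso([EXCEPTION_PSO], [ADMIN_PSO, SVC_PSO]))
```

Before relying on a PSO, read msDS-ResultantPSO on a representative user rather than reasoning it out by hand; two PSOs accidentally created at the same precedence are resolved by GUID, which nobody can predict from the console.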
Next up on his security list were the changes to auditing. With the new Directory Service Changes audit subcategory, the Security event log (events 5136 to 5139) can now tell:
- Who made the change
- When the change was made
- Which object and attribute changed
- The old and new values (a modified attribute produces a "value deleted" event for the old value and a "value added" event for the new one, sharing a correlation ID)
What gets logged is controlled by:
- the global audit policy (the Directory Service Changes subcategory, enabled with auditpol.exe)
- the system ACLs (SACLs) on the objects, which decide which principals and operations are audited, and
- the schema, where an attribute can be flagged in searchFlags as "never audit value" to keep its values out of the log.
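The who/when/what/old/new view above is not a single log entry; it has to be reassembled from pairs of 5136 events. The added example below (my own code, not part of the talk or of Windows) parses 5136 events in the XML shape wevtutil.exe exports, pairs the "value deleted" and "value added" halves of one modification by their OpCorrelationID, and flags the changes a security team would actually want to alert on. The three events, the actor, the group DN and the values are constructed for the example.

```python
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"   # OperationType codes in event 5136


def _sample_5136(record_id: int, when: str, op_id: str, attribute: str,
                 operation: str, value: str) -> str:
    """Constructed event 5136 in the XML shape produced by
    `wevtutil qe Security /f:xml`; the actor, DN and values are made up."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5136</EventID>
    <TimeCreated SystemTime="{when}"/>
    <EventRecordID>{record_id}</EventRecordID>
  </System>
  <EventData>
    <Data Name="OpCorrelationID">{op_id}</Data>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="DSName">contoso.com</Data>
    <Data Name="ObjectDN">CN=Service Desk,OU=Groups,DC=contoso,DC=com</Data>
    <Data Name="ObjectClass">group</Data>
    <Data Name="AttributeLDAPDisplayName">{attribute}</Data>
    <Data Name="AttributeValue">{value}</Data>
    <Data Name="OperationType">{operation}</Data>
  </EventData>
</Event>"""


OP_DESC = "{6F1A9C30-0000-4000-8000-00000000ABCD}"
OP_MEMBER = "{6F1A9C31-0000-4000-8000-00000000ABCD}"
SAMPLE_EVENTS = [
    # One modify of a single-valued attribute shows up as a deleted/added pair.
    _sample_5136(1001, "2007-09-25T09:14:02.000Z", OP_DESC, "description",
                 VALUE_DELETED, "Tier 1 helpdesk"),
    _sample_5136(1002, "2007-09-25T09:14:02.000Z", OP_DESC, "description",
                 VALUE_ADDED, "Tier 1 helpdesk (temp admin)"),
    # Adding a group member is a single "value added" with no old value.
    _sample_5136(1003, "2007-09-25T09:14:05.000Z", OP_MEMBER, "member",
                 VALUE_ADDED, "CN=Contractor One,OU=People,DC=contoso,DC=com"),
]

# Attributes whose change alters privilege or delegation; worth an alert, not a report.
WATCHED_ATTRIBUTES = {"member", "userAccountControl", "servicePrincipalName",
                      "msDS-AllowedToDelegateTo"}


def parse_5136(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", EVT_NS)}
    fields["when"] = system.find("e:TimeCreated", EVT_NS).get("SystemTime")
    fields["record"] = int(system.find("e:EventRecordID", EVT_NS).text)
    return fields


def changes_from_events(xml_events) -> list:
    """Pair value-deleted/value-added events by (OpCorrelationID, object, attribute)
    into one change record: who, when, object, attribute, old value, new value."""
    pending = {}    # "value deleted" halves waiting for their "value added" partner
    changes = []

    def record(ev, old, new):
        return {"who": ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"],
                "when": ev["when"], "object": ev["ObjectDN"],
                "attribute": ev["AttributeLDAPDisplayName"], "old": old, "new": new}

    for ev in sorted((parse_5136(x) for x in xml_events), key=lambda e: e["record"]):
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        if ev["OperationType"] == VALUE_DELETED:
            pending[key] = ev
        elif ev["OperationType"] == VALUE_ADDED:
            deleted = pending.pop(key, None)
            changes.append(record(ev, deleted["AttributeValue"] if deleted else None,
                                  ev["AttributeValue"]))
    for ev in pending.values():     # a delete with no matching add: the value was cleared
        changes.append(record(ev, ev["AttributeValue"], None))
    return changes


def flag_sensitive(changes: list) -> list:
    """Detection hook: surface only the changes touching privilege-bearing attributes."""
    return [c for c in changes if c["attribute"] in WATCHED_ATTRIBUTES]


if __name__ == "__main__":
    for change in changes_from_events(SAMPLE_EVENTS):
        print(change)
    print("alerts:", flag_sensitive(changes_from_events(SAMPLE_EVENTS)))
```

Note that the subcategory only logs what the SACLs ask for: with the default SACLs you get changes to most objects, but an attribute carrying the schema's "never audit value" flag shows up with no value at all, so plan the watch list against what the schema will actually let you see.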
2. Manageability
- Upgrade
An in-place upgrade is allowed only from WS03 to WS08.
- NT4-compatible cryptography is disabled by default, essentially because of its weak DES-based encryption. This may cause issues with some apps and older trusts, and it can be re-enabled by group policy. An event is logged when an app tries to use NT4 crypto, and this can be used to track down errant apps before deciding whether to keep it disabled.
- WS08 Domain and Forest Functional Levels
WS08 domain functional level gives:
- DFS-R for SYSVOL replication
- FGPP
- AES 128- and 256-bit Kerberos encryption types
WS08 forest functional level gives:
- No new features
- Ensures all domains are at WS08 domain functional level (and any domain added later starts there)
- Deployment
DCPromo was completely rewritten. You can now:
- Decide the DC's roles (DNS server, global catalog, RODC) during promotion
- Auto-configure DNS
- Clean up metadata of a DC that is being removed
- Promote directly into a chosen site
- Delegate the promotion of a Read-Only DC (RODC) to a non-administrator, and
- The Advanced switch has also been done away with. NTDSutil is now used to create the Install From Media (IFM) staging data.
- Restartable AD DS
The AD DS service can now be stopped to install patches or do an offline defrag of the AD database,
and all this without rebooting the server! Uptime stats will look a lot better.
A DC with a stopped directory service behaves much like a member server: domain logons still work if another DC can be reached; otherwise, log on locally with the DSRM (Directory Services Restore Mode) administrator password.
- One thing that has made people unhappy though is the removal of NTBackup of yore.
Backups in WS08 are volume-based, done with Windows Server Backup on top of the Volume Shadow Copy Service (VSS).
- DR
Accidental deletion of objects can now be prevented by ticking a box ("Protect object from accidental deletion"). He emphasised that this was nothing new and could be achieved using ACLs in W2K and WS03 (by setting deny ACEs on the Delete and Delete Subtree permissions of the object, which is exactly what the tick box does for Everyone).
- Snapshots
Online snapshots of AD can now be taken with VSS using NTDSutil. A snapshot can be mounted and exposed with dsamain.exe on an LDAP port of your choice, then browsed with LDP or the usual tools like a parallel, read-only AD.
That's it for PART 1