Wed 25 Jul 2007
Microsoft offers quite a few Active Directory related products which can be generally described as Identity and Access (IDA) solutions. It is sometimes difficult to keep track of Microsoft’s enterprise products, not only because MS extends their functionality or releases new ones, but also because their names are constantly changing. In Windows Server 2008, there will be many such changes. In this post I have summarized all of Microsoft’s IDA solutions with their new names.
Active Directory Domain Services (AD DS)
This is certainly the most central service. It provides authentication and authorization services and stores information about users and network objects such as computers, printers or shared folders. If you are a Windows admin, I don’t have to tell you what AD DS is. If you are not, then you can check out this Wikipedia article for an introduction to Active Directory. I’ve blogged about some of the new AD DS features in Windows Server 2008 before, and I’ll probably discuss some more new features soon. Note that there is also a slight change of name. In previous Windows versions it was called Active Directory Service (ADS); now it is called Active Directory Domain Services (AD DS).
Active Directory Lightweight Directory (AD LDS)
Active Directory Lightweight Directory (AD LDS) is the new name for Active Directory Application Mode (ADAM). That is quite a change of name even though the change in functionality is negligible. ADAM has been available as an out-of-band download since Windows Server 2003 R2. In Windows Server 2008, AD LDS is a built-in server role which can be installed with Server Manager. It is a light version of AD DS which is essentially independent of its bigger brother. AD LDS can store directory-related application data, but not network objects such as computers, printers etc. These TechNet articles provide more detailed information.
Active Directory Certificate Services (AD CS)
Since Windows 2000, this was just called Certificate Services. Now you can use the acronym AD CS, which will identify you as a Windows Server 2008 insider. AD CS issues and stores digital certificates that are needed for many cryptographic applications such as the Encrypting File System (EFS) or smartcard authentication. In the Windows world, AD CS is used for building up a Public Key Infrastructure (PKI). There are a couple of new features in Windows Server 2008. This article has more.
Active Directory Rights Management Services (AD RMS)
When this IDA solution was first introduced with Windows Server 2003, it was called Windows Rights Management Service (RMS). AD RMS is sort of a digital rights management solution for corporate use. Basically, it controls access to and usage of digital documents within the enterprise. It can also be used as a DRM solution for exchanging documents with business partners. For example, you can specify who is allowed to print a certain document within an AD RMS enabled application such as Microsoft Word, or who is allowed to forward a certain e-mail using Outlook. AD RMS has also been improved in several ways.
Active Directory Federation Services (AD FS)
Only a minimal name change here. Actually, only the acronym has changed: ADFS now just becomes AD FS. ADFS was introduced as an optional component in Windows Server 2003 R2. It provides single sign-on (SSO) functionality for Web-based applications across enterprise boundaries. You can create trust relationships between your Active Directory (AD DS and AD LDS) and the directory service of business partners, allowing their users to authenticate to your Web applications using their internal credentials. Since Web Services are becoming more and more popular, AD FS will probably play a more important role in the near future. You can read more about the new features of AD FS in Windows Server 2008 here.
Identity Lifecycle Manager (ILM)
ILM 2007 is the successor of Microsoft’s Identity Integration Server 2003 (MIIS 2003), formerly called Meta-directory Services (MMS), and Certificate Lifecycle Manager (CLM). ILM 2007 has been released recently for Windows Server 2003, Enterprise Edition. There will be a new version of ILM for Windows Server 2008. The current code name is just Identity Lifecycle Manager “2”, but I suppose its real name will be ILM 2008 when it comes out. The IDA solutions discussed above are components of Windows Server 2008, whereas ILM is an independent product. Essentially, ILM helps big companies with multiple directories to reduce the complexity of user provisioning. For example, it can help administrators to supply a new employee with all the rights she needs to authenticate against all the different systems within the organizational hierarchy. One interesting new feature of ILM 2 is that these tasks are supported by Office applications. For instance, a user can request to join a group by sending an email to an administrator, who can approve this request by just clicking on an approve button in Outlook. More information about ILM 2 can be found in this PDF file.






