Capability: Identity and Access Management

Identity and Access Management is a Core Infrastructure Optimization capability and the foundation for implementing many capabilities in the Infrastructure Optimization Model. The following table lists the high-level challenges, applicable solutions, and benefits of moving to the Standardized level in Identity and Access Management.

Challenges

  Business Challenges

    • Users continually receive authentication prompts, have trouble logging in

    • Too many user identity stores to manage

    • No consistency in accessing resources

    • Risk of unauthorized access to confidential information

    • Difficulty implementing compliance with governmental regulations (Sarbanes-Oxley, HIPAA, etc.)

    • Newly hired workers must wait to access crucial systems, reducing productivity

  IT Challenges

    • Rising help desk costs associated with password resets and access requests

    • Lack of centrally managed identities, no clear view of identity life cycle

    • Orphan accounts pose a security risk

    • Identities vary across systems, no central repository for identities

Solutions

  • Implement primary directory service for client authentication

  • Implement directory service–aware clients

Benefits

  Business Benefits

    • Increased user productivity through simplified logon process

    • Lower administration costs due to management of fewer identity stores

    • Progressing toward implementing compliance with regulations

    • Reduced cost of managing user accounts

  IT Benefits

    • Reduced helpdesk volume

    • Fewer digital identities

    • Identities are centrally managed

    • Improved security

Ongoing Identity and Access Management focuses on the following capabilities as outlined in the Microsoft Identity and Access Management Series:

Note that the capabilities outlined above are all key parts of the Identity and Access Management service in any organization. For more information, please see the Microsoft Identity and Access Management Series.

In the Infrastructure Optimization Model, the Standardized level of Identity and Access Management addresses the need for directory services for authentication of users and requires a unified directory service for authentication of at least 80% of users. In turn, this requirement implies that all clients are aware of the directory service.

Requirement: Directory Services for Authentication of Users


The Standardized level of optimization requires that an Active Directory directory service be in place in your organization and be used to authenticate 80 percent or more of your users. You should read this section if you do not use Active Directory for authentication of 80 percent or more of your users.


User authentication is required for many reasons during the course of a user’s workday. Network access, application access, data access, and e-mail access are typical examples. When you enable directory services for user authentication you centralize and unify all these separate authentication requirements. A single logon then gives the user access to all resources, applications, and data that the user is authorized to access.

Phase 1: Assess

The Assess phase primarily takes inventory of which directory services, if any, are used in your organization. You will define the reasons for each directory service and how they are used. If your organization does not have a directory service in place, you will need to examine how identities are currently managed and what processes are in place to secure access to data resources; these can be formal/documented or informal/undocumented processes.

Phase 2: Identify

The directory service design process begins by identifying the technologies available to provide the service and what your organization’s needs are in the implementation of a directory service.

An Active Directory infrastructure is required by the Core Infrastructure Optimization Model and provides foundational support for many services required by the organization, including messaging and collaboration, systems management, and security services. Active Directory is the network-focused directory service included in Microsoft® Windows® 2000 and Windows Server® 2003.

Phase 3: Evaluate and Plan

The Evaluate and Plan phase leads you through the planning and design process to meet your organization's needs. It is imperative that you manage information relating to employees and their use of computing resources with a single, coherent authentication system, one that possesses the characteristics required for the most efficient management of this information.

  • It should be organized and presented as a directory.

  • A common method of querying should be supported, regardless of the type of data being requested.

  • Information with similar characteristics should be managed in a similar manner.

The ways in which information is grouped and managed should be determined by the organization, in ways that complement the organization's existing systems.

Designing the Directory Service

When designing the service, five categories of directories are used:

  • Specific-use directories

  • Application directories

  • Network-focused directories

  • General-purpose directories

  • Metadirectories

An Active Directory administrator has complete control over how information is presented in the directory. The information can be grouped into containers called organizational units (OUs) that are often arranged to facilitate the hierarchical storage of data. The types of data stored in the directory are defined using a schema specifying classes of data called objects. A user object, for example, is the User class defined in the schema. Attributes of the user object store information; for example, user name, password, and telephone number. The administrator can update the schema to include new attributes or classes as required.
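The following script is an added example, not code from the original page or from Microsoft, that shows the schema, class, attribute and OU concepts described above against a live directory. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host and an account allowed to create OUs; "Corp", "Sales" and "jdoe" are placeholder names. One caveat on the paragraph above: the password is not a readable attribute. The directory keeps it as a hash in unicodePwd, which LDAP clients can set but never read back, so no script or export can retrieve it.

```powershell
# Added example (not from the original page): inspect how the schema defines the
# User class, build a small OU hierarchy and read a user's attributes.
# Assumes the ActiveDirectory module and rights to create OUs; names are placeholders.
Import-Module ActiveDirectory

# Class and attribute definitions live in the schema naming context of the forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Walk the class inheritance chain: user -> organizationalPerson -> person -> top.
# Each classSchema object lists the optional attributes it adds at that level,
# split between Microsoft-defined (systemMayContain) and admin-added (mayContain).
$chain = @(); $name = "user"
do {
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$name))" `
        -Properties subClassOf, systemMayContain, mayContain
    $chain += $name
    $optional = @($cls.systemMayContain).Count + @($cls.mayContain).Count
    "$name : $optional optional attributes defined at this level"
    $name = $cls.subClassOf        # 'top' is its own superclass, which ends the loop
} while ($chain -notcontains $name)

# Confirm that an attribute the user object may carry (telephoneNumber) exists
# as an attributeSchema object, and see its syntax and whether it is single-valued.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=telephoneNumber))" `
    -Properties attributeSyntax, isSingleValued |
    Select-Object Name, attributeSyntax, isSingleValued

# Create a container hierarchy that mirrors the organization: Corp > Sales > Users.
# The top-level OU is protected so a mistyped Remove-ADOrganizationalUnit cannot
# take the whole subtree (and every delegated permission on it) with it.
$domainDN = (Get-ADDomain).DistinguishedName
New-ADOrganizationalUnit -Name "Corp"  -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Sales" -Path "OU=Corp,$domainDN"
New-ADOrganizationalUnit -Name "Users" -Path "OU=Sales,OU=Corp,$domainDN"

# Read the attributes of one user object. Only the default property set is
# returned unless the extra attributes are named explicitly.
Get-ADUser -Identity "jdoe" -Properties telephoneNumber, mail, whenCreated |
    Select-Object SamAccountName, Name, telephoneNumber, mail, whenCreated, DistinguishedName
```

Extending the schema (new attributes or classes) is a forest-wide, irreversible change that replicates to every domain controller, so it is normally done once, by the Schema Admins group, and tested in a lab forest first.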

For more information on defining the Active Directory directory service, go to

Designing the Active Directory Structure

The logical structure of Active Directory can be considered as a number of logical directories called domains. The collection of domains is called a forest because directory data in each domain is typically organized in a tree-like structure to reflect the organization.

The process for designing the logical structure consists of the following steps:

  1. Logical Structure Design Requirements. The Active Directory functions for administrative delegation are central to the logical structure design. Administration of specific OUs can be delegated to achieve autonomy or isolation of a service or data. Administrative delegation is done to meet the legal, operational, and organizational structure requirements.

  2. Forest Design. A forest design model is chosen after the appropriate number of forests is determined in the service design process; for example, when multiple directories are necessary or object definitions vary within an organization. With few exceptions, we recommend that you maintain a single forest to be able to standardize the directory service.

  3. Domain Design. A domain model is then chosen for each forest.

  4. Forest Root Design. Forest root decisions are based on the domain design. If a single-domain model is chosen, the single domain functions as the forest root domain. If a regional-domain model is chosen, the forest owner needs to determine the forest root.

  5. Active Directory Namespace Planning. After the domain model is determined for each forest, the namespace for the forest and domains should be defined.

  6. DNS Infrastructure to Support Active Directory. After the Active Directory forest and domain structures have been designed, the Domain Name System (DNS) infrastructure design for Active Directory can be completed.

  7. Creating an Organizational Unit Design. OU structures are unique to the domain, not the forest, so each domain owner is responsible for designing the OU structure for their domain.

Rendering the Logical Design

After the service design steps are completed, you can create a logical design that can be used to communicate the design to others, and to verify the integrity of the proposed design. This logical design should provide the required level of detail to allow the designers and IT professionals to understand the proposed design and to ensure that it meets the requirements of the services that they are responsible for within the overall enterprise design. The following diagram is an example of logical design. In the following example, the corporate forest uses a regional-domain model, which was chosen so that replication across the WAN could be carefully controlled.
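Once a forest exists, the logical design can be rendered from the directory itself rather than drawn by hand. The script below is an added example, not from the original page or from Microsoft, that prints the forest, its domains and each domain's OU tree as indented text, and, for design step 6 above, checks that the DNS SRV records domain controllers register actually resolve. It assumes the ActiveDirectory and DnsClient modules (Windows 8 / Windows Server 2012 or later for Resolve-DnsName) and reads only; all names in the output come from the forest it is run against.

```powershell
# Added example (not from the original page): render the logical design of an
# existing forest (forest > domains > OUs) and verify the DNS records AD relies on.
# Assumes the ActiveDirectory and DnsClient PowerShell modules; read-only.
Import-Module ActiveDirectory

function Write-OUTree {
    param([string]$SearchBase, [int]$Depth = 1)
    # One level per call so the indentation follows the container hierarchy.
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope OneLevel |
        Sort-Object Name | ForEach-Object {
            ("  " * $Depth) + "OU: " + $_.Name
            Write-OUTree -SearchBase $_.DistinguishedName -Depth ($Depth + 1)
        }
}

function Test-ADDnsRecords {
    param([string]$DnsRoot)
    # Clients locate a domain controller (LDAP), a Kerberos KDC and the PDC emulator
    # through these SRV records. A missing record is a DNS design problem that shows
    # up as logon failures, so it belongs in the design review, not in the help desk.
    $records = "_ldap._tcp.dc._msdcs.$DnsRoot",
               "_kerberos._tcp.dc._msdcs.$DnsRoot",
               "_ldap._tcp.pdc._msdcs.$DnsRoot"
    foreach ($rec in $records) {
        $srv = Resolve-DnsName -Name $rec -Type SRV -ErrorAction SilentlyContinue |
               Where-Object Type -eq "SRV"
        if ($srv) {
            $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ", "
            "    DNS OK      $rec -> $targets"
        } else {
            "    DNS MISSING $rec"
        }
    }
}

$forest = Get-ADForest
"Forest: $($forest.Name)  (root domain: $($forest.RootDomain), mode: $($forest.ForestMode))"
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "  Domain: $($domain.DNSRoot)  (mode: $($domain.DomainMode), DCs: $(@($domain.ReplicaDirectoryServers).Count))"
    Test-ADDnsRecords -DnsRoot $domain.DNSRoot
    Write-OUTree -SearchBase $domain.DistinguishedName -Depth 2
}
```

Run it from each site in a regional-domain design: a record that resolves at headquarters but not at a branch points at DNS replication or forwarder configuration, which is exactly the WAN-related detail the logical design is meant to surface.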


For more information on designing the Active Directory logical structure, go to

Phase 4: Deploy

After you perform a high-level assessment of your current environment and determine your Active Directory deployment goals, you can determine the deployment strategy that works best for your environment. The following figure shows the steps for defining the Active Directory deployment process.


The Active Directory deployment strategy that you apply varies according to your existing network configuration. For example, if your organization currently runs Windows 2000, you can simply upgrade your operating system to Windows Server 2003. If your organization currently runs Microsoft Windows NT® 4.0 or a non-Windows network operating system, however, you must design an Active Directory infrastructure before you upgrade to Windows Server 2003.

Your deployment process might involve restructuring existing domains, either within an Active Directory forest or between Active Directory forests. You might need to restructure your existing domains after you deploy Windows Server 2003 Active Directory or after organizational changes or corporate acquisitions.

For more information on prerequisites for deploying the Active Directory infrastructure, go to


The goal of directory services is to ensure that information is accessible through the network by any authorized requester via a simple and organized process. The following resources provide information on operating Active Directory in your organization after it has been implemented and all objects are defined. Operating an Active Directory infrastructure requires proper administration of domain and forest trusts, Windows time service, SYSVOL, the global catalog, Active Directory backup and restore, intersite replication, the Active Directory database, and domain controllers.

For more information, visit:

Further Information

For more information on directory services and authentication, visit Microsoft TechNet and search on "Active Directory authentication."

For additional Active Directory product guidance, see

To see how Microsoft utilizes Active Directory, go to

Checkpoint: Directory Services for Authentication of Users



Implemented Active Directory directory service for authentication of 80 percent or more of connected users.

If you have completed the step listed above, your organization has met the minimum requirement of the Standardized level for this capability based on the Infrastructure Optimization model. We recommend that you follow additional best practice resources for operating your Active Directory infrastructure after it has been deployed.
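The Assess phase asks which identity stores authenticate your users, and this checkpoint asks whether Active Directory covers 80 percent of them. The script below is an added example, not from the original page or from Microsoft, that reconciles an HR roster of active workers against exports from each identity store to compute that coverage figure, list the workers who can only authenticate elsewhere, flag orphan accounts (no owner, or an owner who has left), and show who holds accounts in more than one store. The roster and store contents are constructed sample data, embedded so the script runs offline; in practice you would feed it an HR export, Get-ADUser output and exports from the other directories. The store names and the EmployeeId field are assumptions.

```powershell
# Added example (not from the original page): measure primary-directory coverage
# and surface orphan and duplicate identities. All data below is constructed.

$roster = @(
    [pscustomobject]@{ EmployeeId = "E100"; Name = "Alice Jones"; Status = "Active" }
    [pscustomobject]@{ EmployeeId = "E101"; Name = "Bob Smith";   Status = "Active" }
    [pscustomobject]@{ EmployeeId = "E102"; Name = "Carol White"; Status = "Active" }
    [pscustomobject]@{ EmployeeId = "E103"; Name = "Dan Brown";   Status = "Active" }
    [pscustomobject]@{ EmployeeId = "E104"; Name = "Eve Black";   Status = "Terminated" }
)

# Each identity store maps account name -> EmployeeId recorded on the account
# ($null where the store has no owner recorded, e.g. a shared or service account).
$stores = @{
    "ActiveDirectory" = @{ "ajones" = "E100"; "bsmith" = "E101"; "cwhite" = "E102"; "eblack" = "E104"; "svc-legacy" = $null }
    "LegacyUnixNIS"   = @{ "dbrown" = "E103"; "bsmith" = "E101" }
    "CrmAppDb"        = @{ "carol"  = "E102"; "oldadmin" = $null }
}

function Get-CoverageReport {
    param($Roster, [hashtable]$Stores, [string]$PrimaryStore = "ActiveDirectory", [double]$Threshold = 0.8)

    $active    = @($Roster | Where-Object Status -eq "Active")
    $activeIds = @{}
    foreach ($w in $active) { $activeIds[$w.EmployeeId] = $w }

    # Active workers who have an account in the primary directory.
    $primaryIds = @($Stores[$PrimaryStore].Values |
        Where-Object { $_ -and $activeIds.ContainsKey($_) } | Sort-Object -Unique)
    $coverage = if ($active.Count) { $primaryIds.Count / $active.Count } else { 0 }

    # Orphan accounts: no owner recorded, or the owner is no longer an active worker.
    $orphans = foreach ($store in $Stores.GetEnumerator()) {
        foreach ($acct in $store.Value.GetEnumerator()) {
            if (-not $acct.Value -or -not $activeIds.ContainsKey($acct.Value)) {
                [pscustomobject]@{ Store = $store.Key; Account = $acct.Key; Owner = $acct.Value }
            }
        }
    }

    # Active workers who can only authenticate outside the primary directory.
    $outsidePrimary = @($active | Where-Object { $primaryIds -notcontains $_.EmployeeId })

    # Workers with accounts in more than one store: every extra store is another
    # password to reset and another place to forget at deprovisioning time.
    $storeCount = @{}
    foreach ($store in $Stores.GetEnumerator()) {
        foreach ($id in ($store.Value.Values | Where-Object { $_ } | Sort-Object -Unique)) {
            $storeCount[$id] = 1 + [int]$storeCount[$id]
        }
    }
    $multiStore = @($active | Where-Object { $storeCount[$_.EmployeeId] -gt 1 })

    [pscustomobject]@{
        ActiveWorkers    = $active.Count
        CoveredByPrimary = $primaryIds.Count
        CoveragePercent  = [math]::Round(100 * $coverage, 1)
        CheckpointMet    = ($coverage -ge $Threshold)
        OrphanAccounts   = @($orphans)
        OutsidePrimary   = $outsidePrimary
        InMultipleStores = $multiStore
    }
}

$report = Get-CoverageReport -Roster $roster -Stores $stores
"Active Directory covers $($report.CoveredByPrimary) of $($report.ActiveWorkers) active workers ($($report.CoveragePercent)%); checkpoint met: $($report.CheckpointMet)"
"Workers without a primary-directory account:"
$report.OutsidePrimary   | Format-Table EmployeeId, Name -AutoSize
"Orphan accounts to review or disable:"
$report.OrphanAccounts   | Format-Table Store, Account, Owner -AutoSize
"Workers with accounts in more than one store:"
$report.InMultipleStores | Format-Table EmployeeId, Name -AutoSize
```

With the sample data, three of four active workers (75%) have Active Directory accounts, so the checkpoint is not met; Dan Brown authenticates only against the legacy NIS store, the terminated worker's AD account and the two ownerless accounts are listed as orphans, and Bob and Carol each appear in two stores. The orphan list is the one to act on first, since those accounts are the ones nobody will notice being used.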
