Capability: Identity and Access Management
Introduction
Identity and Access Management is a Core Infrastructure Optimization capability and the foundation for implementing many capabilities in the Infrastructure Optimization Model. The following table lists the high-level challenges, applicable solutions, and benefits of moving to the Standardized level in Identity and Access Management.
Challenges

- Users continually receive authentication prompts, have trouble logging in
- Too many user identity stores to manage
- No consistency in accessing resources
- Risk of unauthorized access to confidential information
- Difficulty implementing compliance with governmental regulations (Sarbanes-Oxley, HIPAA, etc.)
- Newly hired workers must wait to access crucial systems, reducing productivity

IT Challenges

- Rising help desk costs associated with password resets and access requests
- Lack of centrally managed identities, no clear view of identity life cycle
- Orphan accounts pose a security risk
- Identities vary across systems, no central repository for identities

Solutions

Projects

- Implement primary directory service for client authentication
- Implement directory service–aware clients

Benefits

Business Benefits

- Increased user productivity through simplified logon process
- Lower administration costs due to management of fewer identity stores
- Progressing toward implementing compliance with regulations
- Reduced cost of managing user accounts

IT Benefits

- Reduced helpdesk volume
- Fewer digital identities
- Identities are centrally managed
- Improved security
Ongoing Identity and Access Management focuses on the following capabilities as outlined in the Microsoft Identity and Access Management Series:
The Foundation for Identity and Access Management
Identity Life-Cycle Management
Access Management and Single Sign On
Note that the capabilities outlined above are all key parts of the Identity and Access Management service in any organization. For more information, please see the Microsoft Identity and Access Management Series.
In the Infrastructure Optimization Model, the Standardized level of Identity and Access Management addresses the need for directory services for authentication of users and requires a unified directory service for authentication of at least 80% of users. Correspondingly, this requirement implies that all clients are aware of the directory service.
Requirement: Directory Services for Authentication of Users
Audience
The Standardized level of optimization requires that an Active Directory directory service be in place in your organization and is used to authenticate 80 percent or more of your users. You should read this section if you do not use Active Directory for authentication of 80 percent or more of your users.
Overview
User authentication is required for many reasons during the course of a user’s workday. Network access, application access, data access, and e-mail access are typical examples. When you enable directory services for user authentication you centralize and unify all these separate authentication requirements. A single logon then gives the user access to all resources, applications, and data that the user is authorized to access.
Phase 1: Assess
The Assess phase primarily takes inventory of which directory services, if any, are used in your organization. You will define the reasons for each directory service and how they are used. If your organization does not have a directory service in place, you will need to examine how identities are currently managed and what processes are in place to secure access to data resources; these can be formal/documented or informal/undocumented processes.
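As an added example, not part of the guide, the Python below shows how the inventory gathered in the Assess phase can be turned into the figures the Standardized requirement asks for: the share of current users the primary directory authenticates, the users it does not cover, orphan accounts with no current HR record, and how many separate identity stores each user has an account in. The HR roster, the store names and every account list are constructed; only the 80 percent threshold comes from the requirement.

```python
"""Assess-phase identity-store inventory (added example, not from the guide).

The roster, store names and account lists are constructed sample data.
The 80 percent figure is the Standardized-level requirement.
"""

AD_COVERAGE_THRESHOLD = 0.80  # Standardized: AD authenticates >= 80% of users

# Constructed: current staff according to HR.
HR_ROSTER = {"alice", "bob", "carol", "dave", "erin",
             "frank", "grace", "heidi", "ivan", "judy"}

# Constructed: the accounts found in each identity store during the inventory.
STORES = {
    "Active Directory": {"alice", "bob", "carol", "dave", "erin",
                         "frank", "grace", "heidi", "mallory"},
    "Legacy NT4 domain": {"ivan", "judy", "mallory"},
    "CRM app directory": {"alice", "bob", "carol", "judy", "oscar"},
    "Mail server": {"alice", "bob", "carol", "dave", "erin", "ivan", "peggy"},
}


def assess(stores, roster, primary="Active Directory"):
    """Compare every store against the HR roster and the primary directory.

    Coverage is measured against people (the roster), not against the union
    of all accounts, so stale accounts in other stores cannot dilute it.
    """
    primary_accounts = stores[primary]
    covered = roster & primary_accounts
    coverage = len(covered) / len(roster) if roster else 0.0

    # For each current user, the stores holding an identity for them.
    stores_per_user = {
        user: sorted(name for name, accounts in stores.items() if user in accounts)
        for user in sorted(roster)
    }

    return {
        "coverage": coverage,
        "meets_standardized": coverage >= AD_COVERAGE_THRESHOLD,
        # Current users the primary directory cannot authenticate yet.
        "not_in_primary": sorted(roster - primary_accounts),
        # Accounts with no matching person in HR: orphan accounts, per store.
        "orphans": {name: sorted(accounts - roster)
                    for name, accounts in stores.items() if accounts - roster},
        "stores_per_user": stores_per_user,
        # Users who would benefit from consolidation onto one identity store.
        "users_in_multiple_stores": sorted(
            user for user, names in stores_per_user.items() if len(names) > 1),
    }


if __name__ == "__main__":
    report = assess(STORES, HR_ROSTER)
    print(f"AD coverage: {report['coverage']:.0%} "
          f"(Standardized met: {report['meets_standardized']})")
    for key in ("not_in_primary", "orphans", "users_in_multiple_stores"):
        print(f"{key}: {report[key]}")
```

With the constructed data the primary directory covers 8 of 10 current users, which is exactly the threshold; the two users it misses are still on the legacy domain, and every store carries at least one orphan account, the kind of finding that feeds the Evaluate and Plan phase.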
Phase 2: Identify
The directory service design process begins by identifying the technologies available to provide the service and what your organization’s needs are in the implementation of a directory service.
An Active Directory infrastructure is required by the Core Infrastructure Optimization Model and provides foundational support for many services required by the organization, including messaging and collaboration, systems management, and security services. Active Directory is the network-focused directory service included in Microsoft® Windows® 2000 and Windows Server® 2003.
Phase 3: Evaluate and Plan
The Evaluate and Plan phase leads you through the planning and design process to meet your organization's needs. It is imperative that you manage information relating to employees and their use of computing resources with a single, coherent authentication system, one that possesses the characteristics required for the most efficient management of this information.
It should be organized and presented as a directory.
A common method of querying should be supported, regardless of the type of data being requested.
Information with similar characteristics should be managed in a similar manner.
The ways in which information is grouped and managed should be determined by the organization, in ways that complement the organization's existing systems.
Designing the Directory Service
When designing the service, five categories of directories are used:
Specific-use directories
Application directories
Network-focused directories
General-purpose directories
Metadirectories
An Active Directory administrator has complete control over how information is presented in the directory. The information can be grouped into containers called organizational units (OUs) that are often arranged to facilitate the hierarchical storage of data. The types of data stored in the directory are defined using a schema specifying classes of data called objects. A user object, for example, is the User class defined in the schema. Attributes of the user object store information; for example, user name, password, and telephone number. The administrator can update the schema to include new attributes or classes as required.
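The containment and schema rules just described can be checked mechanically. The Python below is an added example, not code from the guide or from Active Directory itself: it parses a small constructed LDIF export, rebuilds the OU containment tree from the distinguished names, and validates each object's attributes against a toy schema. The class and attribute names (organizationalUnit, user, sAMAccountName, telephoneNumber) are real directory names used for illustration; the schema itself is a deliberately tiny stand-in for the real one, and the favouriteColour attribute is constructed to show a schema violation.

```python
"""Parse constructed LDIF, rebuild the OU tree and validate against a toy
schema (added example; the data and schema are not the real AD schema)."""
from collections import defaultdict

# Constructed LDIF export of a two-level OU structure with two user objects.
SAMPLE_LDIF = """\
dn: OU=Sales,DC=corp,DC=example
objectClass: organizationalUnit
ou: Sales

dn: OU=EMEA,OU=Sales,DC=corp,DC=example
objectClass: organizationalUnit
ou: EMEA

dn: CN=Alice Adams,OU=EMEA,OU=Sales,DC=corp,DC=example
objectClass: user
sAMAccountName: alice
telephoneNumber: +44 20 7946 0000

dn: CN=Bob Brown,OU=Sales,DC=corp,DC=example
objectClass: user
sAMAccountName: bob
favouriteColour: blue
"""

# Toy schema: class -> (required attributes, optional attributes).
SCHEMA = {
    "organizationalUnit": ({"ou"}, set()),
    "user": ({"sAMAccountName"}, {"telephoneNumber", "mail"}),
}


def parse_ldif(text):
    """Return one dict (attribute -> list of values) per blank-line-separated
    record. Folded lines (leading space) are joined; base64 '::' values are
    not handled, which is fine for the constructed sample."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parent_dn(dn):
    """Drop the leftmost RDN. Assumes no escaped commas in RDN values."""
    return dn.split(",", 1)[1] if "," in dn else ""


def is_domain_root(dn):
    """The domain itself is the implicit top container of every OU tree."""
    return dn.upper().startswith("DC=")


def build_tree(entries):
    """Map each container DN to the DNs it directly contains."""
    tree = defaultdict(list)
    for entry in entries:
        dn = entry["dn"][0]
        tree[parent_dn(dn)].append(dn)
    return dict(tree)


def validate(entries, schema):
    """List schema and containment problems, one string per finding."""
    known = {entry["dn"][0] for entry in entries}
    problems = []
    for entry in entries:
        dn = entry["dn"][0]
        cls = entry.get("objectClass", ["?"])[0]
        if cls not in schema:
            problems.append(f"{dn}: unknown class {cls}")
            continue
        required, optional = schema[cls]
        attrs = set(entry) - {"dn", "objectClass"}
        for attr in sorted(required - attrs):
            problems.append(f"{dn}: missing required attribute {attr}")
        for attr in sorted(attrs - required - optional):
            problems.append(f"{dn}: attribute {attr} not defined for class {cls}")
        parent = parent_dn(dn)
        if not is_domain_root(parent) and parent not in known:
            problems.append(f"{dn}: parent container {parent} not present")
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for container, children in build_tree(entries).items():
        print(container, "->", children)
    for problem in validate(entries, SCHEMA):
        print("PROBLEM:", problem)
```

The same three checks (object class known, attributes permitted by the class, parent container present) are what the directory enforces at write time; running them over an export is a cheap way to review a proposed OU design before it is created.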
For more information on defining the Active Directory directory service, go to https://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp_2.mspx#E4F.
Designing the Active Directory Structure
The logical structure of Active Directory can be considered as a number of logical directories called domains. The collection of domains is called a forest because directory data in each domain is typically organized in a tree-like structure to reflect the organization.
The process for designing the logical structure consists of the following steps:
Logical Structure Design Requirements. The Active Directory functions for administrative delegation are central to the logical structure design. Administration of specific OUs can be delegated to achieve autonomy or isolation of a service or data. Administrative delegation is done to meet the legal, operational, and organizational structure requirements.
Forest Design. A forest design model is chosen after the appropriate number of forests is determined in the service design process; for example, when multiple directories are necessary or object definitions vary within an organization. With few exceptions, we recommend that you maintain a single forest to be able to standardize the directory service.
Domain Design. A domain model is then chosen for each forest.
Forest Root Design. Forest root decisions are based on the domain design. If a single-domain model is chosen, the single domain functions as the forest root domain. If a regional-domain model is chosen, the forest owner needs to determine the forest root.
Active Directory Namespace Planning. After the domain model is determined for each forest, the namespace for the forest and domains should be defined.
DNS Infrastructure to Support Active Directory. After the Active Directory forest and domain structures have been designed, the Domain Name System (DNS) infrastructure design for Active Directory can be completed.
Creating an Organizational Unit Design. OU structures are unique to the domain, not the forest, so each domain owner is responsible for designing the OU structure for their domain.
Rendering the Logical Design
After the service design steps are completed, you can create a logical design that can be used to communicate the design to others, and to verify the integrity of the proposed design. This logical design should provide the required level of detail to allow the designers and IT professionals to understand the proposed design and to ensure that it meets the requirements of the services that they are responsible for within the overall enterprise design. The following diagram is an example of logical design. In the following example, the corporate forest uses a regional-domain model, which was chosen so that replication across the WAN could be carefully controlled.
For more information on designing the Active Directory logical structure, go to https://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp_2.mspx#EELAE.
Phase 4: Deploy
After you perform a high-level assessment of your current environment and determine your Active Directory deployment goals, you can determine the deployment strategy that works best for your environment. The following figure shows the steps for defining the Active Directory deployment process.
The Active Directory deployment strategy that you apply varies according to your existing network configuration. For example, if your organization currently runs Windows 2000, you can simply upgrade your operating system to Windows Server 2003. If your organization currently runs Microsoft Windows NT® 4.0 or a non-Windows network operating system, however, you must design an Active Directory infrastructure before you upgrade to Windows Server 2003.
Your deployment process might involve restructuring existing domains, either within an Active Directory forest or between Active Directory forests. You might need to restructure your existing domains after you deploy Windows Server 2003 Active Directory or after organizational changes or corporate acquisitions.
For more information on prerequisites for deploying the Active Directory infrastructure, go to http://technet2.microsoft.com/WindowsServer/en/library/e0966784-1185-4b41-a259-68513689493b1033.mspx.
Operations
The goal of directory services is to ensure that information is accessible through the network by any authorized requester via a simple and organized process. The following resources provide information on operating Active Directory in your organization after it has been implemented and all objects are defined. Operating an Active Directory infrastructure requires proper administration of domain and forest trusts, Windows time service, SYSVOL, the global catalog, Active Directory backup and restore, intersite replication, the Active Directory database, and domain controllers.
For more information, visit:
Microsoft Operations Framework Directory Services Administration
Windows Server 2003 Technical Library:
The Technology Center for Active Directory in Windows Server 2003 contains information on implementing Active Directory in Windows Server 2003: https://www.microsoft.com/windowsserver2003/technologies/activedirectory/default.mspx
The Product and Technology Security Center for Active Directory and Kerberos is a consolidated list of resources that can be consulted for security updates and “how-to” guidance:
For information on Active Directory on the Microsoft Support Web site, visit https://support.microsoft.com/default.aspx?scid=fh;EN-US;winsvr2003ad.
Further Information
For more information on directory services and authentication, visit Microsoft TechNet and search on "Active Directory authentication."
For additional Active Directory product guidance, see
To see how Microsoft utilizes Active Directory, go to https://www.microsoft.com/technet/itshowcase/content/managead.mspx.
Checkpoint: Directory Services for Authentication of Users
| Requirements | |
|---|---|
| Implemented Active Directory directory service for authentication of 80 percent or more of connected users. | |
If you have completed the step listed above, your organization has met the minimum requirement of the Standardized level for this capability based on the Infrastructure Optimization model. We recommend that you follow additional best practice resources for operating your Active Directory infrastructure after it has been deployed.