Longhorn Beta 2 to See New Active Directory Features
Published: March 1, 2006
by Alex Woodie
With Active Directory becoming the de-facto corporate standard for storing identity-related information used by Windows and non-Windows applications alike, Microsoft has an opportunity to cement its hold on the directory services market with the next release of Windows Server, codenamed "Longhorn." To that end, the company announced last month that the second Longhorn beta, which is due in the second quarter, will bring changes and enhancements to Active Directory.
Active Directory has its roots back in 1996, when Microsoft unveiled a product based on "Cascade," the product's codename. The software was first unveiled as a product with Windows 2000, was bolstered with Windows Server 2003, and gained more capabilities with Windows Server 2003 Release 2 (R2), which is just now shipping.
Windows Server 2003 R2 introduced a new role for the product called Active Directory Federation Services (ADFS), which brought additional authentication and single sign-on (SSO) capabilities. R2 also brought us Active Directory Application Mode (ADAM), a stripped-down version of Active Directory that was previously available as a separate download, and Unix Identity Management, which allowed Active Directory to function as the primary domain controller for Unix environments.
Two weeks ago, Microsoft published its vision and roadmap for the development of Active Directory. The document outlines in broad strokes Microsoft's general goals for the next release of Active Directory in Windows Server Longhorn, which basically involve making Active Directory the center of users' identity management and SSO strategies, providing greater security, and making the product more integrated and easier to use.
In the ease-of-use department, Microsoft says it will be "aligning . . . services around a unified architecture," and this goal is reflected in some of the name changes the new version will see. Active Directory Domain Controller (ADDS), which had been the core of the product, will become Active Directory Domain Services, while ADAM, the lightweight version of ADDS, will be called Active Directory Lightweight Directory Services.
Windows Rights Management Services (RMS), a security option with Windows Server 2003 that requires Active Directory but is not part of the Active Directory product family, will become part of the Active Directory family with the next release, and will be known as Active Directory Rights Management Services (ADRMS). Microsoft plans to more deeply integrate ADRMS with Active Directory Federation Services (ADFS) "to enable businesses to protect their sensitive information across forest boundaries with their business partners and customers," said Michael Atalla, Microsoft's group product manager for identity and access, last week in an online technical chat called "The Future of Active Directory".
Additional Windows security technology will be integrated into Active Directory. Windows Certificate Services, a Windows public key infrastructure (PKI) encryption technology, will become Active Directory Certificate Services with Longhorn, Microsoft says. "Active Directory Certificate Services will include a number of new features intended to provide a more comprehensive digital certificate platform for Windows environments, including, but not limited to, the addition of an OCSP [online certificate status protocol] Responder and network device enrollment services," Atalla says.
The OCSP protocol allows real-time validation of a certificate's status, and should enable faster validation of PKI certificates. Atalla added that, over time, Microsoft plans to further streamline the PKI experience in Windows, "but [we] have no plans to eliminate support for the stand-alone [Certification Authorities] CAs."
Another new feature bolstering the security of Active Directory in Longhorn is the capability to run the Domain Controllers on "server core," which, according to Levon Esibov, group program manager for the directory services team, is a bare-bones implementation of the operating system that "contains absolute minimum binaries that are required for running mission critical server roles." Running in "server core" reduces the attack surface and reduces the number of patches you need to apply, Esibov said.
Microsoft will also eliminate the 300MB limit of event logs in Active Directory.
Microsoft plans to deliver these new Active Directory capabilities and server role names with the second beta release of Windows Server Longhorn, which is expected sometime before the end of June. These new features will also be made available to Windows Server 2003 users, Microsoft said.
Microsoft is also working on some post-Longhorn features, including the Security Token Service, which will be a key product enabling the InfoCard technology Microsoft has been pushing as a replacement for password-based authentication (see "Gates Makes Case for 'Trust Ecosystem'").