A large corporate IT infrastructure includes many resources connected via a local area network (LAN). These resources include files, folders, volumes, printers, users, groups, devices, telephone numbers and other objects. Organizing the resources on a large network and making the best use of them can be an overwhelming task. In a large IT infrastructure, different resources may be located in different rooms, floors, buildings and even different geographic locations. Regardless of their physical location, however, a user or resource may need access to another user or resource on the network. When a network and the resources on it grow large, it requires a network operating system that can share services with multiple users and provide extensive administrative control over data storage, applications and other resources. A large IT infrastructure often contains one or more server computers that provide functionality for other programs or devices, called clients.
A network operating system is usually installed on considerably more capable hardware than client computers, so that it can handle many requests without becoming a bottleneck. Servers typically hold resources that are accessed by multiple clients as well as by other servers; for example, a server may host a centralized database, shared storage, the server module of an application, and so on. Network operating systems also contain other important components, and the directory service is one such component.
Directory service and Active Directory
A directory service, also known as a name service, is a service found on network operating systems that maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. Each resource on the network is treated as an object by the directory service. A directory service has a set of rules that determine how resources on a network are named and identified. It eliminates the need to remember the physical address of a network resource by providing a much easier name with which to identify that resource.
Active Directory is a directory service developed by Microsoft for Windows domain networks. A Windows domain is a form of computer network in which all user accounts, computers, printers and other security principals are registered with a central database located on one or more clusters of central computers known as domain controllers. A domain controller (DC) is a server computer that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain. Active Directory is included in most of the Server OS products from Microsoft.
Domain service (AD DS)
Active Directory Domain Services (AD DS) stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights.
Lightweight directory services (AD LDS)
Active Directory Lightweight Directory Services (AD LDS) is a light-weight implementation of AD DS. AD LDS runs as a service on Windows Server. Unlike AD DS, multiple AD LDS instances can run on the same server. AD LDS was earlier known as Active Directory Application Mode (ADAM).
Certificate services (AD CS)
Active Directory Certificate Services (AD CS) establishes an on-premise public key infrastructure. It can create, validate and revoke public key certificates for internal uses of an organization.
Federation service (AD FS)
Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g. webmail, blog, internet forum, online shopping) or network resources using only one set of credentials stored at a central location.
Rights management service (AD RMS)
Active Directory Rights Management Services (AD RMS) takes care of information rights management.
Active Directory goes cloud
To maintain a central repository of network resources, Windows domain networks have depended on Active Directory. Now that cloud computing is ready to take over the world, applications are increasingly moving to the cloud, and the day is not far off when cloud applications will completely replace traditional on-premise applications. When applications that have depended on Active Directory for authentication and access permissions move to the cloud, it becomes imperative to take Active Directory functionality to the cloud as well.
Windows server Active Directory on cloud VMs
A Windows Server running as a domain controller in a virtual machine can be hosted in a public cloud to achieve this. Any public cloud service, such as Amazon Web Services or Microsoft Azure, can be used for the purpose. This option provides the ability to host a full instance of Windows Server Active Directory, running on Windows Server 2008 R2 SP1 or Windows Server 2012, as a virtual machine in the cloud.
The following steps are carried out to achieve this:
- Configuring On-Premise Active Directory Sites and Subnets
- Registering DNS Servers on Public Cloud (e.g. Azure or AWS)
- Building Windows Azure Virtual Network with Site-to-Site VPN connectivity
- Provisioning a new Replica Domain Controller in Windows Azure
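The steps above, as an added PowerShell example that is not part of the original article or of any Microsoft documentation. It covers the on-premises side (site, subnet and site link for the cloud network) and the cloud VM side (DNS pointing at an on-premises DC across the VPN, a pre-promotion check, and the replica DC promotion). The site names, subnets, IP addresses, domain name and the `F:` data disk are assumed placeholders; the VPN itself is assumed to be in place already.

```powershell
# Added example (not from the original article). All names, addresses and
# paths are assumed placeholders; replace them with your own values.
# Requires the ActiveDirectory and ADDSDeployment modules (RSAT / AD DS role).

$DomainName  = 'corp.example.com'   # assumed AD DNS domain name
$OnPremSite  = 'OnPrem-HQ'          # assumed existing on-premises site
$CloudSite   = 'Cloud-Site'         # assumed new site for the cloud virtual network
$CloudSubnet = '10.20.0.0/16'       # assumed cloud virtual network address space
$OnPremDns   = '192.168.1.10'       # assumed on-premises DC / DNS server address

# Part 1 (run on an existing on-premises DC): describe the cloud network as an
# AD site and subnet so that replication and DC locator behave correctly.
function Register-CloudSite {
    Import-Module ActiveDirectory

    if (-not (Get-ADReplicationSite -Filter "Name -eq '$CloudSite'")) {
        New-ADReplicationSite -Name $CloudSite
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$CloudSubnet'")) {
        # Clients in this subnet will now prefer DCs in the cloud site.
        New-ADReplicationSubnet -Name $CloudSubnet -Site $CloudSite
    }

    # A dedicated site link over the VPN, with an explicit cost and interval,
    # instead of leaving the new site on DEFAULTIPSITELINK.
    $linkName = "$OnPremSite-$CloudSite"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded $OnPremSite, $CloudSite `
            -Cost 200 -ReplicationFrequencyInMinutes 30 `
            -InterSiteTransportProtocol IP
    }
}

# Part 2 (run on the cloud VM after the site-to-site VPN is up): resolve the
# domain through an on-premises DNS server, check that the DC locator records
# are reachable, then promote the VM as a replica DC in the cloud site.
function Add-CloudReplicaDC {
    # Point the VM at on-premises DNS so it can find the domain across the tunnel.
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $OnPremDns

    # The domain's DC locator SRV record must resolve before promotion will succeed.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $OnPremDns
    if (-not $srv) { throw "Cannot locate a DC for $DomainName via $OnPremDns" }

    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

    $cred = Get-Credential -Message 'Domain Admins account used for promotion'
    $dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

    # Assumed: F: is a separate data disk with host caching disabled, so the
    # directory database and logs are not on a write-cached OS disk.
    $params = @{
        DomainName                    = $DomainName
        SiteName                      = $CloudSite
        InstallDns                    = $true
        Credential                    = $cred
        SafeModeAdministratorPassword = $dsrm
        DatabasePath                  = 'F:\NTDS'
        LogPath                       = 'F:\NTDS'
        SysvolPath                    = 'F:\SYSVOL'
    }

    # Dry run first: reports prerequisite failures without changing anything.
    $check = Test-ADDSDomainControllerInstallation @params
    if ($check.Status -ne 'Success') { $check | Format-List; throw 'Prerequisite check failed' }

    Install-ADDSDomainController @params -Force   # reboots on completion
}

# After the reboot, confirm that a DC is discoverable in the cloud site:
#   Get-ADDomainController -Discover -SiteName $CloudSite
```

Run `Register-CloudSite` first from an on-premises DC, then `Add-CloudReplicaDC` on the cloud VM; the final `Get-ADDomainController -Discover -SiteName` call is the check that the new DC is advertising itself in the intended site rather than in the on-premises one.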
Windows Azure Active Directory
This method uses Windows Azure Active Directory, a cloud-based authentication service that is similar to on-premise Active Directory but primarily intended for new applications developed for the cloud. Azure AD combines core directory services, advanced identity governance and application access management. Azure AD also offers a rich, standards-based platform that enables developers to deliver access control to their applications, based on centralized policy and rules.
Active Directory fingerprint login for cloud
Extending Active Directory to the cloud with a site-to-site VPN provides all the capabilities of on-premise Active Directory in the cloud. Setting up fingerprint scanning hardware for cloud applications becomes as easy as for on-premise applications, and follows the same integration steps as with on-premise AD. Azure Active Directory also supports Azure Multi-Factor Authentication (MFA), which you can use to make access to cloud-based applications and services more secure. This also helps protect Azure administrator accounts from compromise. It works with Office 365 and other SaaS applications as well, and can be built into your own applications with the SDK. MFA is available with Azure Active Directory Premium.
Once Active Directory is extended into the cloud, either on cloud VMs or by using Windows Azure Active Directory, fingerprint authentication can be set up for cloud applications just as for on-premise applications. Many existing on-premise applications expect Windows Server Active Directory to be available for identity management and authentication, and when migrating these applications to a virtual machine in the Windows Azure cloud, we'll need to continue to provide a Windows Server Active Directory infrastructure for these applications to keep working properly. This is exactly what Windows Server Active Directory on Windows Azure VMs allows us to do.
Taking Active Directory to the cloud is one of the challenges that organizations face when migrating to cloud services or applications. Fortunately, it has become fairly easy with the knowledge base provided by Microsoft to extend on-premise AD to the cloud, or to use Azure AD for cloud-first applications. Integrating biometric fingerprint authentication for cloud applications becomes easy to set up once AD is in the cloud.
Managing many network resources on a corporate network can be very complicated without a feature-rich and efficient network operating system. The directory service is an important component of a network OS, through which users can locate resources and services distributed throughout the network. This customizable information store also gives administrators a single point for managing its objects and their attributes. Now that services and applications are shifting towards cloud computing, IT managers as well as programmers face new challenges in keeping functionality and user experience intact during and after this shift.