Tag Archives: active directory

Active Directory Basics

New to Active Directory?  Just want some basic information?  A refresher?  Let’s start with some Active Directory basics.

What is Active Directory?

Active Directory is a collection of services used for centralized identity and access management for and to resources on a network. Active Directory stores and manages information about network resources. Continue reading Active Directory Basics

Get User Account Expiration Date

Our security team implemented a rule that all vendor user accounts must be reviewed and renewed every 30 days.  To facilitate this process, I created a script to automate retrieval of the expiration date of the vendor accounts based on the description and/or title fields which is where the company name of the vendor was stored.  The resulting .csv file was then used to review the accounts and to open a ticket for renewal of the current accounts. Continue reading Get User Account Expiration Date

Active Directory Federated Services Overview

  • Active Directory Federated Services (AD FS) is a server role for Windows Server 2008 (AD FS 1.1); AD FS v2 is a separate download.
  • No Schema update is required.
  • There is no additional licensing charge to use the product on top of the Windows Server license.
  • Deployment of AD FS requires at least two servers; one AD FS server in your environment and one AD FS server in the partner organization’s environment.
  • AD FS has fairly minimal usage requirements; the documentation calls for a single core 1GHz CPU with 1GB of RAM and 50MB of disk space.
  • AD FS also leverages certificates to establish its trusts and encapsulate the authentication information being exchanged with SSL.
  • From a client perspective, any browser that is relatively current and supports JavaScript should work without issue.
Federating with Office 365

AD FS version 2.0 must be used with Office 365 – earlier versions are not supported. The big differentiator for AD FS configuration in an Office 365 environment is that AD FS federation proxies must be used to allow clients to connect from outside the corporate network.  Microsoft recommends multiple servers in the AD FS configuration making up what’s referred to as an AD FS farm.

Active Directory Federated Services
On-premises / Office 365 identity exchange via AD FS
Microsoft Example of Federation

AD FS 2.0 Architecture

Microsoft IT achieves high availability in the AD FS 2.0 architecture through the implementation of mirrored systems located in cities on two different continents: Redmond, Washington in North America and Dublin, Ireland in Europe. This approach provides several advantages, including continuous service in the event of a server outage. For example, if something happens to servers in Redmond, users are redirected to the Dublin cluster and vice versa.

Figure 1 shows the AD FS 2.0 architecture.

Active Directory Federated Services \
Figure 1. AD FS 2.0 architecture

Note: The server requirements for an organization depend on the organization’s enterprise environment.

The AD FS infrastructure includes the following components:

  • Hardware load-balancer. The hardware load-balancer optimizes geographical load balancing among servers.
  • AD FS federation proxy servers. The AD FS federation proxy servers host the Federation Server Proxy role. These servers sit in the perimeter network in front of the AD FS federation servers. They allow users to access AD FS federation servers without requiring the federation servers to be exposed to a perimeter network or the Internet.
  • AD FS federation servers. The AD FS federation servers host the AD FS Federation Server role. These servers authenticate users against an account store and issue claims to the RP.
  • SQL Server database. Prior to AD FS 2.0, configuration data was stored in an XML file. With AD FS 2.0, the SQL Server database stores the AD FS configuration data. Microsoft IT leverages the AD FS SQL Server configuration database as a data source to provide overall metrics reporting for the service.
  • Automatic Failover. Automatic failover is accomplished by using SQL Server Synchronous Database Mirroring between the two clusters. In the event of a complete failure of the primary SQL Server cluster, the mirror automatically takes over as the primary database.

For more information about Active Directory Federation Services, visit the AD FS page at the Microsoft Technet site.