the client record. Note that if you attempt to create a new DNS zone on an RODC, you can
create only a standard primary, secondary, or stub zone. You can't create a new Active
Directory-integrated zone on an RODC.
Chapter Summary
AD LDS is based on LDAP and provides the functionality of AD DS without some of the
structural requirements, such as forests and domains. Multiple instances of AD LDS can
be created to support multiple directory-enabled applications.
AD LDS can be used for directory-enabled applications, directory consolidation, Web
application authentication, AD DS application development environments, and migration
of legacy X.500 applications.
AD FS allows single sign-on access to Web-based resources between business partners and
in other situations when a single sign-on to diverse Web-based resources is needed. Most
business-to-business AD FS environments involve a federation trust between an account
partner and a resource partner.
An AD FS installation involves four role services: Federation Service, Federation Service
Proxy, and two AD FS Web agents, Claims-aware and Windows token-based.
AD RMS extends document security beyond file system permissions. It can restrict not
only who can access a document, but also what users can do with a document after
accessing it. The AD RMS role requires an AD RMS-enabled application to work.
AD RMS consists of two distinct actions: publication of AD RMS-protected documents
and access of these documents by AD RMS-enabled clients. An AD RMS deployment
involves an AD RMS server, an AD RMS database server, an AD DS domain controller,
and an AD RMS-enabled client computer.
RODCs were developed to provide secure Active Directory support in branch office installations where physical server security is weak and there are no on-site server administrators.
Before installing an RODC, make sure there's a writeable Windows Server 2008 DC the RODC can replicate with. The forest functional level must be at least Windows Server 2003, and you must run adprep /rodcprep (as a member of Enterprise Admins) if the forest functional level isn't Windows Server 2008.
Replication on an RODC is unidirectional, so changes made on a compromised RODC can't replicate back to writeable DCs, and user passwords aren't stored on the RODC by default. You can configure credential caching (the RODC's Password Replication Policy) if you want the RODC to store passwords of selected users locally; privileged accounts such as Domain Admins are denied caching by default. Additionally, you can use administrator role separation to assign administrative roles to local users, but the assigned rights and permissions don't extend beyond the RODC.
If the DNS Server role is installed on an RODC, Active Directory-integrated zones stored
on the RODC are read only, but client computers can use the DNS server for DNS queries.
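The RODC preparation and hardening steps summarized above, as an added example that is not part of the textbook. It assumes a machine with the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) run by an Enterprise Admin; the names RODC01, "Branch Users", CONTOSO\bsmith and the D:\sources\adprep path are hypothetical, and the last step assumes dsmgmt accepts inline commands the way ntdsutil does.

```powershell
# Added example, not from the textbook: check the RODC prerequisites, configure
# credential caching (Password Replication Policy), list what is actually cached,
# and set up administrator role separation.
# Hypothetical names: RODC01, the "Branch Users" group, CONTOSO\bsmith, D:\sources\adprep.
Import-Module ActiveDirectory

# 1. Prerequisites: forest functional level at least Windows Server 2003, and at
#    least one writable DC running Windows Server 2008 or later to replicate from.
$forest = Get-ADForest
$tooLow = @('Windows2000Forest', 'Windows2003InterimForest')
if ($tooLow -contains "$($forest.ForestMode)") {
    throw "Forest functional level $($forest.ForestMode) is below Windows Server 2003"
}
$writable = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    Where-Object { $_.OperatingSystem -match 'Server (2008|20[1-9][0-9])' }
if (-not $writable) {
    throw 'No writable Windows Server 2008 (or later) DC found for the RODC to replicate from'
}
# adprep /rodcprep grants the permissions an RODC needs on the application directory
# partitions. Following the summary's rule: run it unless the forest is already at
# the Windows Server 2008 level. Path to the Server 2008 media is an assumption.
if ("$($forest.ForestMode)" -ne 'Windows2008Forest') {
    & 'D:\sources\adprep\adprep.exe' /rodcprep
}

# 2. Credential caching. Only accounts in the Allowed list are cached on the RODC;
#    privileged groups stay in the Denied list (the default Denied RODC Password
#    Replication Group). Keep the Allowed list to branch users and their computers.
Add-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -AllowedList 'Branch Users'
Get-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -Allowed |
    Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -Denied |
    Select-Object Name

# Accounts whose password hashes really are on the RODC's disk. This is the list to
# reset if the RODC is lost or stolen; "allowed" is not the same as "cached".
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity RODC01 -RevealedAccounts |
    Select-Object Name, ObjectClass
# Accounts that authenticated through RODC01 but are not cached (candidates for Allowed):
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity RODC01 -AuthenticatedAccounts |
    Select-Object Name

# 3. Administrator role separation: run this on RODC01 itself. bsmith becomes a local
#    administrator of the RODC (can patch it and manage its services) without rights
#    on other DCs or in the domain. Assumes dsmgmt takes inline commands like ntdsutil.
dsmgmt 'local roles' 'add CONTOSO\bsmith administrators' 'show role administrators' quit quit
```

The RevealedAccounts list is the practical check: membership in the Allowed list only permits caching, while the revealed list shows which credentials would actually be exposed if the branch server were stolen, and therefore which accounts need a password reset after a loss.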
Key Terms
account partner In a federation trust, the trusted company whose users access resources of the trusting company (the resource partner). See also resource partner.
AD LDS instance A copy of Active Directory Lightweight Directory Services running on a
server that has its own data store and communication ports and a unique service name.
AD RMS root cluster One or more servers configured with the AD RMS server role. Multiple
servers can be used for redundancy and load balancing.
ADFS-enabled Web servers Web servers that host an AD FS Web agent.
administrator role separation A feature available for RODCs in which a user can be granted
local administrative rights on the RODC without needing broader domain administrator
capabilities.
claim A statement about a user (such as identity, group membership, or a custom attribute) that both parties in a federation trust agree on and that the resource partner uses to make authorization decisions.