Archive for January 5, 2011


Active Directory is Microsoft’s implementation of a directory service. A directory service holds information about resources within the domain. Resources are stored as objects and include users, computers, groups, printers, and more.

In Windows Server 2008, five different server roles support Active Directory:


>Active Directory Domain Services

>Active Directory Certificate Services

>Active Directory Federation Services

>Active Directory Lightweight Directory Services

>Active Directory Rights Management Services


The primary role is Active Directory Domain Services. The other roles add to the capabilities of Active Directory. Objects include users, computers, groups, and more. The Active Directory database is stored only on servers holding the role of domain controllers.


A significant benefit of using Active Directory Domain Services is that it enables you as an administrator to manage desktops, network servers, and applications all from a centralized location.



A read-only domain controller (RODC) hosts a read-only copy of the Active Directory database. This is somewhat of an untrue, because changes can be made to the database. However, the changes can come only from other domain controllers, and the entire database isn’t replicated; instead, only a few select objects are replicated.


Usually, domain controllers are considered peers where they are all equal (with a few exceptions). Any objects can be added or modified such as adding a user or a user changing their password on any domain controller. These changes are then replicated to other domain controllers. However, with RODCs, changes to the domain controller can come only from other domain controllers. Moreover, the changes are severely restricted to only a few select objects.


The huge benefit of the RODC is that credentials of all users and computers in Active Directory are not replicated to the RODC. This significantly improves the security of domain controllers that are placed at remote locations.


Network Access Protection (NAP) is an added feature that can help protect your network

from remote access clients. NAP helps you protect the network from the clients.

Within a local area network (LAN), you can control client computers to ensure they are safe and healthy. You can use Group Policy to ensure that it’s locked down from a security perspective and that it is getting the required updates. Antivirus and spyware software can be pushed out, regularly updated and run on clients. You can run scripts to ensure that all the corporate policies remain in place.


However, you can’t control a client accessing your network from a hotel or someone other Place. It’s entirely possible for a virus-ridden computer to connect to your network and cause significant problems. The solution is NAP, which is a set of technologies that can be used to check the health of a client. If the client is healthy, it’s allowed access to the network. If unhealthy, it’s quarantined and allowed access to remediation servers that can be used to bring the client into Compliance with the requirements. Health policies are determined and set by the administrator.


In the network you  use Windows Software Update Services (WSUS) to approve and  install the updates on clients. Since the VPN client isn’t in the network, they might not have the required updates. The client would be quarantined, and a WSUS server could be used as a remediation server to push the updates to the client. Once the updates are installed, the client could be rechecked and issued a health certificate and then granted access to the network.