The latest version of Active Directory (AD) in Windows Server 2008 R2
Not much is known about what Microsoft is calling Next Generation Active Directory, which isn't due out for a few years. The company has said it is working on an add-on for the existing Active Directory that will allow integration with Microsoft's identity management software and other technologies. It will also include a SQL-like front-end for directory information, according to Laura Hunter, an AD architect, author and principal of LHA Consulting Inc.
"This is happening with an eye towards aligning with the claims-based model, a la [Active Directory Federation Services] ADFS, where managing identity can be abstracted away from the applications that are consuming those identities," Hunter said.
Microsoft delivered the release candidate test build of Active Directory Federation Services 2.0 on Dec. 18 and is scheduled to deliver the final version within the first quarter of this year.
With a claims-based identity model, applications such as SharePoint won't need to know or care if a user was authenticated from AD, from OpenID or from some custom authentication store; all the application knows is that it's being presented with claims -- basically SAML tokens transmitted in a standards-based format. The application makes its authorizations based on those claims, Hunter explained.
"This layer of abstraction lets admins and developers construct claims that would be very difficult to obtain natively out of AD in the way we're currently familiar with doing so," Hunter said. "Imagine an app that can make an authorization decision based on 'Is the user less than 21 years old?' or 'Can the user approve an expense report for Joe Smith?' [It is] very difficult, if not impossible, to make these kinds of decisions today by querying Active Directory directly."
Hunter said the expected integration improvements will be appreciated by users.
"Probably the biggest thing that could happen in upcoming versions that would make admins happy would be better integration with supporting technologies, most notably PKI," Hunter said. "So many Microsoft technologies have taken a dependency on PKI -- IPsec and [Systems Center Configuration Manager] to name two major ones -- where admins need to be able to deploy an 'internal-only' PKI in a way that doesn't make them want to eat their own young."
Active Directory single sign-on
In addition to smoother integration, a single sign-on capability would be an appreciated time saver, said Michael Cherry, an analyst at Directions on Microsoft in Kirkland, Wash. "There are so many areas that I have to sign on to again and again. It would be great if I didn't have to keep doing that."
Workflow capabilities would also be a boon to Active Directory, said Jeffery Hicks, a Microsoft MVP and head of Jamesville, N.Y.-based JDH Information Technology Solutions.
"When I create a new user in a sales organization, they need to be set up in certain shared folders, certain groups and permissions. I would like to see some workflow capabilities added into AD so that I can easily provision new users," said Hicks, who uses many versions of Active Directory, including the most recent features for Windows Server 2008 R2.
It is possible to create that type of capability using Windows PowerShell scripting, Hicks said, "but a built-in workflow for managing things stored in AD, beyond just passwords, would be tremendously useful for users that don't have the time or the scripting skills."
Hicks added, "There are things that are easy to do if you know how to run PowerShell commands, and I am sure there are third-party tools you can buy for the things that aren't. But for people who don't work for Fortune 500 companies, and without the budget for those tools, having some built-in features would be nice."
Michael Kline, an IT pro who writes a blog about Active Directory, concurred that buying third-party tools is a problem for many customers.
Kline supports a federal agency using Windows Server 2003 domain controllers and plans to roll out Windows Server 2008 R2 this year. He said he's like to see a better delegation model and controls that match the functionality of third-party provisioning tools on the market such as NetIQ Directory and Resource Administrator and Quest's ActiveRoles Server.
"I'm not saying build something to try and make those tools obsolete, [but] just something better than what is there now," Kline said. "Sort of how we have [Advanced Group Policy Management] for Group Policy."
Suggestions aside, IT pros interviewed for this article said the latest version of Active Directory with Windows Server 2008 R2 has many important features that they hope Microsoft continues to build upon.
"What they have done so far is important and it is better, but certain areas are still bizarrely complex," Cherry said. "Making Active Directory processes a bit easier to work with would certainly be good for users."
Let us know what you think about the story; email Bridget Botelho, News Writer