The first thing that struck me was how many good resources are available for learning Microsoft’s PKI. Back in 2000 when I first installed a Microsoft CA (Certificate Authority) there didn’t seem to be enough detailed information and over the past eleven years I have only had infrequent occasions to use the software. At this point I want to recommend Brian Komar’s book Windows Server 2008 PKI and Certificate Security (I got the Kindle version for about $39). I also wanted to mention Vadim Podans’ white paper on PKI and using the Quest AD Commandlets to managed. You can download the white paper here and you can get the latest version of the AD CMDLETS here.

I also wanted to give a special thanks to Chen and John from SafeNet for hooking me up with SafeNet middle-ware tools (above) and smart cards that I used for to prep for the session. The software was both intuitive and easy to deploy.

1. Purpose Built for Active Directory -Unlike other solutions, ActiveRoles was purpose built for Active Directory while other solutions were built to manage the Windows NT account database.  Because solutions originally built for Windows NT could only be retrofitted to perform AD management they are not able to take advantage of core AD features many of which are discussed in this brief.
    
2. Integrated and timely support for key Microsoft platforms -Active Directory, Exchange, ADLDS SharePoint, ADSI and PowerShell are critical platform components that must be supported. While other products may take years to support the latest versions of these products, ActiveRoles typically supports them on the day they are released or at a maximum of 60 days post release.
    
3. Compatibility with Active Directory’s Security Model – The Active Directory permission model is based on a set of Access Control Lists that link directory rights to delegate trustees allowing the delegated admin to exercise those rights to perform some task in AD. Unlike ActiveRoles Server, most solutions require the use of a proprietary permission that have little or no understandable correlation to AD rights they grant. When the ActiveRoles service starts, the service creates a virtualized version of the AD rights used in the ACLs and then extends the list with several virtual permissions. To the person administrating security in ActiveRoles they seen an almost identically list of rights with the same look and feel of the native AD rights. ActiveRoles Server also has the added advantage of combining these rights into Roles for clarity and accuracy of security assignment and easy delegation of administration. A side benefit of compatibility with the Active Directory Security Model is the vast knowledge available on how AD permissions work and which permissions are required to perform specific tasks.
    
4. Compatibility with Active Directory Service Connection Points – A standard Active Directory service known as Service Connection Points (SCPs) allow applications to inform Active Directory of the applications presence in the enterprise. It is important to note that SCPs require no agents, customer configuration or changes to Active Directory. When the ActiveRoles Service executes it registers an SCP so that any console or web UI can locate the service instantly.
    
5. Compatibility with Active Directory’s DirSync service – A standard Active Directory services known as DirSync allow applications to instantly see what changes are happening within AD. This is the same service Domain Controllers use to exchange change information to determine what items need to be replicated. . It is important to note that the DirSync service requires no agents, customer configuration or changes to Active Directory. The ActiveRoles service listens to the DirSync service for changes made directly to Active Directory that may require ActiveRoles to perform some action such as enforce a group’s membership or send a change notification.
    
6. Virtual Unified Schema – Unlike other solutions that use a fixed schema and won’t recognize schema extensions, ActiveRoles uses a virtual unified schema built from the schemas of the domains being managed. When the ActiveRoles service starts it reads the schema of each domain being managed and adds that schema the ActiveRoles unified virtual schema. This unified virtual schema also includes any schema extensions that may be present in a particular domain so that applications that require data be populated during user provisioning or cleared during user deprovisoning can be supported. ActiveRoles also adds a set of virtual attributes to allow for more granular delegation over attributes or to allow other data not stored in AD to be associated with an object.
    
7. Real-time vs. Cached Data -To avoid the chance that two administrators open an AD object and view different information the retrieval of AD data must be done without caching of the data. Unlike many solutions that either load object data into a cache or into a separate database before an administrator accesses the object,  the ActiveRoles service retrieves the data in real-time.
    
8. Security Integrated Workflow -The role based delegation of administration provided by ActiveRoles Server not only allows the customer to control what AD operations each administrator, help desk admin or end user can perform it also provides the security context for change approval and workflow. By integrating a workflow engine and workflow editor directly into ActiveRoles, the customer avoids the need to configure and maintain multiple products and maintain multiple delegation models.
    
9. Unified Storage -Unlike other solutions that may require both Microsoft SQL and Microsoft AD LDS or Microsoft Access, ActiveRoles requires only Microsoft SQL Server for operation. Both ActiveRoles Configuration and reporting utilize Microsoft SQL Server. Less moving parts make ActiveRoles is simpler to deploy and maintain.
    
10. Embedded Extensibility - Because no off the shelf product will meet every need a customer may have the ability for the solution to be extended easily and in a maintainable way. In addition to both an external ADSI and PowerShell interface, ActiveRoles provides an embedded script editor, script library directly in the product so that the system can run a script in response to some event such as when a user performs an operation in Active Directory.

Set-QADInactiveAccountsPolicy

 Set the current user preference on what accounts to consider inactive by default.

Syntax

Two things of which you should be aware regarding AD CMDLETS & ActiveRoles Server:

1) If you try to install the 1.3 version of the cmdlets on a server running any version other than 6.5 you will get an error that warns you of the incompatibility.

2) If you try using the 1.3 version of the cmdlets to connect to a server running any version other than ActiveRoles Server 6.5 you will recieve an error.

To download the new version go to: http://www.quest.com/powershell/activeroles-server.aspx