Windows Server 2022 & Powershell All-in-One For Dummies. Sara Perrott
Active Directory Federation Services
Active Directory Federation Services (AD FS) can provide single sign-on capabilities to organizations that are utilizing AD DS. It allows those with an Active Directory account to use that account on applications that are outside the boundaries of their Active Directory (for example, a web application hosted by a business partner), or applications that don’t rely on Active Directory accounts for authentication at all. By creating a federation (the sharing of identity information), the user can be authenticated via his company’s Active Directory and can then be authenticated to the business partner’s web application with a claim. The business partner simply has to configure their web application to trust the incoming claims.
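The partner-side trust described above is configured on the AD FS server as a relying party trust, and the two rule sets attached to it decide who gets a token and which claims it carries. The following is an added example written for this page, not code from the book: it assumes the AD FS role and its ADFS PowerShell module are installed on the server you run it on, and the partner name, metadata URL and group SID are placeholders you replace with your own.

```powershell
# Added example (not from the book): register a partner web application as a
# relying party trust and control which claims it receives.
# Assumptions: run on the AD FS server as an administrator with the ADFS module
# available; $partnerName, $partnerMetadata and $allowedGroupSid are placeholders.

Import-Module ADFS

$partnerName     = 'Partner Expense App'                                  # placeholder
$partnerMetadata = 'https://expenses.partner.example/FederationMetadata/2007-06/FederationMetadata.xml'  # placeholder
$allowedGroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'       # placeholder SID of an "Expense Users" group

# Issuance transform rules: which AD DS attributes become claims the partner sees.
# Only mail and UPN are released; nothing else about the user leaves the forest.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Release email and UPN from AD DS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: only members of one security group get a token for
# this partner at all. Everyone else is denied before any claim is issued.
$authorizationRules = @"
@RuleName = "Permit only the Expense Users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$allowedGroupSid`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Create the trust from the partner's published metadata (endpoints, signing cert)
# and keep it refreshed automatically when the partner rotates certificates.
Add-AdfsRelyingPartyTrust -Name $partnerName -MetadataUrl $partnerMetadata `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -AutoUpdateEnabled $true -MonitoringEnabled $true

# Review what was created: identifiers, state and the authorization rules.
Get-AdfsRelyingPartyTrust -Name $partnerName |
    Select-Object Name, Identifier, Enabled, AutoUpdateEnabled, IssuanceAuthorizationRules
```

The authorization rule is the part worth reviewing periodically: without it, every authenticated user in the forest can obtain a token for the partner application, so scoping issuance to a group keeps the federation on a least-privilege footing.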
Active Directory Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP)–based directory service similar to AD DS. It’s designed to be used with directory-enabled applications, and it’s especially handy for an organization that may want to establish a directory of customer accounts, but keep that directory separate from the organization’s AD DS infrastructure.
It can be used as an identity provider with AD FS for both authentication and the generation of claims to web applications that are configured to understand federation.
Active Directory Rights Management Services
Active Directory Rights Management Services (AD RMS) allows businesses to create and enforce policies to protect their data. The rules are created on the AD RMS server but continue to protect documents even if they leave the premises. For example, you can set the policy to allow documents to only be accessible for a brief amount of time, after which the recipient can no longer open them. You can take away the ability to print the document or copy text out of it with copy/paste.
AD RMS is not perfect. It won’t prevent someone from taking a screenshot of the data in a sensitive document (there aren’t many rights management products that can prevent this activity). Plus, the applications on the client side must support RMS. The functionality exists in the Microsoft Office suite of applications, SharePoint, and Exchange Server. You can also make Internet Explorer compatible with an add-on.
Device Health Attestation
The Device Health Attestation role was added in Windows Server 2016. It gives administrators a way to verify that a device is healthy as it boots. It can measure several different settings and is configured with whichever settings the system administrator or network administrator wants to track. This role is often used for systems to validate that they’re safe before they’re allowed to connect through remote access services like DirectAccess or other virtual private network (VPN) services.
The settings Device Health Attestation can validate include the following:
Is BitLocker enabled?
Is Early Launch Anti-Malware (ELAM) enabled?
Is Secure Boot enabled?
Is Code Integrity enabled?
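Before enrolling clients in Device Health Attestation, an administrator usually wants a quick local read of the same four settings. The script below is an added example for this page, not code from the book or from Microsoft: it uses the operating system's own view of each setting rather than the TPM measured-boot log that the attestation service evaluates, so it is a sanity check, not an attestation. It assumes it runs as an administrator with the BitLocker and SecureBoot modules present, and that Windows Defender's ELAM driver (service name WdBoot) is the early-launch anti-malware driver in use; substitute your vendor's driver name otherwise.

```powershell
# Added example (not from the book): local pre-check of the four settings the
# chapter lists. Assumptions: run elevated; BitLocker and SecureBoot modules are
# available; WdBoot is the ELAM driver in use (assumption, override via -ElamDriver).

function Get-LocalDeviceHealth {
    [CmdletBinding()]
    param([string]$ElamDriver = 'WdBoot')

    # BitLocker: the OS volume must be fully encrypted with protection switched on.
    $osVolume    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitLockerOn = ($osVolume.ProtectionStatus -eq 'On') -and ($osVolume.VolumeStatus -eq 'FullyEncrypted')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines, where
    # Secure Boot is not available anyway, so treat an exception as "off".
    try   { $secureBootOn = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBootOn = $false }

    # ELAM: kernel drivers are not listed by Get-Service, so read the service key.
    # Start = 0 means the driver is configured as a boot-start driver.
    $elamKey = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ElamDriver" -ErrorAction SilentlyContinue
    $elamOn  = ($null -ne $elamKey) -and ($elamKey.Start -eq 0)

    # Code Integrity: query the Device Guard WMI class. Enforcement status 2 means a
    # configurable code integrity policy is enforced (1 = audit only, 0 = off).
    # This is a stricter test than plain kernel-mode driver signing enforcement.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $codeIntegrityOn = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        BitLocker     = $bitLockerOn
        SecureBoot    = $secureBootOn
        ELAM          = $elamOn
        CodeIntegrity = $codeIntegrityOn
        Healthy       = $bitLockerOn -and $secureBootOn -and $elamOn -and $codeIntegrityOn
    }
}

# Print the report and exit non-zero when any check fails, so the script can gate
# a VPN-connect scheduled task or a deployment step the way DHA gates remote access.
$report = Get-LocalDeviceHealth
$report | Format-List
if (-not $report.Healthy) { exit 1 }
```

A client that passes this check can still fail attestation, because DHA compares what the TPM recorded at boot with the current state; a client that fails it will certainly fail attestation, which makes the script useful for triage when a remote-access connection is refused.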
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is a system administrator’s best friend for sure. Without DHCP, you had to manually assign an IP address to every system and track which addresses were in use. DHCP automates that process: it hands out IP addresses to systems on a lease basis. When the lease reaches 50 percent of its configured duration, the client asks the DHCP server to renew the address. If a system needs to keep the same IP address, you can set a reservation for that address; for as long as the system in question has the same network interface card, it will get the same IP address. As an additional bonus, you can set DHCP options for each scope that is defined. These options may tell the systems in the scope where to find their gateway, their DNS servers, an imaging server, and so on.
If you’re interested in finding out more about DHCP, check out Book 2, Chapter 5, where I cover installing DNS and DHCP. Be sure to also check out Book 2, Chapter 6.
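The scope, options and reservation just described can all be created from PowerShell with the DhcpServer module. The script below is an added example for this page, not code from the book: it assumes the DHCP Server role and its module are installed on the server it runs on, and the subnet, gateway, DNS servers, MAC address and lease length are constructed values chosen for illustration.

```powershell
# Added example (not from the book): one DHCP scope with an exclusion range,
# scope options and a reservation. Assumptions: run on the DHCP server as an
# administrator with the DhcpServer module; all addresses are constructed.

Import-Module DhcpServer

$scopeId = '192.0.2.0'            # constructed subnet (RFC 5737 documentation range)
$lease   = New-TimeSpan -Days 8

# 1. The scope: the pool of addresses clients can lease, with an 8-day lease.
Add-DhcpServerv4Scope -Name 'Floor 2 workstations' `
    -StartRange '192.0.2.20' -EndRange '192.0.2.200' `
    -SubnetMask '255.255.255.0' -LeaseDuration $lease -State Active

# Keep 192.0.2.1-19 out of the pool for infrastructure that is addressed by hand.
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange '192.0.2.1' -EndRange '192.0.2.19'

# 2. Scope options: what a client learns along with its address. Option 3 is the
#    router, 6 the DNS servers, 15 the DNS suffix; option 66 names a boot (imaging)
#    server for PXE clients.
Set-DhcpServerv4OptionValue -ScopeId $scopeId `
    -Router '192.0.2.1' -DnsServer '192.0.2.10', '192.0.2.11' -DnsDomain 'corp.example'
Set-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 66 -Value '192.0.2.15'

# 3. A reservation: a printer that must always receive 192.0.2.50. The client ID
#    is its MAC address, so the reservation follows the NIC, not the hostname.
Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress '192.0.2.50' `
    -ClientId '00-11-22-33-44-55' -Name 'PRN-FLOOR2' -Description 'Floor 2 printer'

# 4. Verify, and show when a client will first try to renew (50% of the lease).
$scope   = Get-DhcpServerv4Scope -ScopeId $scopeId
$renewAt = New-TimeSpan -Seconds ($scope.LeaseDuration.TotalSeconds / 2)
"Scope $($scope.Name): lease $($scope.LeaseDuration), clients renew after $renewAt"
Get-DhcpServerv4OptionValue -ScopeId $scopeId  | Format-Table OptionId, Name, Value
Get-DhcpServerv4Reservation -ScopeId $scopeId | Format-Table IPAddress, ClientId, Name
```

The exclusion range is the step people forget: without it, a statically addressed gateway or DNS server inside the scope can be leased to a workstation, and the resulting duplicate address looks like an outage rather than a configuration mistake.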
Domain Name System
Domain Name System (DNS) is a very useful service that helps map hostnames to IP addresses. It’s because of DNS that you can type www.dummies.com in your web browser, which is really easy to remember, instead of having to remember an IP address like 13.32.254.23. Let’s face it, the human brain remembers words and phrases better than numbers.
DNS can resolve hostnames to IP addresses, and it can also do reverse lookups, which map IP addresses back to hostnames. When you’re working with network devices that report only IP addresses, this can be extremely useful.
If you’re interested in finding out more about DNS, check out Book 2, Chapter 5, where I cover installing DNS and DHCP. Be sure to also check out Book 2, Chapter 6. In addition, there is a whole section on securing your DNS infrastructure in Book 5, Chapter 7.
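The forward and reverse lookups described above each need their own zone on the server, and a host record is only complete when both directions agree. The script below is an added example for this page, not code from the book: it assumes the DNS Server role and its DnsServer module are installed on an AD DS domain member server it runs on, and the zone name and addresses are constructed, not the book's.

```powershell
# Added example (not from the book): a forward and a reverse lookup zone, one host
# record with its matching PTR, and the two lookups that prove both directions.
# Assumptions: run on the DNS server as an administrator with the DnsServer module;
# zone name and addresses are constructed.

Import-Module DnsServer

$zone        = 'corp.example'      # constructed forward zone
$hostName    = 'fileserver01'
$hostAddress = '192.0.2.30'        # constructed address

# Forward zone (names -> addresses) stored in AD DS and replicated to every DNS
# server in the domain, plus a reverse zone (addresses -> names) for 192.0.2.0/24.
# Reverse zones are named from the network, hence -NetworkId. Secure dynamic
# updates mean only authenticated domain members can register or change records.
Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure
Add-DnsServerPrimaryZone -NetworkId '192.0.2.0/24' -ReplicationScope Domain -DynamicUpdate Secure

# One A record; -CreatePtr writes the matching PTR into the reverse zone so the
# two never drift apart.
Add-DnsServerResourceRecordA -ZoneName $zone -Name $hostName -IPv4Address $hostAddress -CreatePtr

# Verify both directions against this server's own DNS service.
$forward = Resolve-DnsName -Name "$hostName.$zone" -Type A   -Server '127.0.0.1'
$reverse = Resolve-DnsName -Name $hostAddress       -Type PTR -Server '127.0.0.1'
"$hostName.$zone -> $($forward.IPAddress)"
"$hostAddress -> $($reverse.NameHost)"
```

Creating the reverse zone before adding records matters: -CreatePtr silently does nothing when no reverse zone covers the address, which is how forward and reverse data end up disagreeing on many networks.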
Fax Server
The Fax Server role gives a server the ability to act as a fax machine, enabling users on the network to send and receive fax messages. The server handles the actual message transmission, so it requires a fax modem connected to a telephone line, as well as a network connection so that it can communicate with your users on the network.
This type of setup is far more efficient than having multiple physical fax machines hanging around the office. The coolest thing about this role is that it can be configured to send faxes to your users by email, and they can send an email or Word document to the server and have it faxed out.
File and Storage Services
The File and Storage Services role has quite a few components that you can install. By default, on a fresh install of Windows Server 2022, the Storage Services component is installed. None of the following components under File and iSCSI Services is installed:
File Server: Manages folder shares and lets users access those shares from the network.
BranchCache for Network Files: A bandwidth optimization technology that caches the contents of servers at your main site with servers at branch sites.
Data Deduplication: Saves disk space by eliminating duplicate data on drives; a single copy is left intact and links are put in place of the file in the other locations.
DFS Namespaces: Allows you to use a logical namespace to access groups of shared folders on different servers, but it appears to be a single folder with multiple subfolders to end users.
DFS Replication: Synchronizes folders across multiple servers.
File Server Resource Manager: Allows you to manage and classify data on your file servers.
File Server VSS Agent Service: Allows you to enable volume shadow copies on your system, which will take backup copies (snapshots) of your files and/or volumes even if something is using them.
iSCSI Target Server: Services and management tools for iSCSI targets. iSCSI allows you to send SCSI commands for storage over regular TCP/IP networks and enables organizations to have