Microsoft Active Directory® (AD) is a fundamental part of the identity infrastructure that many organizations use to authenticate users across Windows® domains. While Active Directory has numerous advantages, its limitations and complexities can make management and administration of multiple domains very complicated and often quite difficult. As your infrastructure becomes more complex, your Active Directory deployments and their relationships will become increasingly difficult to manage. While Microsoft often provides excellent tools to overcome many of the difficulties involved in handling complex domain environments, the tools will not always meet your requirements. For instance, while it is possible to allow for cross-domain authentication by configuring trust relationships across domains, this is not always practical. You may be working with 3rd parties to which you only need to provide a common authentication framework for a single application. Providing a complete trust relationship may be outside of your security requirements, too complex to implement and manage, and may have many other undesirable consequences.
Another common problem occurs even with a single domain because Microsoft Active Directory administrators are encouraged to store user data in separate organizational unit containers, so most Active Directory deployments have several branches within the directory. Some applications have no trouble with this, but many require all users to be found in one branch or create performance issues by querying the root of the tree. For these situations, a method is needed to flatten the directory structure and present it to applications as if all users were stored in a single place.
Schema changes under Active Directory are also notoriously complicated. To begin with, any schema change within a forest will affect all of the members of your forest. This may have dire consequences for applications working within specific areas of your organization. Furthermore, there is no possibility of rollback. A single error in a schema modification will affect your entire organization and short of reinstalling Active Directory and starting again, you will have no way to remove undesirable changes to the schema.
Finally, applications have a variety of encryption requirements that must be met before they can interact properly with Active Directory. Running TLS/SSL on an Active Directory server can adversely affect the performance of core infrastructure components, and is complicated to configure. Providing 3rd party access to your Active Directory systems may be necessary, but it is certain that you will need to encrypt communications. You could simply live with the performance hit, but a better approach would be to provide a TLS-enabled proxy in your DMZ that provisions exactly the level of access that you require.
In the same vein, while most Windows applications can take advantage of Kerberos to handle encryption and authentication within a domain, it is quite possible that you may want to provide access to applications that are not Kerberos capable. And of course, there is the possibility that you may want to provide cross-domain authentication and Single Sign-On facilities that would not normally be possible using your usual Active Directory configuration.
Solution
Symlabs Virtual Directory Server is a Swiss Army knife that can resolve all of these problems, and more, for Microsoft Active Directory administrators. It can consolidate data stored across multiple AD servers, establishing a single resource that provides authentication service for all members of a forest, or across multiple forests, eliminating any need to implement complicated trust relationships for AD servers. Configuration is very simple, and it can easily accommodate additional domains as an infrastructure scales. Plug-ins bundled with Symlabs Virtual Directory Server make routing automatic, regardless of the format applications use to authenticate. They also allow data contained in different organizational units or on different servers to be presented as a single merged container, so applications that expect a flat structure with all users in one domain work, even if users are really stored as discrete groups.
About Microsoft Active Directory
Active Directory is a registered trademark of Microsoft, Inc. An LDAP-based directory services product developed by Microsoft, Active Directory is a central component of the Windows platform that provides a means to manage identities and relationships that make up network environments. Active Directory Service is commonly used to manage the Windows® domain infrastructure.
Benefits
- Enable global authentication without any complex AD trust relationships
- Merge organizational unit containers to present a flat view of all users
- Fully integrate LDAP user management applications in an AD environment
- Facilitate simple user management and increase overall performance
