Microsoft Press, Transitioning Your MCSA/MCSE to Windows Server 2008 (2009), part 4

Lesson 2: Configuring Read-Only Domain Controllers CHAPTER 5 263
NOTE DO NOT BE TOO HASTY IN RAISING DOMAIN AND FOREST FUNCTIONAL LEVELS
It is easy to raise a functional level. It is difficult to reduce one; this requires a reinstall or a restore from backups taken at the lower functional level. If, for example, you raised the domain functional level to Windows Server 2008 and then found you needed to add a Windows Server 2003 domain controller to your domain, you have a serious problem. Similarly, if you raised your organization’s forest functional level to Windows Server 2008 and your organization acquired another that had a domain that included Windows Server 2003 domain controllers, you would have problems integrating your network. Raise functional levels only enough to enable the features you need.
MORE INFO DOMAIN AND FOREST FUNCTIONAL LEVELS
For more information about domain and forest functional levels, see http://technet.microsoft.com/en-us/library/cc754918.aspx.
RODCs require a forest functional level of Windows Server 2003 or higher. To determine the functional level of your forest, open Active Directory Domains And Trusts from the Administrative Tools group, right-click the name of the forest, choose Properties, and verify the forest functional level, as shown in Figure 5-12. Any user can verify the forest functional level in this way.
FIGURE 5-12 The Forest Properties dialog box.
264 CHAPTER 5 Configuring Active Directory Lightweight Directory Services and Read-Only Domain Controllers
If the forest functional level is not at least Windows Server 2003, examine the properties of each domain to identify any domains for which the domain functional level is not at least Windows Server 2003. If you find such a domain, ensure that all domain controllers in the domain are running Windows Server 2003. Open Active Directory Domains And Trusts, right-click the domain, and choose Raise Domain Functional Level.
When you have raised each domain functional level to at least Windows Server 2003, right-click the root node of the Active Directory Domains And Trusts snap-in and choose Raise Forest Functional Level. In the Select An Available Forest Functional Level drop-down list, choose Windows Server 2003 and click Raise. You must be a domain administrator to raise the domain’s functional level. To raise the forest functional level, you must be either a member of the Domain Admins group in the forest root domain or a member of the Enterprise Admins group.
Running adprep /rodcprep
If you are upgrading an existing forest to include domain controllers running Windows Server 2008, you must run adprep /rodcprep. This command configures permissions so that RODCs are able to replicate DNS application directory partitions. If you are creating a new Active Directory forest that contains only domain controllers running Windows Server 2008, you do not need to run adprep /rodcprep.
You can find the adprep command in the cdrom\Sources\Adprep folder of the Windows Server 2008 installation DVD. Copy the folder to the domain controller acting as the schema master, log on to the schema master as a member of the Enterprise Admins group, open an elevated command prompt, change to the Adprep folder, and enter adprep /rodcprep.
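The preparation checks just described (forest and domain functional levels, and whether adprep /rodcprep has completed) can be scripted so that they are repeated the same way before every RODC deployment. The following PowerShell script is an added example and is not code from the book. It uses only the [ADSI] type accelerator and System.DirectoryServices, so it runs on Windows Server 2008 without the later ActiveDirectory module, and any domain user can run it because it only reads the directory. It assumes, following Microsoft's adprep verification guidance, that rodcprep is complete when the Revision attribute of CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates in the configuration partition is 2. The function names are mine.

```powershell
# Added example: preflight checks before promoting the first RODC in a forest.
# Run on any domain-joined Windows Server 2008 host as a domain user.

# msDS-Behavior-Version values: 0 = Windows 2000, 2 = Windows Server 2003,
# 3 = Windows Server 2008. RODCs need a forest functional level of at least 2.
$MinimumLevel = 2

function Get-ForestFunctionalLevel {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $partitions = [ADSI]("LDAP://CN=Partitions," + $rootDse.configurationNamingContext)
    return [int]$partitions.'msDS-Behavior-Version'.Value
}

function Get-DomainFunctionalLevel([string]$DomainDn) {
    $domain = [ADSI]("LDAP://" + $DomainDn)
    return [int]$domain.'msDS-Behavior-Version'.Value
}

function Get-ForestDomainDns {
    # Domain partitions are the crossRef objects that carry FLAG_CR_NTDS_DOMAIN (0x2) in systemFlags.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://CN=Partitions," + $rootDse.configurationNamingContext)
    $searcher.Filter = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))"
    [void]$searcher.PropertiesToLoad.Add("nCName")
    foreach ($result in $searcher.FindAll()) { $result.Properties["ncname"][0] }
}

function Test-RodcPrep {
    # Assumption (Microsoft's adprep verification guidance): rodcprep has completed when this
    # marker object exists and its Revision attribute is 2. Binding throws if it does not exist.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $dn = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates," + $rootDse.configurationNamingContext
    try {
        $marker = [ADSI]("LDAP://" + $dn)
        return ([int]$marker.Revision.Value -ge 2)
    } catch {
        return $false
    }
}

function Test-RodcPrerequisites {
    $ok = $true
    $forestLevel = Get-ForestFunctionalLevel
    if ($forestLevel -lt $MinimumLevel) {
        Write-Warning "Forest functional level is $forestLevel; raise it to at least Windows Server 2003 (2)."
        $ok = $false
    }
    # The forest cannot be raised until every domain is at the target level, so report each one.
    foreach ($domainDn in Get-ForestDomainDns) {
        $level = Get-DomainFunctionalLevel $domainDn
        if ($level -lt $MinimumLevel) {
            Write-Warning "$domainDn is at domain functional level $level; raise it to at least 2 first."
            $ok = $false
        }
    }
    if (-not (Test-RodcPrep)) {
        Write-Warning "adprep /rodcprep has not completed in this forest."
        $ok = $false
    }
    return $ok
}

if (Test-RodcPrerequisites) { "Forest is ready for an RODC." } else { "Fix the warnings above before running dcpromo." }
```

Test-RodcPrerequisites returns $true only when all three conditions hold, so it can be dropped into a deployment runbook as a gate; the warnings name the specific domain or marker that is holding the deployment back.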

DNS Application Directory Partitions and Read-Only DNS
When DNS data is stored within AD DS directory databases, it is replicated by default with the directory data with which it is associated. You can also define a custom replication scope for DNS data. For example, DNS data that belongs to a root domain in a forest must be available to the entire forest, whereas DNS data for a specific domain is required only for that domain. You control DNS data replication scopes through DNS application directory partitions.
To support the RODC role, DNS has been updated to provide read-only DNS data for primary zones hosted on the RODC. This further secures the role and ensures that no one can create records from potentially unprotected servers to spoof the network. A DNS server running on an RODC does not support dynamic updates, but clients are able to use the DNS server to query for name resolution.
Because the DNS is read-only, clients cannot update records on it. If, however, a client wants to update its own DNS record, the RODC sends a referral to a writable DNS server. The single updated record will be replicated from the writable DNS server to the DNS server on the RODC. This is a special single object (DNS record) replication that keeps the RODC DNS servers up to date and gives the clients in the branch office faster name resolution.
The Schema Master Role
The domain controller holding the schema master role is responsible for making any changes to the forest’s schema. All other domain controllers hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, Microsoft recommends you do so on the domain controller holding the schema master role. Otherwise, the changes you request must be sent to the schema master to be written into the schema.
Placing the Writable Windows Server 2008 Domain Controller
An RODC must replicate domain updates from a writable domain controller running Windows Server 2008, and the RODC must be able to establish a replication connection with the writable Windows Server 2008 domain controller. Ideally, the writable Windows Server 2008 domain controller should be in the closest site, the hub site. If you want the RODC to act as a DNS server, the writable Windows Server 2008 domain controller must also host the DNS domain zone.
Quick Check
• Your domain consists of a central site and four branch offices. The central site has two domain controllers. Each branch office site has one domain controller. All domain controllers run Windows Server 2003. Your company decides to open a fifth branch office and you want to configure it with a new Windows Server 2008 RODC. What must you do before configuring the first RODC in your domain?
Quick Check Answer
• You must ensure that the forest functional level is Windows Server 2003. Then you need to upgrade one of the existing domain controllers to Windows Server 2008 so there is one writable Windows Server 2008 domain controller on the network. You must then run adprep /rodcprep on the writable Windows Server 2008 domain from the Windows Server 2008 installation DVD.
Installing an RODC
After you complete the preparatory steps, you can install an RODC on either a full or Server Core installation of Windows Server 2008. On a full installation of Windows Server 2008, you can use the Active Directory Domain Services Installation Wizard to create an RODC. You select Read-Only Domain Controller (RODC) on the Additional Domain Controller Options page of the wizard, as shown in Figure 5-13.
FIGURE 5-13 Creating an RODC with the Active Directory Domain Services Installation Wizard.
Alternatively, you can use the dcpromo command with the /unattend switch to create the RODC. On a Server Core installation of Windows Server 2008, you must use the dcpromo /unattend command. You can also delegate the installation of the RODC, which enables a user who is not a domain administrator to create the RODC, by adding a new server in the branch office and running dcpromo.
EXAM TIP
Remember that if you create an RODC by using delegated installation, the server must be a member of a workgroup, not of the domain.
Installing an RODC on Server Core
Microsoft recommends deploying RODCs that run on the Server Core installation whenever practicable. This improves the security of branch office domain controllers.
GUI tools are not available in Server Core, but you can use the dcpromo /unattend command at an elevated command prompt in exactly the same way as you can to install an RODC on a full Windows Server 2008 installation. The following example creates an RODC in the contoso.internal domain in the MyBranch site, creates a global catalog, and installs and configures the DNS Server service:
dcpromo /unattend /InstallDns:yes /confirmGC:yes
/replicaOrNewDomain:ReadOnlyReplica /replicaDomainDNSName:contoso.internal
/sitename:MyBranch /databasePath:"e:\ntds" /logPath:"e:\ntdslogs"
/sysvolpath:"f:\sysvol" /safeModeAdminPassword:P@ssw0rd
/rebootOnCompletion:yes
Alternatively, you can choose to use an answer file. In this case, first create your answer file by using a text editor, and then enter the command dcpromo /unattend:<path to answer file>. Your answer file would be similar to the following:
[DCInstall]
Username=Kim_Akers
Password=P@ssw0rd
UserDomain=contoso.internal
InstallDns=yes
ConfirmGC=yes
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.internal
Sitename=MyBranch
databasePath="e:\ntds"
logPath="e:\ntdslogs"
sysvolpath="f:\sysvol"
SafeModeAdminPassword=P@ssw0rd
RebootOnCompletion=yes
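Every entry in the answer file must be written as Key=Value, and the file holds the Directory Services Restore Mode password (and, if you include Password=, domain credentials) in clear text, so it should exist only for as long as dcpromo needs it. The following PowerShell 2.0 script is an added example, not code from the book: it generates the [DCInstall] section from a hashtable (rejecting keys that would produce malformed lines), restricts the file's ACL to the current user and SYSTEM, runs dcpromo /unattend against it, and deletes it afterwards. The setting values are the book's; the function names are mine, and the use of * for Password relies on dcpromo's documented behaviour of prompting for that entry. RebootOnCompletion is set to no here so that the cleanup runs before the reboot.

```powershell
# Added example: build a dcpromo answer file safely, run the unattended promotion, then remove
# the file because it contains the DSRM password in clear text.

function New-DcInstallAnswerFile {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Settings,
        [Parameter(Mandatory=$true)][string]$Path
    )
    foreach ($key in 'ReplicaOrNewDomain', 'ReplicaDomainDNSName', 'SafeModeAdminPassword') {
        if (-not $Settings.ContainsKey($key)) { throw "Answer file is missing the required key '$key'." }
    }
    $lines = @('[DCInstall]')
    foreach ($key in $Settings.Keys) {
        # A key such as "sysvolpath:" would be emitted as "sysvolpath:=..." and silently ignored.
        if ($key -match '[:=\s]') { throw "Key '$key' must not contain ':', '=' or whitespace." }
        $lines += ('{0}={1}' -f $key, $Settings[$key])
    }
    # ASCII avoids a byte-order mark in front of the [DCInstall] header.
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    # Drop inherited ACEs and grant access only to the current user and SYSTEM.
    & icacls.exe $Path /inheritance:r /grant:r "$($env:USERNAME):(F)" 'SYSTEM:(F)' | Out-Null
}

function Install-RodcUnattended([hashtable]$Settings) {
    $path = Join-Path $env:TEMP 'dcinstall.txt'
    New-DcInstallAnswerFile -Settings $Settings -Path $path
    try {
        $proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/unattend:$path" -Wait -PassThru
        return $proc.ExitCode
    } finally {
        # Runs whether dcpromo succeeded or failed, so the clear-text password never lingers.
        Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
    }
}

$rodcSettings = @{
    Username              = 'Kim_Akers'
    Password              = '*'                 # '*' makes dcpromo prompt instead of storing the password
    UserDomain            = 'contoso.internal'
    InstallDns            = 'yes'
    ConfirmGC             = 'yes'
    ReplicaOrNewDomain    = 'ReadOnlyReplica'
    ReplicaDomainDNSName  = 'contoso.internal'
    Sitename              = 'MyBranch'
    DatabasePath          = '"e:\ntds"'
    LogPath               = '"e:\ntdslogs"'
    SYSVOLPath            = '"f:\sysvol"'
    SafeModeAdminPassword = 'P@ssw0rd'          # the book's placeholder; use a strong DSRM password
    RebootOnCompletion    = 'no'                # reboot manually once the answer file is gone
}

$exitCode = Install-RodcUnattended $rodcSettings
"dcpromo exit code: $exitCode"
```

Because dcpromo with RebootOnCompletion=no returns control to the script, the finally block always removes the file; with RebootOnCompletion=yes the machine may restart before the cleanup runs, leaving the password on disk.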
MORE INFO SERVER CORE FEATURES
For more information about the features that you can install with a Server Core installation, see the Server Core documentation on Microsoft TechNet.
MORE INFO OPTIONS FOR INSTALLING AN RODC
For more information about RODC installation, including delegated installation, see “Step-by-Step Guide for Read-only Domain Controllers” at /windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true.
Password Replication Policy
PRP determines which users’ credentials can be cached on a specific RODC. If PRP allows an RODC to cache a user’s credentials, that user’s authentication and service ticket activities can be processed by the RODC. If a user’s credentials cannot be cached on an RODC, authentication and service ticket activities are referred to a writable domain controller by the RODC.
An RODC PRP is determined by two multivalued attributes of the RODC computer account. These attributes are known as the Allowed List and the Denied List. If a user’s account is on the Allowed List, the user’s credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If a user is on both the Allowed List and the Denied List, that user’s credentials will not be cached; the Denied List takes precedence.
Configuring Domain-Wide Password Replication Policy
To facilitate the management of PRP, Windows Server 2008 creates two domain local security groups in the Users container of AD DS. The first, named Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user’s credentials. If there are users whose credentials you want all domain RODCs to cache, add those users to the Allowed RODC Password Replication Group.
The second group is named Denied RODC Password Replication Group. It is added to the Denied List of each new RODC. If there are users whose credentials you want to ensure domain RODCs never cache, add those users to the Denied RODC Password Replication Group. By default, this group contains security-sensitive accounts that are members of groups such as Domain Admins, Enterprise Admins, and Group Policy Creator Owners.
NOTE CACHING COMPUTER CREDENTIALS
In addition to branch office users, branch office computers also generate authentication and service ticket activity. To improve performance of systems in a branch office, allow the branch RODC to cache both user and computer credentials.
Configuring an RODC-Specific Password Replication Policy
The Allowed RODC Password Replication Group and Denied RODC Password Replication Group provide a method of managing PRP on all RODCs. However, you typically need to allow the RODC in each branch office to cache user and computer credentials for that specific location. Therefore, you must configure the Allowed List and the Denied List of each RODC.
To configure an RODC PRP, open the properties of the RODC computer account in the Domain Controllers OU. On the Password Replication Policy tab, shown in Figure 5-14, you can view the current PRP settings and add or remove users or groups from the PRP.
FIGURE 5-14 The Password Replication Policy tab of an RODC.
Administering Credentials Caching on an RODC
When you click the Advanced button on the Password Replication Policy tab, shown in Figure 5-14, the Advanced Password Replication Policy dialog box shown in Figure 5-15 appears. The drop-down list at the top of the Policy Usage tab enables you to select one of the following RODC reports:
• Accounts Whose Passwords Are Stored On This Read-Only Domain Controller. This report displays the list of user and computer credentials currently cached on the RODC. You can use this list to determine whether credentials are being cached that you do not want to be cached on the RODC and modify the PRP accordingly.
• Accounts That Have Been Authenticated To This Read-Only Domain Controller. This report displays the list of user and computer credentials that have been referred to a writable domain controller for authentication or service ticket processing. You can use this list to identify users or computers that are attempting to authenticate with the RODC. If any of these accounts are not being cached and you want them to be, add them to the PRP.
FIGURE 5-15 The Advanced Password Replication Policy dialog box.
The Resultant Policy tab of the Advanced Password Replication Policy dialog box enables you to evaluate the effective caching policy for an individual user or computer. Click Add to select a user or computer account for evaluation.
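The same evaluation the Resultant Policy tab performs can be reproduced from the directory data that backs it, which is useful for auditing many RODCs at once. The following PowerShell script is an added example and not code from the book. It reads the RODC computer object's Allowed List and Denied List, which are stored in the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes, expands the account's nested group membership through the constructed tokenGroups attribute, and applies the precedence rule stated earlier: a Denied List match wins, an Allowed List match permits caching, and an account on neither list is implicitly denied. It also reports whether the account's secrets are currently cached on that RODC, using msDS-RevealedDSAs on the account, which is the back link of the RODC's msDS-RevealedUsers attribute. The DNs at the bottom are constructed sample values for the book's contoso.internal lab, and the function names and the policy strings are mine.

```powershell
# Added example: compute the resultant password replication policy of one account on one RODC
# and check whether that account's credentials are cached there right now.

function Get-ObjectSid([string]$Dn) {
    $entry = [ADSI]("LDAP://" + $Dn)
    return (New-Object System.Security.Principal.SecurityIdentifier($entry.objectSid.Value, 0)).Value
}

function Get-AccountTokenSids([string]$AccountDn) {
    # tokenGroups is a constructed attribute, so it has to be requested explicitly.
    $entry = [ADSI]("LDAP://" + $AccountDn)
    $entry.RefreshCache(@('tokenGroups'))
    $sids = @(Get-ObjectSid $AccountDn)      # the account itself may be listed directly
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        $sids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
    return $sids
}

function Get-RodcListSids([string]$RodcComputerDn, [string]$Attribute) {
    # Both lists hold distinguished names; resolve each to a SID so they compare with tokenGroups.
    $rodc = [ADSI]("LDAP://" + $RodcComputerDn)
    return @($rodc.Properties[$Attribute] | ForEach-Object { Get-ObjectSid $_ })
}

function Get-RodcResultantPolicy([string]$RodcComputerDn, [string]$AccountDn) {
    $denied  = Get-RodcListSids $RodcComputerDn 'msDS-NeverRevealGroup'
    $allowed = Get-RodcListSids $RodcComputerDn 'msDS-RevealOnDemandGroup'
    $tokens  = Get-AccountTokenSids $AccountDn
    $deniedHits  = @($tokens | Where-Object { $denied  -contains $_ })
    $allowedHits = @($tokens | Where-Object { $allowed -contains $_ })
    # Denied List takes precedence over any Allowed List match.
    if ($deniedHits.Count -gt 0)  { return 'Deny (explicit: on the Denied List)' }
    if ($allowedHits.Count -gt 0) { return 'Allow (on the Allowed List)' }
    return 'Deny (implicit: on neither list)'
}

function Test-CachedOnRodc([string]$RodcComputerDn, [string]$AccountDn) {
    # msDS-RevealedDSAs lists the RODC computer objects currently holding this account's secrets.
    $entry = [ADSI]("LDAP://" + $AccountDn)
    $entry.RefreshCache(@('msDS-RevealedDSAs'))
    return [bool]($entry.Properties['msDS-RevealedDSAs'] | Where-Object { $_ -eq $RodcComputerDn })
}

# Constructed sample DNs for the book's lab; adjust to your own RODC and account.
$rodcDn = 'CN=BOSTON,OU=Domain Controllers,DC=contoso,DC=internal'
$userDn = 'CN=Jeff Hay,CN=Users,DC=contoso,DC=internal'
"{0}: {1}; cached now: {2}" -f $userDn, (Get-RodcResultantPolicy $rodcDn $userDn), (Test-CachedOnRodc $rodcDn $userDn)
```

Running Get-RodcResultantPolicy over every member of a branch group, or over every account that shows up in the Accounts That Have Been Authenticated report, gives a quick way to spot accounts that are being referred to the hub because they are implicitly denied, and to confirm that a privileged account added to the Denied RODC Password Replication Group is in fact denied on each RODC.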
You can also use the Advanced Password Replication Policy dialog box to prepopulate credentials in the RODC cache. If a user or computer is on an RODC Allowed List, the account credentials can be cached on the RODC, but not until the authentication or service ticket events cause the RODC to replicate the credentials from a writable domain controller. You can ensure that authentication and service ticket activity will be processed locally by the RODC even when the user or computer is authenticating for the first time by prepopulating credentials in the RODC cache for users and computers in the branch office. To prepopulate credentials, click Prepopulate Passwords and select the appropriate users and computers. Typically, you would do this if a new employee is starting work at a branch office (or if you know that a senior manager is visiting a branch office and will want to log on).
Administrative Role Separation
RODCs in branch offices can require maintenance such as the installation of an updated device driver. Additionally, small branch offices might combine the RODC with (for example) the file server role on a single computer, in which case it is important that a staff member at the branch office can back up the system. RODCs support local administration through a feature called administrative role separation. Each RODC maintains a local database of groups for specific administrative purposes. You can add domain user accounts to these local roles to enable support for a specific RODC.
You can configure administrative role separation by using the dsmgmt.exe command. To add a user to the Administrators role on an RODC, follow these steps:
1. Open an elevated command prompt on the RODC.
2. Type dsmgmt.
3. Type local roles.
4. At the local roles prompt, you can type ? to obtain a list of commands. You can also type list roles to obtain a list of local roles.
5. Type add username administrators, where username is the pre-Windows 2000 logon name of a domain user.
You can repeat this process to add other users to the various local roles on an RODC.
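The interactive dsmgmt session above can be driven from a script when the same local role has to be granted on many branch RODCs, and the result should be read back rather than assumed. The following PowerShell script is an added example, not code from the book. It assumes that dsmgmt, like ntdsutil, accepts each interactive command as a quoted command-line argument and that the local roles menu offers a show role <role> command that lists the members of a role; both are assumptions to confirm against ? on your own RODC. It must run from an elevated prompt on the RODC, the function names are mine, and Jeff_Hay is a constructed logon name for the book's Jeff Hay account.

```powershell
# Added example: grant a domain user a local administrative role on an RODC with dsmgmt and
# verify the membership afterwards.

function Invoke-DsmgmtLocalRoles([string[]]$Commands) {
    # Wrap the caller's commands in the menu navigation the book walks through by hand.
    $argList = @('local roles') + $Commands + @('quit', 'quit')
    $output = & dsmgmt.exe @argList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("dsmgmt exited with {0}:`n{1}" -f $LASTEXITCODE, ($output -join "`n"))
    }
    return $output
}

function Get-RodcLocalRoleMembers([string]$Role = 'administrators') {
    # Assumption: "show role <role>" prints the role's current members.
    return Invoke-DsmgmtLocalRoles @("show role $Role")
}

function Add-RodcLocalRoleMember {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,   # pre-Windows 2000 logon name
        [string]$Role = 'administrators'
    )
    # Refuse names with whitespace or quotes; dsmgmt would read them as extra tokens.
    if ($SamAccountName -notmatch '^[^\s"]+$') { throw "Unexpected characters in '$SamAccountName'." }
    [void](Invoke-DsmgmtLocalRoles @("add $SamAccountName $Role"))
    # Read the role back and fail loudly if the account is not listed.
    $members = Get-RodcLocalRoleMembers $Role
    if (-not ($members | Where-Object { $_ -match [regex]::Escape($SamAccountName) })) {
        throw "$SamAccountName does not appear in the $Role role after the add."
    }
    return $members
}

Add-RodcLocalRoleMember -SamAccountName 'Jeff_Hay' -Role 'administrators'
```

Because membership in these local roles grants administrative rights on the RODC only, not in the domain, auditing the output of Get-RodcLocalRoleMembers on each branch RODC is the counterpart to reviewing Domain Admins membership at the hub.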
MORE INFO IMPROVING AUTHENTICATION AND SECURITY
For more information about how RODCs improve authentication and security in branch offices, see -490c-93d3-b78c5e1d9db71033.mspx.
Practice Configuring an RODC
In this practice, you configure an RODC to simulate a branch office scenario. You install the RODC, configure password replication policy, monitor credential caching, and prepopulate credentials.

NOTE RODC AND AD LDS
In this practice, you promote the Boston server to an RODC. If you completed the practice in Lesson 1, the AD LDS server role is already installed on this server. In a production network, you would not promote a server that is running the AD LDS server role. In your test environment, the exercises work as written. However, you might decide to remove the AD LDS role on Boston before you promote the server. Lesson 1 details how to remove the AD LDS role.
Exercise 1 Create Active Directory Objects
In this exercise, you create Active Directory objects that you will use in the following exercises.
1. Log on to the Glasgow domain controller with the Kim_Akers account.
2. Open Active Directory Users And Computers.
3. Create the following Active Directory objects:
• A global security group named Branch_Office_Users
• A user named Jeff Hay
• A user named Joe Healy
• A user named Tanja Plate
• Put Jeff Hay and Joe Healy in Branch_Office_Users. Do not put Tanja Plate into this group. All three accounts will be members of Domain Users by default.
4. Add the Domain Users group as a member of the Print Operators group.
NOTE PRINT OPERATORS GROUP
Adding standard user or group accounts to the Print Operators group enables users to log on interactively at a domain controller. You would not do this in a production environment.
5. Log off from the domain controller.
Exercise 2 Install an RODC
In this exercise, you configure the Boston server as an RODC in the contoso.internal domain.
1. Log on to the domain at Boston with the Kim_Akers account.
2. Click Start, click Run, and enter dcpromo.
A window appears, informing you that the Active Directory Domain Services binaries are being installed. When installation completes, the Active Directory Domain Services Installation Wizard appears.
3. Click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Choose A Deployment Configuration page, select Existing Forest, and then select Add A Domain Controller To An Existing Domain. Click Next.
6. On the Network Credentials page, type contoso.internal.
7. Click Set.
8. In the User Name box, type Kim_Akers.
9. In the Password box, type the password for the Kim_Akers account. Click OK.
10. Click Next.
11. On the Select A Domain page, select contoso.internal, and then click Next.
12. On the Select A Site page, select Default-First-Site-Name, and then click Next.
Note that in a production environment, you would select the site for the branch office in which the RODC is being installed.
13. On the Additional Domain Controller Options page, select Read-Only Domain Controller (RODC). Ensure that DNS Server and Global Catalog are selected. Click Next.
14. On the Delegation Of RODC Installation And Administration page, click Next.
15. On the Location For Database, Log Files, And SYSVOL page, click Next.
16. On the Directory Services Restore Mode Administrator Password page, type a password in the Password and Confirm Password text boxes, and then click Next.
Choose a secure password that you will remember but others are unlikely to guess.
17. On the Summary page, click Next.
18. In the progress window, select the Reboot On Completion check box.
Exercise 3 Configure Password Replication Policy
In this exercise, you configure PRP at the domain level and for an individual RODC. PRP determines whether the credentials of a user or computer are cached on an RODC.
1. Log on to Glasgow as Kim_Akers.
2. Open the Active Directory Users And Computers snap-in.
3. Expand the domain name and select Users.
4. Examine the default membership of the Allowed RODC Password Replication Group.
5. Open the properties of the Denied RODC Password Replication Group.
6. Add the DNSAdmins group as a member of the Denied RODC Password Replication
Group, and then click OK twice.
7. Select the Domain Controllers OU.
8. Open the properties of Boston.
9. Click the Password Replication Policy tab.
10. Identify the PRP settings for the two groups, Allowed RODC Password Replication
Group and Denied RODC Password Replication Group.
11. Click Add.
12. Select Allow Passwords For The Account To Replicate To This RODC and click OK.
13. In the Select Users, Computers, Or Groups dialog box, type Branch_Office_Users and
click OK.
14. Click OK.
Exercise 4 Monitor Credential Caching
In this exercise, you simulate the logon of several users to the branch office server. You then evaluate the credentials caching of the server.
1. Log on to Boston as Jeff Hay, and then log off.
2. Log on to Boston as Tanja Plate, and then log off.
3. Log on to Glasgow as Kim_Akers and open the Active Directory Users And Computers
snap-in.
4. Open the properties of Boston in the Domain Controllers OU.
5. Click the Password Replication Policy tab.
6. Click Advanced.
7. On the Policy Usage tab, in the Display Users And Computers That Meet The Following Criteria drop-down list, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller.
8. Locate the entry for Jeff Hay. Check that because you configured the PRP to allow caching of credentials for users in the Branch_Office_Users group, Jeff Hay’s credentials were cached when he logged on. Check that Tanja Plate’s credentials were not cached.
9. In the drop-down list, select Accounts That Have Been Authenticated To This Read-Only Domain Controller.
10. Locate the entries for Jeff Hay and Tanja Plate.
11. Click Close, and then click OK.
Exercise 5 Prepopulate Credentials Caching
In this exercise, you prepopulate the cache of the RODC with the credentials of a user.
1. Log on to Glasgow as Kim_Akers and open the Active Directory Users And Computers
snap-in.
2. Open the properties of Boston in the Domain Controllers OU.
3. Click the Password Replication Policy tab.
4. Click Advanced.
5. Click Prepopulate Passwords.
6. Type Joe Healy and click OK.
7. Click Yes to confirm that you want to send the credentials to the RODC.
8. On the Policy Usage tab, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller.
9. Locate the entry for Joe Healy. Check that Joe Healy’s credentials are now cached on the RODC.
10. Click OK.
Lesson Summary
• RODCs are designed for use in branch offices and contain a read-only copy of the Active Directory database. An RODC replicates domain updates from a writable domain controller, using inbound-only replication.
• PRP defines whether the credentials of the user or computer are cached on an RODC. The Allowed RODC Password Replication Group and Denied RODC Password Replication Group are in the Allowed List and Denied List, respectively. You can use the two groups to manage a domain-wide password replication policy. You can further configure the individual PRP of each domain controller.
• An RODC can be supported by configuring administrator role separation to enable one or more users to perform administrative tasks without granting those users permissions to other domain controllers or to the domain. The dsmgmt command implements administrator role separation.
• An RODC requires a Windows Server 2008 writable domain controller in the same domain. Additionally, the forest functional level must be at least Windows Server 2003, and the adprep /rodcprep command must be run prior to installing the first RODC.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2, “Configuring Read-Only Domain Controllers.” The questions are also available on the companion DVD if you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.
1. You want to display in report format a list of user and computer credentials that an RODC has referred to a writable domain controller for authentication or service ticket processing. How do you do this?
A. In Active Directory Users And Computers, open the properties of the RODC computer account in the Domain Controllers OU. Click Advanced on the Password Replication Policy tab. In the Advanced Password Replication Policy dialog box, select Accounts That Have Been Authenticated To This Read-Only Domain Controller from the drop-down list at the top of the Policy Usage tab.
B. In Active Directory Users And Computers, open the properties of the RODC computer account in the Domain Controllers OU. Click Advanced on the Password Replication Policy tab. In the Advanced Password Replication Policy dialog box, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller from the drop-down list at the top of the Policy Usage tab.
C. In Active Directory Users And Computers, expand the domain name and select Users. Examine the membership of the Allowed RODC Password Replication Group.
D. In Active Directory Users And Computers, expand the domain name and select Users. Examine the membership of the Denied RODC Password Replication Group.
2. A new employee is joining one of the branch offices of Tailspin Toys. The branch office contains an RODC. You want to ensure that when the user logs on for the first time, she does not experience problems authenticating over the WAN link. You create an account for the new user. Which other steps should you perform? (Choose two. Each step presents part of a complete solution.)
A. Add the user’s account to the Password Replication Policy tab of the branch office RODC.
B. Add the user’s account to the Allowed RODC Password Replication Group.
C. Click Prepopulate Passwords.
D. Add the user’s account to the Log On Locally security policy on the Default Domain Controllers Policy GPO.
3. During a recent burglary at a branch office of Litware, Inc., the RODC was stolen.
Where can you find out which users’ credentials were stored on the RODC?
A. The Policy Usage tab of the Advanced Password Replication Policy dialog box
B. Active Directory Domains and Trusts
C. The Resultant Policy tab of the Advanced Password Replication Policy dialog box
D. The Password Replication Policy tab of the RODC computer account Properties dialog box
4. Your domain consists of seven domain controllers, one of which is running Windows Server 2008. All other domain controllers are running Windows Server 2003. What must you do before you install an RODC?
A. Run dsmgmt.
B. Run adprep /rodcprep.
C. Run dcpromo /unattend.
D. Run syskey.
Chapter Review
To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:
• Review the chapter summary.
• Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution.
• Complete the suggested practices.
• Take a practice test.
Chapter Summary
• You can use AD LDS rather than AD DS where Active Directory features such as Group Policy are not required and you do not want to extend the AD DS schema. AD LDS can be installed and configured on both full installation and Server Core.
• After you have installed the AD LDS service, you can create an AD LDS instance. You can create replicas of instances on other servers and configure replication. You can create more than one AD LDS instance on the same server.
• RODCs support branch office scenarios and reduce security risks by authenticating users in the branch office without needing to store the entire account database. You can configure which credentials an RODC will cache. You can also delegate both installation and administration of an RODC without granting permissions to other domain controllers or to the domain.
Case Scenarios
In the following case scenarios, you apply what you have learned about AD LDS and RODCs. You can find answers to the questions in these scenarios in the “Answers” section at the end of this book.
Case Scenario 1: Create AD LDS Instances
Trey Research has upgraded all its domain controllers to Windows Server 2008, and the company wants to use AD LDS to support its applications. Specifically, they want each application to be an AD LDS instance. Trey has employed you as a consultant to carry out this task. Answer the following questions.
1. How should you name each instance?
2. Where should you store the files related to each instance?
3. Why should you use application directory partitions?
4. Which ports should you use to connect to the instances?
5. Which type of account should you use to run each instance?
6. How would you prevent an attacker from tampering with or detecting AD LDS data?
Case Scenario 2: Prepare to Install an RODC at a Branch Office
You are an administrator at the A. Datum Corporation and maintain the domain’s directory service on five domain controllers at your hub site. All five domain controllers run Windows Server 2003. A. Datum has decided to open an overseas branch office. Initially, fifteen salespersons and one desktop-maintenance technician will be employed at the office. You decide to place an RODC in the branch office. Answer the following questions.
1. What preliminary tasks must you complete before installing an RODC or configuring your network so that a non–domain administrator can install one?
2. You do not want to send one of your IT staff overseas to install an RODC. How do you enable the local desktop-maintenance technician to create an RODC without making this technician a domain administrator?
3. You want the technician to be able to log on to the RODC to perform regular maintenance. How do you configure administrator role separation?
4. You want the RODC to cache the credentials of each of the salespersons the first time he or she logs on. How do you achieve this?
5. You do not want the technician’s credentials to be cached. How do you achieve this?
6. Your CEO will be visiting the new branch office. How do you ensure that there is no authentication delay over the WAN link even when he or she logs on for the first time?
Suggested Practices
To help you successfully master the exam objectives presented in this chapter, complete the following tasks.
Work with AD LDS Instances
Do both suggested practices.
• Practice 1 Practice connecting and working with the AD LDS instance you created earlier in this chapter. Use the following tools to explore the instance and view its content:
  - Active Directory Schema snap-in
  - Active Directory Sites and Services
  - Ldp.exe
  - ADSI Edit
• Practice 2 Practice creating objects within the instance. For example, create an OU and add both a group and a user within the OU.
Recover from a Stolen RODC
In this practice, you perform the processes to recover from a stolen or compromised RODC. In this situation, any user credentials cached on the RODC should be considered suspect and reset. You must identify the credentials that had been cached on the RODC and reset the password of each account. Do both practices.
• Practice 1 Determine the user and computer accounts that had been cached on Boston by examining the Policy Usage tab of the Boston Advanced Password Replication Policy dialog box. Use the steps in Exercise 4, “Monitor Credential Caching,” in the Lesson 2 practice, “Configuring an RODC,” to identify accounts whose passwords were stored on the RODC. Export the list to a file on your desktop.
• Practice 2 Open the Active Directory Users And Computers snap-in and, in the Domain Controllers OU, select Boston. Press Delete and click Yes. Examine the options for resetting user and computer passwords automatically.
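As an added example, not from the book (whose procedure uses the Policy Usage tab and the RODC deletion wizard), the same recovery carried out with the Active Directory PowerShell module. It assumes RSAT from Windows Server 2008 R2 or later, an RODC named Boston, and a constructed export path on the desktop.

```powershell
# Added example, not from the book: recover from a stolen or compromised RODC with the
# Active Directory PowerShell module (assumes Windows Server 2008 R2 or later RSAT; the
# book's own procedure uses the Policy Usage tab and the RODC deletion wizard).
# Assumed values: the RODC is named Boston; the export path is constructed for this example.
Import-Module ActiveDirectory

$Rodc       = 'Boston'
$ExportPath = Join-Path $env:USERPROFILE 'Desktop\Boston-revealed-accounts.csv'

# Step 1: every account whose secrets were replicated to (revealed on) the RODC is suspect.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Record the list before changing anything (the book's "export the list to a file" step).
$revealed |
    Select-Object Name, SamAccountName, ObjectClass, DistinguishedName |
    Export-Csv -Path $ExportPath -NoTypeInformation

function New-RandomPassword {
    # Random 24-character password drawn with Get-Random from a constructed alphabet.
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    -join (1..$Length | ForEach-Object { $alphabet | Get-Random })
}

# Step 2: reset every revealed user password and force a change at next logon.
foreach ($acct in $revealed) {
    # The RODC's own computer account and its krbtgt_<id> account are revealed by design;
    # both go away when the RODC computer account is deleted, so they are not reset here.
    if ($acct.Name -eq $Rodc -or $acct.SamAccountName -like 'krbtgt_*') { continue }

    switch ($acct.ObjectClass) {
        'user' {
            $newPassword = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPassword
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
            Write-Output "Reset password for user $($acct.SamAccountName)"
        }
        'computer' {
            # A member computer's machine password is reset from that computer
            # (Reset-ComputerMachinePassword) or by re-joining it to the domain.
            Write-Warning "Computer $($acct.SamAccountName) had a cached secret: reset its machine password or re-join it."
        }
        default {
            Write-Warning "Unhandled object class '$($acct.ObjectClass)' for $($acct.Name); review manually."
        }
    }
}

# Step 3: accounts that only authenticated through the RODC were forwarded to a writable
# domain controller and not cached, but the list records who used the branch office and
# belongs in the incident record.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, SamAccountName, ObjectClass |
    Format-Table -AutoSize
```

Run the script as a member of Domain Admins before deleting the Boston computer account, so the revealed list is still available.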
Take a Practice Test
The practice tests on this book’s companion DVD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the upgrade exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question.
MORE INFO PRACTICE TESTS
For details about all the practice test options available, see the “How to Use the Practice
Tests” section in this book’s introduction.
CHAPTER 6
Active Directory Federation Services and Active Directory Rights Management Services Server Roles
Active Directory Federation Services (AD FS) is designed to extend the authority of your internal network and facilitate the formation of partnerships with other organizations. AD FS communicates over HTTPS port 443 so that sensitive data can be secured and encrypted. It enables single sign-on (SSO) so that—for example—Don Hall, a user logged on to the Contoso domain, can access a collaboration application hosted by Contoso’s partner organization, Northwind Traders, without needing to supply additional credentials.
Active Directory Rights Management Services (AD RMS) protects intellectual property through the integration of several Active Directory technologies such as Active Directory Domain Services (AD DS) and Active Directory Certificate Services (AD CS). AD FS extends AD RMS policies beyond the firewall and protects your organization’s intellectual property among your business partners.
This chapter aims to give a deeper understanding of AD FS and AD RMS, discusses their installation and configuration, and explains how they interact with each other and with other Active Directory technologies.
Exam objectives in this chapter:
• Configure Active Directory Federation Services (AD FS).
• Configure Active Directory Rights Management Services (AD RMS).
Lessons in this chapter:
• Installing, Configuring, and Using AD FS 283
• Installing, Configuring, and Using AD RMS 312
Before You Begin
To complete the lessons in this chapter, you must have done the following:
• Installed a Windows Server 2008 Enterprise server configured as a domain controller in the contoso.internal domain as described in Chapter 1, “Configuring Internet Protocol Addressing.”
• Installed a Windows Server 2008 Enterprise server in the contoso.internal domain as described in Chapter 2, “Configuring IP Services.” If you completed the practices in Chapter 5, “Configuring Active Directory Lightweight Directory Services and Read-Only Domain Controllers,” this server might currently have the Active Directory Lightweight Directory Services (AD LDS) server role installed and be configured as a read-only domain controller (RODC). In this case, remove the AD LDS role as described in Chapter 5 and then run the dcpromo command to demote the computer to a member server.
NOTE TESTING AD FS FUNCTIONS
To test AD FS and AD RMS functions fully, you need two forests and at least seven servers, two of them domain controllers, plus several client computers. Even with Hyper-V virtualization, this is a requirement that is probably beyond the capability of most test setups. The considerable time taken to configure such a test network would almost certainly be better spent answering practice test questions. In this chapter, the practices are kept brief and straightforward, and the AD FS and AD RMS server roles are installed on a domain controller. This is not recommended in a production network. A case study is included to give you a feel for full AD FS installation.
Lesson 1: Installing, Configuring, and Using AD FS
Securing an organizational network against attacks from external networks—typically but not exclusively the Internet—presents problems about which every network engineer is aware and which have led to the development of firewalls, virtual private networks (VPNs), perimeter networks, and security technologies such as intrusion detection systems. Possibly the most difficult problem that faces a network professional is to secure a network without impairing potential partnerships such as those created through forest trusts.
You will almost certainly have studied forest trusts for your Windows Server 2003 examinations and will be aware that they enable organizations to extend the security contexts of their own internal forests to trust partner forests. However, implementing forest trusts requires an administrator to set up complex, semipermanent VPN links between disparate organizations or to open specific ports in a firewall to support AD DS. Also, forest trusts can be difficult to manage, particularly in multiple partnerships.
Trust relationships are powerful entities and have their place in fully featured inter-organizational relationships. However, there existed a perceived need for partners to access a specific and limited set of resources without all the facilities and complexity involved in a full trust relationship.
To address this need, Microsoft introduced AD FS—which is often described as a limited trust relationship. The AD FS service provides external support for the internal identity and access (IDA) services that AD DS requires and extends the authority of your internal network to external networks. In this lesson, you learn how AD FS authenticates a user, how you install and configure the service, and how you manage the trusts and certificates it requires.
After this lesson, you will be able to:
• Describe the AD FS authentication process.
• List the components used in an AD FS implementation.
• Install the AD FS server role.
• Manage AD FS certificates.
• Configure AD FS servers.
• Configure AD FS trust policies.
Estimated lesson time: 60 minutes
REAL WORLD
Ian McLean
A few years ago I was involved in a very large project that involved collaboration between a number of organizations that strongly defended the security, integrity, and independence of their networks. I’ve no problems with defending security and integrity, but sometimes independence can be a problem when collaboration is required.
For reasons far too complex to go into here, VPNs were not seen as an appropriate solution. Trust relationships required collaboration so they could be set up at both ends. I lost count of the number of times I had to tell network administrators that I wasn’t asking them to trust me. I was asking them to permit me to trust them. And when it came to anything whatsoever that involved a firewall—well, I’d rather not go into that can of worms.
So when it came to a second project that required SSO and involved the same set of organizations, I was wary about trusts, VPNs, and firewalls. The central organization for which I was working was the resource organization. It was not asking to be able to access resources owned by its partner organizations; it was permitting them to use its resources. I needed a solution that allowed account partners to access a specific and limited set of resources and required little or no network reconfiguration on their part.
AD FS wasn’t around at the time, which was a pity because that’s exactly what it does.
Understanding AD FS
AD FS is an SSO facility that allows users of external Web-based applications to access and authenticate through a browser. It relies on the internal authentication store of the user’s own domain to authenticate a client and does not have a store of its own. It also relies upon the original authentication clients perform in their own networks and passes this authentication to Web applications that are AD FS–enabled. To return to the example earlier in this chapter, Don Hall from Contoso, Ltd., should be able to log on to the password-protected Northwind Traders Web site by using his account and without needing to supply additional credentials.
With AD FS, organizations need to manage only a single authentication store for their own users. If you use an AD LDS directory for extranet authentication, this adds administrative overhead because the organization then needs to manage its own internal store and an external store or stores. Users must remember several access codes and passwords to log on to each of these stores. It is difficult enough for most users to remember a single name and password, never mind several. AD FS, alternatively, federates a user’s internal AD DS identity and submits it to external networks. Users need to authenticate only once.
For example, David Hamilton, Nancy Anderson, and Jeff Hay buy supplies for Wingtip Toys from Wide World Importers, an organization with which their company has a long-standing relationship. David, Nancy, and Jeff need to log on to Web applications at Wide World Importers. Unfortunately, Wide World Importers has different username and password policies, and David, Nancy, and Jeff need to remember two sets of logon names and passwords, which regularly change. AD FS allows Wingtip Toys and Wide World Importers to set up a partnership so that David, Nancy, and Jeff can log on to these Web applications using their Wingtip Toys credentials and do not need to log on twice and remember two usernames and two passwords to do their jobs.
Unlike forest trusts, AD FS does not use Lightweight Directory Access Protocol (LDAP) ports but rather the common HTTP ports, specifically port 443, so all AD FS trust communications can be secured and encrypted. AD FS relies on AD CS to manage certificates for each server in the AD FS implementation. AD FS can also extend AD RMS deployment and provide federation services for intellectual property management between partners.
NOTE NAMED SERVICE ACCOUNTS
AD FS, like all Active Directory services, can use a named service account. However, if you install the AD FS role on a Windows Server 2008 server, or if you upgrade Federation Services running under Windows Server 2003 R2 to AD FS, the service runs by default under the Network Service account.
EXAM TIP
Windows Server 2003 R2 introduced AD FS, and you might or might not have studied it for your Windows Server 2003 examinations. Even if you did, you should spend some time looking at the service again because Windows Server 2008 introduces some significant enhancements.
AD FS provides extensions to internal forests and enables your organization to create partnerships without needing to open any additional ports on its firewall. It relies on each partner’s internal AD DS directory to provide authentication for extranet or perimeter services. When a user attempts to authenticate to an application integrated to AD FS, the AD FS engine polls the internal directory for authentication data. Users who have access provided through the internal directory are granted access to the external application. This means that each partner needs to manage authentication data only in its internal network. The federation services of AD FS do all the rest.
Use AD FS whenever you want to implement a partnership with other organizations that also rely on internal AD DS directories. If, however, you need to provide authentication services in your perimeter network but the users or organizations with which you want to interact do not have internal AD DS directories, or the scope of the partnership does not warrant an AD FS deployment, use (for example) AD LDS. Account partners can have stores in AD DS, AD LDS, or ADAM and do not need AD DS to work with AD FS.
NOTE AD LDS, AD CS, AND AD RMS
You will find more information about AD LDS in Chapter 5; more information about AD CS in Chapter 7, “Active Directory Certificate Services”; and more information about AD RMS in Lesson 2, “Installing, Configuring, and Using AD RMS,” of this chapter.
Business-to-Business Partnerships
You can use AD FS to form business-to-business (B2B) partnerships. In this arrangement, partners can be account or resource organizations (or both). These can be described as follows:
• Account organizations Manage the accounts used to access the shared resources in SSO scenarios. Account organizations join partnerships created by resource organizations and access the resources in these organizations.
• Resource organizations Form the partnerships in SSO scenarios. An organization that has resources (such as a collaboration Web site) can use AD FS to simplify the authentication process to these resources by forming partnerships that account organizations then join. The organization that initially forms the partnership is deemed the resource organization because it hosts the shared resources in its perimeter network.
NOTE ACCOUNT AND RESOURCE ORGANIZATIONS
In the example given earlier in this lesson, David, Nancy, and Jeff are logged on to the Wingtip Toys forest and can access Web applications at Wide World Importers without needing to supply additional credentials. In this case, Wingtip Toys is the account organization (or account partner) and Wide World Importers is the resource organization (or resource partner).
NOTE WEB SSO DESIGN
In a Web SSO design, discussed later in this lesson, AD FS can authenticate users from anywhere on the Internet. After a user accessing from the Internet has been authenticated, AD FS examines the user’s attributes in AD DS or in AD LDS directories to identify what rights the user has to the application to which he or she is authenticating.
AD FS Components
AD FS uses the following components:
• Claims
• Cookies
• Certificates
CLAIMS
A claim is a statement the federation server makes about a user or client. Claims are stored as AD DS attributes that each partner in an AD FS relationship attaches to its user accounts. They can be based on several values—for example, usernames, certificate keys, membership of security groups, and so on. Claims are included in the signed security token AD FS sends to the Web application and are used for authorization. They can be based on user identity (the identity claim type) or on security group membership (the group claim type). Claims can also be based on custom information (the custom claim type), for example, a custom identification number such as employee number or bank account number. The federation server filters claims as part of the AD FS authentication process. This greatly reduces the overall number of claims an organization needs to manage.
MORE INFO AD FS CLAIMS
For more information on AD FS claims, see />/cc730612.aspx.
COOKIES
User browsers hold cookies that are generated during Web sessions authenticated through AD FS. AD FS uses authentication cookies, account partner cookies, and sign-out cookies.
When a user is authenticated through AD FS, an authentication cookie is placed within the user’s browser to support SSO for additional authentications. This cookie includes all the claims for the user. It is a session cookie and is erased after the session is closed.
The AD FS process writes an account partner cookie when a client announces its account partner membership during authentication, so it does not need to perform partner discovery again the next time the client authenticates. An account partner cookie is long-lived and persistent.
Each time the federation service assigns a token, it adds the resource partner or target server linked to the token to a sign-out cookie. The authentication process uses sign-out cookies for various purposes, for example, for cleanup operations at the end of a user session. A sign-out cookie is a session cookie and is erased after the session is closed.