Windows 2008 Active Directory Branch office Management_MVP Sampath Perera

Notes
  • Change auditing is not enabled by default. To do so:
    1) Turn on change auditing: auditpol /set /subcategory:"directory service changes" /success:enable
    2) Set up auditing in the object SACLs through ADUC > Security (Advanced) > Auditing
    3) Filter out excessive events by modifying the schema (set bit 9 in searchFlags on an attribute to turn off auditing of that attribute)
  • Note: No changes were made to the settings themselves (E.g., no new “password complexity” options)
Transcript of "Windows 2008 Active Directory Branch office Management_MVP Sampath Perera"

    1. Windows 2008 Active Directory Branch office Management
       Sampath Perera
       sampath@nanotechglobal.net, sampath_mails@hotmail.com
       www.khgeeks.org
    2. Session Objectives & Takeaways
       Session Objectives:
       • Identify the key new AD DS features in WS08
       • Explain the value of deploying these features
       • Demonstrate these features in real life scenarios
       Key Takeaways:
       • Understand when and how to deploy the key new AD DS features
    3. Key Investments areas
       • Branch Office
       • Manageability
       • Security
    4. Key Investments areas
       • Branch Office
       • Manageability
       • Security
    5. Windows 2008 Branch Office Benefits
       Security: BitLocker; Server Core; Read-Only Domain Controller; Admin Role Separation
       Optimization: SysVol Replication; DFS Replication; Protocols
       Administration: Print Management Console; PowerShell, WinRS, WinRM; Virtualization; Restartable Active Directory
       Diagram labels: Hub Site, Branch Office
    6. Branch Office Dilemma
       Diagram labels: HQ Data Center, Hub Network, Branch Office
       • Small Number of Employees
       • WAN: Congested, Unreliable
       • Security: Not Sure
       • Admin Proficiency: Generalist
    7. Branch Office Dilemma
       Diagram labels: HQ Data Center, Hub Network, Branch Office
       Option 1: Consolidate and remove DCs from branch
       • Branch authentication & authorization fails when WAN goes down
       Option 2: Put full DC in branch
       • Either give branch admin privilege or manage remotely
       • Branch DC being compromised jeopardizes security of corporate AD!!!
    10. So how can we deploy a Domain Controller in this environment?!
    11. Read-Only Domain Controller
        1-Way Replication
        • No replication from RODC to Full-DC
        • Attack on RODC does not propagate to the AD
        Admin Role Separation
        • RODC Server Admin does NOT need to be a Domain Admin
        • Prevents Branch Admin from accidentally causing harm to the AD
        • Delegated promotion
        RODC
        • Passwords not cached by default
        • Policy to configure caching branch specific passwords (secrets) on RODC
        • Policy to filter schema attributes from replicating to RODC
    12. RODC – Attacker “experience”
        Attacker:
        • Let’s steal this RODC
        • Let’s tamper data on this RODC and use its identity
        • Let’s intercept Domain Admin credentials sent to this RODC
        RODC:
        • I have a Read-Only database. Also, no other DC in the enterprise replicates data from me.
        • By default I do not have any secrets cached.
        • I do not hold any custom app specific attributes either.
        • With Admin role separation, the Domain Admin doesn’t need to log-in to me.
        Attacker: Damn!
    13. RODC Mitigates “Stolen DC”
        Hub Admin Perspective
    14. Read-Only Domain Controller
        Password Replication Policy
    15. Read-Only Domain Controller
        How it works?
        Diagram labels: Branch, HUB, RODC, Full DC
        1) Logon request sent to RODC
        2) RODC looks in its DB: "I don't have the user's secrets"
        3) Forwards request to Full DC
        4) Full DC authenticates user
        5) Returns authentication response and TGT back to the RODC
        6) RODC gives TGT to user and queues a replication request for the secrets
        7) Hub DC checks Password Replication Policy to see if password can be replicated
    16. Read-Only Domain Controller
        Recommended Deployment Models
        No accounts cached (default)
        • Pro: Most secure, still provides fast authentication and policy processing
        • Con: No offline access for anyone
        Most accounts cached
        • Pro: Ease of password management. Manageability improvement of RODC, not security.
        • Con: More passwords potentially exposed to RODC
        Few accounts (branch-specific accounts) cached
        • Pro: Enables offline access for those that need it, and maximizes security for others
        • Con: Fine-grained administration is a new task
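Added example for slides 14 to 16 (not from the deck): the "few accounts cached" model expressed as a Password Replication Policy, followed by the check a hub admin would run to see which secrets an RODC actually holds. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2, usable against 2008 DCs through the Active Directory Web Services gateway); the names RODC01, Branch-Users and the privileged group list are constructed for the example.

```powershell
# Added example (not from the deck): configure and audit an RODC's Password
# Replication Policy with the ActiveDirectory module. RODC01 and Branch-Users
# are constructed names.
Import-Module ActiveDirectory

$Rodc        = 'RODC01'
$BranchGroup = 'Branch-Users'   # global security group holding branch staff only

# "Few accounts cached" model: allow only the branch group to have its secrets
# cached on this RODC. Privileged accounts stay covered by the built-in
# "Denied RODC Password Replication Group"; a Deny entry wins over any Allow.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# Show the resulting Allow and Deny lists.
Write-Host 'Allowed list:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object -ExpandProperty Name
Write-Host 'Denied list:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object -ExpandProperty Name

# Hub admin check: which secrets does this RODC really hold, and are any of
# them privileged? A hit here means a stolen RODC exposes more than the
# branch's own accounts, which is exactly what the model is meant to prevent.
$Privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty SamAccountName -Unique

$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

foreach ($acct in $Revealed) {
    if ($Privileged -contains $acct.SamAccountName) {
        Write-Warning "Privileged account '$($acct.SamAccountName)' has secrets cached on $Rodc"
    }
}

# Accounts that authenticated through the RODC but are not cached: these are
# the only candidates for the Allow list if they need offline logon.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Where-Object { $Revealed.SamAccountName -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName
```

The revealed-accounts list is the thing to review after a branch office reports a lost or stolen server: every account on it should be treated as exposed and have its password reset, which is also what the "Reset all passwords" option in the RODC deletion wizard does.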
    17. Read-Only Domain Controller
        Upgrade path from Windows 2003 Domain
        Deployment steps:
        1) ADPREP /ForestPrep (not RODC specific)
        2) ADPREP /DomainPrep (not RODC specific)
        3) Promote a Windows Server 2008 DC (not RODC specific)
        4) Verify Forest Functional Mode is Windows 2003 (not RODC specific)
        5) ADPREP /RodcPrep (RODC-specific task)
        6) Promote RODC (RODC-specific task)
        Test RODCs for application compatibility in your environment!
    18. Read-Only Domain Controller
        Delegated Administrator (“Local Roles”)
        Delegated RODC Promotion
    19. Read-Only Domain Controller
        Admin role separation
    21. Branch Office & Replication Optimization
        • DFS-R replication provides more robust and detailed replication of SYSVOL contents
        • Requires Windows Server 2008 Domain Mode
    22. Key Investments areas
        • Branch Office
        • Manageability
        • Security
    23. Directory Service Auditing
        New Directory Service Changes Events
        Event logs tell you exactly:
        • Who made a change
        • When the change was made
        • What object/attribute was changed
        • The beginning & end values
        Auditing controlled by:
        • Global audit policy
        • SACL
        • Schema
    24. Directory Service Auditing in Windows Server 2008
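Added example for slides 23 and 24 and the speaker note on enabling change auditing (not from the deck): it performs the first two steps from that note, the global audit policy and an object SACL, and then reads the resulting Directory Service Changes events back as the who/when/what/old/new view the slide promises. It assumes the ActiveDirectory module and its AD: drive (Windows Server 2008 R2 or later), and the OU distinguished name is constructed.

```powershell
# Added example (not from the deck): enable Directory Service Changes auditing,
# put a SACL on an OU, and report event 5136 as who/when/what/old/new.
# OU=Branch,DC=corp,DC=example is a constructed name; run elevated on a DC.
Import-Module ActiveDirectory

$OuDn = 'OU=Branch,DC=corp,DC=example'

# 1) Global audit policy: the subcategory from the speaker note.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2) SACL: audit successful WriteProperty by Everyone on the OU and everything
#    below it (the equivalent of ADUC > Security (Advanced) > Auditing).
$acl = Get-Acl -Path "AD:\$OuDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# 3) Event 5136 ("A directory service object was modified") carries ONE
#    attribute value per event plus an OperationType of %%14675 (value deleted)
#    or %%14674 (value added). A modify therefore produces a pair of events
#    sharing an OpCorrelationID; joining the pair yields beginning and end values.
function Get-DsChangeReport {
    param([int]$MaxEvents = 200)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            Value     = $d.AttributeValue
            Op        = $d.OperationType
            Corr      = $d.OpCorrelationID
        }
    }

    # Fold each deleted/added pair into a single line.
    $rows | Group-Object Corr, Attribute | ForEach-Object {
        $old   = ($_.Group | Where-Object { $_.Op -eq '%%14675' } | Select-Object -First 1).Value
        $new   = ($_.Group | Where-Object { $_.Op -eq '%%14674' } | Select-Object -First 1).Value
        $first = $_.Group | Select-Object -First 1
        [pscustomobject]@{
            When      = $first.Time
            Who       = $first.Who
            Object    = $first.Object
            Attribute = $first.Attribute
            OldValue  = $old
            NewValue  = $new
        }
    }
}

Get-DsChangeReport | Format-Table -AutoSize
```

The third step from the speaker note, suppressing noisy attributes by setting the NEVER_AUDIT_VALUE bit in searchFlags on the schema attribute, is deliberately left out here: it is a forest-wide schema change and should be done attribute by attribute after looking at which attributes dominate the report above.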
    25. Fine-Grained Password Policies
        Overview
        Granular administration of password and lockout policies within a domain
        Usage Examples:
        • Administrators: strict setting (passwords expire every 14 days)
        • Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
        • Average User: “light” setting (passwords expire every 90 days)
    26. Fine-Grained Password Policies
        At a glance
        Policies can be applied to:
        • Users
        • Global security groups
        Does NOT apply to:
        • Computer objects
        • Organizational Units
        Multiple policies can be associated with the user, but only one applies
    27. Fine-Grained Password Policies
        Example
        Password Settings Object PSO 1, Precedence = 10, applies to the user
        Password Settings Object PSO 2, Precedence = 20, applies to the user
        Resultant PSO = PSO1 (the PSO with the lowest precedence value wins)
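Added example for slides 25 to 27 (not from the deck): the three tiers from the "Usage Examples" slide created as Password Settings Objects, linked to global security groups, and a resultant-policy lookup that shows which PSO wins for a user in more than one group. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and a domain at the Windows Server 2008 functional level; group and user names, the minimum lengths for the admin and user tiers, and the lockout values are constructed and not taken from the slides.

```powershell
# Added example (not from the deck): the slide's three password tiers as PSOs,
# plus a check of the resultant PSO. Tier0-Admins, Service-Accounts and the
# user names are constructed; only the 14/31/90-day ages and the 32-character
# service-account minimum come from the slide.
Import-Module ActiveDirectory

$common = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    MinPasswordAge              = '1.00:00:00'
    LockoutThreshold            = 10
    LockoutDuration             = '00:30:00'
    LockoutObservationWindow    = '00:30:00'
}

# A lower Precedence value wins when several group-linked PSOs apply to one user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins'  -Precedence 10 -MaxPasswordAge '14.00:00:00' -MinPasswordLength 15 @common
New-ADFineGrainedPasswordPolicy -Name 'PSO-Service' -Precedence 20 -MaxPasswordAge '31.00:00:00' -MinPasswordLength 32 @common
New-ADFineGrainedPasswordPolicy -Name 'PSO-Users'   -Precedence 30 -MaxPasswordAge '90.00:00:00' -MinPasswordLength 8  @common

# Subjects must be users or global security groups; OUs and computers are
# rejected, which is the limitation slide 26 calls out.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins'  -Subjects 'Tier0-Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Service' -Subjects 'Service-Accounts'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Users'   -Subjects 'Domain Users'

# Resultant policy. A user in both Tier0-Admins and Service-Accounts gets
# PSO-Admins (10) rather than PSO-Service (20). A PSO linked directly to the
# user object would win over any group-linked PSO regardless of precedence.
# A user covered by no PSO falls back to the Default Domain Policy.
function Get-EffectivePso {
    param([string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) {
        "$User -> $($pso.Name) (precedence $($pso.Precedence), max age $($pso.MaxPasswordAge.Days) days, min length $($pso.MinPasswordLength))"
    } else {
        "$User -> no PSO; Default Domain Policy applies"
    }
}

'alice', 'svc-backup', 'bob' | ForEach-Object { Get-EffectivePso $_ }
```

Because a PSO-subject group is just a global security group, the same change-auditing SACL that covers OUs should also cover these groups: adding a privileged account to a low-precedence group is an easy way to weaken its password policy without touching the PSO itself.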
    28. Key Investments areas
        • Branch Office
        • Manageability
        • Security
    29. Restartable AD DS
        • Without a reboot you can now perform offline defragmentation
        • DS stopped, similar to a member server:
          – NTDS.dit is offline
          – Can log on locally with DSRM password
        Server Core
        • Fewer reboots for servicing
        Restartable AD DS
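Added example for slide 29 (not from the deck): the offline defragmentation the slide mentions, done by stopping the AD DS service rather than rebooting into Directory Services Restore Mode. It assumes the default database location under %SystemRoot%\NTDS and that a system state backup was taken first; the scratch and backup paths are constructed. It keys the integrity step on the "Integrity check successful" line that ntdsutil prints, which is an assumption about its output format.

```powershell
# Added example (not from the deck): offline defrag of NTDS.dit on a Windows
# Server 2008 DC using Restartable AD DS. Paths are constructed; run elevated
# after a system state backup.
$NtdsDir    = 'C:\Windows\NTDS'
$CompactDir = 'C:\NTDSCompact'
$Backup     = "C:\NTDSBackup\ntds.dit.$(Get-Date -Format yyyyMMddHHmm)"

New-Item -ItemType Directory -Path $CompactDir, (Split-Path $Backup) -Force | Out-Null

# Remember which dependent services (KDC, Netlogon, DFSR/FRS, ...) were running
# so they can be restarted afterwards; Start-Service does not start dependents.
$deps = Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' }

# 1) Stop AD DS. The DC now behaves like a member server and NTDS.dit is offline.
Stop-Service -Name NTDS -Force

# 2) Write a compacted copy of the database to the scratch directory.
ntdsutil "activate instance ntds" "files" "compact to $CompactDir" "quit" "quit"
if (-not (Test-Path "$CompactDir\ntds.dit")) {
    Start-Service -Name NTDS
    $deps | Start-Service
    throw 'compact produced no file; AD DS restarted on the original database'
}

# 3) Keep the original, swap in the compacted copy, and drop the stale log files.
Copy-Item "$NtdsDir\ntds.dit" $Backup
Copy-Item "$CompactDir\ntds.dit" "$NtdsDir\ntds.dit" -Force
Remove-Item "$NtdsDir\*.log" -Force

# 4) Verify the new file before bringing the directory back. ntdsutil reports
#    "Integrity check successful." on success (assumed output format).
$check = ntdsutil "activate instance ntds" "files" "integrity" "quit" "quit" 2>&1
if (($check | Out-String) -notmatch 'Integrity check successful') {
    Copy-Item $Backup "$NtdsDir\ntds.dit" -Force
    Start-Service -Name NTDS
    $deps | Start-Service
    throw 'integrity check failed; original database restored and AD DS restarted'
}

# 5) Start AD DS and its dependents again. No reboot and no DSRM logon needed.
Start-Service -Name NTDS
$deps | Start-Service
Get-Service -Name NTDS, KDC, Netlogon | Select-Object Name, Status
```

While NTDS is stopped the server only accepts local logons with the DSRM password, so treat that password with the same care as a Domain Admin credential and rotate it on a schedule; it is the one credential this procedure depends on.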
    30. Manageability Improvements
    31. ADUC: Prevent Object Deletion
        Existing Object/OU
        New Organizational Unit
    32. Summary – Key features in Active Directory Domain Services 2008
        • Read-Only Domain Controller (RODC)
        • Fine Grained Password Policies
        • Enhanced Auditing Capabilities
        • Restartable AD DS
        • AD DS Database Mounting Tool
        • DFS-R Sysvol Replication