Change auditing is not enabled by default. To enable it:
1) Turn on change auditing: auditpol /set /subcategory:"directory service changes" /success:enable
2) Set up auditing in object SACLs through ADUC > Security (Advanced) > Auditing
3) Filter out excessive events by modifying the schema (set bit 9 in an attribute's searchFlags to turn off auditing of that attribute)
Note: No changes were made to the settings themselves (e.g., no new "password complexity" options)
Windows 2008 Active Directory Branch Office Management - MVP Sampath Perera - Presentation Transcript
Windows 2008 Active Directory Branch Office Management
Sampath Perera
sampath@nanotechglobal.net, sampath_mails@hotmail.com
www.khgeeks.org
Session Objectives & Takeaways
Session objectives:
- Identify the key new AD DS features in WS08
- Explain the value of deploying these features
- Demonstrate these features in real-life scenarios
Key takeaways:
- Understand when and how to deploy the key new AD DS features
Key Investment Areas: Branch Office, Manageability, Security
Windows 2008 Branch Office Benefits
Security: BitLocker, Server Core, Read-Only Domain Controller, Admin Role Separation
Optimization: SYSVOL replication, DFS Replication protocols
Administration: Print Management Console; PowerShell, WinRS, WinRM
Virtualization
Restartable Active Directory
(Diagram: Hub Site and Branch Office)
Branch Office Dilemma (HQ Data Center, Hub Network, Branch Office)
- Small number of employees
- WAN: congested, unreliable
- Security: not sure
- Admin proficiency: generalist
Branch Office Dilemma (HQ Data Center, Hub Network, Branch Office)
Option 1: Consolidate and remove DCs from the branch. Branch authentication & authorization fail when the WAN goes down.
Option 2: Put a full DC in the branch. Either give the branch admin privileges or manage remotely. A branch DC being compromised jeopardizes the security of the corporate AD!!!
So how can we deploy a Domain Controller in this environment?!
Read-Only Domain Controller
1-way replication:
- No replication from the RODC to a full DC
- An attack on the RODC does not propagate to the AD
Admin role separation:
- The RODC server admin does NOT need to be a Domain Admin
- Prevents the branch admin from accidentally causing harm to the AD
- Delegated promotion
Passwords not cached by default:
- Policy to configure caching of branch-specific passwords (secrets) on the RODC
- Policy to filter schema attributes from replicating to the RODC
RODC - Attacker "experience"
Attacker: Let's steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.
Attacker: Let's tamper with the data on this RODC and use its identity.
RODC: I have a read-only database. Also, no other DC in the enterprise replicates data from me.
Attacker: Damn! Let's intercept Domain Admin credentials sent to this RODC.
RODC: With admin role separation, the Domain Admin doesn't need to log in to me.
Read-Only Domain Controller: How it works (Branch and Hub)
1. Logon request is sent to the RODC.
2. RODC looks in its DB: "I don't have the user's secrets."
3. RODC forwards the request to a full DC.
4. The full DC authenticates the user.
5. The full DC returns the authentication response and TGT to the RODC.
6. The RODC gives the TGT to the user and queues a replication request for the secrets.
7. The hub DC checks the Password Replication Policy to see if the password can be replicated.
Read-Only Domain Controller: Recommended Deployment Models
No accounts cached (default)
- Pro: Most secure; still provides fast authentication and policy processing
- Con: No offline access for anyone
Most accounts cached
- Pro: Ease of password management. Manageability improvements of the RODC, not security.
- Con: More passwords potentially exposed to the RODC
Few accounts (branch-specific accounts) cached
- Pro: Enables offline access for those who need it, and maximizes security for the others
- Con: Fine-grained administration is a new task
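The logon flow and the "few accounts cached" model above can be set up and checked from PowerShell. The following is an added example, not code from the presentation or from Microsoft; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later), a hub DC "HUB-DC1", an RODC "BR1-RODC", a group "Branch1 Users" and a branch operator account CORP\BranchOps, all of which are placeholder names.

```powershell
# Added example (not from the presentation). HUB-DC1, BR1-RODC, "Branch1 Users" and
# CORP\BranchOps are placeholder names; requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Default model ("no accounts cached"): the Allowed list holds only the empty built-in
# "Allowed RODC Password Replication Group"; the Denied list already holds the privileged groups.
Get-ADDomainControllerPasswordReplicationPolicy -Identity BR1-RODC -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity BR1-RODC -Denied  | Select-Object Name

# "Few accounts cached" model: allow just the branch's own users. Denied entries win over
# allowed ones, so a Domain Admin placed in "Branch1 Users" is still never cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity BR1-RODC -AllowedList "Branch1 Users"

# Pre-populate the secrets from the hub instead of waiting for each user's first logon
# (the "queues a replication request" step of the logon flow, run now under the same PRP check).
Get-ADGroupMember -Identity "Branch1 Users" | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source HUB-DC1 -Destination BR1-RODC -PasswordOnly
}

# Review: who authenticated through the RODC versus whose secret is actually stored on it.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity BR1-RODC -AuthenticatedAccounts
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity BR1-RODC -RevealedAccounts

# Accounts that use the branch but would lose access if the WAN failed (authenticated, not cached).
Compare-Object $authenticated $revealed -Property DistinguishedName |
    Where-Object { $_.SideIndicator -eq '<=' } | Select-Object DistinguishedName

# If the RODC is ever lost, $revealed is exactly the set of accounts whose passwords must be
# reset; deleting the RODC computer account in ADUC offers to do that reset for you.

# Admin role separation: run on the RODC itself. Grants local Administrators to the branch
# operator without making that account a Domain Admin.
dsmgmt "local roles" "add CORP\BranchOps administrators" quit quit
```

The comparison at the end is the check behind the "Con" lines of the slide: the first list is the branch's real user population, the second is what the RODC can serve offline, and the difference is who is missing from the allowed list.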
Read-Only Domain Controller: Upgrade path from a Windows 2003 domain
Deployment steps:
1. ADPREP /ForestPrep (not RODC specific)
2. ADPREP /DomainPrep (not RODC specific)
3. Promote a Windows Server 2008 DC (not RODC specific)
4. Verify the forest functional level is Windows 2003 (RODC-specific task)
5. ADPREP /RodcPrep (RODC-specific task)
6. Promote the RODC (RODC-specific task)
Test RODCs for application compatibility in your environment!
Branch Office & Replication Optimization
- DFS-R replication provides more robust and detailed replication of SYSVOL contents
- Requires Windows Server 2008 domain mode
Key Investment Areas: Branch Office, Manageability, Security
Directory Service Auditing: New Directory Service Changes events
Event logs tell you exactly:
- Who made a change
- When the change was made
- What object/attribute was changed
- The beginning and end values
Auditing is controlled by: global audit policy, SACL, schema
Directory Service Auditing in Windows Server 2008
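The three-step procedure at the top of this transcript (audit policy, SACL, schema filter) is shown here as an added PowerShell example; it is not code from the presentation. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later), a domain corp.example with an OU "Branch Users" (placeholder names), a session holding the security privilege on the DC, and uses lastLogonTimestamp only as a stand-in for whichever attribute is generating noise in your log.

```powershell
# Added example (not from the presentation). corp.example and "Branch Users" are placeholder
# names; lastLogonTimestamp is just an illustrative noisy attribute.
Import-Module ActiveDirectory

# 1) Global audit policy: enable success events for the Directory Service Changes subcategory.
auditpol /set /subcategory:"directory service changes" /success:enable

# 2) SACL on the OU: log successful property writes by anyone, inherited by child objects.
#    This is the PowerShell equivalent of ADUC > Security (Advanced) > Auditing.
$ouPath   = "AD:\OU=Branch Users,DC=corp,DC=example"
$acl      = Get-Acl -Path $ouPath -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 3) Schema filter: set the "never audit value" bit in the attribute's searchFlags.
#    Bit 9 (counted from 1) is 0x100 = 256; -bor preserves the bits already set.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=lastLogonTimestamp)" -Properties searchFlags
$newFlags = [int]$attr.searchFlags -bor 0x100
Set-ADObject -Identity $attr -Replace @{ searchFlags = $newFlags }

# Verify: event ID 5136 (directory service object modified) in the Security log carries the
# who / when / which attribute and the old and new values the slide describes.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 5 |
    Format-List TimeCreated, Message
```

Step 3 changes the schema itself, so it needs Schema Admins and applies forest-wide; pick the attributes to silence from the 5136 events you actually see rather than from a fixed list.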
Fine-Grained Password Policies: Overview
Granular administration of password and lockout policies within a domain
Usage examples:
- Administrators: strict setting (passwords expire every 14 days)
- Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
- Average user: "light" setting (passwords expire every 90 days)
Fine-Grained Password Policies: At a glance
Policies can be applied to: users, global security groups
Does NOT apply to: computer objects, organizational units
Multiple policies can be associated with a user, but only one applies
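The three usage examples from the overview slide, and the "only one applies" rule, as an added PowerShell example (not code from the presentation). It assumes the ActiveDirectory module (Windows Server 2008 R2 or later), a domain at Windows Server 2008 functional level, and the groups "Service Accounts" and "Branch Users" plus the user svc-backup, which are placeholder names.

```powershell
# Added example (not from the presentation). "Service Accounts", "Branch Users" and
# svc-backup are placeholder names; requires Windows Server 2008 domain functional level.
Import-Module ActiveDirectory

# A PSO object has a fixed set of mandatory attributes, so every one is supplied here and
# only the values that differ between policies are parameters.
function New-BranchPso {
    param([string]$Name, [int]$Precedence, [string]$MaxAge, [int]$MinLength)
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -MaxPasswordAge $MaxAge -MinPasswordAge "1.00:00:00" -MinPasswordLength $MinLength `
        -ComplexityEnabled $true -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 -LockoutObservationWindow "0.00:30:00" -LockoutDuration "0.00:30:00"
}

# Lower Precedence wins when a user is covered by several group-linked PSOs.
New-BranchPso -Name "PSO-Admins"   -Precedence 10  -MaxAge "14.00:00:00" -MinLength 15
New-BranchPso -Name "PSO-Services" -Precedence 20  -MaxAge "31.00:00:00" -MinLength 32
New-BranchPso -Name "PSO-Users"    -Precedence 100 -MaxAge "90.00:00:00" -MinLength 8

# Link each PSO to a user or global security group (computers and OUs are not valid subjects).
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Admins"   -Subjects "Domain Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Services" -Subjects "Service Accounts"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Users"    -Subjects "Branch Users"

# Resolution: a PSO linked directly to the user beats any group-linked PSO; among candidates of
# the same kind the lowest Precedence applies; with no PSO at all the Default Domain Policy applies.
# If svc-backup is in both "Service Accounts" and "Branch Users", PSO-Services (20) is the result.
Get-ADUserResultantPasswordPolicy -Identity svc-backup |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength

# Review what every PSO is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo | Select-Object Name, Precedence, AppliesTo
```

Get-ADUserResultantPasswordPolicy is the check to run whenever a user reports an unexpected expiry: it returns the single PSO that actually governs the account, or nothing when the domain default applies.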
Key Investment Areas: Branch Office, Manageability, Security
Restartable AD DS
- Without a reboot you can now perform offline defragmentation
- With DS stopped the server behaves like a member server: NTDS.dit is offline
- Can log on locally with the DSRM password
Server Core: fewer reboots for servicing
Restartable AD DS
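An offline defragmentation without a reboot, which is the scenario the slide names, as an added PowerShell example (not code from the presentation). It is run locally on the DC as a member of the Administrators group; C:\Defrag is a placeholder scratch directory that needs at least as much free space as NTDS.dit.

```powershell
# Added example (not from the presentation). Run on the DC itself; C:\Defrag is a placeholder.
$scratch = "C:\Defrag"
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

# Stop AD DS in place. Dependent services (KDC, DNS, Netlogon, ...) stop with it; no reboot
# into DSRM is needed, and you stay logged on with your normal domain credentials.
Stop-Service -Name NTDS -Force

# Offline defragmentation: ntdsutil writes a compacted copy of the database into $scratch.
ntdsutil "activate instance ntds" files "compact to $scratch" quit quit

# As ntdsutil instructs after a successful compaction: swap in the compacted file, remove the
# old transaction logs, then check integrity before bringing the directory back online.
$params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$live   = $params.'DSA Database file'
$logDir = $params.'Database log files path'
Copy-Item (Join-Path $scratch "ntds.dit") $live -Force
Remove-Item (Join-Path $logDir "*.log")
ntdsutil "activate instance ntds" files integrity quit quit

# Restart AD DS and the services that depend on it.
Start-Service -Name NTDS
Get-Service -Name NTDS -DependentServices | Start-Service
```

Keep the original NTDS.dit until the integrity check passes; the compacted copy in the scratch directory is the only safety net once the live file has been overwritten.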
Manageability Improvements
ADUC: Prevent Object Deletion (existing object/OU; new Organizational Unit)
Summary - Key features in Active Directory Directory Services 2008
- Read-Only Domain Controller (RODC)
- Fine-Grained Password Policies
- Enhanced auditing capabilities
- Restartable AD DS
- AD DS Database Mounting Tool
- DFS-R SYSVOL replication