Windows 2008 Active Directory includes several new features to improve management of branch offices and security. It introduces Read-Only Domain Controllers that allow placing a domain controller in a branch office without compromising security if it is compromised. It includes fine-grained password policies that allow customizing password policies for different groups. Enhanced auditing capabilities provide more detailed auditing of directory service changes. Other features like restartable AD DS and DFS-R replication improve manageability.

1. Windows 2008 Active Directory Branch office ManagementSampath Pererasampath@nanotechglobal.net, sampath_mails@hotmail.comwww.khgeeks.org

2. Session Objectives & TakeawaysSession Objectives: Identify the key new AD DS features in WS08Explain the value of deploying these featuresDemonstrate these features in real life scenarios Key Takeaways:Understand when and how to deploy the key new AD DS features

3. Key Investments areasBranch OfficeManageabilitySecurity

4. Key Investments areasBranch OfficeManageabilitySecurity

5. Windows 2008 Branch Office BenefitsSecurityBitLockerServer CoreRead-Only Domain ControllerAdmin Role SeparationOptimizationSysVolRéplicationDFS RéplicationProtocolsAdministrationPrint Management ConsolePowerShell, WinRS, WinRMVirtualizationRestartable Active DirectoryHub SiteBranch Office

6. Branch Office DilemmaHQ Data CenterHub NetworkBranch Office Small Number of Employees

7. WAN: Congested, Unreliable

8. Security: Not Sure

9. Admin Proficiency: GeneralistBranch Office DilemmaHQ Data CenterHub NetworkOption 2:Put full DC in branchEither give branch admin privilege or manage remotelyBranch DC being compromised jeopardizes security of corporate AD!!!Branch OfficeOption 1:Consolidate and remove DCs from branchBranch authentication & authorization fails when WAN goes down

10. So how can we deploy a Domain Controller in this environment?!

11. Read-Only Domain Controller1-Way ReplicationAdmin Role SeparationNo replication from RODC to Full-DCRODC Server Admin does NOT need to be a Domain AdminPrevents Branch Admin from accidentally causing harm to the ADDelegated promotionAttack on RODC does not propagate to the ADRODCPasswords not cached by-defaultPolicy to configure caching branch specific passwords (secrets) on RODCPolicy to filter schema attributes from replicating to RODC

12. RODC – Attacker “experience”I have a Read-Only database. Also, no other DC in the enterprise replicates data from me.Damn!Let’s steal this RODCBy default I do not have any secrets cached.I do not hold any custom app specific attributes either.Let’s tamper data on this RODC and use its identityLet’s intercept Domain Admin credentials sent to this RODCWith Admin role separation, the Domain Admin doesn’t need to log-in to me.RODCAttackerRODC

13. RODC Mitigates “Stolen DC”Hub Admin Perspective

14. Read-Only Domain ControllerPassword Replication Policy

15. Read-Only Domain ControllerHow it works?BranchHUBLogon request sent to RODC RODCRODC: Looks in DB "I don't have the users secrets"Full DCForwards Request to Full DCFull DC authenticates userReturns authentication response and TGT back to the RODCRODC gives TGT to User and Queues a replication request for the secretsHub DC checks Password Replication Policy to see if Password can be replicated

16. Read-Only Domain ControllerRecommended Deployment ModelsNo accounts cached (default)Pro: Most secure, still provides fast authentication and policy processingCon: No offline access for anyoneMost accounts cachedPro: Ease of password management. Manageability improvements of RODC and not security. Con: More passwords potentially exposed to RODCFew accounts (branch-specific accounts) cached Pro: Enables offline access for those that need it, and maximizes security for otherCon: Fine grained administration is new task

17. Read-Only Domain ControllerUpgrade path from Windows 2003 DomainDeployment steps:ADPREP /ForestPrepADPREP /DomainPrepPromote a Windows Server 2008 DCVerify Forest Functional Mode is Windows 2003ADPREP /RodcPrepPromote RODCTest RODCs for application compatibility in your environment!Not RODC specificRODC Specific task

18. Read-Only Domain ControllerDelegated Administrator (“Local Roles”)Delegated RODC Promotion

19. Read-Only Domain ControllerAdmin role separation

21. Branch Office & Replication OptimizationDFS-R replication provides more robust and detailed replication of SYSVOL contentsRequires Windows Server 2008 Domain Mode

22. Key Investments areasBranch OfficeManageabilitySecurity

23. Directory Service AuditingNew Directory Service Changes EventsEvent logs tell you exactly:Who made a changeWhen the change was madeWhat object/attribute was changedThe beginning & endvaluesAuditing controlled byGlobal audit policySACLSchema

24. Directory Service Auditingin Windows Server 2008

25. Fine-Grained Password PoliciesOverviewGranular administration of password and lockout policies within a domainUsage Examples:AdministratorsStrict setting (passwords expire every 14 days)Service accountsModerate settings (passwords expire every 31 days, minimum password length 32 characters)Average User“light” setting (passwords expire every 90 days)

26. Fine-Grained Password PoliciesAt a glancePolicies can be applied to:UsersGlobal security groupsDoes NOT apply to: Computer objectsOrganizational UnitsMultiple policies can be associated with the user, but only one applies

27. Fine-Grained Password PoliciesExampleResultant PSO = PSO1Precedence = 10Password Settings Object PSO 1Applies ToResultant PSO = PSO1Applies ToPrecedence = 20Password Settings Object PSO 2Applies To

28. Key Investments areasBranch OfficeManageabilitySecurity

29. Restartable AD DSWithout a reboot you can now perform offline defragmentationDS stopped similar to member server:NTDS.dit is offlineCan log on locally with DSRM passwordServer CoreFewer reboots for servicingRestartable AD DS

30. Manageability Improvements

31. ADUC: Prevent Object DeletionExisting Object/OUNew Organizational Unit

32. Summary – Key features in Active Directory Directory Services 2008Read-Only Domain Controller (RODC)Fine Grained Password PoliciesEnhanced Auditing CapabilitiesRestartable AD DSAD DS Database Mounting ToolDFS-R Sysvol Replication

34. Your potential. Our passion.