
Longhorn Academy Branch Office Solutions for Windows Server 2008.


1 Longhorn Academy Branch Office Solutions for Windows Server 2008

2 Session Objectives and Agenda
- The Branch Office Challenge
- New Active Directory features in Windows Server 2008 for Branch Offices
  - RODC Overview
  - Read-only Partial Attribute Set
  - Delegated DCPROMO
  - Admin Role Separation
  - Server Core
  - Restartable Directory Services
  - Auditing

3 Session Agenda
- Windows Server 2008 Branch Office Guide status update
- Improving file access in the branch

4 Branch Office Challenges
- Security
- Remote support
- Server management
- Service deployment
- WAN performance

5 Branch Office Topologies
Generally fit into one of the following categories:
- No local infrastructure: centralized applications; fast, reliable WAN
- Hybrid: some centralized applications; core services delivered locally; caching mechanism to improve user experience
- Full local infrastructure: distributed applications; distributed services

6 Branch Office Benefits (diagram: Hub Site and Branch Office)
- Security: Server Core; Read-Only Domain Controller; Admin Role Separation; BitLocker Drive Encryption
- Administration/Deployment: Auditing; Delegated DC Promo; Restartable Active Directory
- Optimization: SysVol Replication; DFS Replication; Protocols; TCP/IP Stack

7 Server Core
- Reduced footprint server
- Available as an option at initial install
- Boot and operate stand-alone in headless/embedded scenarios
- Less to install, manage, patch, attack
- No GUI: all management through command line and remote MMC
- Supported server roles: AD Domain Services, AD Lightweight Directory Services, DHCP, DNS, File, Print, Streaming Media Services, IIS 7.0
- Optional Windows features: Failover Clustering, Network Load Balancing, Subsystem for UNIX-based Applications, Backup, Multipath IO, Removable Storage, BitLocker Drive Encryption, SNMP, WINS, Telnet Client

8 New AD Features in Windows Server 2008 for Branch Office Deployments
- Read-only Domain Controllers with support for Server Core
- Admin Role Separation*
- DCPROMO enhancements: delegated promotion and demotion*; site selection with auto-detection; role selection (GC, DNS, RODC)
- Read-only Partial Attribute Set (RO-PAS)*
- Fine Grained Password Policies
- NTDSUTIL.EXE can now create IFM media; for RODC IFM media the tool will strip out all passwords from either a Full DC or an RODC*
* For RODC only

9 Read-Only Domain Controller: Reduced attack surface for branch office DCs
1. The impact of a stolen DC on the Active Directory is reduced
   - By default, no user or computer passwords are stored on the RODC
   - The Read-only Partial Attribute Set can prevent application credentials from replicating to the RODC
2. Reduced attack surface to the Active Directory from a compromised DC
   - Read-only state with unidirectional replication for AD and FRS/DFSR
   - A SYSVOL deletion on an RODC does not replicate outside the branch office
   - Each RODC has its own KDC krbtgt account to provide cryptographic key separation
   - Delegated DCPROMO reduces the need for a Domain Admin to use Terminal Services to log on to the RODC
   - Windows Server 2008 writeable DCs register SRV records on behalf of RODCs to prevent DNS pollution in other sites
   - RODCs are workstation accounts from the Active Directory perspective: not members of the Enterprise Domain Controllers or Domain Controllers groups
Callout: "I'm not a BDC"

10 Read-Only Domain Controller: Incorporating RODCs into your AD design
When to use:
- Security concerns or management costs are driving consolidation of writeable DCs from branch offices...
- ...and there is still a need for the benefits of data locality and autonomy if the WAN fails
When not to use:
- As a full-featured replacement for full/writeable domain controllers

11 Deployment scenarios
- RODC in branch offices (primary and supported scenario): intended for environments with limited physical security
- RODC in DMZ (being evaluated): intended for environments with cross-Corpnet/DMZ resource access requirements
- RODC on the Internet (being evaluated): intended for environments with cross-Corpnet/Internet resource access requirements

12 Read-Only Domain Controller: How to deploy an RODC from a Windows Server 2003 environment
1. ADPREP /ForestPrep
2. ADPREP /DomainPrep
3. Promote a Windows Server 2008 DC
4. Verify the Forest Functional Mode is Windows Server 2003
5. ADPREP /RodcPrep
6. Promote the RODC
Legend: steps marked as not RODC specific vs. RODC-specific tasks
Note: You can't convert a full DC to an RODC or vice versa without demotion and re-promotion.

13 Delegated RODC Promotion
- Pre-create the RODC account
- Specify parameters including machine name and delegated admin
- Attach the machine to the RODC slot

14 Read-Only Domain Controller: Admin role separation
Problem
- Customers have too many Domain Admins
- Most of these DAs are really server admins (patch management, etc.)
Solution
- Provides a new local admin level of access per RODC
- Also includes all built-in groups (Backup Operators, etc.)
- Prevents accidental AD modifications by machine administrators
- Does not prevent a local admin from maliciously modifying the local database
- This is a true security feature for the read-only DC

15 Read-Only Domain Controller: Partial attribute set
Problem
- Applications are storing credentials in Active Directory. If an RODC were stolen this could be catastrophic
Solution
- Don't replicate secret-like data to the RO-PAS
- Similar to the Global Catalog Partial Attribute Set, the RO-PAS is a subset of the attributes replicated to an RODC
- Specified in the schema, and dynamic (cleanup and additions)
Considerations
- RO-PAS is not intended for admins but rather for application developers to control
- Applications must be aware if an attribute is filtered
- No forest or domain mode requirements

16 Read-Only Domain Controller: How it works, password replication during first logon
1. AS_Req sent to the RODC (request for TGT)
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards the request to an LH (Longhorn, i.e. Windows Server 2008) DC
4. The LH DC authenticates the request
5. Returns the authentication response and TGT back to the RODC
6. RODC gives the TGT to the user and queues a replication request for the secrets
7. The hub DC checks the Password Replication Policy to see if the password can be replicated
Note: At this point the user will have a hub-signed TGT

17 Password replication
- Passwords replicated to an RODC are stored until the password changes
- There is no secure method to expire or clear the cached passwords without changing the data itself
- Once the password changes, the next logon by the user or computer will result in an attempt to replicate the new password
- Whether a password is cached on an RODC is transparent to the client, unless the WAN fails
- A client processes logon scripts and Group Policy from an RODC regardless of whether its password is cached
- Outlook clients can use an RODC GC for address book lookups, etc.; LDAP searches still go to the RODC
- If the WAN is offline then users and computers can only log on using the RODC if their password is cached; otherwise clients perform cached logons as today (as if no DC were present)

18 Password Replication Policy: Recommended Management Models
1. No passwords cached (default)
   - Pro: Most secure; still provides fast authentication and local policy processing
   - Con: No offline access for anyone. WAN required for logon
2. Most passwords cached
   - Pro: Ease of password management. Intended for customers who care most about the manageability improvements of RODC and not security
   - Con: More passwords potentially exposed to the RODC
3. Few passwords (branch-specific accounts) cached
   - Pro: Enables offline access for those that need it, and maximizes security for others
   - Con: Fine-grained administration is a new task
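The following is an added worked example, not part of the presentation and not Microsoft code. It models the first-logon flow from slide 16, the caching rules from slide 17 and the policy choice from slide 18 in Python: an RODC that serves logons from its own cache, forwards unknown or stale credentials to a hub DC, and only caches a secret when the hub's Password Replication Policy permits it. The class names (HubDC, Rodc, Prp), the sample accounts and the group names are constructed for the example; the one rule taken from documented RODC behaviour is that an account listed (directly or via a group) in the Denied set is never cached even if it also matches the Allowed set.

```python
"""Model of RODC password caching under a Password Replication Policy (PRP).

Added illustration, not Microsoft code. HubDC, Rodc, Prp, the sample
accounts and the group names are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    password: str
    groups: frozenset = frozenset()


@dataclass
class Prp:
    """Allowed/Denied lists as sets of account or group names."""
    allowed: frozenset
    denied: frozenset

    def permits(self, account: Account) -> bool:
        members = account.groups | {account.name}
        if members & self.denied:        # an explicit deny always wins
            return False
        return bool(members & self.allowed)


@dataclass
class HubDC:
    """Writeable hub DC: holds every secret and enforces the PRP."""
    accounts: dict
    prp: Prp

    def authenticate(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        return acct is not None and acct.password == password

    def reveal_secret(self, name: str):
        """Return the secret for replication, or None if the PRP forbids it."""
        acct = self.accounts[name]
        return acct.password if self.prp.permits(acct) else None


@dataclass
class Rodc:
    hub: HubDC
    wan_up: bool = True
    cache: dict = field(default_factory=dict)   # name -> cached password
    log: list = field(default_factory=list)

    def logon(self, name: str, password: str):
        """Handle an AS_REQ sent to this RODC. Returns (authenticated, served_by)."""
        cached = self.cache.get(name)
        if cached is not None and cached == password:
            return True, "rodc"                    # step 2: secret is local
        if not self.wan_up:
            # Slide 17: without a cached secret and without the WAN, no DC logon.
            return False, ("rodc" if cached is not None else "no-dc")
        # Steps 3-5: forward to the hub, which authenticates and returns the TGT.
        ok = self.hub.authenticate(name, password)
        if ok:
            # Steps 6-7: the user already holds a hub-signed TGT; the RODC now
            # queues replication of the secret and the hub consults the PRP.
            secret = self.hub.reveal_secret(name)
            if secret is not None:
                self.cache[name] = secret
                self.log.append(f"cached secret for {name}")
            else:
                self.log.append(f"PRP denied caching for {name}")
        return ok, "hub"

    def password_changed(self, name: str, new_password: str) -> None:
        """Slide 17: the cached entry stays until the password changes upstream;
        the next logon then re-replicates the new secret."""
        self.hub.accounts[name].password = new_password


def scenario() -> dict:
    """Constructed sample: a branch user (allowed), a Domain Admin (denied), a hub-only user."""
    accounts = {
        "alice": Account("alice", "a1", frozenset({"Branch-Users"})),
        "bob":   Account("bob", "b1", frozenset({"Branch-Users", "Domain Admins"})),
        "carol": Account("carol", "c1"),
    }
    prp = Prp(allowed=frozenset({"Branch-Users"}), denied=frozenset({"Domain Admins"}))
    rodc = Rodc(HubDC(accounts, prp))
    results = {}
    results["alice_first"] = rodc.logon("alice", "a1")        # forwarded, then cached
    results["alice_second"] = rodc.logon("alice", "a1")       # served locally
    results["bob_first"] = rodc.logon("bob", "b1")            # forwarded, never cached
    results["bob_second"] = rodc.logon("bob", "b1")           # forwarded again
    results["carol"] = rodc.logon("carol", "c1")              # not in Allowed, not cached
    rodc.password_changed("alice", "a2")
    results["alice_after_change"] = rodc.logon("alice", "a2") # stale cache -> hub, re-replicated
    rodc.wan_up = False
    results["alice_offline"] = rodc.logon("alice", "a2")      # cached, works offline
    results["alice_offline_badpw"] = rodc.logon("alice", "x") # cached, wrong password
    results["bob_offline"] = rodc.logon("bob", "b1")          # never cached, no DC available
    results["cached"] = sorted(rodc.cache)
    results["log"] = list(rodc.log)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows why model 3 on slide 18 is the usual compromise: only the branch-specific account ends up cached, the Domain Admin is authenticated through the hub every time and is the only account that cannot log on when the WAN is down.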

19 Read-Only Domain Controller: DNS
- Domain and forest DNS zones on an RODC are read-only
- Clients receive a DNS referral during registration
- The RODC will try to replicate just the one updated record almost immediately
- The entire zone is NOT replicated

20 Read-only DC Mitigates Stolen DC (diagram: Attacker Perspective vs. Hub Admin Perspective)

21 Active Directory Restartable Directory Services
- Application: routine maintenance; NTDS.dit defragmentation
- Three possible modes: AD DS Started; AD DS Stopped; Directory Services Restore Mode
- Execution: MMC; command line

22 Enhanced Auditing Capabilities
- Audit Directory Service Access subcategories: Directory Service Access; Directory Service Changes; Directory Service Replication / Detailed DSR
- Ability to audit Directory Service Changes: Create; Modify; Undelete; Move
- What is logged: previous value, new value, what account made the change

23 New Audit Event IDs

Event ID | Type of event | Event description
5136 | Modify | This event is logged when a successful modification is made to an attribute in the directory.
5137 | Create | This event is logged when a new object is created in the directory.
5138 | Undelete | This event is logged when an object is undeleted in the directory.
5139 | Move | This event is logged when an object is moved within the domain.
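The following is an added example, not part of the presentation and not Microsoft code, showing how the four event IDs from slides 22 and 23 can be turned into the "previous value / new value / who changed it" view a branch or hub admin would review. The record layout is a constructed pipe-separated format invented for the example (a real deployment would read the Security log through the Windows event APIs or an XML export); the field names, the sample DNs, the account names and the list of "sensitive" attributes are all assumptions. The one behaviour modelled from the real log is that a modification is recorded as a "Value Deleted" and a "Value Added" 5136 event that share a correlation ID.

```python
"""Collapse Windows Server 2008 directory-service change audit events (5136-5139)
into reviewable before/after changes.

Added example, not from the presentation. Constructed record layout:
event_id|time|subject|object_dn|attribute|operation|value|correlation_id
"""

EVENT_TYPES = {"5136": "Modify", "5137": "Create", "5138": "Undelete", "5139": "Move"}

# Constructed sample log lines (not real event-log output).
SAMPLE_EVENTS = """\
5136|2007-11-05T09:12:01|CORP\\svc-hr|CN=Domain Admins,CN=Users,DC=corp,DC=example|member|Value Deleted|CN=Old Admin,OU=Staff,DC=corp,DC=example|c1
5136|2007-11-05T09:12:01|CORP\\svc-hr|CN=Domain Admins,CN=Users,DC=corp,DC=example|member|Value Added|CN=Eve,OU=Staff,DC=corp,DC=example|c1
5137|2007-11-05T09:15:33|CORP\\jsmith|CN=Printer01,OU=Branch,DC=corp,DC=example||||c2
5136|2007-11-05T09:20:10|CORP\\jsmith|CN=Printer01,OU=Branch,DC=corp,DC=example|description|Value Added|Branch printer|c3
5139|2007-11-05T10:01:45|CORP\\svc-hr|CN=Eve,OU=Staff,DC=corp,DC=example||||c4
5138|2007-11-05T10:05:00|CORP\\svc-hr|CN=Former Emp,OU=Staff,DC=corp,DC=example||||c5
"""

FIELDS = ("event_id", "time", "subject", "object_dn", "attribute", "operation", "value", "correlation")

# Assumed watch list for the example: group membership and logon-affecting attributes.
PRIVILEGED_GROUPS = ("CN=Domain Admins,", "CN=Enterprise Admins,", "CN=Administrators,")
SENSITIVE_ATTRIBUTES = {"member", "userAccountControl", "servicePrincipalName", "msDS-AllowedToDelegateTo"}


def parse_events(text: str) -> list:
    """Parse the constructed records; malformed or unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS) or parts[0] not in EVENT_TYPES:
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def collapse_changes(records: list) -> list:
    """One change per correlation id; a 5136 pair yields previous and new value."""
    changes, order = {}, []
    for r in records:
        cid = r["correlation"]
        if cid not in changes:
            changes[cid] = {
                "type": EVENT_TYPES[r["event_id"]], "time": r["time"],
                "subject": r["subject"], "object_dn": r["object_dn"],
                "attribute": r["attribute"] or None, "previous": None, "new": None,
            }
            order.append(cid)
        if r["operation"] == "Value Deleted":
            changes[cid]["previous"] = r["value"]
        elif r["operation"] == "Value Added":
            changes[cid]["new"] = r["value"]
    return [changes[cid] for cid in order]


def flag_sensitive(changes: list) -> list:
    """Changes worth reviewing first: modifications to privileged groups or
    sensitive attributes, and any undelete (rare, and it resurrects an identity)."""
    flagged = []
    for c in changes:
        privileged_object = c["object_dn"].startswith(PRIVILEGED_GROUPS)
        sensitive_attr = c["attribute"] in SENSITIVE_ATTRIBUTES
        if c["type"] == "Modify" and (privileged_object or sensitive_attr):
            flagged.append(c)
        elif c["type"] == "Undelete":
            flagged.append(c)
    return flagged


def describe(c: dict) -> str:
    """One-line summary in the 'previous value, new value, who' form of slide 22."""
    detail = f" {c['attribute']}: {c['previous']!r} -> {c['new']!r}" if c["attribute"] else ""
    return f"{c['time']} {c['type']} {c['object_dn']} by {c['subject']}{detail}"


if __name__ == "__main__":
    for change in flag_sensitive(collapse_changes(parse_events(SAMPLE_EVENTS))):
        print(describe(change))
```

On the constructed sample, the membership change on Domain Admins and the undelete are reported; the routine description edit and the move are parsed but not flagged.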

24 DFS-R
- First introduced with Windows Server 2003 R2
- Multimaster replication engine that supports replication scheduling and bandwidth throttling
- Replaces the File Replication Service (FRS) used in Windows 2000/2003
- The Remote Differential Compression (RDC) protocol allows for efficient use of bandwidth resources at the branch office
- RDC detects insertions, removals, and re-arrangements of data in files, enabling differential replication of changes to files

25 DFS-R
- Combined with DFS Namespaces to deliver:
  - Contiguous namespaces: shared folders in different locations presented as a single folder view
  - Data availability
- Namespaces give the following benefits: increased data availability; load sharing


27 SysVol Replication
- DFS-R replaces FRS for SysVol replication
- Requires the Longhorn (Windows Server 2008) domain functional level
- FRS will still be used where Windows Server 2003 DCs are present
- Will greatly improve WAN utilization to the branch office for SysVol replication

28 Metrics for measuring improvement
- End user wait time: first-time access; subsequent access
- Efficient use of bandwidth: bytes transmitted; time of day

29 Types of Data
- Single user data: files accessed by a single user; server copy used mostly for backup purposes
- Shared data: files accessed by multiple users from multiple machines; server allows sharing and collaboration across users
- Published data: files accessed by many users from many machines; data updates are rare; large file set

30 Client-Side Caching
- Vista's client-side caching capabilities are greatly enhanced and work with Longhorn Server as well as with previous versions of Windows Server
- Additionally, client-side caching between Vista and Longhorn Server accrues extra benefits from underlying networking improvements
- Seamless state transitions: no user intervention is required (offline changes are silently synchronized in the background)
- Fast synchronization and differential transfers: all types of files are supported (bitmap differential transfer enables transfer of only modified data between client and server)
- Improved slow-link mode: detection has been improved, and the user can stay in this mode (all requests are satisfied from the cache) until they wish to force a transition to online mode

31 Benefits of cached access
- Move user data from the local drive to a central server while preserving access speed
- Provides central backup of user data
- Easy data migration to new machines
- Data synchronization can be scheduled when bandwidth is cheap

32 Parallel requests greatly increase read/write speed (chart: download speed in KB/sec at 100 ms RTT, SMB1 vs. SMB2 request/response)

33 Compounding reduces roundtrips (diagram: Open Dir, Query Dir and Query Volume issued as one compound request with a single Response; Close Dir with its Response; subsequent Query Dir and Query Volume satisfied from cache)

34 Published Data
- Client caching of the data set is impractical
- Improvements in data access (streaming, compounding) improve access
- However, there is a high cost of data transfer since every access is a first access

35 Published Data
Windows Server 2003 R2:
- DFS Replication to pre-stage data in the branch
- DFS Namespaces for location and fault tolerance
- RDC differencing engine for delta replication
Windows Server 2008:
- Improved scalability and performance
- Windows-based branch appliances offer caching of data in the branch

36 Client and server improvements
- Windows Vista client + Windows Server 2003 R2 (or earlier): improved offline experience offers users fast response times while keeping data synchronized between client and server
- Windows Vista client + Windows Server 2008: data streaming improves file transfer times; operation compounding reduces chattiness

37 Windows Server 2008 status update
- A Windows Server 2008 Branch Office Guide is planned; the goal is to release the planning chapters by Windows Server 2008 RTM
- Scale lab testing is underway for Windows Server 2008; RODCs in one domain were tested prior to Beta 3
- Goal is 1200 RODCs tested by RTM
- We want to push the current recommended limit of 1200 DCs in a domain higher and will test possibly up to 3000 after WS08 ships
- Scale lab topology: hub and spoke; all branch DCs in one domain; Virtual Server with RODC on Server Core; 32 guests per host

38 Resources e/default.mspx

39 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
