1 IAM304: Active Directory (AD) Design with Longhorn Server Directory Services
Kamal Janardhan, Lead Program Manager, Directory Services

2 Investment in the Fundamentals
- Security
- Reliability and Performance
- Management
- Globalization and standards

3 Investing in the Fundamentals
Reliability and Performance
- Server core / composite roles
- Restartable Active Directory
- Error-correcting database page checksum
- DFSR (aka FRS 2) for SYSVOL
- DNS server startup enhancements
- DNS IP validation for NDF, DNS MMCs
Security
- DC and DNS roles for server core
- Read-only Domain Controller for branch offices
- Improved auditing ("last value" and "new value")
- New Creator well-known SID
- Fine-grained password policy

4 Investing in the Fundamentals
Globalization and standards
- Full IPv6 support for DC and DNS server roles
- Phonetic sort order support for address books
- Common Criteria additions
Management
- DC locator site locality enhancements
- Improved role management
- DC promotion wizard enhancements
- DNS auto-configuration
- ADSIEdit properties page for all objects
- New IFM tool for RODC
- Single-label-name resolution (WINS-less)

5 Agenda
- Longhorn Feature Overview
- Longhorn Server Name Changes
- Server Core
- DCPromo
- Read Only Domain Controller
- Other Longhorn Changes
  - Fine Grained Password Policy
  - Backup and Restore
  - ...and many more

6 Longhorn Server Name Changes (new name / previous name)
- Active Directory Domain Services / Active Directory Domain Controller
- Active Directory Lightweight Directory / Active Directory Application Mode
- Active Directory Rights Management / Windows Rights Management
- Active Directory Certificate Services / Windows Certificate Services
- Active Directory Metadirectory / Identity Integration Feature Pack

7 Agenda: Longhorn Feature Overview; Longhorn Server Name Changes; Server Core; DCPromo; Read Only Domain Controller; Other Longhorn Changes (Fine Grained Password Policy, Backup and Restore, ...and many more)

8 Server Core Value Proposition
- Core set of AD, ADAM and DNS server functionality
- Part of the "Windows Server" SKU, available as an install option
- Boot and operate in headless/embedded scenarios
- Reduced attack surface due to reduced set of binaries

9 Server Core Value Proposition contd.
Reduced servicing and management costs
- Customers who deploy a server to support a single role or fixed workload have reduced TCO
- Only services necessary for the role are installed
- Costs for servicing, security, and management of services not essential to the workload are eliminated
- For server-specific IT staff and skills, enables separate servers for separate roles
  - E.g. Active Directory administrators don't usually administer web servers (in MORG+)
  - Skill sets for SQL administration are not highly transferable to DHCP administration

10 Agenda: Longhorn Feature Overview; Longhorn Server Name Changes; Server Core; DCPromo; Read Only Domain Controller; Other Longhorn Changes (Fine Grained Password Policy, Backup and Restore, ...and many more)

11 DCPROMO in Longhorn
- Supports server core (no UI)
- Uses logged-on credentials for promotion
- Role selection: DNS (default), GC (default), RODC
- Site selection (with auto-detection)
- Seed method: specific DC, any DC, IFM
- Advanced features easy to discover (/adv switch not required)
- DNS auto-configuration
  - DNS client auto-configured
  - DNS delegations automatically created and configured

12 Agenda: Longhorn Feature Overview; Longhorn Server Name Changes; Server Core; DCPromo; Read Only Domain Controller; Other Longhorn Changes (Fine Grained Password Policy, Backup and Restore, ...and many more)

13 RODC Value Proposition
DC attack surface in unsecure locations reduced
- By default, no passwords stored on / replicated from the RODC
- Read-only instance of the AD domain database
- Server Core + RODC further reduces surface area
- Unidirectional replication for AD and FRS/DFSR
- Kerberos key separation: the RODC has its own KDC krbtgt account
- Limited write rights in the directory: RODCs have no "Enterprise DC" or "Domain DC" group membership

14 RODC Value Proposition contd.
Improved management and configuration of branch offices
- Unidirectional replication makes bridgehead and replication schedule configuration simpler
- Most Branch Office Guide guidelines enabled by default
- Delegated promotion/recovery of RODCs is possible
- RODC admin can be restricted to a single RODC, separate from the Domain Admin
  - Prevents accidental modification of the domain by machine administrators
  - Does not prevent malicious compromise of RODC data

15 DCPromo of an RODC

16 How RODC mitigates "stolen DC"
- Hub admin perspective
- Attacker perspective

17 RODC Deployment Prerequisites
Works in existing environments!
- No patching of down-level DCs or clients needed
- No domain restructuring
- May be able to consolidate bridgehead servers
Incremental requirements
- Must be in Win2003 forest functional mode (linked value replication required)
- RODCs require constrained delegation
- PDC FSMO must be running Longhorn
- Recommend multiple LH DCs per domain to load-balance RODC replication

18 Incorporating RODCS into your AD


20 Read-only DC
How it works: secret caching during first logon
1. AS_REQ sent to the RODC (request for TGT)
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards the request to an LH DC
4. LH DC authenticates the request
5. Returns the authentication response and TGT back to the RODC
6. RODC gives the TGT to the user and queues a replication request for the secrets
7. Hub DC checks the Password Replication Policy to see if the password can be replicated
Note: at this point the user holds a hub-signed TGT

21 Read-only DC
How it works: authentication requests
1. Client sends a TGS request with the hub-signed TGT (from the previous example) to the RODC
2. RODC forwards the request to the hub
3. In the response from the hub, the RODC looks at the requester's name. If the RODC sees that it now has the secrets for the requester, it returns a Kerberos error to the client, which causes the client to automatically re-request a TGT (this time the client receives a branch-signed TGT)
4. Client uses the session key to connect to the file server. The file server machine account should already have a TGT from a previous authentication

22 Password Replication Policy: Recommended Management Models
No accounts cached (default)
- Pro: most secure; still provides fast authentication and policy processing
- Con: no offline access for anyone; WAN required for logon
Most accounts cached
- Pro: ease of password management. Intended for customers who care most about the manageability improvements of RODC and not security
- Con: more passwords potentially exposed to the RODC
Few accounts (branch-specific accounts) cached
- Pro: enables offline access for those that need it and maximizes security for others
- Con: fine-grained administration is a new task
  - Need to map computers per branch
  - Requires watching the Auth2 attribute list to manually identify accounts, or using MIIS to automate
  - An enhancement to Repadmin is under development to help automate moving accounts from Auth2 to Allow
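The first-logon flow on slide 20, the TGT re-request on slide 21 and the PRP decision behind slide 22, as an added model written for this page (not Microsoft code). The `HubDC` and `RODC` classes and their `allowed`, `denied`, `auth2` and `revealed` fields are constructed simplifications of the real PRP attributes; the replication request is modelled synchronously rather than queued.

```python
from dataclasses import dataclass, field

@dataclass
class HubDC:                                    # writable hub DC (constructed data)
    secrets: dict                               # account -> secret
    allowed: set                                # PRP Allow list
    denied: set                                 # PRP Deny list
    auth2: set = field(default_factory=set)     # accounts authenticated via the RODC
    revealed: set = field(default_factory=set)  # secrets actually handed to the RODC

    def authenticate(self, account, proof):
        # Step 4: hub validates the forwarded request. Auth2 records the account
        # whether or not its secret is ever replicated (slide 22).
        ok = self.secrets.get(account) == proof
        if ok:
            self.auth2.add(account)
        return ok

    def may_replicate(self, account):
        # Step 7, the PRP check: Deny beats Allow, and nothing is cached by default.
        return account in self.allowed and account not in self.denied

@dataclass
class RODC:
    hub: HubDC
    cache: dict = field(default_factory=dict)   # secrets cached on the RODC

    def as_request(self, account, proof):
        """Steps 1-7. Returns (who signed the TGT, whether logon succeeded)."""
        if account in self.cache:               # secret cached: RODC signs the TGT
            return "rodc", self.cache[account] == proof
        ok = self.hub.authenticate(account, proof)   # steps 3-5: forward to the hub
        if ok and self.hub.may_replicate(account):   # steps 6-7: replication request,
            self.cache[account] = self.hub.secrets[account]   # modelled synchronously
            self.hub.revealed.add(account)
        return "hub", ok                        # user now holds a hub-signed TGT

    def tgs_request(self, account, tgt_signer):
        # Slide 21: a hub-signed TGT for a now-cached user gets a Kerberos error,
        # so the client re-requests a TGT, which this RODC then signs itself.
        if account in self.cache and tgt_signer == "hub":
            return "KRB_ERROR: re-request TGT"
        return "service ticket"

def demo():
    hub = HubDC({"alice": "a-pw", "admin": "x-pw"}, allowed={"alice", "admin"}, denied={"admin"})
    rodc = RODC(hub)
    first = rodc.as_request("alice", "a-pw")        # hub signs; alice is then cached
    tgs = rodc.tgs_request("alice", first[0])       # forces the client to re-request
    second = rodc.as_request("alice", "a-pw")       # now branch-signed
    admin = rodc.as_request("admin", "x-pw")        # Deny wins: never cached
    return first, tgs, second, admin, sorted(hub.revealed), sorted(hub.auth2)
```

Note that the admin account ends up in `auth2` but not in `revealed`: that is exactly the list the "few accounts cached" model asks you to watch before moving accounts to Allow.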

23 Password Replication Policy

24 Read-only DC: Application Support
Applications supported
- SMS, ADSI queries, MOM, ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, NAP, PKI, CA, IAS/VPN, DFS
- Generic LDAP apps which support write referrals and can tolerate write failures if the WAN is offline
App guidance whitepaper planned post Beta 3
- Will include a checklist to verify RODC app compatibility

25 RODC Admin Role Separation
- New "local administrator" level of access per RODC
- Includes Builtin groups (Backup Operators, etc.)
- Prevents accidental AD modifications by machine administrators
- Does not prevent a "local administrator" from maliciously modifying the local DB
- Mitigates the need for large numbers of Domain Admins
- Admin role separation for full DCs is not available

26 Features Under Consideration (Beta 3)
- RODC GC with support for Outlook clients
- RODC protection for highly sensitive credential attributes (not Windows password): RO-PAS
- Two RODCs in the same site
Features NOT under consideration
- RODC-to-RODC replication
- Exchange server support
- Read-only ADAM

27 Agenda: Longhorn Feature Overview; Longhorn Server Name Changes; Server Core; DCPromo; Read Only Domain Controller; Other Longhorn Changes (Fine Grained Password Policy, Backup and Restore, ...and many more)

28 Fine Grained Password Policy
- Today password policies are domain-based
  - Not granular enough for large organizations
  - Inconvenient for admin and machine account passwords to be equally restrictive
- Password policy feature enables group-based policy restrictions
  - Creates a new PSO object in the schema that may be associated with any security principle
  - Precedence rules ensure the resultant policy is correct
  - Applies to password and account lockout settings
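The slide only says that precedence rules pick the resultant policy. As an added example (written for this page, not Microsoft's code) the resolver below applies the rules the shipped feature uses: a PSO linked directly to the user beats any group-linked PSO, the lowest msDS-PasswordSettingsPrecedence wins within each class, a precedence tie goes to the smallest objectGUID, and with no PSO the Default Domain Policy applies. The `PSO` class and the sample PSOs are constructed; only the attribute names in the comments are real.

```python
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int            # msDS-PasswordSettingsPrecedence (lower wins)
    guid: uuid.UUID            # objectGUID, used only to break precedence ties
    min_length: int            # msDS-MinimumPasswordLength
    lockout_threshold: int     # msDS-LockoutThreshold (0 = no lockout)

# Stand-in for the domain's Default Domain Policy (constructed values)
DEFAULT = PSO("Default Domain Policy", 10**9, uuid.UUID(int=0), 7, 0)

def resultant_pso(user_psos, group_psos):
    """Pick the PSO that applies to one user (what msDS-ResultantPSO reports).
    user_psos: PSOs linked directly to the user object.
    group_psos: PSOs linked to global security groups the user belongs to."""
    def winner(psos):
        # lowest precedence wins; a precedence tie goes to the smallest objectGUID
        return min(psos, key=lambda p: (p.precedence, p.guid.int)) if psos else None
    return winner(user_psos) or winner(group_psos) or DEFAULT

def demo():
    # Constructed PSOs: admins get a strict policy, service accounts a lenient one
    admin_pso = PSO("PSO-Admins", 10, uuid.UUID(int=5), 15, 5)
    svc_pso = PSO("PSO-Service", 20, uuid.UUID(int=9), 30, 0)
    tie_pso = PSO("PSO-Tie", 10, uuid.UUID(int=2), 12, 3)
    return {
        # member of both the Admins and Service groups: precedence 10 beats 20
        "alice": resultant_pso([], [admin_pso, svc_pso]).name,
        # direct link beats any group link regardless of the precedence value
        "svc-backup": resultant_pso([svc_pso], [admin_pso]).name,
        # equal precedence on two group links: smaller objectGUID wins
        "bob": resultant_pso([], [admin_pso, tie_pso]).name,
        # no PSO at all: the domain default policy applies
        "guest": resultant_pso([], []).name,
    }
```

The tie-break case is the one worth checking in a real deployment: two PSOs with the same precedence resolve deterministically but not by name, so give every PSO a distinct precedence.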

29 Longhorn Server Backup and Restore
- LHSB replaces NTBackup as the new in-box backup application
  - Not a feature-by-feature replacement
- Volume-based backup
- System Restore available in WinRE
- System State backup under consideration
  - May require larger disk space
  - Target must be a separate logical volume/physical disk
- Online/offline system state recovery under consideration
- W2K3 Forest Recovery Whitepaper: http://www.microsoft.com/downloads/details.aspx?FamilyID=afe436fa-8e8a-443a-9027-c522dee35d85&DisplayLang=en

30 Longhorn Backup and Restore cont.
Feature under consideration: Snapshot Viewer of Previous AD States
- Problem: restore of accidentally deleted objects
  - Tombstones contain insufficient data, so reanimation does not restore everything, e.g. group memberships
- Solution
  - Enables connecting ldp.exe or an equivalent tool to a backup
  - The backup may be browsed to view the group memberships of a deleted object
  - Tombstone reanimation + manual addition to groups enables full restoration of the object
  - Alternatively, authoritative restore can be used, but with full confidence that undesirable memberships will not be restored

31 And many more...
- Restartable Active Directory
  - Enables offline defrag
  - Enables patches to ntdsai.dll without reboot
  - Not a steady-state configuration!
- IPv6 support in AD DS, AD LDS and DNS
  - Impacts DCLocator and Sites and Subnets
- DNS DNAME support
- DNS single-label support (GlobalNames zone)
- DNS instant-on
- DNS client LLMNR (Link Local Multicast)

32 And many more... cont.
Management Packs
- Active Directory Management Pack SP1
  - New Longhorn features (e.g. restartable AD, RODC, etc.)
  - Multiple replication latency groups
  - Multiple forests
- DNS MP SP1
  - New Longhorn features (IPv6, etc.)
  - Leverages the new DNS health model
  - Configuration validation
- ADAM MP
Phonetic names support for address book

33 Attribute Editor

34 Resources
- http://www.microsoft.com/windowsserver2003/evaluation/news/bulletins/ADvision.mspx
- http://www.microsoft.com/technet/technetmag/issues/2006/11/FutureOfWindows/default.aspx
- http://www.microsoft.com/windowsserver/longhorn/evaluation/overview.mspx
