
Jose Luis Auricchio Microsoft Switzerland




1 Jose Luis Auricchio Microsoft Switzerland josea@microsoft.com

2 Session Objectives:
   - Identify the key new AD DS features in Windows Server 2008 (WS08)
   - Explain the value of deploying these features
   - Demonstrate these features in real-life customer scenarios
  Key Takeaways:
   - Understand when and how to deploy the key new AD DS features
   - Learn planning tips and best practices for these features

3 Key Investments
   - Branch Office: Read-Only Domain Controller (RODC)
   - Manageability: Auditing, Backup/Recovery
   - Security: Fine-Grained Password Policy
   - Q & A

4 New names and installation options in Windows Server 2008
   - Active Directory Domain Services (AD DS) replaces "Active Directory"
   - Active Directory Lightweight Directory Services (AD LDS) replaces "Active Directory Application Mode" (ADAM)
   - Server Roles: server functionality such as AD DS, AD LDS and DNS, centrally managed through Server Manager
   - Server Core: minimal server installation option; fewer components are installed, so a DC exposes a smaller attack surface

5 Agenda: Security | Manageability | Branch Office

6 Agenda: Security | Manageability | Branch Office (this section: Branch Office)

7 Admins face the following challenges when deploying a Domain Controller at a branch office:
   - The DC is placed in a physically insecure location
   - The DC has unreliable network connectivity to the hub
   - Branch staff lack the knowledge or privileges to manage the DC, so Domain Admins (DAs) either manage the branch DC remotely or delegate privileges to branch staff
   - To consolidate the AD infrastructure, admins would like to remove DCs from branch offices, but then users cannot log on or access network resources when the WAN fails

8 RODC threat model
   Adversary might...           RODC mitigation
   Steal the RODC               No secrets (password hashes) are cached by default; the RODC filtered attribute set ("RO PAS" on the slide) keeps attributes marked in the schema from ever replicating to an RODC. If the box does go missing, deleting its computer account on a writable DC offers to reset the passwords of every account that was cached on it.
   Compromise the RODC          Read-only database; unidirectional replication, so nothing written locally ever flows back to the writable DCs
   Intercept DA credentials     Admin role separation: a delegated local administrator manages the RODC without holding Domain Admin rights, so DA credentials never have to be typed at the branch

9 When to use an RODC:
   - Security concerns or management costs are driving consolidation of writeable DCs out of branch offices
   - ...and there is still a need for the benefits of data locality and autonomy if the WAN fails
  When not to use an RODC:
   - As a full-featured replacement for full/writeable Domain Controllers

10 Password Replication Policy (PRP) options: which accounts' secrets the RODC is allowed to cache
   No accounts cached (default)
     Pro: most secure; still provides fast authentication and policy processing while the WAN is up
     Con: no offline access for anyone; the WAN is required for logon
   Most accounts cached
     Pro: ease of password management; intended for customers who care most about the manageability improvements of the RODC and not about security
     Con: more passwords potentially exposed on the RODC
   Few accounts (branch-specific accounts) cached
     Pro: enables offline access for those who need it and maximizes security for everyone else
     Con: fine-grained administration is a new task; users and computers must be mapped to each branch (the branch computers' secrets must be cached too, or nobody can log on to them while the WAN is down)
   The PRP is expressed through the "Allowed RODC Password Replication Group" and "Denied RODC Password Replication Group" (plus any groups added per RODC); denied always wins over allowed.

11 RODC deployment scenarios
   - RODC in branch offices (primary and supported scenario): environments with limited physical security
   - RODC in a DMZ: environments with cross Corpnet/DMZ resource access requirements
   - RODC on the Internet: environments with cross Corpnet/Internet resource access requirements

12 How to deploy an RODC in a Windows Server 2003 environment
   Not RODC specific:
     1. adprep /forestprep
     2. adprep /domainprep
     3. Promote a Windows Server 2008 DC (an RODC can only replicate from a writable WS08 DC)
     4. Verify that the forest functional level is at least Windows Server 2003
   RODC specific:
     5. adprep /rodcprep
     6. Check the list of client hotfixes required for RODC compatibility (Windows XP and Windows Server 2003 clients)
     7. Promote the RODC
   Note: You cannot convert a full DC to an RODC or vice versa without a demotion and re-promotion.

13 Staged (two-step) RODC installation
   - Pre-create the RODC account (Domain Admin, at the hub)
   - Specify the RODC parameters: site, Password Replication Policy, delegated administrator
   - Attach the machine to the RODC slot (delegated administrator, at the branch; no DA credentials needed)


15 NTDSUtil > IFM (Install From Media)
   During creation of an RODC IFM set:
   - "Secrets" (password hashes and similar attributes) are removed
   - The DIT is defragmented to remove free space

16 Secure appliance DC = RODC + Server Core + Admin Role Separation

17 Agenda: Security | Manageability | Branch Office (this section: Manageability)

18 Auditing of directory changes
   Event logs tell you exactly:
   - Who made a change
   - When the change was made
   - What object/attribute was changed
   - The beginning and end values (a modify yields a "value deleted" event carrying the old value and a "value added" event carrying the new one, linked by the same operation correlation ID)
   Auditing is controlled by:
   - Global audit policy (the new "Directory Service Changes" subcategory)
   - The SACL on the object or OU
   - Schema (attributes flagged in searchFlags as "never audit value" are left out of value logging)
   Event ID   Event type   Event description
   5136       Modify       Logged when a successful modification is made to an attribute in the directory.
   5137       Create       Logged when a new object is created in the directory.
   5138       Undelete     Logged when an object is undeleted in the directory.
   5139       Move         Logged when an object is moved within the domain.

19 (Demo screenshot: auditing settings on an existing object/OU compared with a new Organizational Unit)
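Turning the two 5136 events of a modify back into the "who, when, what, old value, new value" record that slide 18 promises, as an added example that is not part of the deck. It assumes a WS08 DC with auditpol.exe and wevtutil.exe, PowerShell 1.0 or later, and that an audit entry (Everyone, Write all properties, Success) is already set in the SACL of the OUs of interest; the global policy alone produces no 5136 events:

```powershell
# Added example, not from the deck: enable the "Directory Service Changes"
# subcategory and read 5136 events back as who / when / object / attribute /
# old value -> new value. Assumes the SACL on the audited OU is already in place.

# Global audit policy: just the new subcategory, not the whole "DS Access"
# category, which would also flood the log with 4662 access events.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /subcategory:"Directory Service Changes"

# Newest 200 change events as XML. wevtutil prints bare <Event> elements,
# so wrap them in a root element before handing them to the XML parser.
$raw    = wevtutil qe Security /q:"*[System[EventID=5136]]" /f:xml /rd:true /c:200 | Out-String
$events = ([xml]"<Events>$raw</Events>").Events.Event

# EventData is a list of <Data Name="...">value</Data>; flatten it to a hashtable.
function Get-EventData($event) {
    $h = @{}
    foreach ($d in $event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# One LDAP modify produces two 5136 events sharing OpCorrelationID:
# OperationType %%14675 = Value Deleted (old value), %%14674 = Value Added (new value).
# Key on correlation ID + attribute so a modify touching several attributes is
# split per attribute; for multi-valued attributes the last value seen wins here.
$changes = @{}
foreach ($e in $events) {
    $d   = Get-EventData $e
    $key = $d['OpCorrelationID'] + '|' + $d['AttributeLDAPDisplayName']
    if (-not $changes.ContainsKey($key)) {
        $changes[$key] = @{
            When      = $e.System.TimeCreated.SystemTime
            Who       = $d['SubjectDomainName'] + '\' + $d['SubjectUserName']
            Object    = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']
            OldValue  = ''
            NewValue  = ''
        }
    }
    switch ($d['OperationType']) {
        '%%14675' { $changes[$key].OldValue = $d['AttributeValue'] }
        '%%14674' { $changes[$key].NewValue = $d['AttributeValue'] }
    }
}

# Print, flagging the changes a reviewer cares about most: group membership
# and account control flags (e.g. "password never expires", "account disabled").
foreach ($c in $changes.Values) {
    $flag = ''
    if ($c.Attribute -eq 'member' -or $c.Attribute -eq 'userAccountControl') { $flag = '  <== review' }
    '{0}  {1}  {2}  {3}: "{4}" -> "{5}"{6}' -f $c.When, $c.Who, $c.Object, $c.Attribute, $c.OldValue, $c.NewValue, $flag
}
```

The pairing by OpCorrelationID is what makes the old and new values line up; reading 5136 events one at a time shows only half of each change. Attributes whose values must never land in the log (the schema control on the slide) are handled by the never-audit-value flag in searchFlags, not by filtering on the collecting side.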

20 AD DS Database Mounting Tool
   - Lets admins choose the best backup or snapshot to recover from
   - The tool DOES NOT restore objects
   - Now: the tool + tombstone reanimation + LDAP writes to put data back
   - Post-WS08: undelete is being investigated
   Components:
   - NTDSUTIL.EXE takes VSS snapshots of AD DS/AD LDS
   - DSAMAIN.EXE exposes snapshots (or any offline DIT) as LDAP servers
   - LDP.EXE views the read-only DS/LDS data


22 Backup and recovery
   Windows Server Backup (wbadmin.exe)
   - System state backup/recovery through the command line
   - Must back up to a separate volume (a critical volume cannot be the target)
   - System state recovery in Directory Services Restore Mode (DSRM): non-authoritative with wbadmin, authoritative by marking the objects with ntdsutil afterwards
   Database Mounting Tool (dsamain.exe)
   - dsamain.exe works with offline DITs as well, e.g. restore a backup to an alternate location to obtain an offline DIT
   - Best practice: schedule ntdsutil.exe to take regular (e.g. nightly) snapshots of AD DS/LDS
   Enhancement in Active Directory Users and Computers (ADUC)
   - By default, "Protect container from accidental deletion" is checked when creating OUs
   - Best practice: check "Protect object from accidental deletion" for important user objects as well
   Dedicated backup volume
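The backup, snapshot and mounting workflow of slides 20 and 22 end to end, as an added example (not code from the deck): nightly snapshots, a system state backup to a dedicated volume, a snapshot mounted with dsamain to compare an object "then" and "now", and the accidental-deletion protection set and verified from the command line. The E: backup volume, the C:\Scripts path, the snapshot folder name, the DNs and the user Alice are placeholders; it assumes a WS08 DC with PowerShell 2.0:

```powershell
# Added example, not from the deck. Paths, the E: volume, the $SNAP_... folder
# name (ntdsutil prints the real one when mounting) and all DNs are placeholders.

# Nightly snapshot: a small batch file sidesteps quoting problems in the task action.
Set-Content -Path C:\Scripts\adsnap.cmd -Value 'ntdsutil "activate instance ntds" snapshot create quit quit'
schtasks /Create /TN "AD DS snapshot" /SC DAILY /ST 02:00 /RU SYSTEM /TR C:\Scripts\adsnap.cmd

# System state backup to a dedicated volume; wbadmin refuses a critical volume as target.
wbadmin start systemstatebackup -backupTarget:E: -quiet
wbadmin get versions

# Mount a snapshot. "list all" prints an index per snapshot; "mount 1" exposes
# the first one as a folder such as C:\$SNAP_200806150200_VOLUMEC$\.
ntdsutil snapshot "list all" quit quit
ntdsutil snapshot "list all" "mount 1" quit quit

# Serve that DIT read-only on LDAP port 10389. dsamain stays in the foreground,
# so run the comparison below from a second prompt.
dsamain -dbpath 'C:\$SNAP_200806150200_VOLUMEC$\Windows\NTDS\ntds.dit' -ldapport 10389

# Diff selected attributes of one object between the snapshot and live AD, to
# pick the right snapshot/backup before touching anything.
function Compare-Then ($dn, $attrs) {
    $then = [ADSI]"LDAP://localhost:10389/$dn"
    $now  = [ADSI]"LDAP://$dn"
    foreach ($a in $attrs) {
        $t = @($then.Properties[$a]) -join ';'
        $n = @($now.Properties[$a])  -join ';'
        if ($t -ne $n) { "{0,-20} then: {1}`n{2,-20} now:  {3}" -f $a, $t, '', $n }
    }
}
Compare-Then "CN=Alice,OU=Branch01,DC=corp,DC=contoso,DC=com" @('memberOf','userAccountControl','description')

# The snapshot is read-only: recover with tombstone reanimation or an
# authoritative restore, then re-apply the values shown above. Unmount when done.
ntdsutil snapshot "list all" "unmount 1" quit quit

# "Protect from accidental deletion" is a deny ACE for Everyone on Delete (SD)
# and Delete Subtree (DT); set it and verify it without opening ADUC.
$ou = "OU=Branch01,DC=corp,DC=contoso,DC=com"
dsacls $ou /D "Everyone:SDDT"
dsacls $ou | Select-String 'Everyone' | Select-String 'Deny'
```

Mounting a snapshot on a non-standard port keeps the live instance untouched, which is the whole point of the tool: you decide which backup to go back to by looking at the data, not by restoring and hoping.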

23 Agenda: Security | Manageability | Branch Office (this section: Security)

24 Fine-Grained Password Policy (FGPP)
   - Enables granular administration of password and lockout policies within a single domain
   - Policies (Password Settings Objects, PSOs) can be applied to: users, global security groups
   - Requirements: Windows Server 2008 domain functional level; no client changes needed
   - No changes were made to the settings themselves, e.g. there are no new "password complexity" options
   - Multiple PSOs can be associated with a user, but only one applies (the resultant PSO)

25 Designed for scenarios where sets of users have different security and business requirements. Examples:
   - Administrators: strict settings (passwords expire every 14 days)
   - Service accounts: moderate settings (passwords expire every 31 days, different lockout threshold, minimum password length 32 characters)
   - Average users: relatively lenient settings (passwords expire every 90 days)
   3 to 10 policies are envisioned for most deployments; there is no known technical restriction on the number of policies.

26 Resultant PSO: PSO 1 (precedence = 10) and PSO 2 (precedence = 20) both apply to the same user; the resultant PSO is PSO 1. A PSO linked directly to the user wins over PSOs linked through group membership; among candidates at the same level the lowest precedence value wins, and a tie is broken by the lowest PSO objectGUID. A user with no applicable PSO gets the Default Domain Policy.

27 Planning steps
   1. Identify the sets of users in the organization
   2. Formulate the corresponding password policies for the different sets of users
   3. Create groups that mirror the sets of users
   4. Create PSOs that mirror the devised password policies
   5. Apply the PSOs to the appropriate users/groups
   6. Delegate administration

28 Delegation
   Recommendation: group-based administration, i.e. delegate modification of group membership rather than PSO links
   The feature itself can be delegated. By default, only Domain Admins can create and read PSOs, and apply a PSO to a group or user.
   Operation to be delegated          Associated permissions
   Create and delete PSOs             On the Password Settings Container (PSC): Create all child objects, Delete all child objects
   Apply PSOs to users/groups         On the PSO: Write (the msDS-PSOAppliesTo attribute)
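Slides 25 to 28 carried through as one worked example (added here, not code from the deck): the three policies of slide 25 as PSOs created with ldifde, the delegation of slide 28 with dsacls, and a check of which PSO a user actually receives. The domain, the groups Tier0-Admins, Service-Accounts, All-Staff and PasswordPolicyAdmins, and the user Alice are placeholders; it assumes a WS08 domain at the Windows Server 2008 functional level, a Domain Admin session, and that the three target groups are global security groups:

```powershell
# Added example, not from the deck. Duration attributes are negative
# 100-nanosecond intervals: 1 day = -864000000000, 14 days = -12096000000000,
# 31 days = -26784000000000, 90 days = -77760000000000, 30 min = -18000000000.
# Lockout threshold 0 means "never lock out".

$domain = 'DC=corp,DC=contoso,DC=com'
$psc    = "CN=Password Settings Container,CN=System,$domain"

# Emit one PSO as an LDIF add record. Every attribute below is mandatory on
# msDS-PasswordSettings except msDS-PSOAppliesTo (which must be a global
# security group or a user; other group types are silently ignored).
function New-PsoLdif($name, $precedence, $minLen, $maxAge, $lockout, $appliesTo) {
@"
dn: CN=$name,$psc
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: $precedence
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: $minLen
msDS-MinimumPasswordAge: -864000000000
msDS-MaximumPasswordAge: $maxAge
msDS-LockoutThreshold: $lockout
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
msDS-PSOAppliesTo: $appliesTo

"@
}

# Lower precedence value wins: an account that ends up in two of the groups
# gets the admin policy (10) over the service policy (20) over the user policy (30).
$ldif  = New-PsoLdif 'PSO-Admins'          10 15 -12096000000000 5  "CN=Tier0-Admins,OU=Groups,$domain"
$ldif += New-PsoLdif 'PSO-ServiceAccounts' 20 32 -26784000000000 10 "CN=Service-Accounts,OU=Groups,$domain"
$ldif += New-PsoLdif 'PSO-Users'           30 8  -77760000000000 10 "CN=All-Staff,OU=Groups,$domain"
Set-Content -Path C:\pso.ldf -Value $ldif
ldifde -i -k -f C:\pso.ldf

# Delegation (slide 28): the policy team may create/delete PSOs in the PSC and
# re-target the user PSO, and nothing else.
dsacls $psc /G "CORP\PasswordPolicyAdmins:CCDC;msDS-PasswordSettings"
dsacls "CN=PSO-Users,$psc" /G "CORP\PasswordPolicyAdmins:WP;msDS-PSOAppliesTo"

# Which policy does a user really get? msDS-ResultantPSO is a constructed
# attribute, so it has to be requested explicitly; empty means Default Domain Policy.
function Get-ResultantPso($userDn) {
    $u = [ADSI]"LDAP://$userDn"
    $u.RefreshCache(@('msDS-ResultantPSO'))
    return $u.Properties['msDS-ResultantPSO'].Value
}
Get-ResultantPso "CN=Alice,OU=Users,$domain"
```

Check msDS-ResultantPSO for a sample account from each set after linking, and again whenever group nesting changes: a service account that someone also adds to the admins group silently inherits the 14-day policy, which is the intended outcome here but is easy to miss if precedence values were assigned the other way round.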


30 Other manageability investments
   - Tools: Data Collection Template for AD DS (previously known as the Server Performance Advisor, SPA); AD Management Pack SP1 for Windows Server 2008 DCs/RODCs
   - Enhanced data integrity in the directory database: support for single-bit error correction
   - DC Locator improvements: site-aware Domain Controller Locator
   - DNS Server: "instant-on" startup performance improvements

31 Resources
   TechNet documentation for AD DS:
   - Step-by-step Guide for RODC
   - Step-by-step Guide for AD DS Installation & Removal
   - Step-by-step Guide for Restartable AD DS
   - Step-by-step Guide for the AD Data Mining (Mounting) Tool
   - Step-by-step Guide for AD DS Backup & Recovery
   - Step-by-step Guide for Auditing AD DS Changes
   - Step-by-step Guide for FGPP & Account Lockout Policy Configuration
   MSDN documentation for the schema

32 © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

