
{ Small / Branch Offices}



2 { Small / Branch Offices}
Viral Tarpara, IT Pro Evangelist, Microsoft Ltd
Steve Lamb, IT Pro Evangelist, Microsoft UK

3 Why Are You Here?
Curiosity
Find other ways to make money
Find ways to get home on time
©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

4 Objective of the session
Show you how to take control of, and improve the effectiveness of, remote office infrastructure
Educate you on the improvements made in Vista SP1
Show how to set up a self-provisioning branch office

5 Agenda
Let's review the challenges
Read Only Domain Controllers
Sustainable/Green IT
BitLocker on the Server
Bandwidth optimisation
Server & Domain Isolation

6 What are the challenges?
Limited bandwidth
Limited IT at the local level
Limited budget!
Too much to do, sheer scale, particularly for branch offices

7 Read-Only Domain Controller
RODC features:
Read-only Active Directory database and GC
PAS: only allowed user passwords are stored on the RODC
Unidirectional replication
Role separation

RODC benefits:
Increases security for remote domain controllers where physical security cannot be guaranteed
Supports ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM

Speaker notes
Title: Read-Only Domain Controller (RODC)
Talking points: The Read-Only Domain Controller (RODC) provides increased security for locations such as branch offices. A read-only domain controller is a new type of domain controller in the Windows Server 2008 operating system, primarily targeted at branch offices or edge sites. By default, an RODC does not store any passwords. That way, if the RODC is compromised, an administrator does not have to worry about someone gaining access to the entire network using the information stored on that server. This addresses the lack of physical security that can occur at branch offices, so the threat to Active Directory is drastically reduced.

[BUILD1] RODC features: RODCs are in a read-only state with unidirectional (read-only) replication for Active Directory and FRS/DFSR. Each RODC has its own KDC krbtgt account (the account that issues tickets), which provides cryptographic isolation from the other domain controllers. An RODC uses a workstation-style account, so it has very limited rights to write to Active Directory, which minimises the impact of unauthorised access; for the same reason RODCs are not members of the Enterprise Domain Controllers (EDC) or Domain Controllers groups. Because no changes are written directly to the RODC, and therefore none originate locally, writable domain controllers that are replication partners do not have to pull changes from the RODC. This reduces the workload of bridgehead servers in the hub site and the effort required to monitor replication.

RODC unidirectional replication applies to both AD DS and Distributed File System Replication: the RODC performs normal inbound replication for AD DS and DFSR changes. An RODC also uses credential caching, which is the storage of user or computer credentials. Credentials consist of a small set of approximately 10 passwords that are associated with security principals. With role separation you can delegate the local administrator role of an RODC to any domain user without granting that user any user rights for the domain or for other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver, but that user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way the branch user can be delegated the ability to manage the RODC in the branch office without compromising the security of the rest of the domain.

[BUILD2] RODC benefits: RODCs provide a way to deploy a domain controller more securely in a branch office, an extranet, or an application-facing role. They are designed for locations that require rapid, reliable, and robust authentication services but that may also have a security limitation that prevents deployment of a writable domain controller. With an RODC, organisations can easily deploy a domain controller in locations where physical security cannot be guaranteed.

[BUILD3] RODC support: RODCs provide support for ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, and MOM. More detailed information on how RODC works and what is required to implement RODC in Windows Server 2008 follows in the next two slides.

Additional information: Changes in Functionality to Windows Server Longhorn (January 2007).doc (also called the Book of Longhorn)

[Diagram: Main Office / Branch Office]
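The speaker notes above describe three things that are easy to get wrong when reasoning about an RODC: which credentials the hub lets it cache (the Password Replication Policy, where a match on the Denied list always wins over the Allowed list), why a cached credential still works when the WAN link is down, and why a stolen RODC exposes only the cached set. The following Python model is an added example and is not code from the presentation or from Microsoft; the directory contents, the "Branch-Users" group, the user names and the hub-reachability flag are all constructed for the example, and passwords are stood in for by SHA-256 digests rather than the real NT hash or Kerberos keys.

```python
"""
Added example (not from the presentation): a small model of an RODC's
Password Replication Policy (PRP), the credential cache it drives, and
the clean-up list a defender needs if the RODC is lost. All accounts,
groups other than the built-in "Denied RODC Password Replication Group",
and the hub-reachability flag are constructed for this example.
"""
from dataclasses import dataclass, field
import hashlib

DENIED_GROUP = "Denied RODC Password Replication Group"  # real built-in group


@dataclass
class Principal:
    """A user account with its group memberships (constructed sample data)."""
    name: str
    groups: frozenset
    secret: str  # the hub DC's view of the password; never copied to the RODC as-is


@dataclass
class PasswordReplicationPolicy:
    """Allowed / Denied lists held on the RODC's computer object.
    A Denied match (by name or by group) always overrides an Allowed match."""
    allowed: frozenset
    denied: frozenset

    def may_cache(self, p: Principal) -> bool:
        if p.name in self.denied or p.groups & self.denied:
            return False
        return p.name in self.allowed or bool(p.groups & self.allowed)


@dataclass
class ReadOnlyDC:
    """RODC: holds no secrets unless the PRP lets the hub DC replicate them."""
    prp: PasswordReplicationPolicy
    revealed: dict = field(default_factory=dict)   # name -> cached password digest
    authenticated: set = field(default_factory=set)  # everyone who ever logged on here

    def authenticate(self, p: Principal, password: str, hub_reachable: bool) -> str:
        """Returns where the logon was satisfied: 'local', 'hub' or 'denied'."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if p.name in self.revealed:
            # Cached credential: the branch keeps working even when the WAN is down.
            return "local" if self.revealed[p.name] == digest else "denied"
        if not hub_reachable:
            return "denied"  # nothing cached and no writable DC to forward to
        # Forwarded to a writable DC, which verifies the password.
        if password != p.secret:
            return "denied"
        self.authenticated.add(p.name)
        # The writable DC replicates the secret back only if the PRP allows it.
        if self.prp.may_cache(p):
            self.revealed[p.name] = digest
        return "hub"

    def accounts_to_reset(self) -> list:
        """Accounts whose passwords were present on this RODC; if the box is
        stolen these are the ones to reset (its own krbtgt_<id> account is
        retired together with the RODC's computer account)."""
        return sorted(self.revealed)


def build_sample():
    """Constructed branch: one ordinary user, one domain admin, one unlisted user."""
    prp = PasswordReplicationPolicy(
        allowed=frozenset({"Branch-Users"}),               # constructed allow group
        denied=frozenset({DENIED_GROUP, "Domain Admins"}),  # mirrors the default deny
    )
    rodc = ReadOnlyDC(prp)
    users = {
        "alice": Principal("alice", frozenset({"Domain Users", "Branch-Users"}), "a-pw"),
        "bob": Principal("bob", frozenset({"Domain Users", "Branch-Users", "Domain Admins"}), "b-pw"),
        "carol": Principal("carol", frozenset({"Domain Users"}), "c-pw"),
    }
    return rodc, users


def run_scenario():
    """Day 1: everyone logs on with the hub reachable. Day 2: the WAN link is down."""
    rodc, users = build_sample()
    first = {n: rodc.authenticate(u, u.secret, hub_reachable=True) for n, u in users.items()}
    offline = {n: rodc.authenticate(u, u.secret, hub_reachable=False) for n, u in users.items()}
    return first, offline, rodc.accounts_to_reset()


if __name__ == "__main__":
    first, offline, reset = run_scenario()
    print("first logon satisfied by:", first)
    print("offline logon satisfied by:", offline)
    print("reset if this RODC is stolen:", reset)
```

Bob is a member of the allowed group, yet his credential is never cached because Domain Admins sits on the Denied list, which is exactly the behaviour the default deny groups are there to guarantee. The `accounts_to_reset` list is what `repadmin /prp view <rodc> reveal` reports on a real deployment; keeping it short is the whole point of a restrictive PRP.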

8 Sustainable/Green IT Centralised Power Management Via GPOs on OUs

9 BitLocker on the Server
What threats does it mitigate? What are the pre-requisites? Where to start? How’s it different on the Server?

10 Server and Domain Isolation
[Diagram: Active Directory domain controller and corporate network; a server isolation zone containing a trusted resource server and servers with sensitive data; an HR workstation and managed computers; an unmanaged/rogue computer marked X as untrusted]
IPsec tools all located in one place to prevent creating conflicting policies. Possible Vista integration.
Define the logical isolation boundaries
Distribute policies and credentials
Managed computers can communicate
Block inbound connections from untrusted computers
Enable tiered access to sensitive resources

11 Bandwidth Optimisation
New network stack gives great benefits
Continued support for DiffServ
Compression
Improved file SP1

12 Vista SP1 Realities

13 Realities: vulnerabilities found in the first year of OS life


16 Application Compatibility Progress
Over 150 critical enterprise-blocking applications remediated
Each application on this list was blocking 1 or more companies from moving to Windows Vista
10 times more applications have either "Certified for" or "Works with" Windows Vista logos than at launch
Great titles like Trend Micro Internet Security Pro and Nero 7 Premium
Today's most popular and best-selling software runs on Windows Vista

17 Microsoft Deployment
Lite Touch
Zero Touch with SMS 2003
Zero Touch with Configuration Manager 2007 (New!)
Fully integrated, single console; adds server support; extends and enhances; aligns with ConfigMgr; upgrade from BDD 2007; evolutionary
Leverages core deployment tools; provides process and tool guidance

18 MDT: Lite Touch Setup Process, Core Image Build and Deploy
Install MDT
Configure MDT: download and install additional components
Stock the distribution share: add operating systems, add applications, add packages, add drivers
Task sequence: add a task sequence
Deployment point: create and configure the distribution point

19 Call to Action Come and talk to us either in person, via or via our blogs to overcome the challenges you face in Small Offices and Branch Offices

20 Please fill in your Evaluation Form

21 References
For BitLocker
For the Server & Domain Isolation
For the Read-Only Domain Controller
For Windows Deployment Services
For Microsoft Deployment Toolkit
For Application Compatibility Toolkit v5

22 Thank you mailto://jamesone@microsoft.com
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

