1. Windows 2008 Active Directory Branch office Management Sampath Perera sampath@nanotechglobal.net, sampath_mails@hotmail.com www.khgeeks.org

2. Session Objectives & Takeaways Session Objectives: Identify the key new AD DS features in WS08 Explain the value of deploying these features Demonstrate these features in real life scenarios Key Takeaways: Understand when and how to deploy the key new AD DS features

3. Key Investments areas Branch Office Manageability Security

4. Key Investments areas Branch Office Manageability Security

5. Windows 2008 Branch Office Benefits Security BitLocker Server Core Read-Only Domain Controller Admin Role Separation Optimization SysVolRéplication DFS Réplication Protocols Administration Print Management Console PowerShell, WinRS, WinRM Virtualization Restartable Active Directory Hub Site Branch Office

7. WAN: Congested, Unreliable

8. Security: Not Sure

10. So how can we deploy a Domain Controller in this environment?!

11. Read-Only Domain Controller 1-Way Replication Admin Role Separation No replication from RODC to Full-DC RODC Server Admin does NOT need to be a Domain Admin Prevents Branch Admin from accidentally causing harm to the AD Delegated promotion Attack on RODC does not propagate to the AD RODC Passwords not cached by-default Policy to configure caching branch specific passwords (secrets) on RODC Policy to filter schema attributes from replicating to RODC

12. RODC – Attacker “experience” I have a Read-Only database. Also, no other DC in the enterprise replicates data from me. Damn! Let’s steal this RODC By default I do not have any secrets cached. I do not hold any custom app specific attributes either. Let’s tamper data on this RODC and use its identity Let’s intercept Domain Admin credentials sent to this RODC With Admin role separation, the Domain Admin doesn’t need to log-in to me.  RODC Attacker RODC

13. RODC Mitigates “Stolen DC” Hub Admin Perspective

14. Read-Only Domain ControllerPassword Replication Policy

15. Read-Only Domain ControllerHow it works? Branch HUB Logon request sent to RODC RODC RODC: Looks in DB "I don't have the users secrets" Full DC Forwards Request to Full DC Full DC authenticates user Returns authentication response and TGT back to the RODC RODC gives TGT to User and Queues a replication request for the secrets Hub DC checks Password Replication Policy to see if Password can be replicated

16. Read-Only Domain ControllerRecommended Deployment Models No accounts cached (default) Pro: Most secure, still provides fast authentication and policy processing Con: No offline access for anyone Most accounts cached Pro: Ease of password management. Manageability improvements of RODC and not security. Con: More passwords potentially exposed to RODC Few accounts (branch-specific accounts) cached Pro: Enables offline access for those that need it, and maximizes security for other Con: Fine grained administration is new task

17. Read-Only Domain ControllerUpgrade path from Windows 2003 Domain Deployment steps: ADPREP /ForestPrep ADPREP /DomainPrep Promote a Windows Server 2008 DC Verify Forest Functional Mode is Windows 2003 ADPREP /RodcPrep Promote RODC Test RODCs for application compatibility in your environment! Not RODC specific RODC Specific task

18. Read-Only Domain ControllerDelegated Administrator (“Local Roles”) Delegated RODC Promotion

19. Read-Only Domain ControllerAdmin role separation

21. Branch Office & Replication Optimization DFS-R replication provides more robust and detailed replication of SYSVOL contents Requires Windows Server 2008 Domain Mode

22. Key Investments areas Branch Office Manageability Security

23. Directory Service AuditingNew Directory Service Changes Events Event logs tell you exactly: Who made a change When the change was made What object/attribute was changed The beginning & endvalues Auditing controlled by Global audit policy SACL Schema

24. Directory Service Auditingin Windows Server 2008

25. Fine-Grained Password PoliciesOverview Granular administration of password and lockout policies within a domain Usage Examples: Administrators Strict setting (passwords expire every 14 days) Service accounts Moderate settings (passwords expire every 31 days, minimum password length 32 characters) Average User “light” setting (passwords expire every 90 days)

26. Fine-Grained Password PoliciesAt a glance Policies can be applied to: Users Global security groups Does NOT apply to: Computer objects Organizational Units Multiple policies can be associated with the user, but only one applies

27. Fine-Grained Password PoliciesExample Resultant PSO = PSO1 Precedence = 10 Password Settings Object PSO 1 Applies To Resultant PSO = PSO1 Applies To Precedence = 20 Password Settings Object PSO 2 Applies To

28. Key Investments areas Branch Office Manageability Security

29. Restartable AD DS Without a reboot you can now perform offline defragmentation DS stopped similar to member server: NTDS.dit is offline Can log on locally with DSRM password Server Core Fewer reboots for servicing Restartable AD DS

30. Manageability Improvements

31. ADUC: Prevent Object Deletion Existing Object/OU New Organizational Unit

32. Summary – Key features in Active Directory Directory Services 2008 Read-Only Domain Controller (RODC) Fine Grained Password Policies Enhanced Auditing Capabilities Restartable AD DS AD DS Database Mounting Tool DFS-R Sysvol Replication

34. Your potential. Our passion.