Presentation transcript
Speaker: Efi Bregman, Principal Consultant, Microsoft Consulting Services Israel
Session Objectives and Takeaways
Session objectives:
- Identify the key new AD DS features in Windows Server 2008 (WS08)
- Explain the value of deploying these features
- Demonstrate these features in real-life scenarios
Key takeaway:
- Understand when and how to deploy the key new AD DS features
Key investment areas
- Branch Office
- Security
- Manageability
Windows 2008 Branch Office Benefits
(Diagram: hub site and branch office.)
Security:
- BitLocker
- Server Core
- Read-Only Domain Controller
- Admin Role Separation
Optimization:
- SYSVOL replication (DFS Replication)
- Protocols
Administration:
- Print Management Console
- PowerShell, WinRS, WinRM
- Virtualization
- Restartable Active Directory
Branch Office Dilemma
(Diagram: HQ data center and hub network connected over the WAN to the branch office.)
Branch office characteristics:
- Small number of employees
- WAN: congested, unreliable
- Security: not sure
- Admin proficiency: generalist
The problem:
- Branch authentication and authorization fail when the WAN goes down
- A compromised branch DC jeopardizes the security of the whole corporate AD!!!
So how can we deploy a Domain Controller in this environment?!
Read-Only Domain Controller
Admin Role Separation:
- The RODC server admin does NOT need to be a Domain Admin
- Prevents the branch admin from accidentally causing harm to the AD
- Delegated promotion
1-way replication:
- No replication from the RODC to a full DC
- An attack on the RODC does not propagate to the AD
Passwords not cached by default:
- Policy to configure caching of branch-specific passwords (secrets) on the RODC
- Policy to filter schema attributes from replicating to the RODC
RODC – Attacker "experience"
(Diagram: an attacker holding the admin role on the branch RODC, with the hub full DC on the other side of the WAN. Speech bubbles: "Let's tamper data", "Damn! I have a Read-Only", "With Admin role", "enterprise replicates log-in to me".)
Read-Only Domain Controller – How it works?
(Diagram: user and RODC in the branch, full DC in the hub; the numbers below label the arrows.)
1. Logon request sent to the RODC
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards the request to a full DC
4. Full DC authenticates the user
5. Returns the authentication response and TGT back to the RODC
6. RODC gives the TGT to the user and queues a replication request for the secrets
7. Hub DC checks the Password Replication Policy to see if the password can be replicated
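The seven-step flow above, and the Password Replication Policy check in step 7, as a small simulation added here (not code from the presentation or from Microsoft). Group names, accounts and passwords are constructed; the rule that the Denied list wins over the Allowed list and the default denied groups are the documented PRP behaviour, and the wan_up flag is an added switch to show what happens when the branch link is down.

```python
"""Simulation of the RODC logon flow (steps 1-7 on the slide) and the
Password Replication Policy (PRP) check. Constructed example; account
data and group names are illustrative. PRP rule: Denied wins over Allowed,
and the default policy denies the privileged groups listed below."""
from dataclasses import dataclass, field

DEFAULT_DENIED = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Cert Publishers",
    "Group Policy Creator Owners", "Account Operators", "Server Operators",
    "Backup Operators",
}

@dataclass
class HubDC:
    accounts: dict          # username -> (password, set of group names); constructed
    allowed: set            # "Allowed RODC Password Replication Group" members
    denied: set = field(default_factory=lambda: set(DEFAULT_DENIED))

    def authenticate(self, user, password):
        """Step 4: the full DC holds every secret and authenticates the user."""
        entry = self.accounts.get(user)
        return entry is not None and entry[0] == password

    def may_replicate_secret(self, user):
        """Step 7: PRP check. Any Denied membership blocks replication."""
        groups = self.accounts[user][1]
        if groups & self.denied:
            return False
        return bool(groups & self.allowed)

@dataclass
class RODC:
    hub: HubDC
    wan_up: bool = True
    cache: dict = field(default_factory=dict)   # secrets the RODC holds (step 2)

    def logon(self, user, password):
        """Returns (authenticated, served_locally_without_the_hub)."""
        if user in self.cache:                          # secret cached: works offline
            return self.cache[user] == password, True
        if not self.wan_up:                             # not cached and no hub: fails
            return False, False
        if not self.hub.authenticate(user, password):   # steps 3-4
            return False, False
        # steps 5-6: TGT returned to the user, replication of the secret queued
        if self.hub.may_replicate_secret(user):         # step 7 decides the cache
            self.cache[user] = self.hub.accounts[user][0]
        return True, False
```

Run a branch user and a Domain Admin through the RODC twice: the branch user's second logon is served locally and survives a WAN outage, the Domain Admin's secret is never cached.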
Read-Only Domain Controller – Recommended Deployment Models
No accounts cached (default):
- Pro: most secure; still provides fast authentication and policy processing
- Con: no offline access for anyone
Most accounts cached:
- Pro: ease of password management; you get the manageability improvements of the RODC, but not the security ones
- Con: more passwords potentially exposed on the RODC
Few accounts (branch-specific accounts) cached:
- Pro: enables offline access for those who need it and maximizes security for everyone else
- Con: fine-grained administration is a new task
Read-Only Domain Controller – Upgrade path from a Windows 2003 domain
Deployment steps:
1. ADPREP /ForestPrep
2. ADPREP /DomainPrep
(Steps 1-2 are not RODC specific.)
3. Promote a Windows Server 2008 DC
4. Verify the forest functional mode is Windows 2003
5. ADPREP /RodcPrep
6. Promote the RODC
(Steps 3-6 are the RODC-specific tasks.)
Test RODCs for application compatibility in your environment.
Read-Only Domain Controller – Delegated Administrator ("Local Roles")
Delegated RODC promotion:
- Pre-create the RODC account
- Specify the RODC parameters
- Attach the machine to the RODC slot
Read-Only Domain Controller – Install-from-media Promotion
- NTDSUtil > IFM
- During creation of the RODC IFM: "secrets" are removed
- The DIT is defragged to remove free space
Branch Office & Replication Optimization
- DFS-R replication provides more robust and detailed replication of SYSVOL contents
- Requires Windows Server 2008 domain mode
Key investment area: Security
Directory Service Auditing
New Directory Service Changes events. The event logs tell you exactly:
- Who made a change
- When the change was made
- What object/attribute was changed
- The beginning and end values
Auditing is controlled by:
- Global audit policy
- SACL
- Schema

Event ID  Event type  Event description
5136      Modify      Logged when a successful modification is made to an attribute in the directory.
5137      Create      Logged when a new object is created in the directory.
5138      Undelete    Logged when an object is undeleted in the directory.
5139      Move        Logged when an object is moved within the domain.
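Turning these events into the who/when/what/old-value/new-value records the slide promises takes one correlation step, shown here as an added example (not from the presentation). It assumes events have already been read into dicts of the EventData fields the real events carry (OpCorrelationID, SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType) plus a TimeCreated timestamp; a single attribute modification produces two 5136 events with the same OpCorrelationID, %%14675 for the deleted (old) value and %%14674 for the added (new) value. The sample events are constructed.

```python
"""Correlate Directory Service Changes events (5136-5139) into change records.
Added example. Assumes single-valued attributes: for one attribute change the
DC writes two 5136 events that share an OpCorrelationID, one %%14675 (Value
Deleted = old value) and one %%14674 (Value Added = new value)."""
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"
SINGLE_EVENT_TYPES = {5137: "Create", 5138: "Undelete", 5139: "Move"}

# Constructed sample: one description change (two 5136s) and one object creation.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2008-03-01T09:15:02Z", "OpCorrelationID": "{A1}",
     "SubjectUserName": "branchadmin", "ObjectDN": "CN=Alice,OU=Branch,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Sales",
     "OperationType": VALUE_DELETED},
    {"EventID": 5136, "TimeCreated": "2008-03-01T09:15:02Z", "OpCorrelationID": "{A1}",
     "SubjectUserName": "branchadmin", "ObjectDN": "CN=Alice,OU=Branch,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Finance",
     "OperationType": VALUE_ADDED},
    {"EventID": 5137, "TimeCreated": "2008-03-01T09:16:40Z", "OpCorrelationID": "{B2}",
     "SubjectUserName": "branchadmin", "ObjectDN": "CN=Svc1,OU=Branch,DC=corp,DC=example",
     "ObjectClass": "user"},
]

def correlate_changes(events):
    """Return one record per logical change, in order of first appearance.
    5136 pairs are merged on (OpCorrelationID, ObjectDN, attribute); 5137-5139
    are single events and become one record each."""
    mods = {}                      # correlation key -> record being filled in
    records = []
    for ev in events:
        if ev["EventID"] == 5136:
            key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
            rec = mods.get(key)
            if rec is None:
                rec = {"type": "Modify", "who": ev["SubjectUserName"], "when": ev["TimeCreated"],
                       "object": ev["ObjectDN"], "attribute": key[2], "old": None, "new": None}
                mods[key] = rec
                records.append(rec)
            # Value Added carries the new value, Value Deleted the old one
            rec["new" if ev["OperationType"] == VALUE_ADDED else "old"] = ev["AttributeValue"]
        elif ev["EventID"] in SINGLE_EVENT_TYPES:
            records.append({"type": SINGLE_EVENT_TYPES[ev["EventID"]], "who": ev["SubjectUserName"],
                            "when": ev["TimeCreated"], "object": ev["ObjectDN"],
                            "attribute": None, "old": None, "new": None})
    return records
```

None of this fires unless the Directory Service Changes audit subcategory is enabled and the object has a matching SACL, which is exactly the "controlled by" list above.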
Fine-Grained Password Policies – Overview
Granular administration of password and lockout policies within a domain.
Usage examples:
- Administrators: strict setting (passwords expire every 14 days)
- Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
- Average user: "light" setting (passwords expire every 90 days)
Fine-Grained Password Policies – At a glance
Policies can be applied to:
- Users
- Global security groups
Does NOT apply to:
- Computer objects
- Organizational Units
Multiple policies can be associated with a user, but only one applies.
Fine-Grained Password Policies – Example
(Diagram: Password Settings Object PSO 1 with Precedence = 10 and Password Settings Object PSO 2 with Precedence = 20, each with its "Applies To" links. Users covered by both PSOs get Resultant PSO = PSO1: the PSO with the lower precedence value wins.)
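The resolution shown in the example, written out as an added example (not from the presentation): the documented order is that a PSO linked directly to the user beats any group-linked PSO, then the lowest msDS-PasswordSettingsPrecedence wins, then the smallest objectGUID breaks a tie, and with no PSO at all the Default Domain Policy applies. PSO, group and user names are constructed; PSO1 and PSO2 mirror the slide.

```python
"""Resultant PSO resolution for fine-grained password policies (added example).
Order: direct user link > lowest msDS-PasswordSettingsPrecedence > smallest
objectGUID; no matching PSO means the Default Domain Policy applies."""
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int            # msDS-PasswordSettingsPrecedence (lower wins)
    applies_to: frozenset      # msDS-PSOAppliesTo: user and global-group names
    guid: uuid.UUID            # objectGUID, used only to break a precedence tie
    max_password_age_days: int

def resultant_pso(user, user_groups, psos):
    """Return the PSO that governs `user`, or None when the domain default applies.
    `user_groups` is the set of global security groups the user belongs to."""
    direct = [p for p in psos if user in p.applies_to]
    # a direct link excludes every group-linked PSO from consideration
    candidates = direct or [p for p in psos if p.applies_to & user_groups]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))

# Constructed PSOs; PSO1/PSO2 carry the precedences from the slide
PSO1 = PSO("PSO1", 10, frozenset({"Admins-PSO"}), uuid.UUID(int=1), 14)
PSO2 = PSO("PSO2", 20, frozenset({"ServiceAccounts-PSO"}), uuid.UUID(int=2), 31)
PSO_LIGHT = PSO("PSO-Users", 30, frozenset({"Domain Users"}), uuid.UUID(int=3), 90)
PSO_DIRECT = PSO("PSO-Direct", 99, frozenset({"svc-backup"}), uuid.UUID(int=4), 180)
ALL_PSOS = [PSO1, PSO2, PSO_LIGHT, PSO_DIRECT]

if __name__ == "__main__":
    # alice is in both PSO1's and PSO2's groups: PSO1 (precedence 10) wins
    print(resultant_pso("alice", {"Admins-PSO", "ServiceAccounts-PSO"}, ALL_PSOS).name)
```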
Fine-Grained Password Policies – Design Step-by-Step
Requires Windows Server 2008 domain functional mode.
1. Create mirror groups for the different sets of users
2. Create PSOs for the different password policies
3. Apply the PSOs to users/groups
4. Delegate administration of the mirror groups
Fine-Grained Password Policies – Administration
The feature itself can be delegated. By default, only Domain Admins can:
- Create and read PSOs
- Apply a PSO to a group or user

Operation to be delegated        Associated permissions
Create and delete PSOs           On the PSC (Password Settings Container): Create all child objects, Delete all child objects
Applying PSOs to users/groups    On the PSO: Write
Key investment area: Manageability
Restartable AD DS
- Without a reboot you can now perform offline defragmentation
- With DS stopped the server behaves like a member server: NTDS.dit is offline
- You can log on locally with the DSRM password
- Restartable AD DS plus Server Core means fewer reboots for servicing
Database Mounting Tool
Backup/recovery: allows the administrator to choose the best backup.
- NTDSUTIL.EXE: takes VSS snapshots of the Directory Service
- DSAMAIN.EXE: exposes snapshots as LDAP servers
- LDP.EXE or Active Directory Users & Computers: views the read-only Directory Service data
Best practice: schedule NTDSUtil.exe to take regular snapshots of AD DS.
Note: the tool is not used for restoring objects.
Group Policy Enhancements
- Over 700 new settings: power options, removable media, Windows Firewall configuration, printer management ...
- Transition to ADMX files
- Additional management features:
  - Add comments to individual GPOs and settings
  - Search and filter on settings and comments
  - Create Starter GPOs for easier reuse
Summary – Key features in Active Directory Domain Services 2008
- Read-Only Domain Controller
- Fine-Grained Password Policies
- Enhanced auditing capabilities
- Restartable AD DS
- AD DS Database Mounting Tool
- DFS-R SYSVOL replication
Resources
- Read-Only Domain Controller: http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx
- Fine-Grained Password Policies: http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx
- Restartable AD DS: http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx
- Enhanced auditing capabilities: http://technet2.microsoft.com/windowsserver2008/en/library/ad35ab51-2e85-41e9-91f7-ccedf2fc98241033.mspx and http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx
- AD DS Database Mounting Tool ("SnapView"): http://technet2.microsoft.com/windowsserver2008/en/library/4503d762-0adf-494f-a08b-cf502ecb76021033.mspx?mfr=true
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.