![Page 1: Windows 2008 Active Directory Branch office Management_MVP Sampath Perera](https://reader035.vdocuments.us/reader035/viewer/2022081400/5554bec0b4c90503388b4d43/html5/thumbnails/1.jpg)
Windows 2008 Active Directory Branch Office Management
Sampath Perera
[email protected], [email protected]
www.khgeeks.org
Session Objectives & Takeaways
• Session Objectives:
  – Identify the key new AD DS features in WS08
  – Explain the value of deploying these features
  – Demonstrate these features in real-life scenarios
• Key Takeaways:
  – Understand when and how to deploy the key new AD DS features
Key Investments areas
Security Manageability
Branch Office
Windows 2008 Branch Office Benefits
[Figure: Hub Site connected to Branch Office]
• Security: BitLocker, Server Core, Read-Only Domain Controller, Admin Role Separation
• Optimization: SYSVOL Replication, DFS Replication, Protocols
• Administration: Print Management Console; PowerShell, WinRS, WinRM; Virtualization; Restartable Active Directory
Branch Office Dilemma
• Small number of employees
• WAN: congested, unreliable
• Security: not sure
• Admin proficiency: generalist
[Figure: HQ Data Center / Hub Network connected to Branch Office]
Branch Office Dilemma
• Option 1: Consolidate and remove DCs from the branch
  – Branch authentication & authorization fails when the WAN goes down
• Option 2: Put a full DC in the branch
  – Either give the branch admin privilege or manage remotely
  – A compromised branch DC jeopardizes the security of the corporate AD!!!
[Figure: HQ Data Center / Hub Network connected to Branch Office]
So how can we deploy a Domain Controller in this environment?!
Read-Only Domain Controller
• Admin Role Separation
  – RODC server admin does NOT need to be a Domain Admin
  – Prevents the branch admin from accidentally causing harm to the AD
  – Delegated promotion
• Policy to configure caching of branch-specific passwords (secrets) on the RODC
• Policy to filter schema attributes from replicating to the RODC
• Passwords not cached by default
• 1-Way Replication
  – No replication from RODC to full DC
  – Attack on RODC does not propagate to the AD
RODC – Attacker "experience"
Attacker: Let's intercept Domain Admin credentials sent to this RODC.
RODC: With Admin role separation, the Domain Admin doesn't need to log in to me.
Attacker: Let's steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.
Attacker: Let's tamper with data on this RODC and use its identity.
RODC: I have a read-only database. Also, no other DC in the enterprise replicates data from me.
Attacker: Damn!
Read-Only Domain Controller: Password Replication Policy
Read-Only Domain Controller: How it works
1. Logon request sent to RODC
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards request to full DC
4. Full DC authenticates user
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and queues a replication request for the secrets
7. Hub DC checks Password Replication Policy to see if password can be replicated
[Figure: Branch (RODC) and Hub (Full DC), steps 1–7]
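The seven-step flow above, modelled as an added example (not code from the deck): the user names, group names, passwords and the string-valued TGT are constructed, while the rule that an entry in the Denied list overrides the Allowed list is real Password Replication Policy behaviour.

```python
"""Model of the slide's RODC logon flow and Password Replication Policy
check. Added example; users, group names and the string-valued TGT are
constructed. The deny-over-allow rule is real PRP behaviour."""

class HubDC:
    # Writable hub DC: holds every secret and evaluates the PRP (step 7).
    def __init__(self, secrets, allowed, denied, membership):
        self.secrets = secrets        # user -> password (constructed)
        self.allowed = set(allowed)   # Allowed RODC Password Replication Group
        self.denied = set(denied)     # Denied RODC Password Replication Group
        self.membership = membership  # user -> set of group names

    def authenticate(self, user, password):
        # Steps 4-5: validate the credential and return a TGT (modelled as a string)
        return f"TGT({user})" if self.secrets.get(user) == password else None

    def prp_allows(self, user):
        # Step 7: an explicit deny wins over any allow; unlisted users are never cached
        principals = self.membership.get(user, set()) | {user}
        if principals & self.denied:
            return False
        return bool(principals & self.allowed)

    def replicate_secret(self, user):
        return self.secrets[user] if self.prp_allows(user) else None

class RODC:
    # Branch RODC: starts with an empty cache, the slide's default.
    def __init__(self, hub):
        self.hub, self.cache = hub, {}

    def logon(self, user, password):
        # Steps 1-2: a cached secret is validated locally, no WAN round trip
        if user in self.cache:
            return "cached", (f"TGT({user})" if self.cache[user] == password else None)
        # Steps 3-6: forward to the hub, hand the TGT back, queue secret replication
        tgt = self.hub.authenticate(user, password)
        if tgt is not None and (secret := self.hub.replicate_secret(user)) is not None:
            self.cache[user] = secret
        return "forwarded", tgt

def demo():
    # Two logons per user; returns the path each logon took and what got cached.
    hub = HubDC(
        secrets={"branch.user": "pw1", "domain.admin": "pw2", "hq.user": "pw3"},
        allowed={"Allowed RODC PRG"}, denied={"Domain Admins"},
        membership={"branch.user": {"Allowed RODC PRG"},
                    "domain.admin": {"Domain Admins", "Allowed RODC PRG"}},
    )
    rodc = RODC(hub)
    paths = {u: [rodc.logon(u, p)[0] for _ in range(2)] for u, p in hub.secrets.items()}
    return paths, sorted(rodc.cache)
```

Only the branch user's second logon is served from the RODC cache; the admin account in the Denied group and the unlisted HQ user are forwarded every time and never cached.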
Read-Only Domain Controller: Recommended Deployment Models
• No accounts cached (default)
  – Pro: Most secure, still provides fast authentication and policy processing
  – Con: No offline access for anyone
• Most accounts cached
  – Pro: Ease of password management. Manageability improvements of RODC and not security.
  – Con: More passwords potentially exposed to RODC
• Few accounts (branch-specific accounts) cached
  – Pro: Enables offline access for those that need it, and maximizes security for the others
  – Con: Fine-grained administration is a new task
Read-Only Domain Controller: Upgrade path from a Windows 2003 Domain
• Deployment steps:
  1. ADPREP /ForestPrep
  2. ADPREP /DomainPrep
  3. Promote a Windows Server 2008 DC
  4. Verify Forest Functional Mode is Windows 2003
  5. ADPREP /RodcPrep
  6. Promote RODC
Test RODCs for application compatibility in your environment!
(Slide callouts: "Not RODC specific" / "RODC specific task")
Read-Only Domain Controller: Delegated Administrator ("Local Roles")
• Delegated RODC Promotion
Read-Only Domain Controller: Admin role separation
Branch Office & Replication Optimization
• DFS-R replication provides more robust and detailed replication of SYSVOL contents
  – Requires Windows Server 2008 Domain Mode
Key Investments areas
Security Manageability
Branch Office
Directory Service Auditing: New Directory Service Changes Events
• Event logs tell you exactly:
  – Who made a change
  – When the change was made
  – What object/attribute was changed
  – The beginning & end values
• Auditing controlled by:
  – Global audit policy
  – SACL
  – Schema

| Event ID | Event type | Event description |
|---|---|---|
| 5136 | Modify | Logged when a successful modification is made to an attribute in the directory. |
| 5137 | Create | Logged when a new object is created in the directory. |
| 5138 | Undelete | Logged when an object is undeleted in the directory. |
| 5139 | Move | Logged when an object is moved within the domain. |
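Turning these four events into the who/when/what/before/after view the slide promises, as an added example (not the deck's code): the pipe-delimited sample lines are constructed and stand in for the real event XML, but the field semantics follow the real events, where one attribute change is written as a "Value Deleted" and a "Value Added" 5136 pair sharing a Correlation ID.

```python
"""Summarize Windows Server 2008 Directory Service Changes events
(5136-5139) into who/when/what/before/after records. Added example; the
sample lines below are constructed, not real event-log output."""
from collections import defaultdict

EVENT_TYPES = {5136: "Modify", 5137: "Create", 5138: "Undelete", 5139: "Move"}

# constructed sample: time|event id|subject|object DN|attribute|operation|value|correlation id
SAMPLE = """\
2008-06-02T09:12:01|5136|CORP\\jdoe|CN=Alice,OU=Branch,DC=corp,DC=example|description|Value Deleted|Branch user|c1
2008-06-02T09:12:01|5136|CORP\\jdoe|CN=Alice,OU=Branch,DC=corp,DC=example|description|Value Added|Branch admin|c1
2008-06-02T09:15:44|5137|CORP\\svc-prov|CN=Bob,OU=Branch,DC=corp,DC=example||||c2
2008-06-02T09:20:10|5139|CORP\\jdoe|CN=Alice,OU=Branch,DC=corp,DC=example||||c3
2008-06-02T09:21:00|5136|CORP\\jdoe|CN=Branch Admins,OU=Branch,DC=corp,DC=example|member|Value Added|CN=Alice,OU=Branch,DC=corp,DC=example|c4
"""

def parse(text):
    """Split the constructed lines into dicts; empty fields become ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, eid, who, obj, attr, op, value, corr = line.split("|")
        rows.append(dict(when=when, id=int(eid), who=who, obj=obj,
                         attr=attr, op=op, value=value, corr=corr))
    return rows

def summarize(rows):
    """One record per logical change; 5136 pairs are merged on Correlation ID."""
    changes, mods = [], defaultdict(dict)
    for r in rows:
        if r["id"] != 5136:
            changes.append(dict(who=r["who"], when=r["when"], what=r["obj"],
                                type=EVENT_TYPES.get(r["id"], str(r["id"]))))
            continue
        m = mods[r["corr"]]
        m.update(who=r["who"], when=r["when"], type="Modify",
                 what=f'{r["obj"]} / {r["attr"]}')
        m["before" if r["op"] == "Value Deleted" else "after"] = r["value"]
    for m in mods.values():
        m.setdefault("before", None)   # lone "Value Added": attribute had no old value
        m.setdefault("after", None)    # lone "Value Deleted": value was cleared
        changes.append(m)
    return sorted(changes, key=lambda c: c["when"])
```

The last sample line is the case worth alerting on: a privileged group's `member` attribute gaining a value shows up as a Modify with no "before" value, attributed to the account that made the change.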
Directory Service Auditing in Windows Server 2008
Fine-Grained Password Policies: Overview
• Granular administration of password and lockout policies within a domain
• Usage examples:
  – Administrators: strict setting (passwords expire every 14 days)
  – Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
  – Average user: "light" setting (passwords expire every 90 days)
Fine-Grained Password Policies: At a glance
• Policies can be applied to:
  – Users
  – Global security groups
• Does NOT apply to:
  – Computer objects
  – Organizational Units
• Multiple policies can be associated with the user, but only one applies
Fine-Grained Password Policies: Example
[Figure: Password Settings Object PSO 1 (Precedence = 10) and Password Settings Object PSO 2 (Precedence = 20) both apply to the same principal; Resultant PSO = PSO1]
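The resolution rule behind that figure, as an added example rather than anything from the deck: it goes beyond the slide's single case by also covering a PSO linked directly to the user (which beats any group-linked PSO regardless of precedence) and an exact precedence tie (broken by the lowest objectGUID). The PSO names, the group name and the short GUID-style strings are constructed.

```python
"""Resultant-PSO resolution for fine-grained password policies.
Added example, not from the deck; PSO records, the group name and the
GUID-style tie-break values are constructed for illustration."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int   # msDS-PasswordSettingsPrecedence; lower value wins
    guid: str         # objectGUID, used only to break a precedence tie
    applies_to: frozenset = field(default_factory=frozenset)  # users or global groups

def resultant_pso(user, groups, psos):
    """Return the single PSO in effect for `user`, who belongs to `groups`.

    A PSO linked directly to the user beats every group-linked PSO; within
    whichever set applies, the lowest precedence value wins; an exact tie
    falls back to the PSO with the lowest objectGUID. No match means the
    Default Domain Policy applies, represented here as None."""
    direct = [p for p in psos if user in p.applies_to]
    via_group = [p for p in psos if p.applies_to & groups]
    candidates = direct or via_group
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid))

def slide_example():
    """PSO 1 (precedence 10) and PSO 2 (precedence 20) both apply: PSO 1 wins."""
    pso1 = PSO("PSO1", 10, "0001", frozenset({"Branch Admins"}))
    pso2 = PSO("PSO2", 20, "0002", frozenset({"Branch Admins"}))
    return resultant_pso("alice", frozenset({"Branch Admins"}), [pso1, pso2]).name
```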
Key Investments areas
Security Manageability
Branch Office
Restartable AD DS
• Without a reboot you can now perform offline defragmentation
• DS stopped, similar to a member server:
  – NTDS.dit is offline
  – Can log on locally with the DSRM password
• Server Core + Restartable AD DS: fewer reboots for servicing
Manageability Improvements
Summary – Key features in Active Directory Domain Services 2008
• Read-Only Domain Controller (RODC)
• Fine-Grained Password Policies
• Enhanced Auditing Capabilities
• Restartable AD DS
• AD DS Database Mounting Tool
• DFS-R SYSVOL Replication
Your potential. Our passion.