Longhorn Academy Branch Office Solutions for Windows Server 2008.

Longhorn AcademyLonghorn AcademyBranch Office Solutions for Windows Branch Office Solutions for Windows

Server 2008Server 2008

The “Branch Office Challenge”

New Active Directory features in Windows Server 2008 for Branch Offices

RODC Overview

Read-only Partial Attribute Set

Delegated DCPROMO

Session Objectives and Agenda

Admin Role Separation

Server Core

Restartable Directory Services

Auditing

Session Agenda

Windows Server 2008 Branch Office Guide status update

Improving file access in the branch

Security

Remote support

Server management

Service deployment

WAN performance

Branch Office Challenges

Generally fit into one of the following categories:

No local Infrastructure

Full local Infrastructure Hybrid

• Some centralized applications

• Core services delivered locally

• Caching mechanism to improve user experience

• Distributed applications

• Distributed services

Branch Office Topologies

Hub Site

Branch Office

Branch Office BenefitsBranch Office Benefits

SecurityServer CoreRead-Only Domain ControllerAdmin Role SeparationBitLocker Drive Encryption

Administration/DeploymentAuditingDelegated DC PromoRestartable Active Directory

OptimizationSysVol ReplicationDFS ReplicationProtocolsTCP/IP Stack

Server Core

Reduced footprint server Available as an option at initial install Boot and operate stand-alone in headless/embedded scenarios Less to install, manage, patch, attack No GUI – all management through command line and remote

MMC

Supported server roles AD Domain Services, AD Lightweight Directory Services, DHCP,

DNS, File, Print, Streaming Media Services, IIS 7.0

Optional Windows features Failover Clustering, Network Load Balancing, Subsystem for

UNIX-based Applications, Backup, Multipath IO, Removable Storage, BitLocker Drive Encryption, SNMP, WINS, Telnet Client

New AD Features in Windows 2008 for Branch Office Deployments Read-only Domain Controllers with support for Server

Core Admin Role Separation* DCPROMO enhancements

Delegated promotion and demotion* Site Selection with auto-detection Role selection (GC, DNS, RODC)

Read-only Partial Attribute Set (RO-PAS)* Fine Grained Password Policies*** NTDSUTIL.EXE can now create IFM media

For RODC IFM media the tool will strip out all passwords from either Full DC or RODC*

* For RODC Only

Read-Only Domain ControllerReduced attack surface for branch office DCs

1. Impact of stolen DC to the Active Directory reduced• By default, no users/computers passwords stored on RODC• Read-only Partial Attribute Set can prevent application credentials from

replicating to RODC

2. Reduced attack surface to the Active Directory for a compromised DC• Read-only state with unidirectional replication for AD and FRS/DFSR

• SYSVOL deletion on RODC does not replicate outside the Branch Office

• Each RODC has its own KDC KrbTGT account to provide cryptographic key separation

• Delegated DCPROMO reduces need for DA to TS into RODC• Windows Server 2008 writeable DCs register SRV records on behalf of RODCs

to prevent DNS pollution in other sites• RODCs are workstation accounts from the Active Directory perspective

• Not members of Enterprise-DC or Domain-DC groups

Read-Only Domain Controller Incorporating RODCs into your AD design

Directory Service “Cloud”

Data Center or Trusted Network

Edge sites or edge\boundary of network

Read-Only

Read-Only

Read-Only

Read-Only

Read-Only

“Writeables”

When to use:•Security concerns

or Management costs are driving consolidation of

writeable DCs from Branch Offices

•…and there is still a need for benefits from data locality and autonomy if

WAN fails

When not to use:

•As a full featured replacement for Full\Writeable

Domain Controllers

RODC in Branch Offices (Primary and supported scenario) Intended for environments with limited physical

security

RODC in DMZ (Being evaluated) Intended for environments with cross-Corpnet\DMZ

resource access requirements

RODC on the Internet (Being evaluated) Intended for environments with cross-Corpnet\Internet

resource access requirements

Deployment scenariosDeployment scenarios

Read-Only Domain Controller

• How to deploy RODC from a Windows Server 2003 environment

1. ADPREP /ForestPrep

2. ADPREP /DomainPrep

3. Promote a Windows Server 2008 DC

4. Verify Forest Functional Mode is Win2k03

5. ADPREP /RodcPrep

6. Promote RODC

Not RODC specific

RODC specific

task

Note: You can’t convert a Full DC to RODC or vice versa without a demotion\re-promotion

Delegated RODC Promotion

Read-Only Domain ControllerAdmin role separation• Problem

• Customers have too many Domain Admins• Most of these DAs are really server admins

(patch management, etc)

• Solution• Provides a new “local admin” level of access per RODC

• Also includes all Built-in groups (Backup Operators, etc)

• Prevents accidental AD modifications by machine administrators

• Does not prevent “local admin” from maliciously modifying the local database

• This is a true security feature for Read-only DC

Read-Only Domain ControllerPartial attribute set• Problem

• Applications are storing credentials in Active Directory. If a RODC was stolen this could be catastrophic

• Solution• Don’t replicate “secret like data” to RO-PAS• Similar to Global Catalog Partial Attribute Sets, the RO-PAS is a subset of the

attributes replicated to RODC• Specified in the Schema and Dynamic (cleanup and additions)

• Considerations• RO-PAS is not intended for Admins but rather Application Developers to

control. • Applications must be aware if attribute is filtered• No forest or domain mode requirements

Read-Only Domain Controller How it works: Password replication during first

logon

Hub

`

Read Only DCHub Longhorn DC

Branch2. RODC: Looks in DB "I don't have

the users secrets"

3. Forwards Request to LH DC

4. LH DC authenticates request

5. Returns authentication response and TGT back to the RODC

6. RODC gives TGT to User and Queues a replication request for

the secrets

7. Hub DC checks Password Replication Policy to see

if Password can be replicated

1. AS_Req sent to RODC (request for TGT)

1

23

4

5

6

6

7

7

Note: At this point the user will have a hub signed TGT

Password replication

Passwords replicated to RODC are stored until the password changes

There is no secure method to expire or clear the cached passwords without changing the data itself.

Once the password changes the next logon by the user\computer will result in an attempt to replicate the new password

Whether a password is cached on a RODC is transparent to the client, unless the WAN fails

A client processes Logon scripts and Group Policy from a RODC regardless if its passwords are cached

Outlook clients can use a RODC GC for Address Book lookups, etc

LDAP searches still go to RODC

If WAN is offline then users\computers can only logon using the RODC if their password is cached, else clients perform “cached

logons” like today (if no DC were present)

Password Replication PolicyRecommended Management Models1. No passwords cached (default)

• Pro: Most secure, still provides fast authentication and local policy processing • Con: No offline access for anyone. WAN required for Logon

2. Most passwords cached• Pro: Ease of password management. Intended for customers who care most

about manageability improvements of RODC and not security• Con: More passwords potentially exposed to RODC

3. Few passwords (branch-specific accounts) cached • Pro: Enables offline access for those that need it, and maximizes security for

other• Con: Fine grained administration is new task

Read-Only Domain ControllerDNS

• Domain and Forest DNS zones on RODC are read-only

• Clients receive a DNS referral during registration

• RODC will try and replicate just the one updated record almost immediately

• The entire zone is NOT replicated

Read-only DC Mitigates “Stolen DC”Read-only DC Mitigates “Stolen DC”

Attacker PerspectiveHub Admin Perspective

Active DirectoryRestartable Directory Services• Application

• Routine Maintenance• NTDS.Dit Defragmentation

• Three Possible Modes• AD DS Started• AD DS Stopped• Directory Services Restore Mode

• Execution• MMC• Command Line

Enhanced Auditing Capabilities Audit Directory Service Access

Directory Service Access Directory Service Changes Directory Service Replication/Detailed DSR

Ability to Audit Directory Service Changes Create Modify Undelete Move

What is Logged Previous Value, New Value, What Account

Made the Change

New Audit Event IDs

Event ID Type of event Event description

5136 Modify This event is logged when a successful modification is made to an attribute in the directory.

5137 Create This event is logged when a new object is created in the directory.

5138 Undelete This event is logged when an object is undeleted in the directory.

5139 Move This event is logged when an object is moved within the domain.

First introduced with Windows Server 2003 R2 Multimaster replication engine that supports

replication scheduling and bandwidth throttling Replaces File Replication Service (FRS) used in

2000/2003 Remote Differential Compression (RDC)

protocol allows for efficient use of bandwidth resources at the branch office

RDC detects insertions, removals, and re-arrangements of data in files Enabling Differential replication of changes to files

DFS - RDFS - R

Combined with DFS Namespaces to deliver: shared folders in different locations presented as a

single folder view Contiguous Namespaces

Namespaces gives the following benefits: Increased data availability Load sharing Data Availability

DFS - RDFS - R

DFS - RDFS - R

DFS-R replaces FRS for SysVol replication Requires Longhorn domain functional level FRS will still be used where 2003 DC’s are present

Will greatly improve WAN utilization to the branch office for SysVol replication

SysVol ReplicationSysVol Replication

End User Wait Time First time access Subsequent access

Efficient use of bandwidth Bytes transmitted Time of day

Metrics for measuring improvementMetrics for measuring improvement

Types Of Data

Single User DataSingle User Data

Shared DataShared Data

Published DataPublished Data

Files accessed by a single user

Server copy used mostly for backup purposes

Files accessed by multiple users from multiple machines

Server allows sharing and collaboration across users

Files accessed by many users from many machines

Data updates are rare Large file set

Client-Side Caching

Vista’s client-side caching capabilities are greatly enhanced and work with Longhorn Server as well as with previous versions of Windows Server Additionally, client-side caching between Vista and Longhorn Server

accrues extra benefits from underlying networking improvements Seamless state transitions

No user intervention is required (offline changes are silently synchronized in the background)

Fast synchronization and differential transfers All types of files are supported (bitmap differential transfer enables transfer

of only modified data between client and server) Improved slow link mode

Detection has been improved, and the user can stay in this mode (all requests are satisfied from the cache) until they wish to force a transition to online mode

Move user data from local drive to central server, while preserving access speed

Provides central backup of user data Easy data migration to new machines Data synchronization can be scheduled when

bandwidth is cheap

Benefits of cached accessBenefits of cached access

Parallel requests greatly increase read/write speedParallel requests greatly increase read/write speed

Download speed (kb/sec), 100 ms RTTDownload speed (kb/sec), 100 ms RTTRequestRequest

ResponseResponse

SMB1SMB1 SMB2SMB2

Compounding reduces roundtripsCompounding reduces roundtrips

Open DirOpen Dir

Query Dir

Query Dir

Query VolumeQuery

Volume

Response

Response

Response

Response

Response

Response

Open DirOpen Dir

Query DirQuery Dir

Query VolumeQuery

Volume ResponseResponseClose DirClose Dir

Close DirClose DirRespons

eRespons

e

Query DirQuery Dir

Query VolumeQuery

Volume

Satisfied Satisfied from from cachecache

Published Data

Client caching of data set is impractical Improvements in data access (streaming,

compounding) improve access However, high cost of data transfer since

every access is a first access

Published Data

Windows Server 2003 R2 DFS Replication to pre-stage data in the branch DFS Namespaces for location and fault tolerance RDC differencing engine for delta replication

Windows Server 2008 Improved scalability and performance

Windows-based branch appliances offer caching of data in the branch

Windows Vista Client + Windows Server 2003 R2 (or earlier) Improved offline experience offers user fast response

times while keeping data synchronized between client and server

Windows Vista Client + Windows Server 2008 Data streaming improves file transfer times Operation compounding reduces chattiness

Client and server improvementsClient and server improvements

Windows Server 2008 status updateWindows Server 2008 status update• A Windows Server 2008 Branch Office Guide is planned

• Goal is to release the “planning” chapters by Windows Server 2008 RTM

• Scale lab testing is underway for Windows Server 2008• 680 RODCs in one domain were tested prior to Beta3

• Goal is 1200 RODCs tested by RTM• We want to push the current recommended limit of 1200 DCs in

a domain higher and will test possibly up to 3000 after WS08 Ships

• Scale lab topology• Hub+Spoke

• All Branch DCs in one domain• Virtual Server with RODC on Server core

• 32 Guests per host

Resources

http://www.microsoft.com/technet/branchoffice/default.mspx

© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.