Longhorn Academy Longhorn Academy Branch Office Solutions for Branch Office Solutions for Windows Server 2008 Windows Server 2008
Mar 26, 2015
Longhorn AcademyLonghorn AcademyBranch Office Solutions for Windows Branch Office Solutions for Windows
Server 2008Server 2008
The “Branch Office Challenge”
New Active Directory features in Windows Server 2008 for Branch Offices
RODC Overview
Read-only Partial Attribute Set
Delegated DCPROMO
Session Objectives and Agenda
Admin Role Separation
Server Core
Restartable Directory Services
Auditing
Session Agenda
Windows Server 2008 Branch Office Guide status update
Improving file access in the branch
Security
Remote support
Server management
Service deployment
WAN performance
Branch Office Challenges
Generally fit into one of the following categories:
No local Infrastructure
Full local Infrastructure Hybrid
• Some centralized applications
• Core services delivered locally
• Caching mechanism to improve user experience
• Distributed applications
• Distributed services
Branch Office Topologies
Hub Site
Branch Office
Branch Office BenefitsBranch Office Benefits
SecurityServer CoreRead-Only Domain ControllerAdmin Role SeparationBitLocker Drive Encryption
Administration/DeploymentAuditingDelegated DC PromoRestartable Active Directory
OptimizationSysVol ReplicationDFS ReplicationProtocolsTCP/IP Stack
Server Core
Reduced footprint server Available as an option at initial install Boot and operate stand-alone in headless/embedded scenarios Less to install, manage, patch, attack No GUI – all management through command line and remote
MMC
Supported server roles AD Domain Services, AD Lightweight Directory Services, DHCP,
DNS, File, Print, Streaming Media Services, IIS 7.0
Optional Windows features Failover Clustering, Network Load Balancing, Subsystem for
UNIX-based Applications, Backup, Multipath IO, Removable Storage, BitLocker Drive Encryption, SNMP, WINS, Telnet Client
New AD Features in Windows 2008 for Branch Office Deployments Read-only Domain Controllers with support for Server
Core Admin Role Separation* DCPROMO enhancements
Delegated promotion and demotion* Site Selection with auto-detection Role selection (GC, DNS, RODC)
Read-only Partial Attribute Set (RO-PAS)* Fine Grained Password Policies*** NTDSUTIL.EXE can now create IFM media
For RODC IFM media the tool will strip out all passwords from either Full DC or RODC*
* For RODC Only
Read-Only Domain ControllerReduced attack surface for branch office DCs
1. Impact of stolen DC to the Active Directory reduced• By default, no users/computers passwords stored on RODC• Read-only Partial Attribute Set can prevent application credentials from
replicating to RODC
2. Reduced attack surface to the Active Directory for a compromised DC• Read-only state with unidirectional replication for AD and FRS/DFSR
• SYSVOL deletion on RODC does not replicate outside the Branch Office
• Each RODC has its own KDC KrbTGT account to provide cryptographic key separation
• Delegated DCPROMO reduces need for DA to TS into RODC• Windows Server 2008 writeable DCs register SRV records on behalf of RODCs
to prevent DNS pollution in other sites• RODCs are workstation accounts from the Active Directory perspective
• Not members of Enterprise-DC or Domain-DC groups
Read-Only Domain Controller Incorporating RODCs into your AD design
Directory Service “Cloud”
Data Center or Trusted Network
Edge sites or edge\boundary of network
Read-Only
Read-Only
Read-Only
Read-Only
Read-Only
“Writeables”
When to use:•Security concerns
or Management costs are driving consolidation of
writeable DCs from Branch Offices
•…and there is still a need for benefits from data locality and autonomy if
WAN fails
When not to use:
•As a full featured replacement for Full\Writeable
Domain Controllers
RODC in Branch Offices (Primary and supported scenario) Intended for environments with limited physical
security
RODC in DMZ (Being evaluated) Intended for environments with cross-Corpnet\DMZ
resource access requirements
RODC on the Internet (Being evaluated) Intended for environments with cross-Corpnet\Internet
resource access requirements
Deployment scenariosDeployment scenarios
Read-Only Domain Controller
• How to deploy RODC from a Windows Server 2003 environment
1. ADPREP /ForestPrep
2. ADPREP /DomainPrep
3. Promote a Windows Server 2008 DC
4. Verify Forest Functional Mode is Win2k03
5. ADPREP /RodcPrep
6. Promote RODC
Not RODC specific
RODC specific
task
Note: You can’t convert a Full DC to RODC or vice versa without a demotion\re-promotion
Delegated RODC Promotion
Read-Only Domain ControllerAdmin role separation• Problem
• Customers have too many Domain Admins• Most of these DAs are really server admins
(patch management, etc)
• Solution• Provides a new “local admin” level of access per RODC
• Also includes all Built-in groups (Backup Operators, etc)
• Prevents accidental AD modifications by machine administrators
• Does not prevent “local admin” from maliciously modifying the local database
• This is a true security feature for Read-only DC
Read-Only Domain ControllerPartial attribute set• Problem
• Applications are storing credentials in Active Directory. If a RODC was stolen this could be catastrophic
• Solution• Don’t replicate “secret like data” to RO-PAS• Similar to Global Catalog Partial Attribute Sets, the RO-PAS is a subset of the
attributes replicated to RODC• Specified in the Schema and Dynamic (cleanup and additions)
• Considerations• RO-PAS is not intended for Admins but rather Application Developers to
control. • Applications must be aware if attribute is filtered• No forest or domain mode requirements
Read-Only Domain Controller How it works: Password replication during first
logon
Hub
`
Read Only DCHub Longhorn DC
Branch2. RODC: Looks in DB "I don't have
the users secrets"
3. Forwards Request to LH DC
4. LH DC authenticates request
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to User and Queues a replication request for
the secrets
7. Hub DC checks Password Replication Policy to see
if Password can be replicated
1. AS_Req sent to RODC (request for TGT)
1
23
4
5
6
6
7
7
Note: At this point the user will have a hub signed TGT
Password replication
Passwords replicated to RODC are stored until the password changes
There is no secure method to expire or clear the cached passwords without changing the data itself.
Once the password changes the next logon by the user\computer will result in an attempt to replicate the new password
Whether a password is cached on a RODC is transparent to the client, unless the WAN fails
A client processes Logon scripts and Group Policy from a RODC regardless if its passwords are cached
Outlook clients can use a RODC GC for Address Book lookups, etc
LDAP searches still go to RODC
If WAN is offline then users\computers can only logon using the RODC if their password is cached, else clients perform “cached
logons” like today (if no DC were present)
Password Replication PolicyRecommended Management Models1. No passwords cached (default)
• Pro: Most secure, still provides fast authentication and local policy processing • Con: No offline access for anyone. WAN required for Logon
2. Most passwords cached• Pro: Ease of password management. Intended for customers who care most
about manageability improvements of RODC and not security• Con: More passwords potentially exposed to RODC
3. Few passwords (branch-specific accounts) cached • Pro: Enables offline access for those that need it, and maximizes security for
other• Con: Fine grained administration is new task
Read-Only Domain ControllerDNS
• Domain and Forest DNS zones on RODC are read-only
• Clients receive a DNS referral during registration
• RODC will try and replicate just the one updated record almost immediately
• The entire zone is NOT replicated
Read-only DC Mitigates “Stolen DC”Read-only DC Mitigates “Stolen DC”
Attacker PerspectiveHub Admin Perspective
Active DirectoryRestartable Directory Services• Application
• Routine Maintenance• NTDS.Dit Defragmentation
• Three Possible Modes• AD DS Started• AD DS Stopped• Directory Services Restore Mode
• Execution• MMC• Command Line
Enhanced Auditing Capabilities Audit Directory Service Access
Directory Service Access Directory Service Changes Directory Service Replication/Detailed DSR
Ability to Audit Directory Service Changes Create Modify Undelete Move
What is Logged Previous Value, New Value, What Account
Made the Change
New Audit Event IDs
Event ID Type of event Event description
5136 Modify This event is logged when a successful modification is made to an attribute in the directory.
5137 Create This event is logged when a new object is created in the directory.
5138 Undelete This event is logged when an object is undeleted in the directory.
5139 Move This event is logged when an object is moved within the domain.
First introduced with Windows Server 2003 R2 Multimaster replication engine that supports
replication scheduling and bandwidth throttling Replaces File Replication Service (FRS) used in
2000/2003 Remote Differential Compression (RDC)
protocol allows for efficient use of bandwidth resources at the branch office
RDC detects insertions, removals, and re-arrangements of data in files Enabling Differential replication of changes to files
DFS - RDFS - R
Combined with DFS Namespaces to deliver: shared folders in different locations presented as a
single folder view Contiguous Namespaces
Namespaces gives the following benefits: Increased data availability Load sharing Data Availability
DFS - RDFS - R
DFS - RDFS - R
DFS-R replaces FRS for SysVol replication Requires Longhorn domain functional level FRS will still be used where 2003 DC’s are present
Will greatly improve WAN utilization to the branch office for SysVol replication
SysVol ReplicationSysVol Replication
End User Wait Time First time access Subsequent access
Efficient use of bandwidth Bytes transmitted Time of day
Metrics for measuring improvementMetrics for measuring improvement
Types Of Data
Single User DataSingle User Data
Shared DataShared Data
Published DataPublished Data
Files accessed by a single user
Server copy used mostly for backup purposes
Files accessed by multiple users from multiple machines
Server allows sharing and collaboration across users
Files accessed by many users from many machines
Data updates are rare Large file set
Client-Side Caching
Vista’s client-side caching capabilities are greatly enhanced and work with Longhorn Server as well as with previous versions of Windows Server Additionally, client-side caching between Vista and Longhorn Server
accrues extra benefits from underlying networking improvements Seamless state transitions
No user intervention is required (offline changes are silently synchronized in the background)
Fast synchronization and differential transfers All types of files are supported (bitmap differential transfer enables transfer
of only modified data between client and server) Improved slow link mode
Detection has been improved, and the user can stay in this mode (all requests are satisfied from the cache) until they wish to force a transition to online mode
Move user data from local drive to central server, while preserving access speed
Provides central backup of user data Easy data migration to new machines Data synchronization can be scheduled when
bandwidth is cheap
Benefits of cached accessBenefits of cached access
Parallel requests greatly increase read/write speedParallel requests greatly increase read/write speed
Download speed (kb/sec), 100 ms RTTDownload speed (kb/sec), 100 ms RTTRequestRequest
ResponseResponse
SMB1SMB1 SMB2SMB2
Compounding reduces roundtripsCompounding reduces roundtrips
Open DirOpen Dir
Query Dir
Query Dir
Query VolumeQuery
Volume
Response
Response
Response
Response
Response
Response
Open DirOpen Dir
Query DirQuery Dir
Query VolumeQuery
Volume ResponseResponseClose DirClose Dir
Close DirClose DirRespons
eRespons
e
Query DirQuery Dir
Query VolumeQuery
Volume
Satisfied Satisfied from from cachecache
Published Data
Client caching of data set is impractical Improvements in data access (streaming,
compounding) improve access However, high cost of data transfer since
every access is a first access
Published Data
Windows Server 2003 R2 DFS Replication to pre-stage data in the branch DFS Namespaces for location and fault tolerance RDC differencing engine for delta replication
Windows Server 2008 Improved scalability and performance
Windows-based branch appliances offer caching of data in the branch
Windows Vista Client + Windows Server 2003 R2 (or earlier) Improved offline experience offers user fast response
times while keeping data synchronized between client and server
Windows Vista Client + Windows Server 2008 Data streaming improves file transfer times Operation compounding reduces chattiness
Client and server improvementsClient and server improvements
Windows Server 2008 status updateWindows Server 2008 status update• A Windows Server 2008 Branch Office Guide is planned
• Goal is to release the “planning” chapters by Windows Server 2008 RTM
• Scale lab testing is underway for Windows Server 2008• 680 RODCs in one domain were tested prior to Beta3
• Goal is 1200 RODCs tested by RTM• We want to push the current recommended limit of 1200 DCs in
a domain higher and will test possibly up to 3000 after WS08 Ships
• Scale lab topology• Hub+Spoke
• All Branch DCs in one domain• Virtual Server with RODC on Server core
• 32 Guests per host
Resources
http://www.microsoft.com/technet/branchoffice/default.mspx
© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.