Active Directory Domain Services in Windows Server 2008
Jose Luis Auricchio, Microsoft Switzerland, [email protected]
Session Objectives and Takeaways
Session objectives:
• Identify the key new AD DS features in WS08
• Explain the value of deploying these features
• Demonstrate these features in real-life customer scenarios
Key takeaways:
• Understand when and how to deploy the key new AD DS features
• Learn planning tips and best practices for these key features
Agenda
Key Investments
Branch Office: Read-Only Domain Controller
Manageability: Auditing, Backup/Recovery
Security: Fine-Grained Password Policy
Q & A
Terminology
Active Directory Domain Services (AD DS): replaces "Active Directory"
Active Directory Lightweight Directory Services (AD LDS): replaces "Active Directory Application Mode"
Server Roles: server functionalities like AD DS, AD LDS, and DNS, centrally managed through Server Manager
Server Core: minimal server installation option; reduces the attack surface because fewer components are installed
Key Investments
Security
Manageability
Branch Office
Read-Only Domain Controller: Branch Office Challenges
Admins face the following challenges when deploying a Domain Controller at a branch office:
• The DC is placed at a physically unsecure location
• The DC has unreliable network connectivity to the hub
• Branch staff lack the knowledge/privileges to manage the DC, so either DAs remotely manage the branch DC, or DAs delegate privileges to branch staff
To consolidate the AD infrastructure, admins wish to remove DCs from branch offices, but users cannot log on or access network resources when the WAN fails.
Read-Only Domain Controller: Secure Branch Office Solution
What an adversary might do, and the RODC mitigations:
• Steal the RODC: no secrets are cached by default, and the RO PAS prevents replication of that data to the RODC
• Compromise the RODC: read-only database; unidirectional replication
• Intercept DA credentials: admin role separation reduces DA access
Directory Service Infrastructure
[Diagram: "Writeable" DCs in the data center or trusted network; Read-Only DCs at edge sites or the edge/boundary of the network]
Incorporating RODCs into your AD infrastructure
When to use:
• Security concerns or management costs are driving consolidation of writeable DCs from branch offices
• …and there is still a need for the benefits of data locality and autonomy if the WAN fails
When not to use:
• As a full-featured replacement for full/writeable Domain Controllers
Read-Only Domain Controller: Recommended Management Models
No accounts cached (default). Pro: most secure; still provides fast authentication and policy processing. Con: no offline access for anyone; the WAN is required for logon.
Most accounts cached. Pro: ease of password management; intended for customers who care most about the manageability improvements of RODC and not security. Con: more passwords potentially exposed to the RODC.
Few accounts (branch-specific accounts) cached. Pro: enables offline access for those that need it, and maximizes security for the others. Con: fine-grained administration is a new task; you need to map computers per branch.
Read-Only Domain Controller: Deployment Scenarios
RODC in branch offices (primary and supported scenario): intended for environments with limited physical security
RODC in the DMZ: intended for environments with cross Corpnet/DMZ resource access requirements
RODC on the Internet: intended for environments with cross Corpnet/Internet resource access requirements
Read-Only Domain Controller: Step-by-step Deployment Guide
How to deploy an RODC from a W2K3 environment:
1. ADPREP /ForestPrep
2. ADPREP /DomainPrep
3. Promote a Windows Server 2008 DC
4. Verify the Forest Functional Mode is Win2k03
5. ADPREP /RodcPrep
6. Verify the list of client patches to check for compatibility
7. Promote the RODC
Steps 1 to 4 are not RODC-specific; steps 5 to 7 are RODC-specific tasks.
Note: You can't convert a Full DC to an RODC or vice versa without a demotion/re-promotion.
Read-Only Domain Controller: Delegated RODC Promotion
1. Pre-create the RODC account
2. Specify the RODC parameters
3. Attach the machine to the RODC slot
Demo: Delegated RODC Promotion
Read-Only Domain Controller: Install-from-media Promotion
NTDSUtil > IFM
During creation of the RODC IFM:
• "Secrets" are removed
• The DIT is defragged to remove free space
Read-Only Domain Controller: Putting it all together
Secure Appliance DC = RODC + Admin Role Separation + Server Core
Auditing: New Directory Service Changes Events
Event logs tell you exactly:
• Who made a change
• When the change was made
• What object/attribute was changed
• The beginning and end values
Auditing is controlled by: the global audit policy, the SACL, and the schema
Event ID / Event type / Event description:
5136  Modify    This event is logged when a successful modification is made to an attribute in the directory.
5137  Create    This event is logged when a new object is created in the directory.
5138  Undelete  This event is logged when an object is undeleted in the directory.
5139  Move      This event is logged when an object is moved within the domain.
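As an added example (not from the deck), detection logic that pairs the two 5136 events a single attribute change produces into one who/when/what/old-to-new record; the event XML below is constructed in the shape of an exported Security log event.

```python
"""Pair Directory Service Changes events (ID 5136) into before/after records.

Each attribute modification is logged as two 5136 events sharing an
OpCorrelationID: 'Value Deleted' (old value) and 'Value Added' (new value).
Added example, not from the deck; the sample events are constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OP_ADDED, OP_DELETED = "%%14674", "%%14675"  # OperationType as rendered in event XML

def _event_xml(corr, op, value, when):
    # Constructed sample in the shape of an exported 5136 event (fields trimmed).
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="OpCorrelationID">{corr}</Data>'
            '<Data Name="SubjectUserName">jdoe</Data>'
            '<Data Name="ObjectDN">CN=Alice,OU=Branch,DC=contoso,DC=com</Data>'
            '<Data Name="AttributeLDAPDisplayName">description</Data>'
            f'<Data Name="AttributeValue">{value}</Data>'
            f'<Data Name="OperationType">{op}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # one change to 'description', split into its two events
    _event_xml("{A1}", OP_DELETED, "Branch clerk", "2008-06-01T10:00:00Z"),
    _event_xml("{A1}", OP_ADDED, "Branch manager", "2008-06-01T10:00:00Z"),
]

def parse_5136(xml_text):
    """Return the EventData fields of a 5136 event as a dict, or None otherwise."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    data["when"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return data

def pair_changes(xml_events):
    """Group events by correlation id, object and attribute into old->new records."""
    groups = defaultdict(dict)
    for raw in xml_events:
        ev = parse_5136(raw)
        if ev is None:
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        slot = "old" if ev["OperationType"] == OP_DELETED else "new"
        groups[key][slot] = ev["AttributeValue"]
        groups[key].update(who=ev["SubjectUserName"], when=ev["when"])
    return [{"object": k[1], "attribute": k[2], "who": v["who"], "when": v["when"],
             "old": v.get("old"), "new": v.get("new")} for k, v in groups.items()]
```

A record with only a "new" value is an attribute being set for the first time; only an "old" value means it was cleared.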
Backup/Recovery: ADUC "Prevent Object Deletion"
[Screenshots: the option on an existing object/OU and on a new Organizational Unit]
Backup/Recovery: Database Mounting Tool
Allows admins to choose the best backup.
The tool DOES NOT restore objects. Now: tool + tombstone reanimation + LDAP. Post-WS08: undelete is being investigated.
NTDSUTIL.EXE
• Takes VSS snapshots of DS/LDS
DSAMAIN.EXE
• Exposes snapshots as LDAP servers
Demo: Database Mounting Tool
Backup/Recovery Planning
Windows Server Backup (wbadmin.exe)
• System state backup/recovery through the command line
• Must back up to a separate partition (a dedicated backup volume)
• System state recovery in DSRM (authoritative & non-authoritative)
Database Mounting Tool (dsamain.exe)
• DSAMain.exe works with offline DITs as well, e.g. restore a backup to an alternate location to get an offline DIT
• Best practice: schedule NTDSUtil.exe to take regular (e.g. nightly) snapshots of AD DS/LDS
Enhancement in ADUC
• By default, "Prevent container from accidental deletion" is checked on creation of OUs
• Best practice: check "Prevent object from accidental deletion" for important user objects as well
Fine-grained password policies: Overview
Enables granular administration of password and lockout policies within a domain. Policies can be applied to:
• Users
• Global security groups
Requirements: Windows Server 2008 domain mode; no client changes needed.
No changes were made to the settings themselves, e.g. there are no new "password complexity" options.
Multiple policies can be associated with a user, but only one applies.
Fine-grained password policies: Usage Scenarios
Designed to be used in scenarios where there are different security and business requirements for sets of users. Examples:
• Administrators: strict setting (passwords expire every 14 days)
• Service accounts: moderate settings (passwords expire every 31 days, different lockout threshold, minimum password length 32 characters)
• Average user: relatively lenient setting (passwords expire every 90 days)
3 to 10 policies are envisioned for most deployments; there are no known technical restrictions on the number of policies.
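An added example (not from the deck) that generates ldifde-importable PSO entries for the three tiers above; the domain DN, PSO names, group DNs, and the lockout and minimum-length values the slide does not state are assumptions.

```python
"""Generate ldifde-importable PSO entries for the three policy tiers above.

Added example, not from the deck.  PSO durations are stored as negative
100-nanosecond intervals (I8 syntax), the usual trap when creating PSOs by
hand; i8_interval() derives them from days/minutes.  Domain DN, PSO names,
group DNs and the values the slide does not state are assumptions.
"""
from datetime import timedelta

DOMAIN_DN = "DC=contoso,DC=com"  # assumed domain
PSC_DN = f"CN=Password Settings Container,CN=System,{DOMAIN_DN}"

def i8_interval(delta: timedelta) -> int:
    """AD stores PSO durations as negative 100-ns ticks: 14 days -> -12096000000000."""
    return -int(delta.total_seconds() * 10_000_000)

def pso_ldif(name, precedence, max_age_days, min_length, lockout_threshold,
             applies_to, min_age_days=1, history=24, lockout_minutes=30):
    """Return one LDIF add entry; every msDS-* attribute listed is mandatory."""
    lines = [
        f"dn: CN={name},{PSC_DN}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",  # lower value wins
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-PasswordHistoryLength: {history}",
        "msDS-PasswordComplexityEnabled: TRUE",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {i8_interval(timedelta(days=min_age_days))}",
        f"msDS-MaximumPasswordAge: {i8_interval(timedelta(days=max_age_days))}",
        f"msDS-LockoutThreshold: {lockout_threshold}",  # 0 disables lockout
        f"msDS-LockoutObservationWindow: {i8_interval(timedelta(minutes=lockout_minutes))}",
        f"msDS-LockoutDuration: {i8_interval(timedelta(minutes=lockout_minutes))}",
    ]
    lines += [f"msDS-PSOAppliesTo: {dn}" for dn in applies_to]  # users or global groups
    return "\n".join(lines) + "\n"

# The three tiers from the usage-scenario slide (name, precedence, max age in
# days, min length, lockout threshold, applies-to); group DNs are assumptions.
TIERS = [
    ("PSO-Admins", 10, 14, 15, 5, [f"CN=Domain Admins,CN=Users,{DOMAIN_DN}"]),
    ("PSO-ServiceAccounts", 20, 31, 32, 50, [f"CN=Service Accounts,OU=Groups,{DOMAIN_DN}"]),
    ("PSO-Users", 30, 90, 8, 10, [f"CN=Domain Users,CN=Users,{DOMAIN_DN}"]),
]

def build_all() -> str:
    """Concatenate the three entries into one file for: ldifde -i -f psos.ldf"""
    return "\n".join(pso_ldif(*tier) for tier in TIERS)
```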
Fine-grained password policies: At a glance
[Diagram: Password Settings Object PSO 1 (precedence = 10) and PSO 2 (precedence = 20), each with "Applies To" links to groups/users; for the users covered by both, the resultant PSO is PSO 1, the one with the lower precedence value]
Fine-grained password policies: Step-by-step
1. Identify sets of users in the organization
2. Formulate corresponding password policies for the different sets of users
3. Create groups that mirror the sets of users
4. Create PSOs that mirror the devised password policies
5. Apply PSOs to the appropriate users/groups
6. Delegate administration
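The precedence rules the "At a glance" slide illustrates, and the outcome of step 5 above, as an added example that is not the deck's code: resolving which PSO a user actually ends up with. Users, groups and GUIDs are constructed.

```python
"""Resolve a user's resultant PSO as the 'At a glance' slide illustrates.

Added example, not from the deck.  Rules applied: a PSO linked directly to
the user beats any linked through group membership; among the candidates the
lowest msDS-PasswordSettingsPrecedence wins; an exact tie goes to the lowest
objectGUID; with no PSO at all the Default Domain Policy applies (None here).
Users, groups and GUIDs below are constructed.
"""
from dataclasses import dataclass
from uuid import UUID

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence; lower value wins
    applies_to: frozenset  # msDS-PSOAppliesTo: DNs of users and global groups
    guid: UUID             # objectGUID; only used as the final tie-breaker

def resultant_pso(user_dn, user_groups, psos):
    """Return the winning PSO, or None when the Default Domain Policy applies."""
    direct = [p for p in psos if user_dn in p.applies_to]
    via_groups = [p for p in psos if p.applies_to & frozenset(user_groups)]
    candidates = direct or via_groups  # direct links take priority outright
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))

# Constructed directory: PSO1 (precedence 10) and PSO2 (precedence 20) as on
# the slide, with PSO2 also linked directly to Bob.
GROUP_ADMINS = "CN=Branch Admins,OU=Groups,DC=contoso,DC=com"
GROUP_STAFF = "CN=Branch Staff,OU=Groups,DC=contoso,DC=com"
ALICE = "CN=Alice,OU=Branch,DC=contoso,DC=com"
BOB = "CN=Bob,OU=Branch,DC=contoso,DC=com"
PSO1 = PSO("PSO1", 10, frozenset({GROUP_ADMINS}), UUID(int=1))
PSO2 = PSO("PSO2", 20, frozenset({GROUP_STAFF, BOB}), UUID(int=2))
PSO3 = PSO("PSO3", 10, frozenset({GROUP_STAFF}), UUID(int=3))  # ties with PSO1

def demo():
    """Alice (in both groups) gets PSO1; Bob gets PSO2 despite its higher number."""
    return (resultant_pso(ALICE, [GROUP_ADMINS, GROUP_STAFF], [PSO1, PSO2]).name,
            resultant_pso(BOB, [GROUP_ADMINS], [PSO1, PSO2]).name)
```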
Fine-grained password policies: Administration
Recommendation: group-based administration; delegate modification of group membership.
The feature itself can be delegated. By default, only Domain Admins can:
• create and read PSOs
• apply a PSO to a group or user
Permissions (operation to be delegated / associated permissions):
• Create and delete PSOs: on the PSC (Password Settings Container), "Create all child objects" and "Delete all child objects"
• Apply PSOs to users/groups: on the PSO, "Write"
Demo: Fine-grained password policies
Additional Features
Manageability tools: Data Collection Template (previously known as SPA); AD MP SP1 for W2K8 DCs/RODCs
Enhanced data integrity in the directory database: support for single-bit correction
DC Locator improvements: site-aware Domain Controller Locator
DNS Server instant-on: startup performance improvements
Resources
TechNet documentation for AD DS:
• Step-by-step Guide for RODC
• Step-by-step Guide for AD DS Installation & Removal
• Step-by-step Guide for Restartable AD DS
• Step-by-step Guide for AD Data Mining (Mounting) Tool
• Step-by-step Guide for AD DS Backup & Recovery
• Step-by-step Guide for Auditing AD DS Changes
• Step-by-step Guide for FGPP & Account Lockout Policy Configuration
MSDN documentation for Schema
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.