Windows 2008 Active Directory Branch Office Management (MVP Sampath Perera)


Page 1

Windows 2008 Active Directory Branch Office Management

Sampath Perera
[email protected], [email protected]
www.khgeeks.org

Page 2

Session Objectives & Takeaways

• Session Objectives:
  – Identify the key new AD DS features in WS08
  – Explain the value of deploying these features
  – Demonstrate these features in real-life scenarios

• Key Takeaways:
  – Understand when and how to deploy the key new AD DS features

Page 3

Key Investment Areas

• Security
• Manageability
• Branch Office


Page 5

Windows 2008 Branch Office Benefits

Diagram: Hub Site / Branch Office

Security: BitLocker; Server Core; Read-Only Domain Controller; Admin Role Separation

Optimization: SysVol Replication; DFS Replication; Protocols

Administration: Print Management Console; PowerShell, WinRS, WinRM; Virtualization; Restartable Active Directory

Page 6

Branch Office Dilemma

• Small number of employees
• WAN: congested, unreliable
• Security: not sure
• Admin proficiency: generalist

Diagram: HQ Data Center / Hub Network / Branch Office

Page 7

Branch Office Dilemma

Option 1: Consolidate and remove DCs from the branch
  – Branch authentication & authorization fails when the WAN goes down

Option 2: Put a full DC in the branch
  – Either give the branch admin privilege or manage remotely
  – A compromised branch DC jeopardizes the security of the corporate AD!!!

Diagram: HQ Data Center / Hub Network / Branch Office

Page 8

So how can we deploy a Domain Controller in this environment?!

Page 9

Read-Only Domain Controller

Admin Role Separation
  – The RODC server admin does NOT need to be a Domain Admin
  – Prevents the branch admin from accidentally causing harm to the AD
  – Delegated promotion

Passwords not cached by default
  – Policy to configure caching of branch-specific passwords (secrets) on the RODC
  – Policy to filter schema attributes from replicating to the RODC

1-Way Replication
  – No replication from the RODC to a full DC
  – An attack on the RODC does not propagate to the AD

Page 10

RODC – Attacker “experience”

Attacker: Let’s intercept Domain Admin credentials sent to this RODC.
RODC: With admin role separation, the Domain Admin doesn’t need to log in to me.

Attacker: Let’s steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.

Attacker: Let’s tamper with data on this RODC and use its identity.
RODC: I have a read-only database. Also, no other DC in the enterprise replicates data from me.

Attacker: Damn!

Page 11

Read-Only Domain Controller: Password Replication Policy

Page 12

Read-Only Domain Controller: How does it work?

1. Logon request sent to the RODC
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards the request to a full DC
4. Full DC authenticates the user
5. Returns the authentication response and TGT back to the RODC
6. RODC gives the TGT to the user and queues a replication request for the secrets
7. Hub DC checks the Password Replication Policy to see if the password can be replicated

Diagram: Branch (RODC) / HUB (Full DC)

Page 13

Read-Only Domain Controller: Recommended Deployment Models

• No accounts cached (default)
  – Pro: Most secure; still provides fast authentication and policy processing
  – Con: No offline access for anyone

• Most accounts cached
  – Pro: Ease of password management. Manageability improvements of the RODC, not security.
  – Con: More passwords potentially exposed to the RODC

• Few accounts (branch-specific accounts) cached
  – Pro: Enables offline access for those that need it and maximizes security for the others
  – Con: Fine-grained administration is a new task
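The logon flow on the previous slide ends with the hub DC consulting the Password Replication Policy, and the "few accounts cached" model depends on that policy being right. The following script is an added example, not code from the deck, that audits one RODC: it lists the allowed and denied sets, the accounts whose secrets have actually been revealed to the RODC, and flags any cached account that belongs to a privileged group. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT) and an RODC named BRANCH-RODC1, which is a placeholder.

```powershell
# Added example: audit an RODC's Password Replication Policy and its cached secrets.
# Assumes the ActiveDirectory module; BRANCH-RODC1 and the group list are placeholders.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC1'

# Groups whose members should never have secrets cached on a branch RODC.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

# 1. The policy itself: who is allowed and who is denied.
Write-Host "== Allowed list on $rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
Write-Host "== Denied list on $rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 2. The reality: accounts whose secrets have been revealed (cached) to this RODC.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
Write-Host "$($revealed.Count) account(s) currently cached on $rodc"

# 3. Flag any cached user that sits in a privileged group. In the "few accounts cached"
#    model only branch users should appear here.
foreach ($acct in $revealed) {
    if ($acct.ObjectClass -ne 'user') { continue }
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
        Select-Object -ExpandProperty Name
    $hits = $groups | Where-Object { $privileged -contains $_ }
    if ($hits) {
        Write-Warning "$($acct.SamAccountName) is cached on $rodc but is a member of: $($hits -join ', ')"
    }
}

# 4. Accounts that authenticated through this RODC but are not cached: candidates for
#    the allowed list if they need offline logon in the branch, nothing more.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Where-Object { $revealed.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize
```

On a Windows Server 2008 DC without the PowerShell module, repadmin /prp view <RODC> allow, deny, reveal and auth2 return the same four lists.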

Page 14

Read-Only Domain Controller: Upgrade Path from a Windows 2003 Domain

• Deployment steps:
  1. ADPREP /ForestPrep
  2. ADPREP /DomainPrep
  3. Promote a Windows Server 2008 DC
  4. Verify the Forest Functional Mode is Windows 2003
  5. ADPREP /RodcPrep
  6. Promote the RODC

Test RODCs for application compatibility in your environment!

(The slide marks the earlier steps as not RODC-specific and the ADPREP /RodcPrep and RODC promotion steps as RODC-specific tasks.)

Page 15

Read-Only Domain Controller: Delegated Administrator (“Local Roles”)

• Delegated RODC Promotion
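Delegated promotion is what lets the branch admin promote the RODC without ever holding Domain Admin credentials: a Domain Admin pre-creates the RODC account at the hub and names the delegated admin, then the branch admin attaches the server to that account. The script below is an added example, not from the deck, that writes the two dcpromo unattend files for those two stages using the Windows Server 2008 dcpromo unattend keys; the domain, site, account and path names (contoso.com, Branch1, RODC1, RODCAdmin, C:\Staging) are placeholders.

```powershell
# Added example: staged (delegated) RODC promotion in two steps.
# All names below are placeholders; Password=* makes dcpromo prompt for the password.

# Step 1, run at the hub by a Domain Admin: pre-create the RODC computer account,
# set its Password Replication Policy and delegate the promotion to RODCAdmin.
$stage1 = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
CreateDCAccount=Yes
DCAccountName=RODC1
SiteName=Branch1
DelegatedAdmin="CONTOSO\RODCAdmin"
PasswordReplicationAllowed="CONTOSO\Branch1 Users"
PasswordReplicationDenied="CONTOSO\Domain Admins"
PasswordReplicationDenied="CONTOSO\Enterprise Admins"
PasswordReplicationDenied="CONTOSO\Schema Admins"
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=contoso.com
UserName=CONTOSO\hubadmin
Password=*
"@
New-Item -ItemType Directory -Path C:\Staging -Force | Out-Null
Set-Content -Path C:\Staging\stage1-precreate.txt -Value $stage1
dcpromo.exe /unattend:C:\Staging\stage1-precreate.txt

# Step 2, run on the branch server by RODCAdmin (an ordinary domain user): attach
# the server to the pre-created account. Only the delegated admin's credentials are used.
$stage2 = @"
[DCInstall]
UseExistingAccount=Attach
ReplicaDomainDNSName=contoso.com
UserDomain=contoso.com
UserName=CONTOSO\RODCAdmin
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=*
RebootOnCompletion=Yes
"@
Set-Content -Path C:\Staging\stage2-attach.txt -Value $stage2
dcpromo.exe /unattend:C:\Staging\stage2-attach.txt
```

After stage 2 the RODCAdmin account holds local administrator rights on RODC1 only, which is the admin role separation the next slide covers.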

Page 16

Read-Only Domain Controller: Admin Role Separation

Page 17

Branch Office & Replication Optimization

• DFS-R replication provides more robust and detailed replication of SYSVOL contents
  – Requires Windows Server 2008 domain mode (domain functional level)

Page 18

Key Investment Areas

• Security
• Manageability
• Branch Office

Page 19

Directory Service Auditing: New Directory Service Changes Events

• Event logs tell you exactly:
  – Who made a change
  – When the change was made
  – What object/attribute was changed
  – The beginning & end values

• Auditing controlled by:
  – Global audit policy
  – SACL
  – Schema

Event ID   Event type   Event description
5136       Modify       Logged when a successful modification is made to an attribute in the directory.
5137       Create       Logged when a new object is created in the directory.
5138       Undelete     Logged when an object is undeleted in the directory.
5139       Move         Logged when an object is moved within the domain.
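The four event IDs above are only useful once the "who / when / what / old and new value" fields are pulled out of each record. The script below is an added example, not from the deck: it enables the Directory Service Changes subcategory (the global audit policy control), reads the last 24 hours of 5136-5139 events from a Windows Server 2008 DC, flattens the event XML into one row per record and then picks out group membership changes. It assumes a SACL is already set on the objects being watched and that the script runs elevated on the DC.

```powershell
# Added example: enable Directory Service Changes auditing and read events 5136-5139.
# Assumes an elevated session on a Windows Server 2008 DC with a SACL on the watched OUs.

# Global audit policy (the other two controls on the slide are the object SACL and the
# schema, where searchFlags can exclude an attribute from change auditing).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139; StartTime = $since } `
              -ErrorAction SilentlyContinue

# A value change produces two 5136 records: one for the deleted (old) value and one for
# the added (new) value, which is how "beginning & end values" end up in the log.
$opType = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    $op = $null
    if ($d['OperationType']) { $op = $opType[$d['OperationType']] }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object    = $d['ObjectDN']
        Class     = $d['ObjectClass']
        Attribute = $d['AttributeLDAPDisplayName']   # empty for create, undelete and move
        Value     = $d['AttributeValue']
        Operation = $op
    }
}

$rows | Sort-Object Time |
    Format-Table Time, EventId, Who, Object, Attribute, Operation, Value -AutoSize

# Detection slice: every change to a group's member attribute, with who did it and
# whether the value was added or removed.
$rows | Where-Object { $_.EventId -eq 5136 -and $_.Attribute -eq 'member' } |
    Select-Object Time, Who, Object, Operation, Value
```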

Page 20

Directory Service Auditing in Windows Server 2008

Page 21

Fine-Grained Password Policies: Overview

• Granular administration of password and lockout policies within a domain

• Usage examples:
  – Administrators: strict setting (passwords expire every 14 days)
  – Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
  – Average user: “light” setting (passwords expire every 90 days)

Page 22

Fine-Grained Password Policies: At a Glance

• Policies can be applied to:
  – Users
  – Global security groups

• Does NOT apply to:
  – Computer objects
  – Organizational Units

• Multiple policies can be associated with a user, but only one applies

Page 23

Fine-Grained Password Policies: Example

Diagram: Password Settings Object PSO 1 (Precedence = 10) and Password Settings Object PSO 2 (Precedence = 20), each linked (Applies To) to the same user. Resultant PSO = PSO1, the one with the lower precedence value.
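The three tiers from the Overview slide and the precedence rule from this Example slide, as an added example that is not code from the deck. It creates the three PSOs, links them to global security groups, and then shows which one wins for a user who is in more than one of those groups. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT; on Windows Server 2008 itself the same objects are created with ADSI Edit or ldifde), and the group and user names (Tier0-Admins, Service-Accounts, alice) are placeholders.

```powershell
# Added example: PSOs for the three tiers on the Overview slide plus the precedence check.
# Assumes the ActiveDirectory module; group and user names are placeholders.
Import-Module ActiveDirectory

# Settings shared by all three tiers (all msDS-PasswordSettings attributes must be set).
$common = @{
    MinPasswordAge = '1.00:00:00'; ComplexityEnabled = $true; PasswordHistoryCount = 24
    ReversibleEncryptionEnabled = $false; LockoutThreshold = 10
    LockoutDuration = '00:30:00'; LockoutObservationWindow = '00:30:00'
}

# Lower precedence value wins when several PSOs apply, so the strictest tier gets the lowest.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MaxPasswordAge '14.00:00:00' -MinPasswordLength 15 @common      # strict: 14 days
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -MaxPasswordAge '31.00:00:00' -MinPasswordLength 32 @common      # moderate: 31 days, 32 chars
New-ADFineGrainedPasswordPolicy -Name 'PSO-Users' -Precedence 30 `
    -MaxPasswordAge '90.00:00:00' -MinPasswordLength 8 @common       # light: 90 days

# PSOs link to users and global security groups only, never to OUs or computers.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins'          -Subjects 'Tier0-Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service-Accounts'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Users'           -Subjects 'Domain Users'

# alice is in Tier0-Admins and (like everyone) in Domain Users, so two PSOs are linked to
# her; only the one with the lower precedence value (PSO-Admins) is the resultant PSO.
Get-ADUserResultantPasswordPolicy -Identity 'alice' |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength

# Audit view: every PSO in the domain and what it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength, AppliesTo
```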

Page 24

Key Investment Areas

• Security
• Manageability
• Branch Office

Page 25

Restartable AD DS

• Without a reboot you can now perform offline defragmentation

• DS stopped, similar to a member server:
  – NTDS.dit is offline
  – Can log on locally with the DSRM password

Server Core and Restartable AD DS: fewer reboots for servicing
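The offline defragmentation the slide mentions, carried through as an added example (not from the deck): stop the NTDS service instead of rebooting into DSRM, compact the database with ntdsutil, swap the compacted file in, verify it, and start AD DS again. It assumes an elevated session on a Windows Server 2008 DC; C:\Defrag is a placeholder working directory and the dependent-service list is an assumption about which services the stop brought down.

```powershell
# Added example: offline defrag of NTDS.dit without a reboot (Restartable AD DS).
# Assumes an elevated session on a Windows Server 2008 DC; C:\Defrag is a placeholder.
$ntds    = Join-Path $env:SystemRoot 'NTDS'
$workDir = 'C:\Defrag'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Stop AD DS. -Force also stops the services that depend on it (KDC, Netlogon, ...).
#    The server stays up and local logon with the DSRM password is still possible.
Stop-Service NTDS -Force

# 2. Compact the database into the working directory.
ntdsutil.exe "activate instance ntds" files "compact to $workDir" quit quit
$compacted = Join-Path $workDir 'ntds.dit'
if (-not (Test-Path $compacted)) {
    Start-Service NTDS
    throw "Compaction produced no file; NTDS restarted with the original database."
}

# 3. Keep the original, swap in the compacted copy and remove the old transaction logs.
Copy-Item (Join-Path $ntds 'ntds.dit') (Join-Path $workDir 'ntds.dit.bak')
Copy-Item $compacted (Join-Path $ntds 'ntds.dit') -Force
Remove-Item (Join-Path $ntds '*.log')

# 4. Integrity check on the new file (read the ntdsutil output), then bring AD DS back
#    together with the services that were stopped alongside it.
ntdsutil.exe "activate instance ntds" files integrity quit quit
Start-Service NTDS
foreach ($svc in 'kdc', 'Netlogon', 'IsmServ', 'NtFrs', 'DFSR', 'DNS') {
    Start-Service $svc -ErrorAction SilentlyContinue
}
```

If the integrity check reports errors, stop NTDS again and restore ntds.dit.bak from the working directory before starting the service.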

Page 26

Manageability Improvements

Page 27

Summary – Key Features in Active Directory Domain Services (AD DS) 2008

• Read-Only Domain Controller (RODC)
• Fine-Grained Password Policies
• Enhanced Auditing Capabilities
• Restartable AD DS
• AD DS Database Mounting Tool
• DFS-R SYSVOL Replication

Page 28

Page 29

Your potential. Our passion.