Jose Luis Auricchio Microsoft Switzerland [email protected].
Active Directory Domain Services in Windows Server 2008
Jose Luis Auricchio, Microsoft Switzerland, [email protected]
Session Objectives And Takeaways
Session Objectives:
• Identify the key new AD DS features in WS08
• Explain the value of deploying these features
• Demonstrate these features in real-life customer scenarios
Key Takeaways:
• Understand when and how to deploy the key new AD DS features
• Learn planning tips and best practices for these key features
Agenda
Key Investments
Branch Office: Read-Only Domain Controller
Manageability: Auditing, Backup/Recovery
Security: Fine-Grained Password Policy
Q & A
Terminology
Active Directory Domain Services (AD DS): replaces “Active Directory”
Active Directory Lightweight Directory Services (AD LDS): replaces “Active Directory Application Mode”
Server Roles: server functionalities such as AD DS, AD LDS, and DNS, centrally managed through Server Manager
Server Core: minimal server installation option; reduces the attack surface because fewer components are installed
Key Investments
Security
Manageability
Branch Office
Read-Only Domain Controller: Branch Office Challenges
Admins face the following challenges when deploying a Domain Controller at a branch office:
• The DC is placed at a physically unsecure location
• The DC has unreliable network connectivity to the hub
• Branch staff lack the knowledge/privileges to manage the DC, so either DAs remotely manage the branch DC, or DAs delegate privileges to branch staff
To consolidate AD infrastructure, admins wish to remove DCs from branch offices, but users cannot log on or access network resources when the WAN fails.
Read-Only Domain Controller: Secure Branch Office Solution
Adversary might            RODC mitigations
Steal RODC                 No secrets cached by default; RO PAS prevents data replication to the RODC
Compromise RODC            Read-only database; unidirectional replication
Intercept DA credentials   Admin role separation reduces DA access
[Diagram: Directory Service Infrastructure. “Writeable” DCs sit in the data center or trusted network; Read-Only DCs sit at edge sites or at the edge\boundary of the network.]
Incorporating RODCs into your AD infrastructure
When to use:
• Security concerns or management costs are driving consolidation of writeable DCs from branch offices
• …and there is still a need for the benefits of data locality and autonomy if the WAN fails
When not to use:
• As a full-featured replacement for Full\Writeable Domain Controllers
Read-Only Domain Controller: Recommended Management Models
• No accounts cached (default). Pro: most secure; still provides fast authentication and policy processing. Con: no offline access for anyone; WAN required for logon.
• Most accounts cached. Pro: ease of password management; intended for customers who care most about the manageability improvements of RODC rather than security. Con: more passwords potentially exposed to the RODC.
• Few accounts (branch-specific accounts) cached. Pro: enables offline access for those who need it and maximizes security for the others. Con: fine-grained administration is a new task; need to map computers per branch.
Read-Only Domain Controller: Deployment Scenarios
• RODC in branch offices (primary and supported scenario): intended for environments with limited physical security
• RODC in DMZ: intended for environments with cross Corpnet\DMZ resource access requirements
• RODC on the Internet: intended for environments with cross Corpnet\Internet resource access requirements
Read-Only Domain Controller: Step-by-step Deployment Guide
How to deploy an RODC from a W2K3 environment:
1. ADPREP /ForestPrep (not RODC specific)
2. ADPREP /DomainPrep (not RODC specific)
3. Promote a Windows Server 2008 DC (not RODC specific)
4. Verify Forest Functional Mode is Win2k03 (not RODC specific)
5. ADPREP /RodcPrep (RODC specific task)
6. Verify the list of client patches to check for compatibility (RODC specific task)
7. Promote the RODC (RODC specific task)
Note: You can’t convert a Full DC to an RODC or vice versa without a demotion\re-promotion.
Read-Only Domain Controller: Delegated RODC Promotion
1. Pre-create the RODC account
2. Specify RODC parameters
3. Attach the machine to the RODC slot
Delegated RODC Promotion
demo
Read-Only Domain Controller: Install-from-media Promotion
NTDSUtil > IFM
During creation of the RODC IFM:
• “Secrets” are removed
• The DIT is defragged to remove free space
Read-Only Domain Controller: Putting it all together
Secure Appliance DC = Admin Role Separation + RODC + Server Core
Auditing: New Directory Service Changes Events
Event logs tell you exactly:
• Who made a change
• When the change was made
• What object/attribute was changed
• The beginning and end values
Auditing is controlled by:
• Global audit policy
• SACL
• Schema
Event ID   Event type   Event description
5136       Modify       This event is logged when a successful modification is made to an attribute in the directory.
5137       Create       This event is logged when a new object is created in the directory.
5138       Undelete     This event is logged when an object is undeleted in the directory.
5139       Move         This event is logged when an object is moved within the domain.
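The who/when/what/before-and-after view the slide promises has to be assembled from the event data: a modification is logged as two 5136 events, a “value deleted” (old value) and a “value added” (new value) that share an OpCorrelationID. The following is an added Python example, not part of the deck, that parses constructed sample events in the Security log's XML rendering and pairs them; the user, object and GUID values in the sample are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Directory Service Changes event IDs and types, as listed on the slide.
EVENT_TYPES = {5136: "Modify", 5137: "Create", 5138: "Undelete", 5139: "Move"}
# OperationType codes carried by event 5136: value deleted = old value, value added = new value.
OPERATIONS = {"%%14674": "added", "%%14675": "deleted"}

def parse_event(xml_text):
    """Flatten one Security-log event (EVTX XML rendering) into a dict of its fields."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": event_id, "type": EVENT_TYPES.get(event_id, "Unknown"), "when": when, **fields}

def summarize_modifications(events):
    """Pair the 'deleted' and 'added' halves of 5136 events that share an OpCorrelationID,
    object and attribute into one record: who, when, what, before -> after.
    Events with other IDs (create/undelete/move) are ignored by this function."""
    pairs = defaultdict(dict)
    for ev in events:
        if ev["id"] != 5136:
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        rec = pairs[key]
        rec[OPERATIONS[ev["OperationType"]]] = ev["AttributeValue"]
        rec["who"] = ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]
        rec["when"] = ev["when"]
    return [{"who": r["who"], "when": r["when"], "object": k[1], "attribute": k[2],
             "before": r.get("deleted"), "after": r.get("added")} for k, r in pairs.items()]

def _sample_5136(operation, value):
    """Constructed sample event XML (not a real capture); only the fields used above."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5136</EventID><TimeCreated SystemTime="2008-05-01T10:15:00Z"/></System>
<EventData><Data Name="OpCorrelationID">{{7E2A1234-0000-0000-0000-000000000001}}</Data>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="ObjectDN">CN=Alice,OU=Branch,DC=contoso,DC=com</Data>
<Data Name="AttributeLDAPDisplayName">department</Data>
<Data Name="AttributeValue">{value}</Data><Data Name="OperationType">{operation}</Data>
</EventData></Event>"""

# Two events for one change of 'department' from Sales to Finance (old value is logged first).
SAMPLE_EVENTS = [parse_event(_sample_5136("%%14675", "Sales")),
                 parse_event(_sample_5136("%%14674", "Finance"))]
```

Running `summarize_modifications(SAMPLE_EVENTS)` yields a single record with `before` "Sales" and `after` "Finance" attributed to CONTOSO\jdoe.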
Backup/Recovery: Prevent Object Deletion in ADUC
[Screenshots: the option shown on an existing object/OU and in the New Organizational Unit dialog.]
Backup/Recovery: Database Mounting Tool
• Allows admins to choose the best backup
• The tool DOES NOT restore objects. Now: tool + tombstone reanimation + LDAP. Post-WS08: undelete is being investigated.
NTDSUTIL.EXE
• Takes VSS snapshots of DS/LDS
DSAMAIN.EXE
• Exposes snapshots as LDAP servers
Database Mounting Tool
demo
Backup/Recovery Planning
Windows Server Backup (wbadmin.exe)
• System state backup/recovery through the command line
• Must back up to a separate partition (dedicated backup volume)
• System state recovery in DSRM (auth & non-auth)
Database Mounting Tool (dsamain.exe)
• DSAMain.exe works with offline DITs as well, e.g. restore a backup to an alternate location to get an offline DIT
• Best Practice: schedule NTDSUtil.exe to take regular (e.g. nightly) snapshots of AD DS/LDS
Enhancement in ADUC
• By default, “Prevent container from accidental deletion” is checked on creation of OUs
• Best Practice: check “Prevent object from accidental deletion” for important user objects as well
Fine-grained password policies: Overview
• Enables granular administration of password and lockout policies within a domain
• Policies can be applied to: users, global security groups
• Requirements: Windows Server 2008 Domain Mode; no client changes needed
• No changes were made to the settings themselves, e.g. no new “password complexity” options
• Multiple policies can be associated with a user, but only one applies
Fine-grained password policies: Usage Scenarios
Designed to be used in scenarios where there are different security and business requirements for sets of users. Examples:
• Administrators: strict setting (passwords expire every 14 days)
• Service accounts: moderate settings (passwords expire every 31 days, different lockout threshold, minimum password length 32 characters)
• Average user: relatively lenient setting (passwords expire every 90 days)
3 to 10 policies are envisioned for most deployments; there are no known technical restrictions on the number of policies.
Fine-grained password policies: At a glance
[Diagram: Password Settings Object PSO 1 (Precedence = 10) and Password Settings Object PSO 2 (Precedence = 20), each with “Applies To” links; for the users shown, Resultant PSO = PSO 1.]
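The resolution the diagram illustrates (only one PSO applies, and the lower precedence value wins) goes a little further in the real algorithm: a PSO linked directly to the user beats any PSO linked through a group, and a precedence tie is broken by the lowest objectGUID. The following is an added Python example, not part of the deck; the PSO names, GUIDs, group names and users are constructed, and `groups` is assumed to be the user's fully expanded global group membership.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

@dataclass(frozen=True)
class PSO:
    """A Password Settings Object reduced to the attributes that decide which one wins."""
    name: str
    precedence: int              # msDS-PasswordSettingsPrecedence: lower value wins
    guid: str                    # objectGUID (constructed values below); tie-breaker
    applies_to: FrozenSet[str]   # msDS-PSOAppliesTo: user and global security group names
    max_age_days: int            # one of the settings the PSO carries

def resultant_pso(user: str, groups: Set[str], psos: List[PSO]) -> Optional[PSO]:
    """Resolve the single PSO that applies to `user`.
    1. PSOs linked directly to the user beat PSOs linked through groups.
    2. Among the remaining candidates, the lowest precedence wins.
    3. A precedence tie is broken by the lowest objectGUID (compared as a string here).
    Returns None when no PSO applies; the domain's default password policy then governs."""
    direct = [p for p in psos if user in p.applies_to]
    via_groups = [p for p in psos if p.applies_to & groups]
    candidates = direct or via_groups
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid.lower()))

# Constructed PSOs mirroring the slide (PSO1 precedence 10, PSO2 precedence 20) plus a tie case.
PSOS = [
    PSO("PSO1", 10, "{a1}", frozenset({"Admins"}), 14),
    PSO("PSO2", 20, "{b2}", frozenset({"Admins", "ServiceAccounts", "carol"}), 31),
    PSO("PSO3", 10, "{c3}", frozenset({"Ops"}), 90),
    PSO("PSO4", 10, "{0c}", frozenset({"Ops"}), 60),
]

def demo():
    """Winning PSO name (or None) for a few constructed users."""
    def pick(user, groups):
        pso = resultant_pso(user, groups, PSOS)
        return pso.name if pso else None
    return {
        "alice": pick("alice", {"Admins", "ServiceAccounts"}),  # PSO1: lowest precedence
        "bob": pick("bob", {"ServiceAccounts"}),                 # PSO2: only candidate
        "carol": pick("carol", {"Admins"}),                      # PSO2: direct link beats PSO1
        "erin": pick("erin", {"Ops"}),                           # PSO4: tie, lowest GUID
        "dave": pick("dave", {"Everyone"}),                      # None: default domain policy
    }
```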
Fine-grained password policies: Step-by-step
1. Identify sets of users in the organization
2. Formulate corresponding password policies for the different sets of users
3. Create groups that mirror the sets of users
4. Create PSOs that mirror the devised password policies
5. Apply PSOs to the appropriate users/groups
6. Delegate administration
Fine-grained password policies: Administration
Recommendation: group-based administration; delegate modification of group membership.
The feature itself can be delegated. By default, only Domain Admins can:
• create and read PSOs
• apply a PSO to a group or user
Permissions
Operation to be delegated        Associated permissions
Create and delete PSOs           On the PSC: Create all child objects, Delete all child objects
Applying PSOs to users/groups    On the PSO: Write
Fine-grained password policies
demo
Additional Features
• Manageability tools: Data Collection Template (previously known as SPA); AD MP SP1 for W2K8 DCs/RODCs
• Enhanced data integrity in the directory database: support for single-bit correction
• DC Locator improvements: site-aware Domain Controller Locator
• DNS Server Instant-on: startup performance improvements
Resources
TechNet Documentation for AD DS:
• Step-by-step Guide for RODC
• Step-by-step Guide for AD DS Installation & Removal
• Step-by-step Guide for Restartable AD DS
• Step-by-step Guide for AD Data Mining (Mounting) Tool
• Step-by-step Guide for AD DS Backup & Recovery
• Step-by-step Guide for Auditing AD DS Changes
• Step-by-step Guide for FGPP & Account Lockout Policy Configuration
MSDN Documentation for Schema
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.