IAM304: Active Directory (AD) Design with Longhorn Server Directory Services
Kamal Janardhan, Lead Program Manager, Directory Services

Presentation transcript:


Investment in the Fundamentals
  Security
  Reliability and Performance
  Management
  Globalization and standards

Investing in the Fundamentals
Reliability and Performance
  Server Core / composite roles
  Restartable Active Directory
  Error-correcting database page checksum
  DFSR (aka FRS 2) for SYSVOL
  DNS server startup enhancements
  DNS IP validation for NDF, DNS MMCs
Security
  DC and DNS roles for Server Core
  Read-Only Domain Controller for branch offices
  Improved auditing (“last value” and “new value”)
  New Creator well-known SID
  Fine-grained password policy

Investing in the Fundamentals
Globalization and standards
  Full IPv6 support for DC and DNS server roles
  Phonetic sort order support for address books
  Common Criteria additions
Management
  DC Locator site locality enhancements
  Improved role management
  DC promotion wizard enhancements
  DNS auto-configuration
  ADSIEdit properties page for all objects
  New IFM tool for RODC
  Single-label-name resolution (WINS-less)

Agenda
  Longhorn feature overview
  Longhorn Server name changes
  Server Core
  DCPromo
  Read-Only Domain Controller
  Other Longhorn changes
    Fine-grained password policy
    Backup and restore
    …and many more

Longhorn Server Name Changes (new name, with the former name in parentheses)
  Active Directory Domain Services (formerly Active Directory Domain Controller)
  Active Directory Lightweight Directory (formerly Active Directory Application Mode)
  Active Directory Rights Management (formerly Windows Rights Management)
  Active Directory Certificate Services (formerly Windows Certificate Services)
  Active Directory Metadirectory (formerly Identity Integration Feature Pack)


Server Core Value Proposition
  Core set of AD, ADAM and DNS server functionality
  Part of the “Windows Server” SKU, available as an install option
  Boot and operate in headless/embedded scenarios
  Reduced attack surface due to reduced set of binaries

Server Core Value Proposition (contd.)
  Reduced servicing and management costs
    Customers who deploy a server to support a single role or fixed workload have reduced TCO
    Only services necessary for the role are installed
    Costs for servicing, security, and management of services not essential to the workload are eliminated
  For server-specific IT staff and skills, enables separate servers for separate roles
    For example, Active Directory administrators don’t usually administer web servers (in MORG+)
    Skill sets for SQL administration are not highly transferable to DHCP administration


DCPROMO in Longhorn
  Supports Server Core (no UI)
  Uses logged-on credentials for promotion
  Role selection: DNS (default), GC (default), RODC
  Site selection (with auto-detection)
  Seed method: specific DC, any DC, IFM
  Advanced features easy to discover (/adv switch not required)
  DNS auto-configuration
    DNS client auto-configured
    DNS delegations automatically created and configured


RODC Value Proposition
  DC attack surface in unsecure locations reduced
    By default, no passwords stored on / replicated from the RODC
    Read-only instance of the AD domain database
    Server Core + RODC further reduces surface area
    Unidirectional replication for AD and FRS/DFSR
    Kerberos key separation: RODC has its own KDC krbtgt account
    Limited write rights in the directory: RODCs have no “Enterprise DC” or “Domain DC” group membership

RODC Value Proposition (contd.)
  Improved management and configuration of branch offices
    Unidirectional replication makes bridgehead and replication schedule configuration simpler
    Most Branch Office Guide guidelines enabled by default
    Delegated promotion/recovery of RODCs is possible
  RODC admin can be restricted to a single RODC, separate from the Domain Admin
    Prevents accidental modification of the domain by machine administrators
    Does not prevent malicious compromise of RODC data

DCPromo of an RODC

How RODC mitigates “stolen DC” (diagram: hub admin perspective vs. attacker perspective)

RODC Deployment prerequisites Works in existing environments! No patching to down-level DCs or clients needed No domain restructuring May be able to consolidate bridgehead servers Incremental Requirements Must be in Win2003 Forest Functional Mode Linked value replication required RODCs require constrained delegation PDC FSMO must be running Longhorn Recommend multiple LH DCs per domain to load balance RODC replication

Incorporating RODCS into your AD

Read-only DC: how it works, secret caching during first logon
  1. AS_REQ sent to RODC (request for TGT)
  2. RODC looks in its DB: “I don’t have the user’s secrets”
  3. Forwards request to LH DC
  4. LH DC authenticates request
  5. Returns authentication response and TGT back to the RODC
  6. RODC gives TGT to user and queues a replication request for the secrets
  7. Hub DC checks Password Replication Policy to see if the password can be replicated
  Note: At this point the user will have a hub-signed TGT

Read-only DC: how it works, authentication requests
  1. Client sends TGS request with hub-signed TGT (based on previous example) to RODC
  2. RODC forwards request to hub
  3. In the response from the hub, the RODC looks at the requester’s name. If the RODC sees that it has the secrets for the requester, it returns a Kerberos error to the client, which causes the client to automatically re-request a TGT (and this time the client will receive a branch-signed TGT)
  4. Client uses session key to connect to file server. The file server machine account should already have a TGT from previous authentication

Password Replication Policy: Recommended Management Models
  No accounts cached (default)
    Pro: Most secure; still provides fast authentication and policy processing
    Con: No offline access for anyone; WAN required for logon
  Most accounts cached
    Pro: Ease of password management. Intended for customers who care most about the manageability improvements of RODC and not security
    Con: More passwords potentially exposed to the RODC
  Few accounts (branch-specific accounts) cached
    Pro: Enables offline access for those that need it and maximizes security for the others
    Con: Fine-grained administration is a new task
      Need to map computers per branch
      Requires watching the Auth2 attribute list to manually identify accounts, or use MIIS to automate
      An enhancement to Repadmin under development will help automate moving accounts from Auth2 to Allow
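As an added example (not from this deck), the following PowerShell audits one RODC's PRP against what the caching flow on the two preceding slides actually recorded: the Auth2 list of accounts that authenticated through the RODC, and the list of accounts whose secrets the hub has already revealed to it. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2, later than this deck) and an RODC named BRANCH-RODC01, a hypothetical name.

```powershell
# Added example, not code from the deck: audit one RODC's Password Replication
# Policy (PRP) for the "few accounts cached" model.
# Assumptions: ActiveDirectory PowerShell module present; RODC name is
# hypothetical.
Import-Module ActiveDirectory
$Rodc = 'BRANCH-RODC01'

# The configured policy. An account on both lists is treated as Denied.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
"Allowed: $($allowed.Name -join ', ')"
"Denied : $($denied.Name -join ', ')"

# What has actually happened on this RODC:
#  - authenticated = the Auth2 list (accounts that logged on through it)
#  - revealed      = accounts whose secrets the hub has replicated to it
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Candidates for the Allowed list: users and computers that keep
# authenticating through the RODC but are not cached, so every logon
# still needs the WAN. This is the manual "Auth2 -> Allow" step.
$revealedDNs = @($revealed | ForEach-Object { $_.DistinguishedName })
$candidates  = $authenticated | Where-Object { $revealedDNs -notcontains $_.DistinguishedName }

# Red flag: a cached account that sits in a privileged group. These groups
# are all Denied by default, so a hit means the policy was loosened. They
# are exactly the secrets a stolen RODC would give up.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'
$exposed = foreach ($acct in $revealed) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct -ErrorAction SilentlyContinue
    if ($groups | Where-Object { $privilegedGroups -contains $_.Name }) { $acct }
}

"`n== Authenticated but not cached (Allowed-list candidates) =="
$candidates | Select-Object Name, ObjectClass | Format-Table -AutoSize
"`n== Cached accounts holding privileged group membership =="
$exposed | Select-Object Name, ObjectClass | Format-Table -AutoSize

# Preview moving the candidates onto the Allowed list without changing anything.
if ($candidates) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $candidates -WhatIf
}
```

The revealed list always contains the RODC's own computer account and its krbtgt_NNNN account; review the candidate list by hand before dropping the -WhatIf.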

Password Replication Policy

Read-only DC: Application Support
  Applications supported: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, NAP, PKI, CA, IAS/VPN, DFS, SMS, ADSI queries, MOM
  Generic LDAP apps which support write referrals and can tolerate write failures if the WAN is offline
  App guidance whitepaper planned post Beta 3
    Will include a checklist to verify RODC app compatibility

RODC Admin Role Separation
  New “local administrator” level of access per RODC
  Includes built-in groups (Backup Operators, etc.)
  Prevents accidental AD modifications by machine administrators
  Does not prevent a “local administrator” from maliciously modifying the local DB
  Mitigates the need for large numbers of Domain Admins
  Admin role separation for full DCs not available

Features Under Consideration (Beta 3)
  RODC GC with support for Outlook clients
  RODC protection for highly sensitive credential attributes (not Windows password): RO-PAS
  Two RODCs in the same site
Features NOT under consideration
  RODC-to-RODC replication
  Exchange server support
  Read-only ADAM


Fine Grained Password Policy
  Today password policies are domain-based
    Not granular enough for large organizations
    Inconvenient for admin and machine account passwords to be equally restrictive
  Password policy feature enables group-based policy restrictions
    Creates a new PSO object in the schema that may be associated with any security principal
    Precedence rules ensure the resultant policy is correct
    Applies to password and account lockout settings
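An added example, not code from the deck: creating a PSO that tightens the policy for administrative accounts only, and then verifying the resultant policy per user rather than trusting the link. It assumes the ActiveDirectory PowerShell module (later than this deck) and a global group named Tier0-Admins, a hypothetical name.

```powershell
# Added example, not code from the deck. Assumptions: ActiveDirectory module
# present; Tier0-Admins is a hypothetical global group of admin accounts.
Import-Module ActiveDirectory

# PSOs only exist once the domain is at the Windows Server 2008 functional
# level, so refuse to run at an older level rather than fail half-way.
$mode = (Get-ADDomain).DomainMode
if ($mode -like 'Windows2000*' -or $mode -like 'Windows2003*') {
    throw "Fine-grained password policy needs the Windows Server 2008 domain functional level (current: $mode)"
}

# Precedence: a PSO linked directly to a user beats any PSO linked through a
# group, and among the PSOs that remain the LOWEST precedence value wins.
# Give the policy that must not be out-ranked by accident a low number.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true `
    -Description 'Stricter password and lockout settings for Tier 0 admin accounts' `
    -PassThru

# Link the PSO to the admin group. PSOs apply to users and global groups,
# so per-account policy is expressed through group membership.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Tier0-Admins'

# Verify what the DC will actually enforce for each member. A user with no
# PSO in scope gets $null here, meaning the Default Domain Policy applies.
foreach ($user in Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
                  Where-Object { $_.objectClass -eq 'user' }) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $user.DistinguishedName
    $name = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
    '{0,-25} -> {1}' -f $user.SamAccountName, $name
}
```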

Longhorn Server Backup and Restore
  LHSB replaces NTBackup as the new in-box backup application
    Not a feature-by-feature replacement
    Volume-based backup
    System Restore available in WinRE
    System State backup under consideration
  May require larger disk space
    Target must be a separate logical volume / physical disk
  Online/offline system state recovery under consideration
  W2K3 Forest Recovery Whitepaper: a-8e8a-443a-9027-c522dee35d85&DisplayLang=en

Longhorn Backup and Restore (cont.)
  Feature under consideration: Snapshot Viewer of previous AD states
  Problem: Restore of accidentally deleted objects
    Tombstones contain insufficient data, so re-animation does not restore everything, e.g. group memberships
  Solution
    Enables connecting ldp.exe or equivalent to a backup
    Backup may be browsed to view group memberships on the deleted object
    Tombstone reanimation + manual addition to groups enables full restoration of the object
    Alternatively, authoritative restore can be used, but with full confidence that undesirable memberships will not be restored

And many more…
  Restartable Active Directory
    Enables offline defrag
    Enables patches to ntdsai.dll without reboot
    Not a steady-state configuration!
  IPv6 support in AD DS, AD LDS and DNS
    Impacts DC Locator and Sites and Subnets
  DNS DNAME support
  DNS single-label support (GlobalNames Zone)
  DNS Instant-on
  DNS client LLMNR (Link Local Multicast)

And many more… (cont.)
  Management Packs
    Active Directory Management Pack SP1
      New Longhorn features (e.g. restartable AD, RODC, etc.)
      Multiple replication latency groups
      Multiple forests
    DNS MP SP1
      New Longhorn features (IPv6, etc.)
      Leverages the new DNS health model
      Configuration validation
    ADAM MP
  Phonetic names support for address book

Attribute Editor

Resources
  /news/bulletins/ADvision.mspx
  06/11/FutureOfWindows/default.aspx
  ation/overview.mspx