Published by Logan Carter. Modified over 11 years ago.
Longhorn Academy: Branch Office Solutions for Windows Server 2008
Session Objectives and Agenda
- The "Branch Office Challenge"
- Server Core
- New Active Directory features in Windows Server 2008 for branch offices:
  - RODC overview
  - Delegated DCPROMO
  - Read-only Partial Attribute Set
  - Admin Role Separation
  - Restartable Directory Services
  - Auditing
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Session Agenda (continued)
- Improving file access in the branch
- Windows Server 2008 Branch Office Guide status update
Branch Office Challenges
- WAN performance
- Service deployment
- Server management
- Remote support
- Security
Branch Office Topologies
Branch offices generally fit into one of three categories:
- No local infrastructure: centralized applications; depends on a fast, reliable WAN
- Hybrid: some centralized applications; core services delivered locally; a caching mechanism improves the user experience
- Full local infrastructure: distributed applications; distributed services
Branch Office Benefits
- Security: Server Core; Read-Only Domain Controller; Admin Role Separation; BitLocker Drive Encryption
- Administration/Deployment: Auditing; Delegated DC Promo; Restartable Active Directory
- Hub Site Optimization: SYSVOL replication; DFS Replication
- Protocols: TCP/IP stack
Server Core
Reduced-footprint server:
- Available as an option at initial install
- Boots and operates stand-alone in headless/embedded scenarios
- Less to install, manage, patch and attack
- No GUI: all management is through the command line and remote MMC
Supported server roles: AD Domain Services, AD Lightweight Directory Services, DHCP, DNS, File, Print, Streaming Media Services, IIS 7.0
Optional Windows features: Failover Clustering, Network Load Balancing, Subsystem for UNIX-based Applications, Backup, Multipath I/O, Removable Storage, BitLocker Drive Encryption, SNMP, WINS, Telnet Client
New AD Features in Windows Server 2008 for Branch Office Deployments
- Read-only Domain Controllers, with support for Server Core
- Admin Role Separation*
- DCPROMO enhancements:
  - Delegated promotion and demotion*
  - Site selection with auto-detection
  - Role selection (GC, DNS, RODC)
- Read-only Partial Attribute Set (RO-PAS)*
- Fine Grained Password Policies***
- NTDSUTIL.EXE can now create IFM (Install From Media) media; for RODC IFM media the tool strips all secrets, whether the source is a full DC or an RODC*
* RODC only
Read-Only Domain Controller
Reduced attack surface for branch office DCs:
- The impact of a stolen DC on Active Directory is reduced:
  - By default, no user or computer passwords are stored on the RODC
  - The Read-only Partial Attribute Set can prevent application credentials from replicating to the RODC
- The attack surface against Active Directory from a compromised DC is reduced:
  - Read-only state with unidirectional replication for AD and FRS/DFSR; a SYSVOL deletion on the RODC does not replicate outside the branch office
  - Each RODC has its own KDC krbtgt account, giving cryptographic key separation
  - Delegated DCPROMO reduces the need for a Domain Admin to connect by Terminal Services into the RODC
  - Windows Server 2008 writeable DCs register SRV records on behalf of RODCs to prevent DNS pollution in other sites
  - RODCs are workstation accounts from the Active Directory perspective: not members of the Enterprise Domain Controllers or Domain Controllers groups ("I'm not a BDC")
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Read-Only Domain Controller
Incorporating RODCs into your AD design:
- When to use: security concerns or management costs are driving the consolidation of writeable DCs out of branch offices, and there is still a need for the benefits of data locality and autonomy if the WAN fails
- When not to use: as a full-featured replacement for full (writeable) domain controllers
Read-Only Domain Controller
Deployment scenarios:
- RODC in branch offices (primary and supported scenario): intended for environments with limited physical security
- RODC in a DMZ (being evaluated): intended for environments with cross-Corpnet/DMZ resource access requirements
- RODC on the Internet (being evaluated): intended for environments with cross-Corpnet/Internet resource access requirements
Read-Only Domain Controller
How to deploy an RODC from a Windows Server 2003 environment:
1. ADPREP /ForestPrep (not RODC-specific)
2. ADPREP /DomainPrep (not RODC-specific)
3. Promote a Windows Server 2008 writeable DC (not RODC-specific)
4. Verify that the forest functional level is Windows Server 2003 (RODC-specific)
5. ADPREP /RodcPrep (RODC-specific)
6. Promote the RODC (RODC-specific)
Note: you can't convert a full DC to an RODC or vice versa without a demotion and re-promotion.
Delegated RODC Promotion
1. Pre-create the RODC account
2. Specify parameters, including the machine name and the delegated admin
3. Attach the machine to the RODC slot
Read-Only Domain Controller: Admin Role Separation
Problem:
- Customers have too many Domain Admins
- Most of these DAs are really server admins (patch management, etc.)
Solution:
- Provides a new "local admin" level of access per RODC
- Also covers all the built-in groups (Backup Operators, etc.)
- Prevents accidental AD modifications by machine administrators
- Does not prevent a "local admin" from maliciously modifying the local database
- It is a true security boundary only on a Read-only DC, because changes to the RODC's local database never replicate outward
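Granting that per-RODC local admin role with the dsmgmt tool that ships with Windows Server 2008, as an added example (not code from the presentation). The account name is an assumption; it runs on the RODC itself in an elevated shell under an account that is still a Domain Admin, or the delegated admin named at promotion time.

```powershell
# Added example, not from the presentation. Assumed: the delegated account
# name. The delegated admin from dcpromo /DelegatedAdmin already holds the
# Administrators role; dsmgmt lets you add or review local roles afterwards
# without touching any object in Active Directory.
$branchAdmin = 'CORP\br01-delegated'

function Invoke-Dsmgmt {
    # Each element is one dsmgmt command; the trailing quits leave the menus.
    param([string[]]$Commands)
    $out = & dsmgmt.exe ($Commands + @('quit', 'quit')) 2>&1
    if ($LASTEXITCODE -ne 0) { throw ('dsmgmt failed: {0}' -f ($out | Out-String)) }
    return $out
}

# Grant the Administrators role. This membership lives in the RODC's own
# database and never replicates outward, so it is scoped to this one RODC.
Invoke-Dsmgmt @('local roles', ('add {0} administrators' -f $branchAdmin)) | Out-Null

# Verify, and list the other built-in roles that can be delegated the same way.
Invoke-Dsmgmt @('local roles', 'show role administrators')
Invoke-Dsmgmt @('local roles', 'list roles')
```

The caveat on the slide is the one to plan around: a local admin on the RODC can read or alter NTDS.DIT on that box, so the same account should sit on the RODC's Password Replication Policy deny list and no privileged domain account should ever have its secret cached there.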
Read-Only Domain Controller: Partial Attribute Set
Problem:
- Applications store credentials in Active Directory; if an RODC is stolen this could be catastrophic
Solution:
- Don't replicate "secret-like" data: keep it out of the RO-PAS
- Like the Global Catalog partial attribute set, the RO-PAS is the subset of attributes that is replicated to RODCs
- Specified in the schema and dynamic (additions take effect on the fly, and attributes removed from the set are cleaned up on the RODC)
Considerations:
- RO-PAS is intended to be controlled by application developers rather than admins
- Applications must be aware that an attribute may be filtered (absent on the RODC)
- No forest or domain functional level requirements
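Excluding an application attribute from the RO-PAS is done in the schema by setting bits in the attribute's searchFlags. The following is an added example (not from the presentation) using ADSI from PowerShell; the attribute name is an assumption, the bit values are the documented searchFlags and schemaFlagsEx flags, and it must run as a Schema Admin against the schema master.

```powershell
# Added example, not from the presentation. Assumed: the attribute's
# lDAPDisplayName. Documented flag bits: searchFlags 0x200 marks an attribute
# as filtered from RODCs, 0x80 marks it confidential; schemaFlagsEx 0x1
# (FLAG_ATTR_IS_CRITICAL) marks system-critical attributes, which the DC
# refuses to filter.
$attributeName = 'contoso-AppPassword'

$FILTERED_ATTRIBUTE = 0x200   # fRODCFilteredAttribute: excluded from the RO-PAS
$CONFIDENTIAL       = 0x80    # fCONFIDENTIAL: reads need the Control Access right
$ATTR_IS_CRITICAL   = 0x1     # schemaFlagsEx: cannot be filtered

function Get-SchemaAttribute {
    param([string]$LdapDisplayName)
    $schemaNC = ([ADSI]'LDAP://RootDSE').Get('schemaNamingContext')
    $filter   = '(&(objectClass=attributeSchema)(lDAPDisplayName={0}))' -f $LdapDisplayName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNC", $filter)
    $result   = $searcher.FindOne()
    if ($result -eq $null) { throw ('attribute {0} not found in the schema' -f $LdapDisplayName) }
    return $result.GetDirectoryEntry()
}

function Set-RodcFilteredAttribute {
    param([string]$LdapDisplayName)
    $attr  = Get-SchemaAttribute $LdapDisplayName
    $flags = [int]$attr.Get('searchFlags')

    $flagsEx = 0
    if ($attr.Properties.Contains('schemaFlagsEx')) { $flagsEx = [int]$attr.Get('schemaFlagsEx') }
    if (($flagsEx -band $ATTR_IS_CRITICAL) -ne 0) {
        throw ('{0} is system-critical and cannot be filtered from RODCs' -f $LdapDisplayName)
    }

    # Filter it from RODCs and, so that ordinary users cannot read it on
    # writeable DCs either, mark it confidential in the same write.
    $newFlags = $flags -bor $FILTERED_ATTRIBUTE -bor $CONFIDENTIAL
    if ($newFlags -ne $flags) {
        $attr.Put('searchFlags', $newFlags)
        $attr.SetInfo()
    }
    return ('{0}: searchFlags 0x{1:X} -> 0x{2:X}' -f $LdapDisplayName, $flags, $newFlags)
}

Set-RodcFilteredAttribute $attributeName
```

Once the schema change has replicated, existing values of the attribute are removed from each RODC; any application that reads the attribute through an RODC must be written to cope with it being absent, which is the "applications must be aware" point on the slide.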
Read-Only Domain Controller
How it works: password replication during first logon
1. AS_REQ (request for a TGT) is sent to the RODC
2. The RODC looks in its database: "I don't have the user's secrets"
3. The RODC forwards the request to a Windows Server 2008 ("Longhorn") writeable DC
4. The writeable DC authenticates the request
5. It returns the authentication response and TGT to the RODC
6. The RODC gives the TGT to the user and queues a replication request for the secrets
7. The hub DC checks the Password Replication Policy to see whether the password can be replicated
Note: at this point the user holds a hub-signed TGT.
Read-Only Domain Controller
Password replication:
- Passwords replicated to an RODC are stored until the password changes
- There is no secure method to expire or clear cached passwords without changing the data itself
- Once the password changes, the next logon by the user or computer triggers an attempt to replicate the new password
- Whether a password is cached on an RODC is transparent to the client unless the WAN fails:
  - A client processes logon scripts and Group Policy from the RODC whether or not its password is cached
  - Outlook clients can use an RODC GC for address book lookups, etc.
  - LDAP searches still go to the RODC
- If the WAN is offline, users and computers can only log on through the RODC if their password is cached; otherwise clients perform "cached logons" as today (as if no DC were present)
Password Replication Policy: Recommended Management Models
- No passwords cached (default)
  - Pro: most secure; still provides fast authentication and local policy processing
  - Con: no offline access for anyone; the WAN is required for logon
- Most passwords cached
  - Pro: ease of password management; intended for customers who care most about the manageability improvements of RODC and less about security
  - Con: more passwords potentially exposed on the RODC
- Few passwords cached (branch-specific accounts)
  - Pro: enables offline access for those who need it and maximizes security for everyone else
  - Con: fine-grained administration is a new task
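The "few passwords cached" model above, together with the first-logon flow and the caching behaviour on the two preceding slides, as an added example (not code from the presentation) built on the Windows Server 2008 repadmin /prp and /rodcpwdrepl commands. RODC, hub DC, group and account names are assumptions; it runs as a Domain Admin on a writeable Windows Server 2008 DC.

```powershell
# Added example, not from the presentation. Assumed: RODC and hub DC names,
# the branch group and account DNs.
$rodc        = 'BR01-RODC'
$hubDc       = 'HUB-DC1'
$branchGroup = 'CN=BR01-PRP-Allowed,OU=Branch01,DC=corp,DC=contoso,DC=com'
$branchAdmin = 'CN=br01-delegated,OU=Branch01,DC=corp,DC=contoso,DC=com'
$branchAccounts = @(
    'CN=Alice Example,OU=Branch01,DC=corp,DC=contoso,DC=com',
    'CN=Bob Example,OU=Branch01,DC=corp,DC=contoso,DC=com',
    'CN=BR01-WS01,OU=Branch01,DC=corp,DC=contoso,DC=com'   # workstation: needed for offline machine logon
)

function Invoke-Repadmin {
    param([string[]]$ArgList)
    $out = & repadmin.exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ('repadmin {0} failed: {1}' -f [string]::Join(' ', $ArgList), ($out | Out-String))
    }
    return $out
}

# 1. Allow only the branch group. Deny the delegated admin explicitly: Deny
#    wins over Allow, and the built-in Denied RODC Password Replication Group
#    already covers Domain Admins, Enterprise Admins and similar accounts.
Invoke-Repadmin @('/prp', 'add', $rodc, 'allow', $branchGroup) | Out-Null
Invoke-Repadmin @('/prp', 'add', $rodc, 'deny',  $branchAdmin) | Out-Null

# 2. Pre-populate the branch accounts. Without this, a secret is only cached
#    after the account's first logon through the RODC (the AS_REQ forwarding
#    flow), so a WAN outage before that first logon would lock the user out.
Invoke-Repadmin (@('/rodcpwdrepl', $rodc, $hubDc) + $branchAccounts) | Out-Null

# 3. Review: the allow and deny lists, accounts that authenticated through this
#    RODC without a cached secret (candidates for the allow list), and the
#    accounts whose secrets the RODC already holds.
foreach ($list in @('allow', 'deny', 'auth2', 'reveal')) {
    '--- {0} {1} ---' -f $rodc, $list
    Invoke-Repadmin @('/prp', 'view', $rodc, $list)
}
```

The auth2 list is the practical way to keep the allow list small: it shows who actually logs on at the branch, so the group can be built from observed use rather than from an org chart, and anything on the reveal list that is not a branch account is a policy mistake to fix before the RODC is exposed to theft.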
Read-Only Domain Controller: DNS
- Domain and forest DNS zones on an RODC are read-only
- Clients receive a DNS referral (to a writeable DNS server) during record registration
- The RODC then tries to replicate just that one updated record almost immediately; the entire zone is NOT replicated
Read-only DC Mitigates "Stolen DC"
Hub admin perspective vs. attacker perspective (diagram)
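The hub admin side of the stolen-RODC scenario, as an added example (not code from the presentation): the RODC's computer object records which accounts' secrets were revealed to it in the msDS-RevealedUsers attribute, so the response is to reset every one of those passwords before deleting the RODC's account. The RODC name is an assumption; it runs as a Domain Admin on a writeable DC.

```powershell
# Added example, not from the presentation. Assumed: the RODC name.
# msDS-RevealedUsers on the RODC computer object holds DN-Binary values for
# every account whose secret was replicated to that RODC.
$rodc = 'BR01-RODC'

function Get-RevealedAccountDNs {
    param([string]$RodcName)
    $domainNC = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')
    $filter   = '(&(objectClass=computer)(sAMAccountName={0}$))' -f $RodcName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNC", $filter)
    $searcher.PropertiesToLoad.Add('msDS-RevealedUsers') | Out-Null
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw ('RODC {0} not found' -f $RodcName) }
    # DN-Binary syntax is B:<hex length>:<hex data>:<DN>; the DN is the last field.
    foreach ($value in $result.Properties['msds-revealedusers']) {
        if ($value -is [string]) { $value.Split(':', 4)[3] } else { $value.DNString }
    }
}

function New-RandomPassword {
    # 24 bytes from the OS CSP, base64-encoded. Nobody needs to know this
    # value: the user is forced to change it at next logon.
    $bytes = New-Object byte[] 24
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

$revealed = @(Get-RevealedAccountDNs $rodc | Sort-Object -Unique)
'{0} account(s) had secrets on {1}' -f $revealed.Count, $rodc

foreach ($dn in $revealed) {
    if ($dn -like 'CN=krbtgt_*') {
        # The RODC's own krbtgt account is removed together with its computer account.
        'SKIP    {0}' -f $dn
        continue
    }
    $obj = [ADSI]"LDAP://$dn"
    if ($obj.objectClass -contains 'computer') {
        # A machine secret cannot be reset from here; re-join the workstation.
        'REJOIN  {0}' -f $dn
        continue
    }
    $obj.SetPassword((New-RandomPassword))
    $obj.Put('pwdLastSet', 0)     # user must change the password at next logon
    $obj.SetInfo()
    'RESET   {0}' -f $dn
}
```

This is the concrete form of the "impact of a stolen DC is reduced" claim: with the default policy the list is empty, and with the few-passwords model it is the branch group, so the blast radius is known from the directory rather than guessed.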
Active Directory Restartable Directory Services
Application: routine maintenance, such as NTDS.DIT defragmentation
Three possible modes:
- AD DS Started
- AD DS Stopped
- Directory Services Restore Mode
Execution: MMC or command line
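An offline defragmentation of NTDS.DIT using the AD DS Stopped mode rather than a reboot into Directory Services Restore Mode, as an added example (not code from the presentation). Paths are assumptions; it assumes PowerShell 2.0 for try/finally, runs elevated on the DC, and needs another DC to be reachable, since while AD DS is stopped this server authenticates nobody.

```powershell
# Added example, not from the presentation. Assumed: database and scratch
# paths. Stop-Service ntds -Force is the cmdlet form of "net stop ntds /y".
$ntdsDir    = 'C:\Windows\NTDS'
$compactDir = 'C:\NtdsCompact'

function Invoke-Ntdsutil {
    # "activate instance ntds" is mandatory in Windows Server 2008 before any
    # files command; each element is one ntdsutil command.
    param([string[]]$Commands)
    & ntdsutil.exe (@('activate instance ntds') + $Commands + @('quit', 'quit'))
    if ($LASTEXITCODE -ne 0) { throw ('ntdsutil {0} failed ({1})' -f [string]::Join(' ', $Commands), $LASTEXITCODE) }
}

New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# Remember which dependent services (KDC, replication, DNS on a DC) are running,
# because stopping NTDS stops them too and starting NTDS does not bring them back.
$dependents = @((Get-Service ntds).DependentServices | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name })

# 1. AD DS Stopped.
Stop-Service ntds -Force
try {
    # 2. Offline defragmentation into the scratch directory.
    Invoke-Ntdsutil @('files', ('compact to {0}' -f $compactDir))
    $compacted = Join-Path $compactDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'compaction produced no ntds.dit' }

    # 3. Keep a rollback copy, swap in the compacted file, and drop the old
    #    transaction logs, which no longer match the database.
    Copy-Item (Join-Path $ntdsDir 'ntds.dit') (Join-Path $compactDir 'ntds.dit.bak')
    Copy-Item $compacted (Join-Path $ntdsDir 'ntds.dit') -Force
    Remove-Item (Join-Path $ntdsDir '*.log')

    # 4. Verify the database before the service comes back.
    Invoke-Ntdsutil @('files', 'integrity')
}
finally {
    # 5. AD DS Started, whether or not the maintenance succeeded, then the
    #    dependents that were running before.
    Start-Service ntds
    foreach ($svc in $dependents) { Start-Service $svc }
}
```

If the integrity check fails, the rollback copy in the scratch directory is the file to put back before starting the service; the finally block still restarts AD DS so the DC does not stay down on an error.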
Enhanced Auditing Capabilities
"Audit Directory Service Access" is now split into subcategories:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication / Detailed Directory Service Replication
Ability to audit Directory Service Changes: create, modify, undelete, move
What is logged: previous value, new value, and which account made the change
New Audit Event IDs
Event ID | Type of event | Event description
5136 | Modify | Logged when a successful modification is made to an attribute in the directory
5137 | Create | Logged when a new object is created in the directory
5138 | Undelete | Logged when an object is undeleted in the directory
5139 | Move | Logged when an object is moved within the domain
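Enabling the Directory Service Changes subcategory and reading the four event IDs back out of the Security log, as an added example (not code from the presentation). The EventData field names follow the Windows Server 2008 event schema for these IDs; it runs elevated on the DC. One prerequisite is not scripted: the audited objects need a SACL entry (for example Everyone, Write All Properties, Success), or no 5136 is ever produced.

```powershell
# Added example, not from the presentation. Enables the subcategory, then
# summarises 5136-5139 as one line each: time, who, what, and the values.

# 1. Turn the subcategory on. The legacy Group Policy setting "Audit directory
#    service access" enables all four DS Access subcategories at once.
& auditpol.exe /set /subcategory:'Directory Service Changes' /success:enable
if ($LASTEXITCODE -ne 0) { throw 'auditpol /set failed (run elevated)' }
& auditpol.exe /get /category:'DS Access'

# 2. Pull the change events as XML; /e wraps them in one <Events> root element.
$xpath = '*[System[(EventID=5136 or EventID=5137 or EventID=5138 or EventID=5139)]]'
$raw   = & wevtutil.exe qe Security ('/q:{0}' -f $xpath) /c:50 /rd:true /f:xml /e:Events
if ($LASTEXITCODE -ne 0) { throw 'wevtutil query failed' }
$xml   = [xml]($raw | Out-String)

function ConvertFrom-DsChangeEvent {
    param([System.Xml.XmlElement]$Event)
    $d = @{}
    foreach ($item in $Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $id   = [int]$Event.System.EventID
    $when = $Event.System.TimeCreated.SystemTime
    $who  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
    switch ($id) {
        5136 {
            # OperationType %%14674 = Value Added, %%14675 = Value Deleted. A replaced
            # attribute appears as a Deleted event (previous value) and an Added event
            # (new value) that share the same OpCorrelationID.
            $op = 'deleted'
            if ($d['OperationType'] -eq '%%14674') { $op = 'added' }
            return ('{0} MODIFY   {1} {2}: {3} {4} [{5}] op={6}' -f $when, $who, $d['ObjectDN'],
                    $d['AttributeLDAPDisplayName'], $op, $d['AttributeValue'], $d['OpCorrelationID'])
        }
        5137 { return ('{0} CREATE   {1} {2} ({3})' -f $when, $who, $d['ObjectDN'], $d['ObjectClass']) }
        5138 { return ('{0} UNDELETE {1} {2} -> {3}' -f $when, $who, $d['OldObjectDN'], $d['NewObjectDN']) }
        5139 { return ('{0} MOVE     {1} {2} -> {3}' -f $when, $who, $d['OldObjectDN'], $d['NewObjectDN']) }
    }
}

foreach ($e in @($xml.Events.Event)) {
    if ($e -ne $null) { ConvertFrom-DsChangeEvent $e }
}
```

For branch monitoring the useful filter is the subject: an RODC's delegated admin should never appear as the subject of a 5136 on the hub, because Admin Role Separation gives that account no write path into the directory.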
Improving File Access in the Branch
DFS-R (DFS Replication):
- First introduced with Windows Server 2003 R2
- Multimaster replication engine that supports replication scheduling and bandwidth throttling
- Replaces the File Replication Service (FRS) used in Windows 2000/2003
- The Remote Differential Compression (RDC) protocol makes efficient use of bandwidth at the branch office: RDC detects insertions, removals and re-arrangements of data in files, enabling differential replication of only the changed portions
Improving File Access in the Branch
DFS-R combined with DFS Namespaces delivers:
- Shared folders in different locations presented as a single folder view (contiguous namespaces)
- Increased data availability
- Load sharing
Improving File Access in the Branch
DFS-R (diagram)
Improving File Access in the Branch
SYSVOL replication:
- DFS-R replaces FRS for SYSVOL replication
- Requires the Windows Server 2008 ("Longhorn") domain functional level
- FRS is still used where Windows Server 2003 DCs are present
- Greatly improves WAN utilization to the branch office for SYSVOL replication
Improving File Access in the Branch
Metrics for measuring improvement:
- End-user wait time: first-time access; subsequent access
- Efficient use of bandwidth: bytes transmitted; time of day
Types of Data
- Single-user data: files accessed by a single user; the server copy is used mostly for backup purposes
- Shared data: files accessed by multiple users from multiple machines; the server allows sharing and collaboration across users
- Published data: files accessed by many users from many machines; data updates are rare; large file set
Client-Side Caching
Vista's client-side caching capabilities are greatly enhanced and work with Longhorn Server (Windows Server 2008) as well as with previous versions of Windows Server. Client-side caching between Vista and Longhorn Server also gains from underlying networking improvements.
- Seamless state transitions: no user intervention is required (offline changes are silently synchronized in the background)
- Fast synchronization and differential transfers: all file types are supported (bitmap differential transfer moves only the modified data between client and server)
- Improved slow-link mode: detection has been improved, and the user can stay in this mode (all requests satisfied from the cache) until they choose to force a transition to online mode
Single-User Data: Benefits of Cached Access
- Move user data from the local drive to a central server while preserving access speed
- Provides central backup of user data
- Easy data migration to new machines
- Data synchronization can be scheduled when bandwidth is cheap
Shared Data: Streaming Improvement
Parallel requests greatly increase read/write speed (chart: download speed in KB/sec at 100 ms RTT, SMB1 vs SMB2)
Shared Data: Chattiness Improvement
Compounding reduces round trips (diagram: Open Dir, Query Dir, Query Volume and Close Dir requests and responses, with a later Query Dir / Query Volume satisfied from the cache)
Published Data
Client caching of the data set is impractical:
- Improvements in data access (streaming, compounding) help
- However, the cost of data transfer stays high, since every access is a first access
Published Data
- Windows Server 2003 R2: DFS Replication to pre-stage data in the branch; DFS Namespaces for location and fault tolerance; the RDC differencing engine for delta replication
- Windows Server 2008: improved scalability and performance; Windows-based branch appliances offer caching of data in the branch
Improving File Access in the Branch
Client and server improvements:
- Windows Vista client + Windows Server 2003 R2 (or earlier): the improved offline experience offers users fast response times while keeping data synchronized between client and server
- Windows Vista client + Windows Server 2008: data streaming improves file transfer times; operation compounding reduces chattiness
Active Directory Branch Office Guide
Windows Server 2008 status update:
- A Windows Server 2008 Branch Office Guide is planned; the goal is to release the "planning" chapters by Windows Server 2008 RTM
- Scale lab testing is underway for Windows Server 2008: 680 RODCs in one domain were tested prior to Beta 3; the goal is 1200 RODCs tested by RTM
- We want to push the current recommended limit of 1200 DCs in a domain higher and will test possibly up to 3000 after WS08 ships
- Scale lab topology: hub and spoke; all branch DCs in one domain; Virtual Server with RODC on Server Core, 32 guests per host
Resources
© 2005 Microsoft Corporation. All rights reserved.