Windows 2008 Active Directory Branch Office Management - MVP Sampath Perera
1. Windows 2008 Active Directory Branch Office Management
Sampath Perera - sampath@nanotechglobal.net, sampath_mails@hotmail.com - www.khgeeks.org
2. Session Objectives & Takeaways
Session Objectives:
- Identify the key new AD DS features in WS08
- Explain the value of deploying these features
- Demonstrate these features in real-life scenarios
Key Takeaways:
- Understand when and how to deploy the key new AD DS features
10. So how can we deploy a Domain Controller in this environment?!
11. Read-Only Domain Controller
1-Way Replication:
- No replication from the RODC to a full DC
- An attack on the RODC does not propagate to the AD
Admin Role Separation:
- The RODC server admin does NOT need to be a Domain Admin
- Prevents a branch admin from accidentally causing harm to the AD
- Delegated promotion
RODC Passwords:
- Not cached by default
- Policy to configure caching of branch-specific passwords (secrets) on the RODC
- Policy to filter schema attributes from replicating to the RODC
12. RODC - Attacker "experience"
Attacker: Let's steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.
Attacker: Let's tamper with the data on this RODC and use its identity.
RODC: I have a read-only database. Also, no other DC in the enterprise replicates data from me.
Attacker: Let's intercept Domain Admin credentials sent to this RODC.
RODC: With admin role separation, the Domain Admin doesn't need to log in to me.
Attacker: Damn!
15. Read-Only Domain Controller - How it works?
Logon flow between the branch RODC and the hub full DC:
1) Logon request is sent to the RODC
2) RODC looks in its DB: "I don't have the user's secrets"
3) RODC forwards the request to a full DC
4) Full DC authenticates the user
5) Full DC returns the authentication response and TGT back to the RODC
6) RODC gives the TGT to the user and queues a replication request for the secrets
7) Hub DC checks the Password Replication Policy to see if the password can be replicated
16. Read-Only Domain Controller - Recommended Deployment Models
No accounts cached (default)
- Pro: Most secure; still provides fast authentication and policy processing
- Con: No offline access for anyone
Most accounts cached
- Pro: Ease of password management. A manageability improvement of the RODC, not a security one.
- Con: More passwords potentially exposed to the RODC
Few accounts (branch-specific accounts) cached
- Pro: Enables offline access for those who need it, and maximizes security for the others
- Con: Fine-grained administration is a new task
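The Password Replication Policy (PRP) decides which of the three models above a given RODC actually runs. The following PowerShell script is an added example, not from the slides: it reads each RODC's allowed and denied lists, shows which account secrets the RODC currently holds, and warns if any privileged account has been cached. It assumes the ActiveDirectory module (RSAT), PowerShell 3 or later, and read access to the domain; the list of privileged group names is an assumption you should extend with your own tier-0 groups.

```powershell
# Added example (not from the slides): audit the Password Replication Policy of every
# RODC in the domain and flag privileged accounts that have been cached on a branch box.
Import-Module ActiveDirectory

# Accounts whose secrets should never sit on a branch RODC (assumed list; extend it).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$privilegedSids = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SID
}

foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    Write-Host "=== RODC: $($rodc.HostName) (site: $($rodc.Site)) ==="

    # Policy: who may and who may never be cached on this RODC
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Host "Allowed list : $(($allowed | Select-Object -ExpandProperty Name) -join ', ')"
    Write-Host "Denied list  : $(($denied  | Select-Object -ExpandProperty Name) -join ', ')"

    # Reality: which account secrets this RODC holds right now ("revealed" accounts)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Host "Cached (revealed) accounts: $(@($revealed).Count)"

    # A cached privileged secret is exactly the exposure the default (no caching) model avoids
    $exposed = $revealed | Where-Object { $privilegedSids -contains $_.SID }
    if ($exposed) {
        Write-Warning "Privileged secrets cached on $($rodc.HostName):"
        $exposed | Select-Object Name, SamAccountName, DistinguishedName | Format-Table -AutoSize
    }

    # Accounts that authenticated through this RODC but are not cached: candidates for
    # the "few branch-specific accounts cached" model
    $authOnly = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
        Where-Object { @($revealed | Select-Object -ExpandProperty SID) -notcontains $_.SID }
    Write-Host "Authenticated via this RODC but not cached: $(@($authOnly).Count)"
}
```

Run it from a management host against the hub: the revealed-accounts list is the one to review after a branch RODC is lost, because those are the credentials an attacker could extract from its database.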
17. Read-Only Domain Controller - Upgrade path from a Windows 2003 Domain
Deployment steps:
1) ADPREP /ForestPrep (not RODC-specific)
2) ADPREP /DomainPrep (not RODC-specific)
3) Promote a Windows Server 2008 DC (not RODC-specific)
4) Verify the Forest Functional Level is Windows 2003
5) ADPREP /RodcPrep (RODC-specific task)
6) Promote the RODC (RODC-specific task)
Test RODCs for application compatibility in your environment!
21. Branch Office & Replication Optimization
- DFS-R replication provides more robust and detailed replication of SYSVOL contents
- Requires the Windows Server 2008 domain functional level
23. Directory Service Auditing - New Directory Service Changes Events
Event logs tell you exactly:
- Who made a change
- When the change was made
- What object/attribute was changed
- The beginning and end values
Auditing is controlled by:
- Global audit policy
- SACL
- Schema
25. Fine-Grained Password Policies - Overview
Granular administration of password and lockout policies within a domain
Usage examples:
- Administrators: strict setting (passwords expire every 14 days)
- Service accounts: moderate setting (passwords expire every 31 days, minimum password length 32 characters)
- Average user: "light" setting (passwords expire every 90 days)
26. Fine-Grained Password Policies - At a glance
Policies can be applied to:
- Users
- Global security groups
Does NOT apply to:
- Computer objects
- Organizational Units
Multiple policies can be associated with a user, but only one applies
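The three tiers from the overview slide, expressed as Password Settings Objects (PSOs), and a check of which one wins for a user who is in more than one group. This is an added PowerShell example, not from the slides: it assumes the ActiveDirectory module, PowerShell 3 or later, a Windows Server 2008 domain functional level, and that global security groups named 'Tier0-Admins' and 'Service-Accounts' exist; the user 'jdoe', the minimum lengths for the admin and user tiers, and the lockout values are assumptions (the slides only give the expiry periods and the 32-character service-account minimum).

```powershell
# Added example (not from the slides): create the three PSOs from the overview slide
# and show the resultant policy for one user. Lower Precedence wins when a user
# matches several PSOs; subjects may only be users or global security groups.
Import-Module ActiveDirectory

$psos = @(
    @{ Name = 'PSO-Admins';  Precedence = 10; MaxPasswordAge = '14.00:00:00'; MinPasswordLength = 15; Subjects = 'Tier0-Admins'     }  # strict
    @{ Name = 'PSO-Service'; Precedence = 20; MaxPasswordAge = '31.00:00:00'; MinPasswordLength = 32; Subjects = 'Service-Accounts' }  # moderate
    @{ Name = 'PSO-Users';   Precedence = 30; MaxPasswordAge = '90.00:00:00'; MinPasswordLength = 8;  Subjects = 'Domain Users'      }  # light
)

foreach ($p in $psos) {
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
            -MaxPasswordAge ([TimeSpan]$p.MaxPasswordAge) -MinPasswordAge ([TimeSpan]'1.00:00:00') `
            -MinPasswordLength $p.MinPasswordLength -PasswordHistoryCount 24 `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -LockoutThreshold 10 -LockoutDuration ([TimeSpan]'0.00:30:00') `
            -LockoutObservationWindow ([TimeSpan]'0.00:30:00')   # lockout values are assumed
    }
    # Linking to an OU or a computer object is not possible; the group is the unit of scope.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Subjects
}

# Which single policy applies to a user? (A member of Tier0-Admins and Domain Users
# gets PSO-Admins because 10 < 30.)
function Get-EffectivePso ([string]$SamAccountName) {
    $eff = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $eff) { return 'Default Domain Policy (no PSO applies)' }
    '{0} (precedence {1}, max age {2} days, min length {3})' -f `
        $eff.Name, $eff.Precedence, $eff.MaxPasswordAge.Days, $eff.MinPasswordLength
}
Get-EffectivePso 'jdoe'
```

Get-ADUserResultantPasswordPolicy is the quickest way to confirm the "only one applies" rule before rolling a PSO out, and it returns nothing when the default domain policy is in effect.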
29. Restartable AD DS
- Without a reboot you can now perform offline defragmentation
- With the DS stopped the server behaves like a member server: NTDS.dit is offline
- Can log on locally with the DSRM password
- Server Core: fewer reboots for servicing
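The offline defragmentation the slide refers to, done through Restartable AD DS rather than a reboot into DSRM. This is an added PowerShell example, not from the slides: it assumes an elevated session on a Windows Server 2008 DC with the default NTDS paths; the scratch and backup directories are placeholders.

```powershell
# Added example (not from the slides): compact NTDS.dit while the directory service
# is stopped, then bring AD DS and its dependent services back without a reboot.
$ntdsDir   = 'C:\Windows\NTDS'      # default database location (assumed)
$compactTo = 'C:\NTDS_Compact'      # placeholder scratch location
$backupDir = 'C:\NTDS_Backup'       # placeholder copy of the original database

# Remember which dependent services (KDC, DNS Server, ...) are running; Start-Service
# does not bring them back automatically after NTDS restarts.
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }

Stop-Service -Name NTDS -Force      # stops AD DS and its dependents; no reboot needed

New-Item -ItemType Directory -Force -Path $compactTo, $backupDir | Out-Null
Copy-Item "$ntdsDir\ntds.dit" "$backupDir\ntds.dit" -Force

# ntdsutil writes a compacted copy; the original stays untouched until copied back
ntdsutil "activate instance ntds" files "compact to $compactTo" quit quit

if (Test-Path "$compactTo\ntds.dit") {
    Copy-Item "$compactTo\ntds.dit" "$ntdsDir\ntds.dit" -Force
    Remove-Item "$ntdsDir\*.log" -Force      # ntdsutil asks for this after a compaction
    ntdsutil "activate instance ntds" files integrity quit quit
} else {
    Write-Warning "Compaction produced no file; original database left in place."
}

Start-Service -Name NTDS
$dependents | ForEach-Object { Start-Service -Name $_.Name }
```

Do this on one DC at a time: while NTDS is stopped the box cannot authenticate anyone, and if it is the only DC reachable from the console you will be logging on with the DSRM password, as the slide notes.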
Change auditing is not enabled by default. To enable it:
1) Turn on change auditing: auditpol /set /subcategory:"directory service changes" /success:enable
2) Set up auditing in object SACLs through ADUC > Security (Advanced) > Auditing
3) Filter out excessive events by modifying the schema (set bit 9 in searchFlags on an attribute to turn off auditing for it)
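Putting the three steps above and the "who / when / what / before and after" slide together: the following PowerShell is an added example, not from the slides. It runs the same auditpol command, lists schema attributes on which searchFlags bit 9 (value 256) already suppresses value auditing, and then reads the Directory Service Changes events from the Security log. The event IDs (5136 modified, 5137 created, 5139 moved, 5141 deleted) and the OperationType codes for "Value Added" and "Value Deleted" are the documented Windows Server 2008 values, not from the slides; the script assumes an elevated session on a DC with the ActiveDirectory module and PowerShell 3 or later. Step 2, the object SACL, is still set in ADUC as the slide describes.

```powershell
# Added example (not from the slides): enable Directory Service Changes auditing,
# check which attributes are excluded by searchFlags, and summarise the change events.
Import-Module ActiveDirectory

# Step 1: global audit policy subcategory (same command as on the slide)
auditpol /set /subcategory:"directory service changes" /success:enable | Out-Null

# Step 3 check: attributes whose searchFlags has bit 9 (256) set are never value-audited.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=256)' `
    -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName, searchFlags |
    Format-Table -AutoSize

# A modification is logged as a pair of 5136 events: 'Value Deleted' carries the old
# value, 'Value Added' the new one, which is how the log gives beginning and end values.
function Get-DsChangeSummary ([int]$MaxEvents = 50) {
    $opMap = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $op = $null
            if ($d.OperationType) { $op = $opMap[$d.OperationType] }
            [pscustomobject]@{
                Time      = $_.TimeCreated                                    # when
                Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who
                Event     = $_.Id
                Object    = $d.ObjectDN                                       # what object
                Attribute = $d.AttributeLDAPDisplayName                       # what attribute
                Operation = $op
                Value     = $d.AttributeValue                                 # old or new value
            }
        }
}
Get-DsChangeSummary | Format-Table -AutoSize
```

Until an object SACL exists (step 2), the function returns nothing even with the policy enabled, which is the usual reason a fresh deployment "sees no events".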
Note: No changes were made to the settings themselves (e.g., no new "password complexity" options)