Active Directory Domain Services in Windows Server 2008 Jose Luis Auricchio Microsoft Switzerland [email protected]


Page 1: Jose Luis Auricchio Microsoft Switzerland josea@microsoft.com

Active Directory Domain Services in Windows Server 2008

Jose Luis Auricchio, Microsoft Switzerland, [email protected]

Page 2

Session Objectives And Takeaways

Session Objectives:
• Identify the key new AD DS features in WS08
• Explain the value of deploying these features
• Demonstrate these features in real-life customer scenarios

Key Takeaways:
• Understand when and how to deploy the key new AD DS features
• Learn planning tips and best practices for these key features

Page 3

Agenda

Key Investments

Branch Office: Read-Only Domain Controller

Manageability: Auditing, Backup/Recovery

Security: Fine-Grained Password Policy

Q & A

Page 4

Terminology

Active Directory Domain Services (AD DS): replaces “Active Directory”

Active Directory Lightweight Directory Services (AD LDS): replaces “Active Directory Application Mode”

Server Roles: server functionalities like AD DS, AD LDS, and DNS, centrally managed through Server Manager

Server Core: minimal server installation option; reduces the attack surface because fewer components are installed

Page 5

Key Investments: Security, Manageability, Branch Office

Page 6

Key Investments: Security, Manageability, Branch Office

Page 7

Read-Only Domain Controller: Branch Office Challenges

Admins face the following challenges when deploying a Domain Controller at a branch office:

• The DC is placed at a physically unsecure location
• The DC has unreliable network connectivity to the hub
• Branch staff lack the knowledge/privileges to manage the DC, so either DAs remotely manage the branch DC, or DAs delegate privileges to branch staff

To consolidate the AD infrastructure, admins wish to remove DCs from branch offices, but users cannot log on or access network resources when the WAN fails

Page 8

Read-Only Domain Controller: Secure Branch Office Solution

Adversary might             RODC mitigations
Steal RODC                  No secrets cached by default; RO PAS prevents data replication to RODC
Compromise RODC             Read-only database; unidirectional replication
Intercept DA credentials    Admin role separation reduces DA access

Page 9

Directory Service Infrastructure

[Diagram: “Writeable” DCs in the data center or trusted network; Read-Only DCs at edge sites or the edge/boundary of the network]

Incorporating RODCs into your AD infrastructure

When to use:
• Security concerns or management costs are driving consolidation of writeable DCs from branch offices
• …and there is still a need for the benefits of data locality and autonomy if the WAN fails

When not to use:
• As a full-featured replacement for full/writeable Domain Controllers

Page 10

Read-Only Domain Controller: Recommended Management Models

No accounts cached (default)
• Pro: Most secure; still provides fast authentication and policy processing.
• Con: No offline access for anyone; WAN required for logon.

Most accounts cached
• Pro: Ease of password management. Intended for customers who care most about the manageability improvements of RODC and not security.
• Con: More passwords potentially exposed to the RODC.

Few accounts (branch-specific accounts) cached
• Pro: Enables offline access for those who need it, and maximizes security for the others.
• Con: Fine-grained administration is a new task; need to map computers per branch.
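The three management models differ only in which principals the RODC is allowed to cache, which is what decides how many credentials are exposed if the box is stolen. The script below is an added example written for this transcript, not code from the presentation or from any Microsoft tool. It models the RODC's allowed and denied lists as sets of principal names and assumes the documented evaluation rule that a denied entry overrides an allowed entry; the account, group and RODC names are constructed for illustration.

```python
"""Model an RODC Password Replication Policy (PRP) to compare the three
management models: no accounts cached, most accounts cached, few (branch)
accounts cached.  Added example; names and memberships are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset  # transitive group membership, precomputed for the example


@dataclass(frozen=True)
class PasswordReplicationPolicy:
    rodc: str
    allowed: frozenset  # principals whose secrets this RODC may cache
    denied: frozenset   # principals whose secrets must never reach this RODC

    def may_cache(self, acct: Account) -> bool:
        """Assumption: a match on the denied list overrides any allow entry,
        and an account matched by neither list is not cached (the default)."""
        principals = acct.groups | {acct.name}
        if principals & self.denied:
            return False
        return bool(principals & self.allowed)


def cacheable_accounts(policy: PasswordReplicationPolicy, accounts) -> list:
    """Names of accounts whose secrets could end up on the RODC once they
    authenticate through it: the credential exposure if the box is stolen."""
    return sorted(a.name for a in accounts if policy.may_cache(a))


# Constructed denied list: highly privileged principals are never cached on any RODC.
DENIED = frozenset({"Domain Admins", "Enterprise Admins", "Account Operators"})

MODELS = {
    # Default: allow list empty, so nothing is cached and logon needs the WAN.
    "no accounts cached": PasswordReplicationPolicy(
        "RODC-BRANCH1", allowed=frozenset(), denied=DENIED),
    # Everything except privileged principals: easy to manage, most exposure.
    "most accounts cached": PasswordReplicationPolicy(
        "RODC-BRANCH1", allowed=frozenset({"Domain Users", "Domain Computers"}), denied=DENIED),
    # Only principals mapped to this branch (users and the branch's computers).
    "few accounts cached": PasswordReplicationPolicy(
        "RODC-BRANCH1", allowed=frozenset({"Branch1 Users", "Branch1 Computers"}), denied=DENIED),
}

# Constructed accounts; da-carol is a branch user who is also a Domain Admin.
ACCOUNTS = [
    Account("alice", frozenset({"Domain Users", "Branch1 Users"})),
    Account("bob", frozenset({"Domain Users", "Branch2 Users"})),
    Account("da-carol", frozenset({"Domain Users", "Branch1 Users", "Domain Admins"})),
    Account("WS-B1-01$", frozenset({"Domain Computers", "Branch1 Computers"})),
]


def exposure_report(models=MODELS, accounts=ACCOUNTS) -> dict:
    """Map each management model to the accounts it would expose on the RODC."""
    return {name: cacheable_accounts(policy, accounts) for name, policy in models.items()}


if __name__ == "__main__":
    for model, exposed in exposure_report().items():
        print(f"{model:22s} -> {len(exposed)} account(s) cacheable: {exposed}")
```

Running it shows the trade-off the slide describes: the default model exposes nothing, the "most accounts" model exposes every non-privileged user and computer that ever logs on through the RODC, and the branch-specific model exposes only the principals mapped to that branch while the denied list keeps the Domain Admin account out under every model.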

Page 11

Read-Only Domain Controller: Deployment Scenarios

RODC in Branch Offices (primary and supported scenario): intended for environments with limited physical security

RODC in DMZ: intended for environments with cross Corpnet/DMZ resource access requirements

RODC on the Internet: intended for environments with cross Corpnet/Internet resource access requirements

Page 12

Read-Only Domain Controller: Step-by-step Deployment Guide

How to deploy an RODC from a W2K3 environment:

1. ADPREP /ForestPrep
2. ADPREP /DomainPrep
3. Promote a Windows Server 2008 DC
4. Verify Forest Functional Mode is Win2k03
5. ADPREP /RodcPrep
6. Verify list of client patches to check for compatibility
7. Promote RODC

(Slide legend: steps are marked either “Not RODC specific” or “RODC specific task”)

Note: You can’t convert a Full DC to an RODC or vice versa without a demotion/re-promotion

Page 13

Read-Only Domain Controller: Delegated RODC Promotion

1. Pre-create RODC account
2. Specify RODC parameters
3. Attach machine to RODC slot

Page 14

Delegated RODC Promotion

demo

Page 15

Read-Only Domain Controller: Install-from-media Promotion

NTDSUtil > IFM

During creation of RODC IFM:
• “Secrets” are removed
• DIT is defragged to remove free space

Page 16

Read-Only Domain Controller: Putting it all together

Secure Appliance DC = Admin Role Separation + RODC + Server Core

Page 17

Key Investments: Security, Manageability, Branch Office

Page 18

Auditing: New Directory Service Changes Events

Event logs tell you exactly:
• Who made a change
• When the change was made
• What object/attribute was changed
• The beginning and end values

Auditing is controlled by:
• Global audit policy
• SACL
• Schema

Event ID   Event type   Event description
5136       Modify       This event is logged when a successful modification is made to an attribute in the directory.
5137       Create       This event is logged when a new object is created in the directory.
5138       Undelete     This event is logged when an object is undeleted in the directory.
5139       Move         This event is logged when an object is moved within the domain.
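The “beginning and end values” on this slide come from the way a single attribute modification is recorded: two 5136 events that share one correlation ID, one carrying the deleted (old) value and one the added (new) value. The script below is an added example, not code from the presentation; it folds such event pairs back into one who/when/what/before/after record and flags changes to the member attribute of a watched privileged group. The events are constructed for the example (they mirror the events' field names but are not real log data), and the watch list of group DNs is an assumption.

```python
"""Correlate Directory Service Changes events (IDs 5136-5139) into
who / when / what / before / after records and flag privileged-group edits.
Added example: the events below are constructed, not captured from a real DC;
the field names mirror the events' EventData layout."""
from dataclasses import dataclass
from typing import Optional

EVENT_TYPES = {5136: "Modify", 5137: "Create", 5138: "Undelete", 5139: "Move"}

# Constructed sample events. A single attribute modification produces two 5136
# events sharing one correlation ID: "Value Deleted" (the old value) followed by
# "Value Added" (the new value); that pair yields the beginning and end values.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2008-05-01T09:12:03Z", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Alice,OU=Branch,DC=example,DC=test", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Sales",
     "OperationType": "Value Deleted", "OpCorrelationID": "{C1}"},
    {"EventID": 5136, "TimeCreated": "2008-05-01T09:12:03Z", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Alice,OU=Branch,DC=example,DC=test", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Finance",
     "OperationType": "Value Added", "OpCorrelationID": "{C1}"},
    # Object creation: one 5137 event, no attribute pair.
    {"EventID": 5137, "TimeCreated": "2008-05-01T09:20:41Z", "SubjectUserName": "jdoe",
     "ObjectDN": "OU=Kiosks,OU=Branch,DC=example,DC=test",
     "ObjectClass": "organizationalUnit", "OpCorrelationID": "{C2}"},
    # Membership added to a privileged group: only a "Value Added" half exists.
    {"EventID": 5136, "TimeCreated": "2008-05-01T23:58:10Z", "SubjectUserName": "svc-backup",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=example,DC=test", "ObjectClass": "group",
     "AttributeLDAPDisplayName": "member",
     "AttributeValue": "CN=Bob,OU=Branch,DC=example,DC=test",
     "OperationType": "Value Added", "OpCorrelationID": "{C3}"},
]


@dataclass
class Change:
    event_type: str
    who: str
    when: str
    object_dn: str
    attribute: Optional[str] = None
    old_value: Optional[str] = None
    new_value: Optional[str] = None


def correlate(events) -> list:
    """Fold events that share an OpCorrelationID into one Change, keeping input order."""
    grouped = {}
    for ev in events:
        grouped.setdefault(ev["OpCorrelationID"], []).append(ev)
    changes = []
    for evs in grouped.values():
        first = evs[0]
        change = Change(EVENT_TYPES.get(first["EventID"], "Unknown"),
                        first["SubjectUserName"], first["TimeCreated"],
                        first["ObjectDN"], first.get("AttributeLDAPDisplayName"))
        for ev in evs:
            if ev["EventID"] != 5136:
                continue  # create/undelete/move carry no before/after value
            if ev["OperationType"] == "Value Deleted":
                change.old_value = ev["AttributeValue"]
            elif ev["OperationType"] == "Value Added":
                change.new_value = ev["AttributeValue"]
        changes.append(change)
    return changes


# Constructed watch list: groups whose membership changes deserve an alert.
PRIVILEGED_GROUP_PREFIXES = ("CN=Domain Admins,", "CN=Enterprise Admins,", "CN=Schema Admins,")


def privileged_membership_changes(changes) -> list:
    """Modify events that touch the member attribute of a watched group."""
    return [c for c in changes
            if c.event_type == "Modify" and c.attribute == "member"
            and c.object_dn.startswith(PRIVILEGED_GROUP_PREFIXES)]


def describe(change: Change) -> str:
    line = f"{change.when} {change.event_type:8s} by {change.who}: {change.object_dn}"
    if change.attribute:
        line += f" [{change.attribute}: {change.old_value!r} -> {change.new_value!r}]"
    return line


if __name__ == "__main__":
    changes = correlate(SAMPLE_EVENTS)
    for c in changes:
        print(describe(c))
    for c in privileged_membership_changes(changes):
        print("ALERT privileged group membership changed:", describe(c))
```

Note that none of these events are produced unless the global audit policy, the object's SACL and the schema all allow it, as the slide lists; a correlator like this one only sees what the three controls let through.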

Page 19

ADUC: Prevent Object Deletion (Backup/Recovery)

[Screenshots: the “Prevent … from accidental deletion” option on an existing object/OU and on a new Organizational Unit]

Page 20

Database Mounting Tool (Backup/Recovery)

Allows admins to choose the best backup

Tool DOES NOT restore objects
• Now: Tool + tombstone reanimation + LDAP
• Post-WS08: Undelete is being investigated

NTDSUTIL.EXE
• Takes VSS snapshots of DS/LDS

DSAMAIN.EXE
• Exposes snapshots as LDAP servers

Page 21

Database Mounting Tool

demo

Page 22

Backup/Recovery Planning

Windows Server Backup (wbadmin.exe)
• System state backup/recovery through the command line
• Must back up to a separate partition (dedicated backup volume)
• System state recovery in DSRM (authoritative & non-authoritative)

Database Mounting Tool (dsamain.exe)
• DSAMain.exe works with offline DITs as well, e.g. restore a backup to an alternate location to get an offline DIT
• Best Practice: Schedule NTDSUtil.exe to take regular (e.g. nightly) snapshots of AD DS/LDS

Enhancement in ADUC
• By default, “Prevent container from accidental deletion” is checked for creation of OUs
• Best Practice: Check “Prevent object from accidental deletion” for important user objects as well

Page 23

Key Investments: Security, Manageability, Branch Office

Page 24

Fine-grained password policies: Overview

Enables granular administration of password and lockout policies within a domain

Policies can be applied to:
• Users
• Global security groups

Requirements:
• Windows Server 2008 Domain Mode
• No client changes needed

No changes were made to the settings themselves, e.g. no new “password complexity” options

Multiple policies can be associated with the user, but only one applies

Page 25

Fine-grained password policies: Usage Scenarios

Designed to be used in scenarios where there are different security and business requirements for sets of users. Examples:
• Administrators: strict setting (passwords expire every 14 days)
• Service accounts: moderate settings (passwords expire every 31 days, different lockout threshold, minimum password length 32 characters)
• Average user: relatively lenient setting (passwords expire every 90 days)

3 to 10 policies envisioned for most deployments

No known technical restrictions on the number of policies

Page 26

Fine-grained password policies: At a glance

[Diagram: Password Settings Object PSO 1 (Precedence = 10) and Password Settings Object PSO 2 (Precedence = 20) both “apply to” the same users; for each user covered by both, Resultant PSO = PSO1, the PSO with the lower precedence value]
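The diagram shows the rule that when several PSOs cover a user, the one with the lowest precedence value wins. The script below is an added example, not code from the presentation; it resolves the resultant PSO for a user and carries the three scenario settings from the usage-scenario slide (14, 31 and 90 day expiry, 32-character minimum for service accounts). The resolution order it implements is an assumption stated in the function's docstring: a PSO linked directly to the user beats PSOs inherited through groups, the lowest precedence wins among candidates, a tie is broken by the lowest objectGUID, and with no PSO at all the domain default applies. Group names, GUIDs and the remaining policy values are constructed.

```python
"""Resolve which Password Settings Object (PSO) applies to a user when
several are linked to it.  Added example; the expiry values follow the
usage-scenario slide (14 / 31 / 90 days), everything else is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int            # msDS-PasswordSettingsPrecedence: lower value wins
    max_password_age_days: int
    min_password_length: int
    lockout_threshold: int
    guid: str                  # objectGUID; used only to break a precedence tie


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # global security groups the user belongs to
    direct_psos: tuple = ()    # PSOs linked to the user object itself


# Constructed policies mirroring the usage-scenario slide.
PSO_ADMINS = PSO("PSO1-Admins", 10, 14, 12, 5, "0001")
PSO_SERVICE = PSO("PSO2-Service", 20, 31, 32, 50, "0002")
# The domain default is not a PSO; it is modelled here with a huge precedence
# so that it only ever wins when no real PSO applies (constructed values).
DEFAULT_DOMAIN_POLICY = PSO("Default Domain Policy", 10**9, 90, 8, 0, "ffff")

# PSO-to-group links (the PSO's msDS-PSOAppliesTo), keyed by group name.
GROUP_LINKS = {
    "FGPP-Admins": (PSO_ADMINS,),
    "FGPP-ServiceAccounts": (PSO_SERVICE,),
}


def resultant_pso(user: User, group_links=GROUP_LINKS, default=DEFAULT_DOMAIN_POLICY) -> PSO:
    """Assumed resolution order: PSOs linked directly to the user beat PSOs
    inherited through groups; among candidates the lowest precedence value wins;
    an exact precedence tie is broken by the lowest objectGUID; with no candidate
    at all, the domain's default password policy applies."""
    candidates = list(user.direct_psos)
    if not candidates:
        for group in user.groups:
            candidates.extend(group_links.get(group, ()))
    if not candidates:
        return default
    return min(candidates, key=lambda p: (p.precedence, p.guid))


def explain(user: User) -> str:
    pso = resultant_pso(user)
    return (f"{user.name}: {pso.name} (precedence {pso.precedence}), "
            f"password expires every {pso.max_password_age_days} days, "
            f"min length {pso.min_password_length}")


if __name__ == "__main__":
    for u in [
        User("alice", frozenset({"FGPP-Admins", "FGPP-ServiceAccounts"})),   # both PSOs apply
        User("svc-backup", frozenset({"FGPP-ServiceAccounts"})),
        User("bob", frozenset({"Domain Users"})),                             # no PSO
        User("carol", frozenset({"FGPP-Admins"}), direct_psos=(PSO_SERVICE,)),  # direct link wins
    ]:
        print(explain(u))
```

The "alice" case is the slide's diagram: two PSOs apply and PSO1 wins on precedence. The "carol" case shows why the slide's recommendation of group-based administration matters: a PSO linked directly to a user silently overrides the group policy, so direct links are worth auditing.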

Page 27

Fine-grained password policies: Step-by-step

1. Identify sets of users in the organization
2. Formulate corresponding password policies for the different sets of users
3. Create groups that mirror the sets of users
4. Create PSOs that mirror the devised password policies
5. Apply PSOs to the appropriate users/groups
6. Delegate administration

Page 28

Fine-grained password policies: Administration

Recommendation: group-based administration; delegate modification of group membership

The feature itself can be delegated. By default, only Domain Admins can:
• create and read PSOs
• apply a PSO to a group or user

Permissions

Operation to be delegated        Associated permissions
Create and delete PSOs           On the PSC (Password Settings Container): Create all child objects, Delete all child objects
Applying PSOs to users/groups    On the PSO: Write

Page 29

Fine-grained password policies

demo

Page 30

Additional Features

Manageability tools
• Data Collection Template (previously known as SPA)
• AD MP SP1 for W2K8 DCs/RODCs

Enhanced data integrity in the directory database
• Support for single-bit correction

DC Locator improvements
• Site-aware Domain Controller Locator

DNS Server Instant-on
• Startup performance improvements

Page 31

Resources

TechNet Documentation for AD DS:
• Step-by-step Guide for RODC
• Step-by-step Guide for AD DS Installation & Removal
• Step-by-step Guide for Restartable AD DS
• Step-by-step Guide for AD Data Mining (Mounting) Tool
• Step-by-step Guide for AD DS Backup & Recovery
• Step-by-step Guide for Auditing AD DS Changes
• Step-by-step Guide for FGPP & Account Lockout Policy Configuration

MSDN Documentation for Schema

Page 32

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.