IAM304: Active Directory (AD) Design with Longhorn Server Directory Services
Kamal Janardhan, Lead Program Manager, Directory Services

Upload: camron-oswin-rice

Post on 03-Jan-2016


TRANSCRIPT

Page 1: IAM304: Active Directory (AD) Design with Longhorn Server Directory Services Kamal Janardhan Lead Program Manager Directory Services

IAM304: Active Directory (AD) Design with Longhorn Server Directory Services

Kamal Janardhan, Lead Program Manager

Directory Services

Page 2: Investment in the Fundamentals

• Security

• Reliability and Performance

• Management

• Globalization and standards

Page 3: Investing in the Fundamentals

Reliability and Performance

• Server core/composite roles

• Restartable Active Directory

• Error correcting database page checksum

• DFSR (aka FRS 2) for SYSVOL

• DNS server startup enhancements

• DNS IP validation for NDF, DNS MMCs

Security

• DC and DNS roles for server core

• Read-only Domain Controller for branch offices

• Improved auditing (“last value” and “new value”)

• New Creator well-known SID

• Fine grained password policy

Page 4: Investing in the Fundamentals

Globalization and standards

• Full IPv6 support for DC and DNS server roles

• Phonetic sort order support for address books

• Common Criteria additions

Management

• DC locator site locality enhancements

• Improved role management

• DC promotion wizard enhancements

• DNS auto-configuration

• ADSIEdit properties page for all objects

• New IFM tool for RODC

• Single-label-name resolution (WINS-less)

Page 5: Agenda

• Longhorn Feature Overview

• Longhorn Server Name Changes

• Server Core

• DCPromo

• Read Only Domain Controller

• Other Longhorn Changes

• Fine Grained Password Policy

• Backup and Restore

• …and many more

Page 6: Longhorn Server Name Changes

New name (previous name):

• Active Directory Domain Services (Active Directory Domain Controller)

• Active Directory Lightweight Directory Services (Active Directory Application Mode)

• Active Directory Rights Management (Windows Rights Management)

• Active Directory Certificate Services (Windows Certificate Services)

• Active Directory Metadirectory (Identity Integration Feature Pack)

Page 7: Agenda (repeat of page 5; next section: Server Core)

Page 8: Server Core Value Proposition

• Core set of AD, ADAM and DNS server functionality

• Part of the “Windows Server” SKU, available as an install option

• Boot and operate in headless/embedded scenarios

• Reduced attack surface due to reduced set of binaries

Page 9: Server Core Value Proposition contd.

• Reduced servicing and management costs

• Customers who deploy a server to support a single role or fixed workload have reduced TCO.

• Only services necessary for the role are installed

• Costs for servicing, security, and management of services not essential to the workload are eliminated.

• For server specific IT staff and skills, enables separate servers for separate roles

• For example, Active Directory administrators don’t usually administer web servers (in MORG and larger organizations)

• Skill sets for SQL Administration are not highly transferable to DHCP administration

Page 10: Agenda (repeat of page 5; next section: DCPromo)

Page 11: DCPROMO in Longhorn

• Supports server core (no UI)

• Use logged on credentials for promotion

• Role selection: DNS (default), GC (default), RODC

• Site selection (with auto detection)

• Seed method: Specific DC, Any DC, IFM

• Advanced features easy to discover (/adv switch not required)

• DNS auto-configuration

• DNS client auto-configured

• DNS Delegations automatically created and configured

Page 12: Agenda (repeat of page 5; next section: Read Only Domain Controller)

Page 13: RODC Value Proposition

• DC attack surface in unsecure locations reduced

• By default, no passwords stored on/replicated from RODC.

• Read Only instance of the AD Domain database

• Server Core + RODC further reduces surface area

• Unidirectional replication for AD and FRS\DFSR

• Kerberos key separation: RODC has own KDC Krbtgt account

• Limited write rights in Directory: RODCs have no “Enterprise DC” or “Domain DC” group membership

Page 14: RODC Value Proposition contd.

• Improved management and configuration of branch offices

• Unidirectional replication makes bridgehead and replication schedule configuration simpler

• Most Branch Office Guide guidelines enabled by default

• Delegated promotion/recovery of RODCs is possible

• RODC admin can be restricted to a single RODC, separate from the Domain Admin

• Prevents accidental modification of the domain by machine administrators

• Does not prevent malicious compromise of RODC data

Page 15: DCPromo of an RODC

Page 16: How RODC mitigates “stolen DC”

(Diagram: hub admin perspective vs. attacker perspective)

Page 17: RODC Deployment prerequisites

• Works in existing environments!

• No patching to down-level DCs or clients needed

• No domain restructuring

• May be able to consolidate bridgehead servers

• Incremental requirements

• Must be in Win2003 Forest Functional Mode

• Linked value replication required

• RODCs require constrained delegation

• PDC FSMO must be running Longhorn

• Recommend multiple LH DCs per domain to load balance RODC replication
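The prerequisite list above, together with the Kerberos key separation and group-membership points on page 13, can be checked from a hub DC before the first RODC is promoted and re-checked afterwards. The following is an added example, not part of the deck; it uses the ActiveDirectory PowerShell module that shipped with Windows Server 2008 R2 and later (the deck predates it), runs against the current domain, and treats the operating-system strings as the only indicator of "Longhorn or later".

```powershell
# Added example (not from the deck): RODC pre-flight and isolation checks.
# Requires the ActiveDirectory module (RSAT, or a Windows Server 2008 R2+ DC).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$lhOrLater = 'Windows Server (2008|201\d|202\d)'   # assumed: anything 2008+ counts as "Longhorn or later"

# 1. Forest functional level: RODCs need Windows Server 2003 forest mode or higher, and that
#    is also what turns on linked-value replication, the second prerequisite on the slide.
$okForest = $forest.ForestMode -ne 'Windows2000Forest'
"Forest mode: $($forest.ForestMode) (RODC-capable: $okForest)"

# 2. The PDC emulator FSMO must run Windows Server 2008 ("Longhorn") or later.
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
$okPdc = $pdc.OperatingSystem -match $lhOrLater
"PDC emulator: $($pdc.HostName) runs $($pdc.OperatingSystem) (ok: $okPdc)"

# 3. Writable 2008+ DCs that can source replication for RODCs. The deck recommends more than
#    one per domain so that RODC replication can be load balanced.
$sources = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    Where-Object { $_.OperatingSystem -match $lhOrLater }
"Writable 2008+ DCs available as RODC replication sources: $(@($sources).Count)"

# 4. For each existing RODC: confirm key separation (its own krbtgt_<id> account, linked through
#    msDS-KrbTgtLink, never the domain's krbtgt) and that it is not in the writable DC group.
foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    $comp   = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties 'msDS-KrbTgtLink', MemberOf
    $krbtgt = Get-ADUser -Identity $comp.'msDS-KrbTgtLink'
    $groups = @($comp.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    [pscustomobject]@{
        RODC                 = $rodc.HostName
        Site                 = $rodc.Site
        KrbtgtAccount        = $krbtgt.SamAccountName              # expect krbtgt_NNNNN
        UsesDomainKrbtgt     = ($krbtgt.SamAccountName -eq 'krbtgt') # must be False
        InDomainControllers  = ($groups -contains 'Domain Controllers')  # must be False
        Groups               = ($groups -join ', ')                # expect Read-only Domain Controllers groups only
    }
}
```

If step 4 ever reports UsesDomainKrbtgt or InDomainControllers as True for an RODC, treat the RODC as a writable DC for blast-radius purposes until it is fixed: the whole "stolen DC" argument on page 16 rests on the RODC holding neither the domain krbtgt key nor writable-DC rights.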

Page 18: Incorporating RODCs into your AD

(Diagram: Directory Service “Cloud” spanning the Data Center or Trusted Network and the edge sites or edge/boundary of the network)

Page 19: Incorporating RODCs into your AD

(Diagram: the same Directory Service “Cloud”, with “Writeables” in the Data Center or Trusted Network and Read-Only DCs at the edge sites or edge/boundary of the network)

Page 20: Read-only DC: How it works: Secret caching during first logon

(Diagram: Branch with a Read Only DC; Hub with a Longhorn DC)

1. AS_Req sent to RODC (request for TGT)

2. RODC looks in DB: "I don't have the user's secrets"

3. Forwards request to LH DC

4. LH DC authenticates request

5. Returns authentication response and TGT back to the RODC

6. RODC gives TGT to user and queues a replication request for the secrets

7. Hub DC checks Password Replication Policy to see if password can be replicated

Note: At this point the user will have a hub-signed TGT

Page 21: Read Only DC: How it works: Authentication requests

(Diagram: Branch with a Read Only DC and a File Server; Hub with a Longhorn DC)

1. Client sends TGS request with hub-signed TGT (based on previous example) to RODC

2. RODC forwards request to Hub

3. In the response from the hub, the RODC looks at the requester's name. If the RODC sees that it has the secrets for the requester, it returns a Kerberos error to the client which causes the client to automatically re-request a TGT (and this time the client will receive a branch-signed TGT)

4. Client uses the session ticket to connect to File Server. File Server machine account should already have a TGT from previous authentication.

Page 22: Password Replication Policy: Recommended Management Models

• No accounts cached (default)

• Pro: Most secure, still provides fast authentication and policy processing.

• Con: No offline access for anyone. WAN required for logon.

• Most accounts cached

• Pro: Ease of password management. Intended for customers who care most about manageability improvements of RODC and not security.

• Con: More passwords potentially exposed to RODC

• Few accounts (branch-specific accounts) cached

• Pro: Enables offline access for those that need it, and maximizes security for others

• Con: Fine grained administration is a new task

• Need to map computers per branch

• Requires watching the Auth2 attribute list to manually identify accounts, or using MIIS to automate.

• There is an enhancement to Repadmin under development to help automate moving from Auth2 to Allow
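The "few accounts cached" model is the one that needs tooling: seed the Allowed list with branch-specific users and computers, leave privileged principals on the Denied side, and periodically promote accounts that show up in the Auth2 list (msDS-AuthenticatedToAccountlist) into the Allowed list. The following is an added example, not from the deck; it uses the ActiveDirectory module (Windows Server 2008 R2 and later), and BR01-RODC, the Branch01 OU and the group name are assumed placeholders. The repadmin enhancement the slide describes as under development shipped as repadmin /prp in Windows Server 2008; its equivalent is shown as a comment at the end.

```powershell
# Added example (not from the deck): managing the Password Replication Policy of one RODC.
Import-Module ActiveDirectory

$rodc     = 'BR01-RODC'                              # assumed RODC name
$branchOU = 'OU=Branch01,DC=corp,DC=example'         # assumed OU holding the branch's users and computers
$allowGrp = 'Branch01-RODC-Allowed'                  # assumed per-branch group

# One global group per branch keeps the Allowed list readable. Evaluation order matters:
# an account matched by the Denied list (or by the default 'Denied RODC Password Replication
# Group', which holds Domain Admins, Enterprise Admins, krbtgt and other privileged principals)
# is never cached, even if it is also in the Allowed list.
if (-not (Get-ADGroup -Filter "Name -eq '$allowGrp'")) {
    New-ADGroup -Name $allowGrp -GroupScope Global -GroupCategory Security -Path $branchOU
}
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allowGrp

# Seed it with the branch's users AND computers (the 'need to map computers per branch' step:
# a workstation whose secret is not cached cannot complete logon when the WAN is down either).
Add-ADGroupMember -Identity $allowGrp -Members (Get-ADUser     -SearchBase $branchOU -Filter *)
Add-ADGroupMember -Identity $allowGrp -Members (Get-ADComputer -SearchBase $branchOU -Filter *)

# Review the policy as it stands.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Auth2: accounts that authenticated through this RODC but whose secrets were NOT cached.
# Branch-local ones are candidates for the Allowed group; anything else (a Domain Admin
# logging on at the branch, say) is something to investigate, not to allow.
foreach ($acct in Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts) {
    if ($acct.DistinguishedName -like "*,$branchOU") {
        Add-ADGroupMember -Identity $allowGrp -Members $acct
    } else {
        "Auth2 but outside branch OU, left uncached: $($acct.SamAccountName)"
    }
}

# Revealed: accounts whose secrets ARE on the RODC right now (msDS-RevealedUsers). This is the
# exact list to reset if the RODC is stolen; deleting the RODC computer object offers to do it.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# Built-in equivalent that shipped in Windows Server 2008:
#   repadmin /prp view BR01-RODC auth2
#   repadmin /prp move BR01-RODC Branch01-RODC-Allowed
```

Two checks worth scheduling: the Revealed list should never contain a member of the Denied side (if it does, the secret was cached before the deny was added and that account needs a password reset), and the Auth2 list of an RODC should stay short; a steady stream of non-branch accounts in it means someone is administering the branch with privileged credentials over a link the design assumed was untrusted.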

Page 23: Password Replication Policy

Page 24: Read-only DC: Application Support

• Applications supported

• ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, NAP, PKI, CA, IAS/VPN, DFS, SMS, ADSI queries, MOM

• Generic LDAP apps which support write referrals and can tolerate write failures if WAN is offline.

• App guidance whitepaper planned post Beta 3

• Will include checklist to verify RODC app compatibility

Page 25: RODC Admin Role Separation

• New “local administrator” level of access per RODC

• Includes Builtin groups (Backup Operators, etc)

• Prevents accidental AD modifications by machine administrators

• Does not prevent “local administrator” from maliciously modifying the local DB

• Mitigates the need for large numbers of Domain Admins

• Admin Role Separation for full DCs not available

Page 26: Features Under Consideration (Beta 3)

• RODC GC with support for Outlook clients

• RODC protection for highly sensitive credential attributes (not Windows password): RO-PAS

• Two RODCs in the same site

• Features NOT under consideration

• RODC to RODC replication

• Exchange server support

• Read-only ADAM

Page 27: Agenda (repeat of page 5; next section: Fine Grained Password Policy)

Page 28: Fine Grained Password Policy

• Today password policies are domain based

• Not granular enough for large organizations

• Inconvenient for Admin and machine accounts passwords to be equally restrictive

• Password policy feature enables group based policy restrictions

• Creates a new PSO object in the schema that may be associated with any security principal

• Precedence rules to ensure resultant policy is correct

• Applies to password and account lockout settings
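As an added example that is not part of the deck, here is the PSO model above as it shipped: PSOs live under CN=Password Settings Container,CN=System, are linked to users or global security groups through msDS-PSOAppliesTo (OUs and other group scopes are not valid targets), and carry both the password and the account lockout settings the last bullet mentions. The cmdlets are from the ActiveDirectory module (Windows Server 2008 R2 and later); the group and user names are assumed placeholders. The precedence rules are stated in the comments: a PSO linked directly to the user beats any inherited through groups, among several at the same level the lowest precedence value wins, a tie is broken by the lowest objectGUID, and with no PSO the domain default applies.

```powershell
# Added example (not from the deck): two PSOs, one for privileged and one for service accounts,
# plus a resultant-policy check. Group and user names are assumed placeholders.
Import-Module ActiveDirectory

# Lower precedence number = higher priority. Admins get the strictest settings.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false -Description 'Privileged accounts'

# Service accounts: long passwords that rotate slowly, still complex and lockout-protected.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -ComplexityEnabled $true -MinPasswordLength 25 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false -Description 'Service accounts'

# Link to users or GLOBAL security groups only.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins'          -Subjects 'Domain Admins', 'Tier0-Admins'  # assumed group
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service-Accounts'                # assumed group

# Resultant policy for one account (msDS-ResultantPSO on the user). A member of both groups
# gets PSO-Admins (10 < 20); a PSO linked to the user directly would win regardless of its
# precedence; no PSO at all means the domain's default password policy.
$user = 'svc-backup'                                   # assumed user
$rsop = Get-ADUserResultantPasswordPolicy -Identity $user
if ($rsop) {
    "$user -> $($rsop.Name): minlen=$($rsop.MinPasswordLength) maxage=$($rsop.MaxPasswordAge) lockout=$($rsop.LockoutThreshold)"
} else {
    $def = Get-ADDefaultDomainPasswordPolicy
    "$user -> domain default: minlen=$($def.MinPasswordLength) maxage=$($def.MaxPasswordAge) lockout=$($def.LockoutThreshold)"
}

# Audit: every PSO, its precedence and targets. Two PSOs with the same precedence are resolved
# by lowest objectGUID, which is an accident of creation order; give each PSO a unique value.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Select-Object Name, Precedence, ObjectGUID, @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

Because the admin PSO is the one with the lowest precedence value, an administrator who is also in a looser group (for example a service-account group) still gets the strict policy; the reverse mistake, giving the relaxed policy the lower number, silently weakens every admin who happens to be in both groups, which is why the audit query at the end sorts by precedence.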

Page 29: Longhorn Server Backup and Restore

• LHSB replaces NTBackup as the new in-box backup application

• Not a feature by feature replacement

• Volume based backup

• System Restore available in WINRE

• System State backup under consideration

• May require larger disk space

• Target must be separate logical volume/physical disk

• Online/offline system state recovery under consideration

W2K3 Forest Recovery Whitepaper

http://www.microsoft.com/downloads/details.aspx?FamilyID=afe436fa-8e8a-443a-9027-c522dee35d85&DisplayLang=en

Page 30: Longhorn Backup and Restore cont.

Feature under consideration: Snapshot Viewer of Previous AD States

Problem: Restore of accidentally deleted objects

Tombstones contain insufficient data, so re-animation does not restore everything, e.g. group memberships

Solution

Enables connecting ldp.exe or equivalent to a backup

Backup may be browsed to view group memberships on the deleted object

Tombstone reanimation + manual addition to groups enables full restoration of the object

Alternatively, authoritative restore can be used, but with full confidence that undesirable memberships will not be restored.
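What this slide lists as under consideration shipped in Windows Server 2008 as AD DS snapshots: ntdsutil takes a VSS snapshot of the volume holding ntds.dit, and dsamain.exe serves a mounted snapshot (or the ntds.dit from a backup) as a read-only LDAP server on an alternate port that ldp.exe, ADSI or the Users and Computers console can browse. The following is an added example, not from the deck, of the workflow the slide describes; paths, ports, DNs and account names are assumed placeholders. The reanimation step is the LDAP modify that tombstone reanimation has used since Windows Server 2003 SP1, not the Recycle Bin that arrived in 2008 R2. Note that the AD PowerShell cmdlets cannot query a dsamain instance (they need ADWS, which dsamain does not provide), so the snapshot read uses the [ADSI] accelerator over plain LDAP.

```powershell
# Added example (not from the deck): browse a snapshot of a previous AD state, then reanimate
# a deleted user and re-add exactly the memberships the snapshot recorded. Run on a DC as a
# Domain Admin; every path, port and name below is a placeholder.

# 1. Take a snapshot, list snapshots (note the index), and mount one under C:\$SNAP_<timestamp>_VOLUMEC$\
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil snapshot "list all" quit quit
ntdsutil snapshot "list all" "mount 1" quit quit

# 2. Serve the snapshot's ntds.dit read-only on an alternate LDAP port, in its own window
#    (the timestamp in the path comes from the mount output; stop dsamain with Ctrl+C when done):
#      dsamain /dbpath 'C:\$SNAP_200712011200_VOLUMEC$\Windows\NTDS\ntds.dit' /ldapport 10389

# 3. Read the deleted user's memberships out of the snapshot over LDAP.
$userDN   = 'CN=Alice Example,OU=Branch01,DC=corp,DC=example'      # where the object lived
$snapUser = [ADSI]"LDAP://localhost:10389/$userDN"
$before   = @($snapUser.memberOf)                                   # what the tombstone lost
"Memberships recorded in the snapshot: $($before.Count)"

# 4. Reanimate the tombstone in the live directory. Only a handful of attributes survive on a
#    tombstone, which is why step 3 is needed; an authoritative restore of the object would
#    also bring back memberships that were deliberately removed after the snapshot.
Import-Module ActiveDirectory
$deleted = Get-ADObject -Filter 'SamAccountName -eq "alice" -and isDeleted -eq $true' -IncludeDeletedObjects
$ldif = @"
dn: $($deleted.DistinguishedName)
changetype: modify
delete: isDeleted
-
replace: distinguishedName
distinguishedName: $userDN
-
"@
Set-Content -Path C:\reanimate.ldf -Value $ldif -Encoding ASCII
ldifde -i -f C:\reanimate.ldf

# 5. Re-add only the memberships the snapshot showed, then give the account a password and enable it
#    (a reanimated object comes back disabled and without a usable password).
foreach ($groupDN in $before) { Add-ADGroupMember -Identity $groupDN -Members $userDN }
Set-ADAccountPassword -Identity $userDN -Reset -NewPassword (Read-Host -AsSecureString 'New password')
Enable-ADAccount -Identity $userDN

# 6. Unmount the snapshot when finished so the old database is not left reachable.
ntdsutil snapshot "list all" "unmount 1" quit quit
```

Treat a mounted snapshot with the same care as a backup of ntds.dit: it contains every password hash the DC held at that time, so run dsamain only on a DC, only for as long as needed, and unmount afterwards.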

Page 31: And many more….

• Restartable Active Directory

• Enables offline defrag

• Enables patches to ntdsai.dll without reboot

• Not a steady state configuration!

• IPv6 support in AD DS, AD LDS and DNS

• Impacts DCLocator and Sites and Subnets

• DNS DNAME Support

• DNS Single label support (GlobalNames Zone)

• DNS Instant-on

• DNS Client LLMNR (Link Local Multicast)

Page 32: And many more…. Cont.

• Management Packs

• Active Directory Management Pack SP1

• New Longhorn features (e.g. restartable AD, RODC, etc.)

• Multiple replication latency groups

• Multiple forests

• DNS MP SP1

• New Longhorn features (IPv6, etc.)

• Leverage new DNS health model

• Configuration validation

• ADAM MP

• Phonetic names support for Address book

Page 33: Attribute Editor
