Read-Only Domain Controllers
• RODCs provide faster authentication for users in branch offices
• However, RODCs do not store secrets (passwords) in their copy of the AD database; they only cache them
• You can designate who can and can't log in using a particular RODC
• RODCs are designed to be used in branch offices where:
– Physical security is low
– There are few users
– The WAN link to the main site is slow or unreliable
• You must:
– Have a Server 2008 full writeable domain controller in a site connected to the site where your RODC will live
– Be running a Server 2003 functional level or higher
– Have no applications running at the site that require writing to the DC (e.g. Exchange Server)
– Run Adprep /rodcprep
• Then, after all that, you can run dcpromo in Advanced Mode on a Server 2008 box
• RODCs don't work well as time sources
– Make sure that you have a Server 2008 full DC as the PDC Emulator to serve as your time master
• Operations Masters cannot live on an RODC
• A global catalog can be installed on an RODC (useful when lots of users come from the other site)
• In the dcpromo wizard we can specify which groups' or users' passwords are going to be replicated to the RODC
• You can specify which domain controller is the replication partner, or simply let the wizard choose
• For applications that store confidential data in the AD database, you can create an RODC filtered attribute set to prevent those attributes from replicating to any RODC in the forest (works better with the 2008 functional level)
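The wizard settings above become the RODC's Password Replication Policy. The PowerShell below is an added example, not part of the original notes: it audits that policy on every RODC and lists which secrets are really cached on each box, which is exactly what you need to know if a branch server goes missing. It assumes the ActiveDirectory module (Server 2008 R2 RSAT or later) and rights to read the policy.

```powershell
# Added example, not part of the original notes: audit every RODC's Password Replication
# Policy and the accounts whose secrets it has actually cached. Assumes the ActiveDirectory
# PowerShell module (Windows Server 2008 R2 / RSAT or later) and rights to read the policy.
Import-Module ActiveDirectory

# Privileged accounts that must never end up cached on a low-security branch box
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                  Select-Object -ExpandProperty SamAccountName)

foreach ($rodc in Get-ADDomainController -Filter 'IsReadOnly -eq $true') {
    Write-Host "=== $($rodc.HostName) in site $($rodc.Site) ==="

    # The policy as configured: who MAY be cached and who must NEVER be cached
    # (the Denied list normally carries Domain Admins, Enterprise Admins and friends).
    Write-Host '-- Allowed to cache:'
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed |
        Select-Object Name, ObjectClass | Format-Table -AutoSize
    Write-Host '-- Denied from caching:'
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Denied |
        Select-Object Name, ObjectClass | Format-Table -AutoSize

    # What is REALLY on the box: secrets cached so far. If this RODC is stolen, these are the
    # accounts to reset (ADUC offers "Reset all passwords for accounts cached on this RODC").
    $cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts)
    Write-Host "-- $($cached.Count) account(s) currently cached on this RODC:"
    $cached | Select-Object Name, ObjectClass | Format-Table -AutoSize

    # Accounts that logged on through this RODC without being cached: every one of their
    # logons crosses the WAN to a writable DC, so they are candidates for the Allowed list
    # (only if losing their secret together with the branch box is an acceptable risk).
    $forwarded = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -AuthenticatedAccounts) |
        Where-Object { $cached.Name -notcontains $_.Name }
    Write-Host "-- $(@($forwarded).Count) account(s) authenticated here but not cached:"
    $forwarded | Select-Object Name, ObjectClass | Format-Table -AutoSize

    # A Domain Admin showing up as cached means the Denied list is wrong; fix it today.
    $leaked = $cached | Where-Object { $domainAdmins -contains $_.SamAccountName }
    if ($leaked) {
        Write-Warning "Domain Admin secrets cached on $($rodc.HostName): $(($leaked | ForEach-Object { $_.SamAccountName }) -join ', ')"
    }
}
```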
SERVER CORE
• A Server Core installation is a minimal installation of Windows that gives up the Windows Explorer GUI and the Microsoft .NET Framework
• To configure and manage the server locally, you must use command-line tools; the ocsetup command is used to add and manage roles
• You can administer a Server Core installation remotely using GUI tools
• A Server Core installation limits the server roles and features that can be added
• To install an RODC on Server Core you must run an unattended installation
Server Core installations provide the following benefits:
• Reduced maintenance. Because a Server Core installation installs only what is required for the specified server roles, less servicing is required than on a full installation of Windows Server 2008.
• Reduced attack surface. Because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
• Reduced management. Because fewer applications and services are installed on a server running a Server Core installation, there is less to manage.
• Less disk space required. A Server Core installation requires only about 1 gigabyte (GB) of disk space to install and approximately 2 GB for operations after the installation, and can function with 256 MB of RAM.
Roles that can be installed on Server Core:
• Active Directory Domain Services
• Active Directory Lightweight Directory Services (AD LDS)
• DHCP Server
• DNS Server
• File Services
• Hyper-V
• Print Server
• Streaming Media Services
• Web Server (IIS)
BitLocker
• BitLocker is a feature in Server 2008 and Vista that actually encrypts your ENTIRE hard drive/volume
• Great for locations that have low security where a server or disk might be stolen
• Even if a BitLocker-enabled drive is stolen, the contents will look like gobbledygook
Here's a sketch of how it works:
• It uses a cryptographic key known as the Full Volume Encryption Key (FVEK) to encrypt the entire volume
• This FVEK is encrypted by another key called the Volume Master Key (VMK)
• Then, if that wasn't enough, the VMK is encrypted by a TPM (Trusted Platform Module) or a startup USB stick
• For BitLocker to work you need two volumes/partitions:
– One for your OS
– One for BitLocker
– It does work with RAID O.K.
• You'll also want to download the BitLocker Disk Preparation Tool from Microsoft and run it
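The key chain above (data under the FVEK, FVEK under the VMK, VMK under a TPM or USB key) is only as good as the protectors actually attached to the VMK. The script below is an added example, not from the original notes: it uses the Win32_EncryptableVolume WMI provider that ships with BitLocker to report, for each volume, its encryption state and which protector types wrap the VMK, and warns about the states that leave a stolen branch disk readable or unrecoverable.

```powershell
# Added example, not part of the original notes: for each BitLocker-capable volume, report
# whether it is encrypted AND protected, and which key protectors wrap its Volume Master Key.
# Uses the Win32_EncryptableVolume WMI provider shipped with BitLocker (Server 2008 / Vista);
# the numeric codes below are the documented GetKeyProtectorType / GetConversionStatus values.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

$protectorName = @{
    0 = 'Unknown';                       1 = 'TPM only';
    2 = 'External key (startup USB)';    3 = 'Numerical (recovery) password';
    4 = 'TPM and PIN';                   5 = 'TPM and startup key';
    6 = 'TPM, PIN and startup key';      7 = 'Public key';
    8 = 'Passphrase'
}
$conversionName = @{ 0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress';
                     3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }
$tpmBased = 1, 4, 5, 6

foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    $conv = $vol.GetConversionStatus()     # .ConversionStatus, .EncryptionPercentage
    $prot = $vol.GetProtectionStatus()     # .ProtectionStatus: 0 = off, 1 = on, 2 = unknown
    $encrypted = [int]$conv.ConversionStatus -ne 0
    Write-Host ('{0}  {1} ({2}%)  protection {3}' -f $vol.DriveLetter,
        $conversionName[[int]$conv.ConversionStatus], $conv.EncryptionPercentage,
        @{ 0 = 'OFF'; 1 = 'ON'; 2 = 'UNKNOWN' }[[int]$prot.ProtectionStatus])

    # KeyProtectorType 0 = enumerate protectors of every type; null when none exist
    $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $types = @(foreach ($id in $ids) { [int]$vol.GetKeyProtectorType($id).KeyProtectorType })
    foreach ($t in $types) { Write-Host ('    VMK protector: {0}' -f $protectorName[$t]) }

    # Failure modes worth flagging on a low-security branch server:
    #  - encrypted but protection OFF ("suspended"): the VMK sits in the clear on disk, so the
    #    FVEK and the data are one step away from whoever holds the disk
    #  - no TPM-based protector: only a USB key or recovery password stands between thief and data
    #  - no recovery password: a TPM failure or board swap makes the volume unrecoverable
    if ($encrypted -and [int]$prot.ProtectionStatus -ne 1) {
        Write-Warning "$($vol.DriveLetter): encrypted but protection is not on; the VMK is unprotected on disk"
    }
    if ($encrypted -and -not ($types | Where-Object { $tpmBased -contains $_ })) {
        Write-Warning "$($vol.DriveLetter): no TPM-based protector wraps the VMK"
    }
    if ($encrypted -and $types -notcontains 3) {
        Write-Warning "$($vol.DriveLetter): no numerical recovery password; add one and back it up to AD DS"
    }
}
```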
AD RMS
• RMS is a Server 2008 server role that works in conjunction with RMS-aware applications to provide a high level of control over documents
• You can use RMS to provide control over documents created by:
– Microsoft Office 2003: Word, Excel, PowerPoint, and Outlook
– Microsoft Office 2007: Word, Excel, PowerPoint, Outlook, and InfoPath
– SharePoint Server 2007
– Exchange 2007
• A major advantage is that your documents maintain their security even after they leave your network: the security is in the document itself
• The security is applied in the application that creates the document
• For AD RMS to work, it requires AD DS and a SQL Server to store the encryption and licensing information
DFS
• DFS is a critical component for high availability
• Here are the basics of how file replication in DFS can work:
– The set of servers replicating a folder between them is called a Replication Group
– Two connection topologies exist among members of the replication group:
– Hub and Spoke: we can put files on one particular node and have them replicate to all members
– Full Mesh: all members replicate files to each other; full mesh is recommended for a maximum of 10 servers (members)
– We can specify the bandwidth to be used by replication and also a date and time schedule
Why would you use DFS in your network?
• You already do if you're using the Server 2008 domain functional level
– Active Directory replicates your SYSVOL directory using DFS
• Other great uses for DFS:
– Branch office scenarios: provide local copies of a document to each branch office location
– Consolidating lots of shared folders into one virtual location using Namespaces for easy locating
• DFS is a role service that is part of the File Services role
WSUS
Three update methods:
• Automatic Updates
• WSUS
• System Center
Automatic Updates
• You already know about Automatic Updates
• This is really nifty if you have only a few servers and clients
• But it does require separate downloads for each machine, eating up your bandwidth like crazy
• Only updates Microsoft stuff
Windows Server Update Services
• Great when you have lots of servers and clients
• Again, only updates MS stuff
• You download the updates from Microsoft once, and then distribute the updates from your WSUS server
• There are several ways to set up WSUS
Two major account groups that you need to know about:
– WSUS Administrators: a local group on the WSUS server that allows users in this group to approve updates and configure which computers will get the updates via Computer Groups
– WSUS Reporters: another local group on the WSUS server that allows users in this group to create software update reports
WSUS gives more management capabilities and the ability to decide which updates are going to be approved and installed on the machines.
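What a WSUS Administrator does by hand in the console (approve updates, target them at a Computer Group) can also be scripted against the WSUS administration API. The following is an added example, not from the original notes: it approves every unapproved Security Update for a "Pilot" computer group only, so a bad update is caught before it reaches "All Computers". The server name WSUS01, HTTP on port 80 (the WSUS 3.0 default) and the group name Pilot are assumptions.

```powershell
# Added example, not part of the original notes: approve pending Security Updates for the
# "Pilot" computer target group only, using the WSUS 3.0 administration API.
# Assumptions: WSUS server WSUS01, plain HTTP on port 80, a target group named Pilot,
# and the script runs as a member of the local WSUS Administrators group.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$ws = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('WSUS01', $false, 80)

$pilot = $ws.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Pilot' }
if (-not $pilot) { throw 'Computer target group "Pilot" does not exist on WSUS01' }

# Only look at updates nobody has approved yet
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved

$approved = 0
foreach ($u in $ws.GetUpdates($scope)) {
    if ($u.IsDeclined) { continue }                                   # someone already rejected it
    if ($u.UpdateClassificationTitle -ne 'Security Updates') { continue }
    # Updates with a licence agreement need a human to accept the EULA; do not auto-approve them
    if ($u.RequiresLicenseAgreementAcceptance) {
        Write-Warning "Skipping (EULA not accepted): $($u.Title)"
        continue
    }
    [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $pilot)
    Write-Host "Approved for Pilot: $($u.Title)"
    $approved++
}
Write-Host "$approved security update(s) approved for the Pilot group only; widen after the pilot passes"
```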
• If you've got the dollars, System Center can also do updates
• System Center Essentials can manage up to 500 client machines and 30 servers
– Advantage of System Center Essentials: it can also update non-Microsoft software, a trick WSUS doesn't do
– Requires SQL Server (Express is provided, but not recommended by Coach)
– Also does hardware and software inventory
– Utilizes client agent software that installs during the "discovery" process
• System Center Configuration Manager 2007 is for much larger environments
– Requires SQL Server 2005 SP1 or 2008 (no Express; it needs more power!)
– All the tricks of Essentials, plus the ability to use hierarchies, parent and child sites, and more
– NAP integration
– Software distribution and operating system distribution
AD CS
Introduction to Public Key Infrastructure
• A Public Key Infrastructure is necessary only when you have software and hardware that require it
• Examples of when you need to start thinking about PKI:
– Smartcards become required
– VPNs
– Required use of digital signatures for documents
– Use of Encrypting File System in Server 2008
– IPsec
– Web authentication over SSL
• The core of a PKI consists of certificates and certificate authorities
• A certificate provides both identity and encryption, and is provided by a Certificate Authority, either internal or from a third party
• A Certificate Authority (CA) is a server that issues digital certificates for use
• There are three kinds of CAs you'll encounter
The real workhorses of a PKI infrastructure
• While your CAs are a critical part of your PKI, they can be at high risk
• Subordinate servers can take the load off by fielding most of the requests for certificates and checking the CRL (Certificate Revocation List)
And now, another acronym: the CRL
• The Certificate Revocation List (CRL) is basically just how you check whether a certificate is still valid or has been revoked
• When a certificate is used, the Certificate Authority, a subordinate CA, or an Online Responder checks the cert against the CRL to make sure it's not on it
• An Online Responder is a role service that allows the use of OCSP (Online Certificate Status Protocol) to check whether a certificate is on the revocation list or not
• You can use Online Responders for faster response in branch offices and other sites that don't require a full subordinate CA
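The CRL/OCSP check described above can be exercised from PowerShell through the Windows chain engine, which fetches the CRL distribution points and the OCSP (Online Responder) URL embedded in the certificate. The script is an added example, not from the original notes; $CertPath is a hypothetical path to a .cer file. Its point is to keep three outcomes apart that a plain "is it valid?" check blurs: revoked, could not check, and good.

```powershell
# Added example, not part of the original notes: check one certificate's revocation status
# via the CRL and OCSP URLs it carries, using .NET's X509Chain (the Windows chain engine).
# $CertPath is a hypothetical path to a DER or Base64 encoded .cer file.
param([string]$CertPath = 'C:\temp\server.cer')

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15    # time budget for CRL / OCSP fetches

$trusted = $chain.Build($cert)

# Collapse the status flags of every element in the chain into one bit mask
$mask = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NoError
foreach ($s in $chain.ChainStatus) { $mask = $mask -bor $s.Status }
function Has([System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]$flag) {
    ($mask -band $flag) -ne 0
}

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
foreach ($el in $chain.ChainElements) {
    $st = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $st) { $st = 'OK' }
    Write-Host ('  {0}  [{1}]' -f $el.Certificate.Subject, $st)
}

if (Has 'Revoked') {
    Write-Warning 'REVOKED: the certificate is on the CRL or the Online Responder reported it revoked'
} elseif ((Has 'RevocationStatusUnknown') -or (Has 'OfflineRevocation')) {
    # CRL distribution point / OCSP responder unreachable, or the cached CRL is past its next update.
    # Fail closed: soft-failing here would let a revoked certificate pass whenever the CDP is down.
    Write-Warning 'UNDETERMINED: revocation status could not be checked; treat as a failure'
} elseif ($trusted) {
    Write-Host 'VALID: chains to a trusted root and is not revoked'
} else {
    Write-Warning "INVALID: $mask"
}
```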