Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
IN THIS CHAPTER
. Understanding Read-Only Domain Controllers (RODCs)
. Installing a Read-Only Domain Controller
. Understanding BitLocker Drive Encryption
. Configuring BitLocker Drive Encryption on a Windows Server 2008 R2 Branch Office Domain Controller
. Understanding and Deploying BranchCache
. Enhancing Replication and WAN Utilization at the Branch Office

Today’s organizations are likely to consist of many branch offices. On average, a branch office is a small office hosting fewer than 50 employees in a remote location. Typically, a branch office infrastructure is connected to the headquarters site, centralized data center, or hub site by means of a wide area network (WAN) link in a distributed fashion. Due to the high costs associated with purchasing bandwidth, these WAN links are usually slow, unreliable, and inefficient. Finally, most branch offices lack physical security and IT support personnel.
For many organizations, maintaining branch offices generates significant operational costs and administrative challenges. Two scenarios exist when dealing with branch offices because of the high costs of securing high-speed links between the branch office and hub site. Either the organization implements server infrastructure at the branch office or IT services are provided to the branch office from a centralized site such as the company headquarters.
By providing branch offices with their own infrastructure, productivity increases; however, operational and management costs typically rise. When providing services to a branch office from a centralized site, its productivity is reduced as all branch office users must obtain services over a slow and unreliable WAN link. In addition, if the WAN link becomes unavailable, productivity at the branch office can come to a halt until the WAN link is repaired. As you can see, each scenario has cost and efficiency trade-offs.
CHAPTER 32
Optimizing Windows Server 2008 R2 for Branch Office Communications

Challenges like the one just described might, however, become a thing of the past for branch offices. Windows Server 2008 R2 provides new technology solutions that allow organizations to integrate branch offices seamlessly into the organization’s infrastructure. This chapter covers the use of built-in Windows Server 2008 R2 technologies that help improve the operations, management, administration, and support for branch offices in any organization. In particular, this chapter includes the implementation and use of Read-Only Domain Controllers, the use of two-stage domain controller (DC) promotion, an introduction to DFS read-only replicated folders, and the ability to configure administrative role separation. Also covered in this chapter is information on enabling BitLocker Drive Encryption, BranchCache, and the latest technologies that improve WAN utilization between branch offices and hub sites.
Understanding Read-Only Domain Controllers (RODCs)
One of the new features that received close attention in Windows Server 2008 was a new breed of domain controllers referred to as Read-Only Domain Controllers, also known as RODCs. The RODC hosts a copy of the Active Directory (AD) database like any other writable domain controller, but as its name implies, the replica of the domain database residing on the domain controller is read-only and write operations are not supported. It is equally important to mention that RODCs do not participate in Active Directory replication in the same fashion as writable domain controllers. The fundamental difference between RODC replication and the typical multimaster replication model between writable domain controllers is that RODC replication is unidirectional. This means all changes from a writable domain controller are propagated to the RODCs. As a result, the RODC receives changes, but does not partake in or perform outbound replication with other domain controllers. This characteristic of RODCs provides an extra layer of security, as any unauthorized data changes, especially changes made with the intent to hurt the organization, will not replicate out to other domain controllers. Unidirectional replication also reduces the workload of bridgehead servers in the hub site and the effort required to monitor replication.
Another new RODC functionality that improves security is seen when replication transpires between a writable domain controller and an RODC. Here, user account information is replicated, but account passwords are not replicated. This is a first in the history of Windows domain controllers. Security is bolstered in this situation, as the only passwords that reside on the RODC are the local administrator’s password and the RODC-specific Krbtgt account (the account used for Kerberos authentication). In essence, the read-only philosophy of an RODC is similar to the NT 4.0 Backup Domain Controller (BDC); however, with the NT 4.0 BDC, all user information is replicated from the Primary Domain Controller (PDC), including passwords.
NOTE
If needed, it is also possible to configure credential caching of passwords for a specific
user account to an RODC. Moreover, by default, security groups with high privileges
such as Domain Administrators and Enterprise Administrators are configured to never
allow their passwords to replicate to RODCs.
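A practical check of the behavior described in this note, as an added example that is not from the book: the script below uses the Windows Server 2008 R2 Active Directory PowerShell module to list each RODC’s Password Replication Policy (allowed and denied entries) and the accounts whose passwords are actually cached on it, then flags any cached password that belongs to a member of a privileged group. The privileged group list is an assumption chosen for this example.

```powershell
# Added example (not from the book): audit the Password Replication Policy (PRP) of every
# RODC in the current domain and flag cached passwords that belong to privileged accounts.
# Requires the ActiveDirectory module (RSAT or the AD module on Windows Server 2008 R2).
Import-Module ActiveDirectory

# Assumed list of groups that should never have passwords cached on an RODC.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$privileged = @{}
foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privileged[$_.distinguishedName] = $g }
}

# Every RODC in the domain (IsReadOnly is a property of the ADDomainController object).
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

foreach ($rodc in $rodcs) {
    Write-Host "== RODC: $($rodc.HostName) (site: $($rodc.Site))"

    # Principals allowed / denied to have their passwords replicated to this RODC.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Host "Allowed PRP entries: $(($allowed | ForEach-Object { $_.Name }) -join ', ')"
    Write-Host "Denied PRP entries : $(($denied  | ForEach-Object { $_.Name }) -join ', ')"

    # Accounts whose passwords are cached ("revealed") on the RODC right now.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Host "Cached passwords   : $(@($revealed).Count)"

    foreach ($acct in $revealed) {
        if ($privileged.ContainsKey($acct.DistinguishedName)) {
            # A privileged account with a cached password on an RODC should never happen
            # under the default policy; report it for review rather than act on it here.
            Write-Warning ("{0} is cached on {1} but is a member of {2}; review the PRP." -f
                $acct.SamAccountName, $rodc.HostName, $privileged[$acct.DistinguishedName])
        }
    }
}
```

The same cached-password list can be viewed from the command line with `repadmin /prp view <RODC name> reveal`.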
Although Microsoft fields numerous questions on this new Active Directory technology, the question that is asked the most is where does the RODC fit in? RODCs are most often used to provide Active Directory Domain Services (AD DS) to remote locations and branch offices where heightened security is essential, where Windows Active Directory administrators are lacking, and where the promise of physical security is practically nonexistent. In many cases, RODCs offer a practical headache-free solution for branch office environments that in the past had to endure solutions that always put them in compromising situations.
Organizations’ Branch Office Concerns and Dilemmas
The next section illustrates typical branch office concerns about having domain
controllers onsite. This section makes it evident why the RODC is becoming popular if not
extremely necessary for branch offices.
Lack of Physical Security at the Branch Office
Typically, branch office locations do not have the facilities to host a data center. For that reason, it is common to find domain controllers hiding in closets, tucked away in the kitchen next to the fridge, or even in a restroom. As such, branch offices lack physical security when it comes to storing domain controllers, which results in these servers being prime targets for thieves.
Domain Controllers Stolen from the Branch Office
With inadequate physical security in the branch offices, it was very common for domain
controllers to be stolen. This posed a major security threat to organizations because
domain controllers contain a copy of all the user accounts associated with the domain.
Confidential items such as highly privileged administrator accounts, DNS records, and the
Active Directory schema could fall into the hands of the wrong people in this situation.
Removing Domain Controllers from the Branch Office
Because of a lack of physical security and concerns over domain controller theft, branch
offices often had their domain controllers removed from their site. After being removed,
users were forced to authenticate over the WAN to a domain controller residing at their
corporate headquarters or to the closest hub site. Although this action solved the security
issue, it also cultivated a new problem. If the WAN link between the branch office and
hub site was unreliable or unavailable, users could not log on to the workstations at the
branch office or the amount of time required to log on was greatly increased. This resulted
in a loss of productivity for users in the branch office or outages that resulted in downtime if the WAN link was severed. These types of outages commonly lasted for days.
Lack of Administration Role Separation at the Branch Office
In small branch offices, it is also very common for multiple server functions to be hosted
on a single server to reduce costs. For example, a single server might provide domain
controller, file, print, messaging, and other line-of-business (LOB) functionality. In such
cases, it is necessary for the administrators of these applications to log on to the system to
manage their applications. By granting administrators privileges to the domain controller, these individuals also received full access to the Active Directory domain, which is considered to be a major security risk.
Lack of IT Support Personnel at the Branch Office
It is very common for secretaries, receptionists, or even high-level personnel such as
managers and directors without any prior knowledge of IT management or maintenance
to manage servers in a branch office. Typically, these individuals get nominated or
promoted to a branch office IT support role because a local IT administrator does not
exist. Unfortunately, even when conducting basic administration tasks like restarting an
unresponsive server, these individuals can inadvertently wreak havoc on the Active
Directory domain when granted administrator privileges on a domain controller. In a
Windows Server 2003 environment, there was little that could be done about this situation. You just had to be careful about who you promoted to the exclusive club of domain
administrators.
Understanding When to Leverage RODCs
As you can see, branch offices were faced with numerous challenges. Because of the many
features of RODCs, however, branch offices can now have domain controllers on site
without compromising security.
The main benefits of running RODC in branch offices are associated with the following:
. Read-only Active Directory Domain Services
. Reduced replication workload over the network
. Credential caching
. Administrator role separation
. Read-Only DNS
. Read-Only SYSVOL
These features of RODCs, which are discussed in detail in the following sections, assist in
alleviating concerns and dilemmas for organizations.
Read-Only Active Directory Domain Services
Poor physical security is typically the most common rationale for deploying an RODC at a
branch office. A read-only copy of the domain controller provides fast and reliable authentication, while simultaneously protecting against data loss in the event the server is
compromised or stolen. Because no changes can originate from an RODC, a malicious
hacker or IT support personnel with little knowledge of Active Directory administration
cannot make changes at the branch level. On a writable domain controller, not only can
changes be made, but these changes would propagate to all other domain controllers,
eventually damaging or polluting the Active Directory domain and forest.
Reduced Replication Workload over the Network
As mentioned earlier, RODCs do not participate in Active Directory replication in the
same fashion as writable domain controllers. Replication with RODC is one-way, meaning all changes from a writable domain controller are propagated to the RODC. An RODC
receives changes, but does not partake in or perform any outbound replication to other
domain controllers. This results in the replication workload being minimized over the
network because changes do not have to be pulled from an RODC and because Active
Directory replication is unidirectional. Also reduced is the amount of time required to
monitor replication, which is another plus for having an RODC.
Credential Caching
Credential caching with an RODC provides numerous security enhancements for a
domain controller residing at a branch office. Take, for example, a new functionality in
RODCs that increases security in the event an RODC is stolen. When replication transpires
between a writable domain controller and an RODC, only a user’s account information is
replicated—not the user’s password. Equally important, passwords are not stored on an
RODC. In the event the RODC is stolen, the only accounts that can be hacked and
compromised are the local administrator accounts and the RODC account, which is
specific to the RODC server. These accounts are not considered to be highly privileged,
nor do they have access authorization on the forest and domain. On the other hand,