Read-Only Domain Controllers provide faster authentication for Users in Branch Offices
• However, RODC’s do not store secrets (passwords) in the AD database (only caches)
• You can designate who can and can’t login using a particular RODC
• RODC’s are designed to be used in Branch Offices where:
– Physical Security is low
– Few Users
– WAN Link to main site is slow or unreliable
• You must:
– Have a Server 2008 Full Writeable Domain Controller in a site connected to the site where Your RODC will live
– Be Running A Server 2003 Functional Level or higher
– Have no applications running at the Site that require writing to the DC (e.g. Exchange Server)
– Run Adprep /rodcprep
• Then after all that, you can run dcpromo under the Advanced Mode on a Server 2008 box
• RODC’s don’t work well as time sources
– Make sure that you have a Server 2008 Full DC as the PDC Emulator to serve as your time master
• Operations Masters cannot live on an RODC
• Global catalog can be installed on an RODC (in case we have lots of users coming from the other site)
• In the Dcpromo wizard we can specify which groups’ or users’ passwords are going to be replicated to the RODC
• For applications that store confidential data in the AD database you can create an RODC Filtered Attribute Set to prevent those attributes from replicating to any RODC in the forest
• You can specify which domain controller is the replication partner or simply let the wizard choose (works better with functional level 2008)
• To install an RODC on Server Core you should run an unattended installation

SERVER CORE
• A Server Core installation is a minimal installation of Windows that gives up the Windows Explorer GUI and the Microsoft .NET Framework
• Server Core installation limits the server roles and features that can be added
• To configure and manage the server locally, you must use command line tools
• You can administer a Server Core installation remotely using GUI tools
• The Ocsetup command is used to manage and add roles

Server Core installations provide the following benefits:
• Reduced maintenance. Because a Server Core installation installs only what is required for the specified server roles, less servicing is required than on a full installation of Windows Server 2008.
• Reduced attack surface. Because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
• Reduced management. Because fewer applications and services are installed on a server running a Server Core installation, there is less to manage.
• Less disk space required. A Server Core installation only requires about 1 gigabyte (GB) of disk space to install, and approximately 2 GB for operations after the installation, and can function with 256MB of RAM.
Roles that can be installed on server core:
• Active Directory Domain Services
• Active Directory Lightweight Directory Services (AD LDS)
• DHCP Server
• DNS Server
• File Services
• Hyper-V
• Print Server
• Streaming Media Services
• Web server IIS

BitLocker
• BitLocker is a feature in Server 2008 and Vista that actually encrypts your ENTIRE hard drive/volume
• Great for locations that have low security where a server or disk might be stolen
• Even if a BitLocker-enabled drive is stolen, the contents will look like garbledygook
• Here’s a sketch on how it works:
– It uses a cryptographic key known as the Full Volume Encryption Key to encrypt the entire volume
– This FVEK is encrypted by another key called the Volume Master Key
– Then, the VMK is encrypted by a TPM (Trusted Platform Module) or a startup USB stick
• For Bitlocker to work You need two volumes/Partitions:
– 1 For your OS
– 1 for the BitLocker
– It does work with RAID O.K.
• You’ll also want to download the BitLocker Disk Preparation Tool from Microsoft and run it, if that wasn’t enough
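The three-layer key hierarchy sketched above, as an added toy model (not code from the slides or from Microsoft): data is encrypted with the FVEK, the FVEK is wrapped by the VMK, and the VMK is wrapped by a protector key standing in for the TPM or startup USB stick. A SHA-256 counter keystream is a constructed stand-in for AES; the point is the layering, and in particular that swapping the protector rewraps only the VMK and never touches the volume.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for AES: XOR data with SHA-256(key|nonce|counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(kek: bytes, key: bytes) -> bytes:
    """Wrap a key under a key-encryption key: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(kek, nonce, key)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Reverse of wrap(); fails closed if the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong protector key or tampered key blob")
    return keystream_xor(kek, nonce, ct)

def encrypt_volume(plaintext: bytes, protector_key: bytes):
    """Build the hierarchy. Returns (encrypted volume, FVEK wrapped by VMK, VMK wrapped by protector)."""
    fvek = os.urandom(32)          # Full Volume Encryption Key: encrypts the data
    vmk = os.urandom(32)           # Volume Master Key: encrypts the FVEK
    nonce = os.urandom(16)
    volume_ct = nonce + keystream_xor(fvek, nonce, plaintext)
    return volume_ct, wrap(vmk, fvek), wrap(protector_key, vmk)

def decrypt_volume(volume_ct, wrapped_fvek, wrapped_vmk, protector_key) -> bytes:
    """What the boot path does: protector (TPM or USB key) -> VMK -> FVEK -> data."""
    vmk = unwrap(protector_key, wrapped_vmk)
    fvek = unwrap(vmk, wrapped_fvek)
    return keystream_xor(fvek, volume_ct[:16], volume_ct[16:])

def rekey_protector(wrapped_vmk, old_protector, new_protector) -> bytes:
    """Swap the TPM/USB protector: only the VMK wrapper changes; the volume is not re-encrypted."""
    return wrap(new_protector, unwrap(old_protector, wrapped_vmk))
```

A stolen disk holds only the encrypted volume and the wrapped keys, so without the protector the decrypt step fails closed instead of yielding data.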

AD RMS
RMS is a Server 2008 Server Role that works in conjunction with RMS applications to provide a high level of control over documents
• You can use RMS to provide control over documents created by:
– Microsoft Office 2003—Word, Excel, PowerPoint, and Outlook
– Microsoft Office 2007—Word, Excel, PowerPoint, Outlook, and InfoPath
– SharePoint Server 2007
– Exchange 2007
• A major advantage is that your documents maintain the security even after they leave your network—the security is in the document itself
• The security is applied in the application that creates the document
• For AD RMS to work it requires AD DS and an SQL server to store the encryption and licensing information

DFS
• DFS is a critical component for high availability
• Here’s the basics of how File Replication in DFS can work: this scenario is called a Replication Group
• Two topologies of connections exist among members of the replication group:
– Hub and Spoke: We can put a file on one particular node and have files replicating to all members.
– Full Mesh: All members are replicating files to each other. Full mesh is recommended for a maximum of 10 servers or members.
• We can specify the bandwidth to be used by the replication and also specify a date and time schedule.

Why would you use DFS in your network?
• You already do if you’re using a Server 2008 Domain Functional Level
– Active Directory replicates your SYSVOL directory using DFS
• Other great uses for DFS:
– Branch office scenarios—provide local copies of a document to each branch office location
– Consolidating lots of shared folders into one virtual location using Namespaces for easy locating
• DFS is a role service which is a part of the File Server role.

WSUS
Three Update Methods
• Automatic Updates
• WSUS
• System Center
Automatic Updates
• You already know about Automatic Updates
• This is really nifty if you have only a few servers and clients
• But it does require separate downloads for each machine, eating up your bandwidth like crazy
• Only updates Microsoft stuff
Windows Server Update Services
• Great when you have lots of servers and clients
• Again, only updates MS stuff
• You download the updates from Microsoft once, and then distribute the Updates from your WSUS Server
• There’s several ways to set up WSUS



• WSUS gives more management capabilities and the ability to decide which updates are going to be approved and installed on the machine.
• Two Major Account Groups that you need to know about:
– WSUS Administrators: This is a local Group on the WSUS Server that allows Users in this group to approve updates and configure which computers will get the updates via Computer Groups
– WSUS Reporters: Another local Group on the WSUS Server that allows users in this Group to create software update reports

If you’ve got the dollars, System Center can also do updates
• System Center Essentials can manage up to 500 client machines and 30 servers
– Advantage to System Center Essentials: it can also update non-Microsoft software—a trick WSUS doesn’t do
– Requires SQL Server (Express Provided, but not recommended by Coach)
– Also does hardware and software inventory as well
– Utilizes client agent software that installs during the “discovery” process
• System Center Configuration Manager 2007 is for much larger environments
– Requires SQL Server 2005 SP1 or 2008 (no Express—needs more power!)
– All the tricks of Essentials, plus the ability to use hierarchies, parent and child sites, and more
– NAP integration
– Software Distribution
– Operating System Distribution

AD CS
Introduction to Public Key Infrastructure
• A Public Key Infrastructure is necessary only when you have software and hardware that require it
• Examples of when you need to start thinking about PKI:
– Smartcards become required
– VPN’s
– Required use of Digital Signatures for documents
– Use of Encrypting File System in Server 2008
– IPSec
– Web Authentication over SSL
• The core of a PKI consists of certificates and certificate authorities
• A Certificate provides both identity and encryption, and is provided by a Certificate Authority
• A Certificate Authority (CA) is a server that issues digital certificates for use, either internal or from a third party
• There are three kinds of CA’s you’ll encounter

Subordinate CA’s: The real workhorses of a PKI Infrastructure
• While your CA’s are a critical part of your PKI, they can be of high risk
• Subordinate Servers can take the load off by fielding most of the requests for certificates and checking the CRL (Certificate Revocation List)

And now, another acronym: The CRL
• The Certificate Revocation List (CRL) is the CA’s published list of revoked certificates, used to check whether a certificate is still valid or not
• When a certificate is used, the Certificate Authority or an Online Responder checks the cert against the CRL to make sure it’s not on it
• An Online Responder is a Role Service that allows the use of OCSP (Online Certificate Status Protocol) to check to see if a certificate is on the revocation list or not
• You can use Online Responders for faster response in branch offices and other sites that don’t require a full Subordinate CA
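The revocation check described above, as an added toy model (not code from the slides or from AD CS): a CRL is a signed list of revoked serial numbers with a validity window, and a verifier (the CA itself or an Online Responder answering per certificate) reports the status. The CA name, key, serials and dates are constructed sample data, and an HMAC stands in for the CA signature; the checks that fail closed (wrong issuer, bad signature, stale list) are the part a practitioner should care about.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime            # after this the list is stale and must not be trusted
    revoked: dict = field(default_factory=dict)   # serial number -> reason

def sign_crl(crl: CRL, ca_key: bytes) -> bytes:
    """HMAC stands in for the CA's signature over the list (constructed toy, not real CRL encoding)."""
    body = f"{crl.issuer}|{crl.this_update}|{crl.next_update}|{sorted(crl.revoked)}".encode()
    return hmac.new(ca_key, body, hashlib.sha256).digest()

def check_status(serial: int, issuer: str, crl: CRL, sig: bytes, ca_key: bytes, now: datetime) -> str:
    """Return 'good', 'revoked' or 'unknown'; anything that cannot be verified is 'unknown'."""
    if issuer != crl.issuer:
        return "unknown"      # another CA's list says nothing about this cert
    if not hmac.compare_digest(sig, sign_crl(crl, ca_key)):
        return "unknown"      # forged or altered CRL
    if not crl.this_update <= now <= crl.next_update:
        return "unknown"      # stale CRL: a recently revoked cert might be missing from it
    return "revoked" if serial in crl.revoked else "good"

def online_responder(serial: int, issuer: str, crl: CRL, sig: bytes, ca_key: bytes, now: datetime) -> dict:
    """OCSP-style reply: the same decision, returned per certificate instead of as the whole list."""
    return {"serial": serial, "status": check_status(serial, issuer, crl, sig, ca_key, now)}

# Constructed sample data: one CA, one revoked serial, a CRL valid for a week.
CA_KEY = b"constructed-ca-signing-key"
CA_NAME = "CN=Corp Root CA"
NOW = datetime(2008, 6, 1, 12, 0)
STALE_NOW = NOW + timedelta(days=30)   # a check made after next_update has passed
SAMPLE_CRL = CRL(CA_NAME, NOW - timedelta(days=1), NOW + timedelta(days=6),
                 {0x1A2B: "keyCompromise"})
SAMPLE_SIG = sign_crl(SAMPLE_CRL, CA_KEY)
```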

