
Lesson 5 - Planning a Branch Office Deployment

ITMT 2456 70-647



Designing support identity and access management components
3.2 Design the branch office deployment.

What is a Branch Office?
For a large organization, a branch office can be a headquarters on another continent with
hundreds or thousands of users.
Smaller organizations might have branch offices with only a handful of users.

Basic Branch Offices Resources

Large Branch Offices
In a large branch office running its own domain, there must be at least two AD DS domain
controllers, for fault tolerance purposes, with one or both functioning as Domain Name Service
(DNS) servers as well.
There must also be a Global Catalog server, to provide the branch office users with the ability
to search the other domains in the forest.

Medium-sized Offices
For a medium-sized office with 100 users, there should be at least one domain controller, to provide
the users with local authentication capabilities, as well as a DNS server and a Global Catalog server.
An office of this size should be equipped with a server closet, to physically secure the domain
controller and other vital components.

Small Branch Office
Although it might have its own servers, for local data storage, the small branch office should generally
not have a domain controller, mainly because there is no one at the location who is qualified to
maintain it.
Small offices also typically lack the physical security needed to protect a domain controller from
unauthorized access or theft.

Branch Office Topology Specifications

Domain Controller Options
In addition to the standard, full domain controller, Windows Server 2008 and Windows Server 2008
R2 both include two new types of domain controller: server core and read-only.

Server Core Installations
Server Core is an installation option included with all versions of Windows Server 2008 and Windows
Server 2008 R2 that reduces the footprint of the operating system by eliminating many of its
applications and services, along with the Explorer interface and most of the graphical tools.

Read-Only Domain Controllers
Placing a read-only domain controller (RODC) in a branch office increases security by limiting the AD
DS replication to incoming traffic only.
If attackers manage to gain access to the domain controller, whether by remote or physical means,
they can damage the local copy of the AD DS database, but those damages cannot contaminate the
rest of the domain.
The AD DS forest must be running at least the Windows Server 2003 forest functional level.
Unless you are running a new Windows Server 2008 or Windows Server 2008 R2 forest, you must
modify the forest schema by running Adprep.exe with the /RODCPrep parameter on the domain
controller functioning as the schema operations master.
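As an added example (not part of the course notes), the following PowerShell checks the two RODC prerequisites named above before anyone promotes an RODC. It assumes the ActiveDirectory module that ships with Windows Server 2008 R2, run from a domain-joined administrative workstation; the mapping of forest mode numbers is the ADForestMode enumeration of that module.

```powershell
# Added example, not from the course notes. Assumes the ActiveDirectory module
# (Windows Server 2008 R2) on a domain-joined administrative workstation.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. The forest functional level must be at least Windows Server 2003.
#    ADForestMode values: 0 = Windows2000, 1 = Windows2003Interim, 2 = Windows2003,
#    3 = Windows2008, 4 = Windows2008R2.
if ([int]$forest.ForestMode -lt 2) {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows Server 2003 or later before deploying an RODC."
}
"Forest functional level: $($forest.ForestMode) (OK for RODC)"

# 2. Adprep /rodcprep has to run on the schema operations master, and only when the
#    forest was not created as a Windows Server 2008 / 2008 R2 forest from the start.
$schemaMaster = $forest.SchemaMaster
$dc = Get-ADDomainController -Identity $schemaMaster
"Schema operations master: $schemaMaster (running $($dc.OperatingSystem))"

# Compare the schema master's host name with the local machine so the command is
# only issued where it is valid.
if ($env:COMPUTERNAME -ieq ($schemaMaster -split '\.')[0]) {
    "This machine is the schema master: run  adprep.exe /rodcprep  from the Windows Server 2008 R2 media here."
} else {
    "Run  adprep.exe /rodcprep  from the Windows Server 2008 R2 media on $schemaMaster, not on this machine."
}
```

The script deliberately prints the Adprep instruction instead of executing it, because the media path differs per site and the schema change is one you want a person to confirm.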

Installing a RODC

Password Replication Policy
An RODC does not store user credentials as read/write domain controllers do.
The RODC forwards all authentication requests to a read/write domain controller, which, in the case
of a branch office installation, generates WAN traffic and requires a functioning WAN connection for
authentication to take place.
However, it is possible to modify the default Password Replication Policy so that the RODC caches
passwords for selected users.
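As an added example (not part of the course notes), this PowerShell scopes the RODC's Password Replication Policy to one branch group and then audits what the RODC actually holds, which is the information exposed if the branch server is stolen. It assumes the ActiveDirectory module; the names RODC01, "Branch01 Users" and jsmith are hypothetical.

```powershell
# Added example, not from the course notes. Assumes the ActiveDirectory module;
# RODC01, "Branch01 Users" and jsmith are hypothetical names.
Import-Module ActiveDirectory

$rodc  = "RODC01"
$group = "Branch01 Users"

# Put only the branch group on the Allowed list; everything else keeps the default
# (forwarded to a writable DC, never cached on the RODC).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# Show the effective policy. The default Denied list (Administrators, Account/Server/
# Backup Operators and the Denied RODC Password Replication Group) wins over Allowed,
# so privileged accounts are never cached even if someone adds them to the group.
"Allowed list:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
"Denied list:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied | Select-Object -ExpandProperty Name

# Accounts whose secrets are currently cached on this RODC. Review this list
# periodically: it is exactly what an attacker with the stolen server could recover.
"Accounts currently cached on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, SamAccountName, DistinguishedName

# Accounts that have authenticated through this RODC (cached or forwarded), useful for
# spotting members of the Denied list that are logging on at the branch.
"Accounts authenticated via ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, SamAccountName

# Resultant policy for one user: confirms whether jsmith can log on when the WAN is down.
Get-ADAccountResultantPasswordReplicationPolicy -Identity "jsmith" -DomainController $rodc
```

If the resultant policy for a branch user comes back as anything other than Allow, check group nesting first: membership in any Denied-list group overrides the Allowed entry.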

Delegation of Control Wizard
One of the main reasons for dedicating an entire organizational unit to a branch office is so that you
can grant the branch office administrators access to the AD DS objects they are responsible for
managing without granting them access to anything else.
The Delegation of Control Wizard enables you to select security principals (users or groups) and
grant them access to the contents of an OU in a variety of ways.
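As an added example (not part of the course notes), this PowerShell does from the command line what the wizard's "Create, delete and manage user accounts" and "Reset user passwords" tasks do, then audits the result. It assumes the ActiveDirectory module and the AD: drive it provides, plus Dsacls.exe; the OU Branch01 and the group Branch01-Admins are hypothetical.

```powershell
# Added example, not from the course notes. Assumes the ActiveDirectory module (which
# provides the AD: drive) and Dsacls.exe; Branch01 and Branch01-Admins are hypothetical.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
$ouName   = "Branch01"
$ouDn     = "OU=$ouName,$domainDn"
$group    = "Branch01-Admins"

# Create the branch OU and its admin group if they do not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -Path $ouDn
}

# Grant full control over user objects below the OU only (/I:S = inherit to child
# objects), which is what the wizard's "manage user accounts" task delegates.
dsacls $ouDn /I:S /G "${netbios}\${group}:GA;;user"
# Grant the "Reset Password" control access right on those user objects.
dsacls $ouDn /I:S /G "${netbios}\${group}:CA;Reset Password;user"

# Audit: the group should appear on the OU's ACL ...
"ACEs for $group on ${ouDn}:"
(Get-Acl "AD:$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType, InheritedObjectType

# ... and must not appear at the domain root, which would mean the delegation leaked
# beyond the branch.
$rootAces = (Get-Acl "AD:$domainDn").Access | Where-Object { $_.IdentityReference -like "*\$group" }
if ($rootAces) { Write-Warning "$group holds rights at the domain root; remove them." }
else           { "$group has no rights at the domain root (as intended)." }
```

Keeping the rights scoped to the user object class with /I:S is the point: the branch admins get what they need on their own OU without inheriting anything on computers, groups or the OU object itself.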

Administrative Role Separation
In smaller branch offices with no dedicated IT staff, you might want to grant local users or managers a
certain amount of administrative access to an RODC without giving them any privileges in the AD DS
domain.
This is possible using a feature called Administrative Role Separation, which enables you to
designate a local administrator for an RODC without granting any domain permissions.

Dsmgmt.exe
Once the RODC is deployed, it is possible to create additional local administrators by using the
Dsmgmt.exe program from the server's command prompt.
Dsmgmt.exe is an interactive command line program that administrators can use to manage AD DS
partitions and their behavior. The following session, typed at the RODC's command prompt, lists the
local roles and adds an account to the RODC's local Administrators role:
dsmgmt
local roles
list roles
add domain\username administrators
quit
quit

Branch Office Services
You might want to deploy a variety of other infrastructure and application servers at a branch office.
DHCP server
Routing and Remote Access Services (RRAS)
Windows Server Update Services (WSUS)
Distributed File System (DFS) Replication
Microsoft Cluster Services
File servers

BranchCache
BranchCache is a new feature in Windows Server 2008 R2 and Windows 7 that enables networks
with computers at remote locations to conserve bandwidth by storing frequently-accessed files on
local drives.
BranchCache supports two operational modes, as follows:
Distributed cache mode: Each Windows 7 workstation on the branch office network caches data
from the content server on its local drive and shares that cached data with other local workstations.
Hosted cache mode: Windows 7 workstations on the branch office network cache data from the
content server on a branch office server, enabling other workstations to access the cached data from
there.

BranchCache Settings
To implement BranchCache on your network, you must install the appropriate modules on your
server(s) and configure Group Policy settings on both servers and clients.
To use BranchCache on your network, your files must be stored on a content server running
Windows Server 2008 R2.
To support SMB requests, the server must have the BranchCache for Network Files role service
installed in the File Services role.
To support HTTP and BITS requests, you must install the BranchCache feature.
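As an added example (not part of the course notes), this PowerShell installs both BranchCache server components named above on a Windows Server 2008 R2 content server and verifies the service state. It assumes the ServerManager module of 2008 R2, in which the role service is named FS-BranchCache and the feature is named BranchCache; the Group Policy side described in the text is not covered here.

```powershell
# Added example, not from the course notes. Assumes the ServerManager module on
# Windows Server 2008 R2, where the component names are FS-BranchCache (the
# "BranchCache for Network Files" role service) and BranchCache (the feature).
Import-Module ServerManager

# FS-BranchCache serves SMB requests; the BranchCache feature serves HTTP and BITS.
$wanted = Get-WindowsFeature -Name FS-BranchCache, BranchCache

foreach ($feature in $wanted) {
    if ($feature.Installed) {
        "$($feature.Name) already installed"
    } else {
        $result = Add-WindowsFeature -Name $feature.Name
        "$($feature.Name): Success=$($result.Success) RestartNeeded=$($result.RestartNeeded)"
    }
}

# Verify the installed state and the BranchCache service configuration.
Get-WindowsFeature -Name FS-BranchCache, BranchCache | Format-Table Name, DisplayName, Installed -AutoSize
netsh branchcache show status all

# On the branch office server that will hold the cache in hosted cache mode, the
# service role is switched with:
#   netsh branchcache set service mode=HOSTEDSERVER
# Distributed cache mode needs no branch server; workstations are configured through
# the Group Policy settings the text refers to.
```

Run the status command again after the Group Policy settings are applied: a content server whose service is not in the expected mode simply serves files without any caching, which looks like a slow WAN rather than a misconfiguration.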

You Learned
For the purposes of this chapter, imagine an organization with branches in three sizes:
A large office with 1,000 users
A medium-sized office with 100 users
A small office with 10 users.
Each of these offices has users that must access resources hosted by the corporate headquarters,
but they have varying amounts of money, equipment, and administrative expertise with which to do
that.
A 100-user branch office is likely to have one or two dedicated IT staffers to maintain the network.
Therefore, creating a separate organizational unit (OU) for the office is a viable solution.
You can grant the IT staffers at the branch office the permissions needed to administer the OU,
without giving them complete autonomy.
While it is possible to run a branch office with no Active Directory Domain Services presence at all,
this can cause more problems than it resolves in an enterprise that is reliant on AD DS for
authentication and administration.
A full domain controller provides all of the standard domain controller capabilities, replicating the AD
DS bidirectionally with the other domain controllers in the domain and including all of the standard AD
DS management tools.
Server Core is an installation option included with all versions of Windows Server 2008 and Windows
Server 2008 R2 that reduces the footprint of the operating system by eliminating many of its
applications and services, along with the Explorer interface and most of the graphical tools.
A read-only domain controller (RODC) increases security in a branch office by limiting the AD DS
replication to incoming traffic only. If attackers manage to gain access to the domain controller, they
can damage the local copy of the AD DS database, but those damages cannot contaminate the rest
of the domain.
An RODC does not store user credentials as read/write domain controllers do. RODCs are
designed for locations that have reduced physical security, and are therefore more liable to be stolen
or accessed by unauthorized persons. By not caching credentials, an RODC reduces the information
compromised if someone steals the computer.
It is possible to modify the default Password Replication Policy so that the RODC caches passwords
for selected users.
The Delegation of Control Wizard enables you to select security principals (users or groups) and
grant them access to the contents of a branch office OU in a variety of ways.
In smaller branch offices with no dedicated IT staff, you might want to use Administrative Role
Separation to grant local users or managers a certain amount of administrative access to an RODC
without giving them any privileges in the AD DS domain.
BranchCache is a new feature in Windows Server 2008 R2 and Windows 7 that enables networks
with computers at remote locations to conserve bandwidth by storing frequently-accessed files on
local drives.