Windows Server 2008 R2 Unleashed (261 page)

Windows Server 2008 R2 media and product keys.

NOTE

Another alternative to performing a staged RODC installation is to have the branch

office prepare a base installation of the Windows Server 2008 R2 operating system.

After this installation is complete and the server is on the network, a domain adminis-

trator from the hub site can use the Remote Desktop Protocol (RDP) and remotely per-

form the dcpromo process. This strategy also eliminates the need to use branch

personnel in any facet of the domain controller installation process.

Complete the following steps to create an account for a Read-Only Domain Controller

(RODC). You will be using the Active Directory Users and Computers interface in the first

step of this staged approach.

1. On a writable Windows Server 2008 R2 domain controller, invoke Active Directory

Users and Computers by selecting it from the Administrative Tools.

2. In Active Directory Users and Computers, expand the domain tree, and then select

ptg

the Domain Controllers Organizational Unit folder.

3. Right-click the Domain Controllers OU container, and then select Pre-Create Read-

Only Domain Controller Account.

4. The Active Directory Domain Services Installation Wizard is invoked. Review the

Welcome page, and then click Next to continue.

5. On the Network Credentials page, specify the account credentials that will be used

to perform the installation. The options include either My Current Logged On

Credentials or Alternate Credentials. Click Next to continue.

6. Enter a computer name for the RODC in the Computer Name text box located on

the Specify the Computer Name page. This is illustrated in Figure 32.5. Click Next.

NOTE

This procedure creates a computer account in Active Directory Domain Services. The

RODC computer name specified in this step should be the name of the server you plan

on promoting to an RODC. As part of the prerequisite tasks and also to minimize serv-

er name conflicts, do not join the server you plan on using as an RODC to the domain.

The server should reside in a workgroup.

7. On the Select a Site page, select a site for the new domain controller installation,

and then click Next.

8. On the Additional Domain Controller Options page, select the additional options for

the domain controller. Additional items could include a DNS server and a global

Installing a Read-Only Domain Controller

1321

32

FIGURE 32.5

Specifying the computer name of the RODC system.

catalog server. Also, notice that the Read-Only Domain Controller is selected auto-

matically and cannot be unselected.

ptg

NOTE

In general, to minimize unnecessary WAN utilization, it is a best practice to also make

the RODC a DNS server and a global catalog server.

9. On the Delegation of RODC Installation and Administration page, specify a user or

group who will ultimately manage and attach the server to the RODC account being

created. Do this by selecting Set and enter the desired user account or group. Click

Next to continue.

10. Review the summary of the Active Directory installation, and click Next on the

Summary page to finalize the inauguration of the RODC.

11. Click Finish to finalize the creation of the RODC account.

At this point, the RODC account has been created. The next step is to run the Active

Directory Domain Services Installation Wizard on a server that will eventually become the

RODC by leveraging the user or group the RODC installation was delegated to in the

previous steps. To attach a server to an RODC account, follow these simple steps:

1. Using someone with local administrative privileges, log on to the server that will be

the RODC in the branch office.

NOTE

To reaffirm, make sure this server is in a workgroup and not associated with the Active

Directory domain.

1322

CHAPTER 32

Optimizing Windows Server 2008 R2 for Branch Office

Communications

2. Click Start, Run, type the command dcpromo/UseExistingAccount:Attach, and

then click OK.

NOTE

The Active Directory Domain Services binaries will be installed. After this is complete,

the Active Directory Domain Services Installation Wizard will be invoked.

3. On the Welcome to the Active Directory Domain Services Installation Wizard page,

click Next to attach the server to a corresponding domain controller account created

in the previous steps.

4. On the Network Credentials page, first specify the name of the forest where the

RODC installation will occur. Then click Set to specify the alternate account creden-

tials that will be used to perform the installation. Provide the username and pass-

word of the IT support personnel at the branch office, which was delegated in the

previous steps, as shown in Figure 32.6. Click Next.

ptg

FIGURE 32.6

Entering the domain and alternate credentials information for the RODC

installation.

NOTE

If the source server computer account name deviates from the RODC name that was

created in the previous step, the installation is sure to fail. The two account names

must be identical.

5. On the Select Domain Controller page, the wizard will automatically link and match

the server name to the account name of the RODC created in the previous step.

Understanding BitLocker Drive Encryption

1323

Ensure the Computer Name, DC Type, and Domain and Site information located in

the Account Details section is correct. If it is, click Next to continue.

6. Validate the folder location for the Database, Logs Files, and sysvol folder, and then

click Next.

7. Enter and confirm the password for the Directory Services Restore mode administra-

32

tor account, and click Next.

8. Review the summary of the Active Directory installation, and click Next on the

Summary page to finalize the inauguration of the RODC.

9. Click Finish and restart the RODC system.

Understanding BitLocker Drive Encryption

Microsoft added Windows BitLocker Drive Encryption to Windows Server 2008 mostly as a

result of organizations demanding protection not only for their operating systems in

remote locations, but also for the vital data stored on the system volume, data volumes,

and USB flash drives that were used in these locations. BitLocker Drive Encryption,

commonly referred to as just BitLocker, is a software-based Full Disk Encryption (FDE) data-

protection security feature included in all versions of Windows Server 2008 and Windows

ptg

Server 2008 R2, as well as in the Ultimate and Enterprise Editions of Windows Vista and

Windows 7. It is an optional component that must be installed if you choose to use it.

BitLocker increases data at rest protection for an operating system by merging two

concepts together: encrypting a volume and guaranteeing the integrity of the operating

system’s boot components. The first component, drive encryption, safeguards data resid-

ing on the system volume and configured data volumes by preventing unauthorized users

from compromising Windows system files encrypted with BitLocker. The second compo-

nent provides integrity verifications of the early boot components, which essentially refers

to components used during the startup process, by validating that the hard disk has not

been tampered with or removed from its original server. Equally important, when you use

BitLocker, confidential data on a protected server cannot be viewed even if the hard disks

are transferred to another operating system. If these two conditions are met, only then

will data on a BitLocker volume be accessible and the system allowed to boot.

If you have worked with previous versions of Windows Server, you will recognize immedi-

ately that BitLocker is a great addition to Windows Server 2008 R2 as it protects all of the

data residing on a server’s hard disks because everything written to the disk including the

operating system is encrypted. In previous versions of Windows Server, encryption based

on integration with integrity controls was not supported, which meant personal informa-

tion could be compromised. In addition, with BitLocker now on the map, branch offices

concerned over the physical security and theft of their domain controllers stand to benefit

the greatest from leveraging BitLocker because this feature further bolsters security and

ensures confidential data is not disclosed without authorization.

1324

CHAPTER 32

Optimizing Windows Server 2008 R2 for Branch Office

Communications

NOTE

Many professionals are posing questions as they wonder about the differences

between BitLocker and Encrypting File System (EFS). Both technologies offer tools for

encryption; however, BitLocker is intended to protect all personal and system files on a

system and after it is enabled, it is transparent as well as automatic. EFS, on the other

hand, encrypts individual files based on an administrator’s judgment call.

Examining BitLocker’s Drive Encryption

BitLocker was first introduced with the release of Windows Vista. Since entering the

Windows Server 2008 family of operating systems, Microsoft has continued to improve

BitLocker by adding new features, for example: support for data volumes, smart card certifi-

cates, data recovery agents, USB flash drives, a new RSAT BitLocker interface, and so on.

Understanding Its Benefits

By using BitLocker in conjunction with Windows Server 2008 R2, an organization can

enjoy a number of benefits:

. Prevention of unauthorized access to data at rest, which is located on Windows

managed system volumes, data volumes, and USB flash drives.

ptg

. Support for integrity checking of early boot components using Trusted Platform

Module (TPM) to ensure that a machine has not been tampered with and that

encrypted materials are located on the original machine.

. Protection against cold boot attacks by requiring an interactive form of authentica-

tion (including a PIN or a USB key) in addition to the presence of the TPM hardware

before a machine will boot or resume from hibernation.

. Support for escrow of BitLocker recovery materials in Active Directory.

. A streamlined recovery process, which can be delegated to non-Domain

Administrators.

. Windows Server 2008 R2 and Windows 7 automatically creates the necessary

BitLocker disk partitions during installation.

. Support for BitLocker protection on USB flash drives. This feature is called

BitLocker To Go.

. Lastly, support for Data Recovery Agent (DRA) support so that authorized IT admin-

istrators will always have access to BitLocker protected volumes.

Understanding TPM

The term Trusted Platform Module (TPM) is used to refer to both the name of a published

specification by the Trusted Computing Group for a secure cryptoprocessor and the imple-

mentation of that specification in the form of a TPM chip. A TPM chip’s main purpose in

life is the secure generation of cryptographic keys, the protection of those keys, and the

ability to act as a hardware pseudo-random number generator. In addition, a TPM chip

Understanding BitLocker Drive Encryption

1325

can also provide remote attestation and sealed storage. Remote attestation is a feature in

which a hash key summary is created based on a machine’s current hardware and software