1
00:00:06,310 --> 00:00:11,980
Branch offices present a unique challenge for an organization's IT staff.

2
00:00:11,980 --> 00:00:18,320
Branch offices usually are smaller sites in which no data center exists.

3
00:00:18,340 --> 00:00:26,230
Additionally, branch offices might not have a secure facility in which to house servers, and

4
00:00:26,230 --> 00:00:32,380
there might be few, if any, local IT staff to support the servers.

5
00:00:32,410 --> 00:00:40,900
If a wide area network link separates a branch office from your hub site, depending on the number of

6
00:00:40,900 --> 00:00:48,850
users and the services that are available in the branch office, you must decide whether to place a domain

7
00:00:48,850 --> 00:00:58,510
controller in the branch office. AD DS in Windows Server 2008 and newer versions supports a new type

8
00:00:58,510 --> 00:01:07,690
of domain controller, a read-only domain controller, or RODC, which deploys in this type of environment.

9
00:01:07,750 --> 00:01:11,360
There are several reasons for deploying RODCs.

10
00:01:11,440 --> 00:01:19,870
If you do not deploy a domain controller in a branch office, you must use a WAN link to direct authentication

11
00:01:19,930 --> 00:01:24,690
and service ticket activities to the hub site.

12
00:01:24,700 --> 00:01:33,010
When a user first tries to access a specific service, the user's client requests a service ticket

13
00:01:33,010 --> 00:01:41,470
from a domain controller. Users typically connect to multiple services during a workday, so service

14
00:01:41,470 --> 00:01:45,270
ticket activity happens regularly.

15
00:01:45,340 --> 00:01:54,040
Authentication and service ticket activity over a WAN link between a branch office and a hub site can

16
00:01:54,040 --> 00:01:58,150
result in slow or unreliable performance.

17
00:01:58,150 --> 00:02:04,970
If you place a domain controller in a branch office, authentication occurs more efficiently.
18
00:02:04,990 --> 00:02:13,210
However, there are several potentially significant concerns, which include the following. A domain controller

19
00:02:13,390 --> 00:02:22,240
maintains a copy of all objects and attributes in its domain, including secure information such as user

20
00:02:22,240 --> 00:02:23,210
passwords.

21
00:02:23,230 --> 00:02:31,960
If a hacker accesses or steals a domain controller, or its hard drive or backup drive, a determined malicious

22
00:02:31,960 --> 00:02:36,730
user could identify valid usernames and passwords.

23
00:02:36,820 --> 00:02:44,770
At that point, your entire domain is compromised, and you would have to reset passwords for every user

24
00:02:44,770 --> 00:02:50,170
and computer account in the domain. Server security in branch offices

25
00:02:50,170 --> 00:02:52,360
often is not ideal.

26
00:02:52,360 --> 00:02:59,020
So a branch office domain controller poses a considerable security risk.

27
00:02:59,020 --> 00:03:06,130
Another reason is that changes to the Active Directory database on a branch office domain controller

28
00:03:06,400 --> 00:03:12,850
replicate to the hub site and to the environment's other domain controllers.

29
00:03:12,850 --> 00:03:21,370
Therefore, corruption to a branch office domain controller poses a risk to the integrity of the organization's

30
00:03:21,420 --> 00:03:22,450
AD DS.

31
00:03:22,540 --> 00:03:29,800
For example, a branch office administrator who performs a restoration of the domain controller from an

32
00:03:30,130 --> 00:03:36,400
outdated backup could cause significant problems for the entire domain.

33
00:03:36,400 --> 00:03:43,660
Another concern is that a branch office domain controller might require maintenance, such as the installation

34
00:03:43,660 --> 00:03:49,590
of new device drivers. To perform maintenance on a standard domain controller,
35
00:03:49,690 --> 00:03:58,090
you must sign in as a member of the Administrators group, which means that you effectively are an administrator

36
00:03:58,090 --> 00:03:59,220
of the domain.

37
00:03:59,230 --> 00:04:06,180
It might not be appropriate to grant that level of capability to a branch office support team.

38
00:04:06,220 --> 00:04:10,910
These concerns can leave organizations with a difficult decision.

39
00:04:11,020 --> 00:04:18,910
For this reason, Microsoft introduced the RODC, which addresses the branch office scenario. The

40
00:04:18,970 --> 00:04:25,930
RODC is a domain controller that maintains a copy of all objects and attributes in the domain,

41
00:04:26,140 --> 00:04:32,440
except for the secure information such as password-related properties.

42
00:04:32,650 --> 00:04:41,470
If you do not configure caching, an RODC receives sign-in requests from branch office users and forwards

43
00:04:41,530 --> 00:04:49,370
them to a domain controller in the hub site for authentication. You can configure a password replication

44
00:04:49,420 --> 00:04:58,000
policy for an RODC that specifies the user and computer accounts for which passwords might be cached

45
00:04:58,270 --> 00:05:05,260
on the RODC. If a user is signing in by using an RODC, the RODC requests

46
00:05:05,710 --> 00:05:10,380
that user's credentials from a full domain controller.

47
00:05:10,380 --> 00:05:17,520
When the user is a member of the password replication policy that applies to an RODC, the

48
00:05:17,520 --> 00:05:25,500
RODC can retrieve the password, and the full domain controller allows the replication of the secret.
49
00:05:25,500 --> 00:05:32,890
This means that the next time the user requests authentication from the same RODC, the RODC

50
00:05:32,890 --> 00:05:40,800
can perform the task locally. While the users who are included in the password replication policy sign

51
00:05:40,800 --> 00:05:49,980
in, the RODC builds its cache of credentials so that it can perform authentication locally for those

52
00:05:49,980 --> 00:05:50,850
users.

53
00:05:50,850 --> 00:05:57,780
Normally, you add users and computers to the password replication policy who are in the

54
00:05:57,780 --> 00:06:06,470
same physical site as the RODC. Because the RODCs maintain only a subset of user credentials,

55
00:06:06,780 --> 00:06:09,260
security exposure is limited.

56
00:06:09,540 --> 00:06:17,250
If an RODC is compromised or stolen, only the user and computer accounts

57
00:06:17,580 --> 00:06:24,900
that the RODC has cached must have their passwords reset. The RODC replication process

58
00:06:25,140 --> 00:06:34,590
also enhances security. An RODC replicates changes to AD DS from writable domain controllers, but

59
00:06:34,590 --> 00:06:38,910
it does not replicate any data to other domain controllers.

60
00:06:38,910 --> 00:06:47,250
This eliminates the exposure of Active Directory services to corruption because of changes made to a

61
00:06:47,490 --> 00:06:50,610
compromised branch office domain controller.

62
00:06:50,610 --> 00:06:58,380
Finally, RODCs have the equivalent of a local Administrators group. You can give one or more local

63
00:06:58,380 --> 00:07:08,040
support personnel the ability to maintain an RODC fully without granting them the equivalent of Domain Admins

64
00:07:08,040 --> 00:07:08,900
rights.

65
00:07:08,940 --> 00:07:17,670
Now some notes about RODC limitations and considerations. To reduce security risks and administrative

66
00:07:17,670 --> 00:07:18,500
costs,
67
00:07:18,570 --> 00:07:26,730
some domain controller options that are available for writable domain controllers are not available

68
00:07:26,730 --> 00:07:31,810
for RODCs. Before you decide to deploy an RODC,

69
00:07:31,950 --> 00:07:39,980
you should be aware of the following limitations and considerations. RODCs cannot be operations

70
00:07:39,990 --> 00:07:48,480
master role holders. Operations master role holders must be available to write information to the Active

71
00:07:48,480 --> 00:07:56,700
Directory database. Because of the read-only nature of an RODC's Active Directory database, it cannot

72
00:07:56,790 --> 00:08:04,960
act as an operations master role holder. RODCs cannot be bridgehead servers. Bridgehead servers

73
00:08:04,980 --> 00:08:14,610
specifically replicate changes from other sites. RODCs perform only inbound replication, so they

74
00:08:14,610 --> 00:08:22,750
cannot act as a bridgehead server for a site. You should have only one RODC per site per domain.

75
00:08:22,860 --> 00:08:31,170
If you have multiple RODCs, the behavior of caching is inconsistent, because shared secrets are

76
00:08:31,170 --> 00:08:39,460
only cached if a user has signed in to that specific RODC. It is likely that one RODC has

77
00:08:39,480 --> 00:08:48,720
the shared secrets and another RODC in the same site does not have them at all. RODCs cannot authenticate

78
00:08:49,000 --> 00:08:53,470
across trusts when a WAN connection is not available.

79
00:08:53,550 --> 00:09:01,020
If your users and computers are in different domains, they cannot perform logons when the branch

80
00:09:01,020 --> 00:09:06,920
site uses an RODC and is disconnected from the hub site.

81
00:09:06,930 --> 00:09:15,210
Another limitation is that because AD DS changes cannot be written directly to an RODC,

82
00:09:15,510 --> 00:09:20,520
no replication changes originate at an RODC.
83
00:09:20,550 --> 00:09:29,490
This means that any changes or corruption that a hacker might make at branch locations cannot replicate

84
00:09:29,490 --> 00:09:32,640
from the RODC to the forest.

85
00:09:32,640 --> 00:09:41,470
This also reduces the workload of the hub's bridgehead servers and the effort required to monitor

86
00:09:41,500 --> 00:09:51,630
replication. Unidirectional replication applies to both AD DS and Distributed File System

87
00:09:51,630 --> 00:09:52,850
replication.

88
00:09:52,850 --> 00:10:02,220
Another limitation is that an RODC cannot support any application that needs to update AD DS interactively,

89
00:10:02,460 --> 00:10:09,840
such as Microsoft Exchange Server. If you are going to deploy Exchange Server or similar apps in a site,

90
00:10:10,160 --> 00:10:13,670
you also should deploy a writable domain controller.

91
00:10:13,700 --> 00:10:21,020
Further, if you deploy Exchange Server at a site, you also should have a physically secure location for

92
00:10:21,020 --> 00:10:22,170
your servers.

93
00:10:22,190 --> 00:10:30,160
You can install the Domain Name System server service on the RODC. RODCs can replicate all application directory

94
00:10:30,220 --> 00:10:37,730
partitions that DNS uses, including ForestDNSZones and DomainDNSZones.
95
00:10:37,730 --> 00:10:45,740
If you install a DNS server on an RODC, clients can query it for name resolution just as they would

96
00:10:45,740 --> 00:10:55,040
query any other DNS server. Similar to the AD DS information on an RODC, the DNS zone information

97
00:10:55,160 --> 00:11:05,140
on an RODC is read-only, and therefore it doesn't support client updates directly. When client computers

98
00:11:05,170 --> 00:11:14,390
try to register a resource record in a DNS zone hosted on an RODC, the RODC returns the name

99
00:11:14,510 --> 00:11:22,760
of a full domain controller that contains a writable copy of the zone to the client. The client uses

100
00:11:22,820 --> 00:11:26,390
the full domain controller to register the record.

101
00:11:26,690 --> 00:11:27,130
Okay.

102
00:11:27,170 --> 00:11:31,080
Next up we'll be talking about deploying an RODC.

103
00:11:31,110 --> 00:11:32,060
I'll see you there.