The first issue to consider in the branch office is the establishment of the proper level of access
and authority for the branch office administrator. The branch office administrator is generally
less skilled and less trusted than the administrators in the corporate HQ. Branch office administrators
are responsible for lower-level administrative functions related to application installation,
performing operating system and application updates, and restarting servers and domain
controllers (DCs). However, the branch office administrator is generally not authorized to perform
Active Directory–related administrative functions. Because branch office administrators
are not as skilled or as trusted as the HQ administrators and because they typically are responsible
only for their local branch office systems, it is generally not desirable to add the branch
office administrators to the Domain Admins group or to other domain-related built-in groups.
This is usually too much privilege.
As in Windows Server 2003, you can use the Delegation of Control Wizard in Windows Server
2008 to delegate preconfigured levels of privilege at the Active Directory site, the domain, and
Lesson 1: Branch Office Deployment 291
the organizational unit (OU). Several additional preconfigured levels of privilege have been
added at the domain level to the wizard in Windows Server 2008.
Because the branch office almost always represents an Active Directory site, it might seem that
the Delegation of Control Wizard should be used at the site level to delegate privilege to the
branch office administrator. However, the preconfigured privileges available at the site level
number exactly one—Manage Group Policy Links, just as it was in Windows Server 2003. The
Delegation of Control Wizard enables you to create custom tasks to delegate, but when privilege
is delegated at the site level, the branch office administrator’s level of authority would
approximate that of an Enterprise Admin. Enterprise Admin is far too much authority for the
branch office administrator and is usually not a good choice for delegation in this case.
If the branch office is configured in Active Directory as its own domain, the branch office
administrator can be granted Domain Admin status in his or her home domain. This might or
might not be too much authority because members of the Domain Admins group can write
GPOs, delegate authority, and define a great deal of policy and control over the domain. Delegation
at the domain level would require a skilled and trusted branch office administrator. If the
branch office administrator is up to this level of challenge, responsibility, and authority in the
enterprise, in which the branch office is its own domain, making the branch office administrator
a domain administrator in his or her home domain could be a viable option.
It is generally better to delegate administrative authority at the lowest possible container
within the Active Directory structure—the OU. For more granular administrative control, create
an OU for each branch office and delegate authority to the branch office administrator at
the OU level. Then place all local branch office users and computers into the proper branch
office OU. At the OU level, the Delegation of Control Wizard has about a dozen preconfigured
levels of privilege. Members of the Enterprise Admins group can still create and link GPOs at
the Site level, with the optional “Enforced” setting enabled, for high-level, enterprise administrative
control. Members of the Domain Admins group can also create and link GPOs at the
domain level, again with the optional “Enforced” setting enabled, for high-level administrative
NOTE Domain restructuring
Windows Server 2008 provides for domain restructuring in an entirely new way. Branch offices are
often isolated from the main office not just geographically but financially (like a different cost center)
or administratively (politically), with different network administration, and they might even have
different requirements regarding security and compliance concerns.
No matter how the branch office is configured within Active Directory, the branch office might be
restructured to better fit the business needs of the enterprise with the control and administration
models supported by the different Active Directory containers.
The topic of restructuring domains is covered in Chapter 3, “Planning Migrations, Trusts, and
292 Chapter 6 Design a Branch Office Deployment
Although you can use delegation of authority at the site, domain, or OU to provide administrative
control over member computers and users, what about the domain controller that is
physically located in the branch office? Domain controllers should never be moved from the
Domain Controllers OU. How can the local branch office administrator manage that operating
system and applications? You don’t want the local administrator working with Active Directory,
but you need his or her help in maintaining the server operating system underlying Active
Directory. Windows Server 2008 introduces Administrator Role Separation specifically to
address this issue.
Administrator Role Separation
A new feature of Windows Server 2008 is the ability to delegate local administrative privilege
on a domain controller (DC). This grants the delegated user or group local administrator privilege
on the server, with the ability to log on to the server, update drivers, and restart the server,
but disallows them from being able to manage Active Directory or the Directory Services. This
is called Administrator Role Separation.
You must perform Administrator Role Separation delegation on a server-by-server basis. The
delegated user or group will not have any administrative privileges on other DCs in the
domain. To implement Administrator Role Separation on a single DC, at a command prompt,
and press Enter. At the DSMGMT prompt, type:
and press Enter. You can type a question mark (?) to get help at any level in the DSMGMT
application. Next, type:
to view the possible delegations on the server. Now, for the delegation, type:
add <domain>\<username or group name> administrators
You should receive the following response:
Successfully Updated Local Role
Next, to confirm the delegation, type:
show role administrators
You should see the user or group that has been delegated the Administrator Role Separation
role. Keep in mind that this grants the delegated user or group administrative privilege only on
this one DC. To grant administrative privilege to the branch office administrator over users
Lesson 1: Branch Office Deployment 293
and computers in the branch office, you will also need to delegate privilege at the site, domain,
or OU level for the branch office, as appropriate.
Components and Services in the Branch Office
The branch office typically has relatively few users, relatively few computers, a smaller budget
for information services, reduced network infrastructure devices (like servers and firewalls),
and, most unfortunately, lesser security and less-skilled administration. The users in the
branch office will still need access to enterprise resources, along with a reasonable level of performance,
coupled with an appropriate level of security for the information systems. Furthermore,
there might be the need to provide additional infrastructure in the branch office to
remain in compliance with industry regulations and laws. There needs to be a balance
between the needs of the users in the branch office and the cost of providing infrastructure,
support, performance, and reliability for the network. It is not prudent business practice to
“just throw money” at the issue, hoping that the complaints and other problems go away.
Consequently, a branch office will need an infrastructure to provide information services. This
section will explore some of the options and discuss the benefits, along with the price you’ll
pay to implement the service in the remote and potentially unsupported and nonsecure
branch office. As a branch office grows, the need for local services and support also grows. Following
is a list of information system components and services that might be desirable in the
■ Client computers
❑ Member or standalone, to support services like File Services, Print Services, and
other infrastructure services
❑ Full server or Server Core installation
■ Domain controller (DC)
❑ Full server: DC or Read-Only DC (RODC)
❑ Server Core: DC or RODC
■ Global catalog (GC)
■ Operations master roles
■ Domain Name System (DNS)
■ Multisite cluster nodes
■ Distributed File System (DFS) or Distributed File System with Replication
■ Routing and Remote Access Services
❑ For dial-in and VPN, DHCP relay agent, and Network Address Translation (NAT)
294 Chapter 6 Design a Branch Office Deployment
■ Windows Server Update Services, to provide Microsoft operating system (OS) and application
■ Windows Server Virtualization (WSv) services
In addition, the branch office will typically need at least one firewall/router and a wide area
network (WAN) link to provide connectivity to the HQ networks, as well as to the Internet. A
more detailed discussion of the elements on this list follows.
The branch office network typically connects to the HQ over dedicated WAN links, like a T1
or a T3, or they connect through VPNs over the Internet’s public network. In either case, for
performance and reliability reasons, it is often desired to place network infrastructure systems
in the branch office.
Windows Deployment Services
What is the value of a branch office without computers? How do you get those standardized
operating system and application installations to the branch office? Microsoft has redesigned
the earlier Remote Installation Services (RIS) in Windows Server 2008 to enhance the remote
deployment and reimaging of computers using preconfigured images complete with applications
and settings. Windows Deployment Services (WDS) is a server role that can be added to
any Windows Server 2008 server.
WDS is optimized to deploy Windows Vista and Server 2008, but it can deploy earlier versions
of Windows operating systems. It relies on preboot execution environment (PXE) technology
and requires Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity between
the WDS server and the target client. WDS can deploy remote clients using multicast transmission
to deploy an image to a large number of client computers simultaneously.
Windows Server 2008 Server—Member or Standalone In the enterprise, the most common
deployment of client and server class computers is to make them members of the domain
by joining them to the domain. This must be done on the local computer, by script, or by
answer file during an unattended installation. Joining these systems to the domain implements
the administrative control desired (required) by the administration and by the enterprise
security policy. The majority of administrative control is accomplished through the GPO
within Active Directory. The benefit to the user of the system is single sign-on to access
resources enterprise-wide. The impact of joining the domain for a computer is giving up
administrative control of the computer. The administrators in the enterprise now own the control
of the system.
For the administrator in the enterprise, almost the only circumstances in which it might be
desirable to have a company computer remain a standalone system and not join the domain
is when there is little or no need to access enterprise resources and when there is significant
risk of the computer being compromised. The compromise could be physical theft or access,
or it could be an attack through the network.
Lesson 1: Branch Office Deployment 295
Windows Server 2008 Server Core Server Core is the securest installation of Windows
Server 2008. Server Core installs a minimal operating system, providing minimal services and
applications, with no Windows shell and a limited graphical user interface (GUI). This
reduces the maintenance, the management, and the hardware requirements of the server.
(Server Core requires only about 1 GB of hard disk drive space for installation and about 2 GB
for ongoing server operations.)
Perhaps more significant, Server Core reduces the attack surface of the server, making it the
securest installation of Windows Server 2008. It is designed as a bastion host or hardened
server, already minimizing the attack vectors of the operating system. Almost always, the way
that a hacker is able to compromise a computer is through vulnerabilities in services and applications
(program code) running (in memory) on the computer. These vulnerabilities are
inherent in all program code. By reducing the number of services and applications that run on
a computer, you are reducing the number of attack vectors available to the hacker. This is
exactly what Server Core does. It operates with a bare minimum of services and programs
running in memory.
Furthermore, if the hacker can break into a running process, the hacker’s level of privilege is
that of the user account that initially launched the compromised process. After a hacker
accesses a computer through one of the vulnerabilities in running program code, the hacker’s
next objective is to elevate his or her level of privilege in order to acquire greater control over
the computer. This is commonly accomplished by triggering the execution of a service (or
other process) that runs at a higher level of privilege. Because vulnerabilities are inherent in all
program code, the hacker now breaks into the process that runs at the higher level of privilege,
acquiring a higher level of privilege on the computer. Again, because Server Core has a reduced
set of services and applications installed and available on the computer, the hacker has fewer
targets with elevated privilege to execute and exploit. This reduces the likelihood that a hacker
can elevate his or her level of privilege on the Server Core server, keeping the hacker at a lower
level of privilege. These are the principal mechanisms that make Server Core the securest
implementation of Windows Server 2008.
NOTE The many facets of security
The reduction of programs in memory and on the hard disk drive does not alone ensure security of
the computer. These features, combined with a comprehensive, multilayered, and monitored security
structure, are the best defense against hacker compromise of the computer system.
It only takes one vulnerability in a system to enable the hacker to exploit the system. You must
attempt to secure them all. Many of these other security measures are addressed later in this
Because Server Core has no Explorer shell and a limited GUI, local administration and administration
through a Remote Desktop (Terminal Services) connection must be performed using
commands at a command prompt. Figure 6-1 shows the Server Core console.
296 Chapter 6 Design a Branch Office Deployment
Figure 6-1 The Server 2008 Server Core console
Many Control Panel items are available in Server Core. Type the name of the .cpl item at the
command prompt, like intl.cpl and timedate.cpl. These Control Panel items provide about
the only limited GUI for local server administration. Other useful administrative tools are
RegEdit.exe, RegEdt32.exe, and bcdedit.exe. You can also use scripts, based on Extensible
Markup Language (XML), to configure the Server Core server.
You can also manage the Server Core server remotely, using the Microsoft Management Console
(MMC) or through remote command-line tools. The MMC used through a remote connection
to the Server Core server is the only way to administer the Server Core server through a GUI
Server Core supports the following server roles:
■ Active Directory Domain Services (AD DS)
■ Active Directory Lightweight Directory Services (AD LDS)
■ DHCP Server
■ DNS Server
■ File Server
■ Print Server
■ Streaming Media Services
■ Web Server (IIS)
You must select Server Core during the installation of the operating system. Figure 6-2 shows
the selection menu from which you need to select the Server Core installation during the
installation of Windows Server 2008.
Windows Server 2008 Server Core in the branch office, whether configured as a standalone,
member, domain controller, or read-only domain controller server, provides the securest
Windows Server 2008 operating system platform because of its server hardening by design.
You should use this implementation when the server has a significant risk of being either physically
or electronically exposed to compromise or when the server will be supporting the most
Lesson 1: Branch Office Deployment 297
sensitive data or processes, even in a well-protected LAN or branch office environment. The
potential minor cost savings in hardware should typically not be a consideration in making
Figure 6-2 Selecting Windows Server 2008 Full Installation or Server Core Installation
Windows Server 2008—Full Installation The full installation of Windows Server 2008 is
what most administrators are used to. It provides all of the desired features through a familiar
GUI. Unfortunately, all the “make life easy for the administrator” gadgets, GUIs, tools, utilities,
and applications create substantially more opportunities for hackers to break into and take
over a server, as previously described.
Windows Server 2008—full installation is generally safe to use on the well-protected LAN or
branch office environment where the threat of compromise is reduced and where the server is
supporting less than highly sensitive data and processes.
Adding a Domain Controller
Access to the domain controller server is required for successful authentication of users and
computers in the enterprise. Adding a DC to a branch office introduces increased risk, cost,
and administrative overhead in human terms, and in terms of directory services, it involves the
■ The additional hardware (cost) at the branch office.
■ Enterprise Admins must create, configure, and maintain a site in Active Directory for the
298 Chapter 6 Design a Branch Office Deployment
■ There will be Active Directory replication traffic over the WAN link between HQ and the
■ There will be the need for additional infrastructure devices or services, or both.
■ The remote DC must be maintained (at the server level), requiring that Administrator
Role Separation be configured.
■ There are security concerns about having a copy of the entire Active Directory database,
complete with usernames and passwords, along with the additional infrastructure systems
and services in this potentially unsecure facility.
On the other hand, having a DC in the branch office provides a notable improvement in performance
and reliability for the branch office for the following reasons:
■ Branch office users can authenticate faster and can authenticate even if the WAN link is
■ All other local requests of Active Directory Domain Services respond faster and are successful
even if the WAN link is down.
■ Not having a DC in the branch office means the branch office relies more heavily on the
performance and reliability of the WAN link.
■ The DC provides an additional level of fault tolerance to the Active Directory database.
Microsoft recommends the addition of a DC in any site (like a branch office) in the following
■ More than 100 users are in the site.
■ The site is using an application that relies on a custom Active Directory partition for replication.
■ Domain logons must be successful (typically expressed as the requirement to access
domain resources) even if the WAN link is down.
NOTE Active Directory Domain Services binaries
A new process that runs prior to initializing the Active Directory Installation Wizard is the installation
of the DCPromo binaries (executables) onto the server. You can initiate this by adding the AD
DS server role to the server. Then you can execute DCPromo. Alternatively, if you don’t first install
the AD DS server role, you’ll see it automatically initiate by simply running DCPromo at a command
In the situations where the DC is required in the branch office, the next decision is “What type
of DC shall be deployed in the branch office?” This question has new potential answers in
Windows Server 2008. Windows Server 2008 can now provide the following types of DCs,
engineered to help satisfy reliability, performance, and security concerns in the branch office.
Lesson 1: Branch Office Deployment 299
Full Domain Controller Based on a full installation of controller Windows Server 2008 (as
opposed to a Server Core installation), the full domain contains all of the standard components
of Active Directory, just as it did in Windows Server 2003. These DCs perform bidirectional
replication with other DCs in the domain and forest, just as they did in earlier versions
of the operating system.
The full domain controller is the least secure implementation of the DC. It has the full operating
system, with many opportunities for the hacker to exploit. It has the full Active Directory
database, complete with usernames and passwords. The Active Directory database is writable,
providing the opportunity for inappropriate modification, which is a violation of the integrity
of the data in the Active Directory database. These potential violations of integrity can be the
result of either an authorized user’s accidental misconfiguration or willful misuse or of an
unauthorized user (hacker) manipulating Active Directory.
Read-Only Domain Controller The RODC is a more secured version of a DC. Based on a
full installation of Windows Server 2008 (as opposed to a Server Core installation), the RODC
contains all of the standard components of Active Directory, except for account passwords.
Clients are not able to write any changes to the RODC, however. Lightweight Directory Access
Protocol (LDAP) applications that perform write operations are referred to writable DCs that
are located in the nearest site over an available WAN link. RODCs receive only inbound, oneway
domain data replication from Windows Server 2008 DCs in the domain.
In addition to the read-only Active Directory database and the one-way replication, RODC features
include the following:
■ Credential caching Limited contents are stored in the password database in case of
compromise. Administrators must configure a Password Replication Policy to allow
password replication of only specified accounts to occur to the RODC.
■ Administrator Role Separation Described earlier in this lesson.
■ RODC filtered attribute set To allow administrators to selectively filter attributes on
Active Directory objects, typically for security purposes.
■ Read-only DNS All Active Directory–integrated zones get replicated to the read-only
DNS server; however, the zones are nondynamic. When clients attempt to update their
DNS information, the read-only DNS server returns a referral to the client with the
address of a DNS server with a writable copy of the zone.
NOTE Increased RODC security comes at a price
Although the RODC provides additional security against unauthorized changes to Active Directory
and minimizes the number of passwords that might be compromised if the DC gets stolen from the
branch office, the RODC cannot be used to make any changes to Active Directory data. If the WAN
link is down, no changes can be made to Active Directory through the RODC.
300 Chapter 6 Design a Branch Office Deployment
The RODC was largely designed for the branch office implementation. It can be installed on
the full installation or the Server Core installation of Windows Server 2008—Server Core, of
course, being the more secure of the two. The option to install the DC as a RODC is a new setting
in the DCPromo utility, as shown in Figure 6-3.
Figure 6-3 Selecting the read-only domain controller during DCPromo
The RODC will be covered in more detail in Lesson 2, “Branch Office Server Security.”
Server Core Domain Controller As stated previously, Server Core is the securest installation
of Windows Server 2008. Server Core installs a minimal operating system, providing minimal
services and applications, with no Windows shell and a limited GUI.
Server Core is not a DC by default, but AD DS can be added to the Server Core installation.
When the more secure RODC role is added to the Server Core installation, you have the securest
DC installation possible, optimized for the risky branch office implementation. You add
the AD DS role to the Server Core server using the DCPromo /unattend <unattend.txt> command,
along with a preconfigured answer file (Unattend.txt) for the DCPromo utility.
Windows Server 2008 Server Core in the branch office, whether configured as a standalone,
member, DC, or read-only DC server, provides the securest Windows Server 2008 operating
system platform due to its server hardening by design.
Global Catalog The global catalog server is required for successful authentication of users
and computers in the enterprise. The global catalog (GC) must reside on a DC. Microsoft recommends
that you place a GC in a branch office in the following situations:
■ There is a DC in the branch office, and:
■ The WAN link is unreliable.
■ There are more than 100 users in the branch office.
Lesson 1: Branch Office Deployment 301
■ Universal group membership caching is not enabled.
■ The branch office supports Active Directory–aware or Distributed Component Object
Model (DCOM) applications.
Placing a GC in the branch office will improve the performance of LDAP queries, user logons,
and Active Directory–aware and DCOM applications for users in the branch office.
Placing a GC in the branch office requires a DC in the branch office, raising the risk of the DC
being compromised. Furthermore, it increases the risk of compromise of sensitive GC data,
and it increases the amount of AD DS replication traffic to and from the branch office over the
Operations Masters Few situations would warrant placing one or more operations masters
in a branch office. These are significant components that reside on DCs within the AD DS environment,
and placing them in an isolated, and potentially disconnected, branch office could
cause problems for the entire forest. About the only cases where it might be appropriate are:
■ There is a DC in the branch office, and:
■ The branch office is its own domain. A DC in the branch office would hold the relative
ID (RID) master, the infrastructure master, and the PDC emulator operations master
■ The branch office is its own forest. A DC in the branch office would hold the domain
naming master, the schema master, the RID master, the infrastructure master, and the
PDC emulator operations master roles.
■ The branch office has the bulk of down-level clients in the enterprise. A DC in the branch
office would hold the PDC emulator operations master roles.
In almost every other case, the operations master roles should typically remain on the wellsecured,
stable, and well-connected HQ network.
Domain Name System The Domain Name System (DNS) server is required for successful
authentication of users and computers in the enterprise and for Internet access. Clients in the
branch office will need to locate AD DS servers and other infrastructure services. It is useful,
and can be a requirement, that a DNS server be placed in the branch office. This provides rapid
registration and query responses, even if the WAN link to HQ is down or busy.
Providing a DNS server in the branch office is a requirement if the branch office is configured
as its own domain in AD DS. Local clients will need local DNS to locate domain-related services.
From the perspective of the user or a computer, the act of locating AD DS is accomplished
through service location (SRV) records within the DNS zone for the domain. In
addition, other AD DS DNS zones throughout the forest must:
■ Be configured as Active Directory–integrated DNS zones with proper replication partitions
■ Have secondary DNS zones and zone transfers configured.
302 Chapter 6 Design a Branch Office Deployment
■ Have forwarders or stub zones configured.
■ If the branch office domain is a child domain, a delegation record in the parent DNS
zone will need to be configured.
Dynamic Host Configuration Protocol (DHCP) Services Another network infrastructure
service that is often required is DHCP for the dynamic assignment of IP addresses and
other configuration settings to clients. Again, for performance and reliability reasons, placing
a DHCP server in the branch office is often desirable. This aids IP connectivity for branch office
clients even if the WAN link is down for extended periods.
Multisite (Branch Office) Clustering with Microsoft Cluster Services Failover clusters
provide server fault tolerance for highly available applications and services, such as SQL
Server, Exchange Server, Windows Server Virtualization (also known as Hyper-V or WSv)
servers, DHCP servers, and file and print services. You can place cluster nodes in each
branch office site to provide local access with increased availability to applications, services,
Distributed File System Replication for Data Fault Tolerance Another fault tolerant
mechanism that can be used in the branch office is distributed file system (DFS) replication.
DFS Replication is typically used to replicate data files to multiple and geographically dispersed
DFS replica sets, which is ideal for the branch office deployment. DFS Replication
has been overhauled in Windows Server 2008, with improvements in performance, data reliability,
and replication on demand (called Replicate Now), and it can be used on the new
Windows Server 2008 RODC server. DFS Replication is so much better than the earlier
(Windows 2000 Server and Windows Server 2003) File Replication Service (FRS) that it
replaces FRS for SYSVOL replication for domains configured to use the Windows Server 2008
domain functional level.
Routing and Remote Access Services The Routing and Remote Access Services (RRAS)
server hosts several useful but potentially risky services. It is now a component of the Network
Policy and Access Services server role, but it can be installed independently of NAP. New in
Windows Server 2008 is support for IPv6.
RRAS can be particularly useful in the branch office because it includes the following services:
■ VPN server
■ Demand-dial routing—for use with establishing on-demand VPNs
■ Network address translation (NAT) with:
❑ IP routing (small scale, just perfect for satisfying the limited routing needs in the
❑ DHCP relay agent
Lesson 1: Branch Office Deployment 303
In addition, RRAS provides support for these typically lesser-used but sometimes helpful services:
■ Dial-in connections
■ IGMP—Multicast routing
■ Routing Information Protocol (RIP) v1 and v2
If you decide to place an RRAS server in the branch office, if it doesn’t exist in the branch office
already, you’ll want to consider the potential placement of a DC in the branch office. If the
RRAS server will be authenticating users and VPN connections, you might prefer to provide
local authentication services.
The VPN server component of the RRAS server provides tremendous benefits in securing
information in transit between the branch office and HQ, between two branch offices, and
between the branch office and remote authorized users. It can provide core network infrastructure
services with NAT, IP routing, and the DHCP relay agent.
However, remember that a dial-in server, like RRAS, allows remote users, both authorized
users and hackers, to gain access to the internal network and its resources. This device is a gap
in the security fortress and must be implemented with careful consideration and planning. It
requires ongoing monitoring and analysis to maintain and maximize security on this portal
into your network infrastructure.
Windows Server Update Services (WSUS) Microsoft Windows Server Update Services
(WSUS), currently v3.0 SP1, enables administrators to deploy the latest Microsoft product
updates to computers running the Windows operating system. This server downloads, stores,
and distributes approved Microsoft operating system and application updates to computers in
the enterprise. Placing a WSUS server in a branch office reduces update traffic, either from the
HQ or from the Internet. The WSUS server in the branch office can be managed from HQ, so
no administrative privilege is required other than local administrator privilege (Administrator
Role Separation, which was covered earlier in this chapter) for underlying server support. HQ
administration can, of course, grant update approval authority to the branch office administrator,
The down side, again, is the hardware cost, the slightly increased local administration overhead,
and the increase of the attack surface of the server and the branch office network.
Virtualization in the Branch Office Another new technology that can be a major benefit in
the branch office is Microsoft’s Hyper-V technology. Hyper-V provides support for running
multiple virtual machines on a single physical computer host. This is referred to as server consolidation.
Because most computers operate using only 10 to 25 percent of a computer system’s
available resources, such as RAM and CPU clock cycles, the hardware is severely
underutilized. By running multiple virtual machines on a single physical server host, these
server resources are much better utilized, requiring fewer physical servers and providing better
304 Chapter 6 Design a Branch Office Deployment
return on investment. Having fewer physical devices in the branch office reduces the number
and difficulty of physically securing those fewer devices.
Microsoft’s virtualization technology provides for rapid and easy deployment of virtual
machines and simplifies the migration of virtual machines from one physical host to another.
These features can be essential components of the enterprise’s business continuity and disaster
recovery plans. Hyper-V can be implemented on Windows Server 2008 Server Core servers
for increased security and can be clustered to provide server failover fault tolerance.
Hyper-V is included with Windows Server 2008 Standard, Windows Server 2008 Enterprise,
and Windows Server 2008 Datacenter. Windows Server 2008 Standard includes one virtual
instance per license. Windows Server 2008 Enterprise includes four virtual instances per
license. With Windows Server 2008 Datacenter, customers receive unlimited virtual instances
per license. You can buy these versions without Hyper-V, but the savings are negligible.
Branch Office Communications Considerations
Branch office networks need to connect to resources in the HQ network. This connection can
be on dedicated lines, like a T1 or T3, or it can communicate over the public wires of the Internet.
In either case, these channels of communication should be protected from the sniffer or
eavesdropper. Furthermore, it is not uncommon for the WAN link between the branch office
and HQ to go down, forcing the network administrator to view WAN links as unreliable. These
unsecure and unreliable WAN links are required to carry sensitive corporate, medical, financial,
and otherwise private data requiring protection by laws and regulations, as well as data to
support AD DS. The types of data an enterprise must consider in its branch office deployment
design are the following:
■ User data—accessed over the WAN links and for centralized backups at HQ
■ DFS replicated data
■ AD DS replication data—if the branch office holds a DC
■ Global catalog replication data—if the branch office holds a GC
■ DNS data—either within AD DS replication Active Directory Integrated zones or in zone
■ Multisite clustering heartbeat data
Site Link Considerations for the Branch Office
Each defined site must connect to AD DS by means of a site link. A site link is the logical connection
object between sites for AD DS replication. This logical connection, of course, requires
physical connectivity to be in place and to be functioning properly for replication to succeed.
Due to the security constraints on different types of data that must be replicated and to provide
redundancy for failed replication servers, there are often replication paths for Active
Directory replication data that would fail without the addition of site link bridges.
Lesson 1: Branch Office Deployment 305
The good news is that from as early as Windows 2000 Server, site link bridging is enabled by
default on all site links. If tighter control over replication paths is required, the Bridge All Site
Links option can be disabled. The administrator must then manually construct any specific
site link bridges required to provide the proper connectivity and redundancy on these logical
Another aspect of AD DS replication, new to Windows Server 2008, is the need to ensure replication
to the new RODC. Unfortunately, down-level domain controllers (Windows 2000
Server and Windows Server 2003) do not recognize an RODC because of its one-way replication
processes and will not replicate data to it. This requires that any site with only RODCs
(one or more) must have a site link directly to a site with at least one Windows Server 2008
DC. The Windows Server 2008 DC does recognize the RODC and will replicate AD DS data to
Confidentiality for Data in Transit
No matter what type of connection you use, you should employ VPNs to secure data in transit
between the branch office and HQ and between remote clients and the branch office. Windows
Server 2008 provides VPN support for the following VPN protocols:
■ Point-to-Point Tunneling Protocol (PPTP) The early and original Microsoft VPN protocol.
This VPN is easy to set up and provides reasonable security based on the RC4 cipher
for encryption. It uses TCP port 1723.
■ Layer 2 Tunneling Protocol (L2TP) Operates at layer 2 of the OSI model, so no IP network
is required. L2TP provides strong authentication, nonrepudiation, and strong
integrity validation by using X.509 digital certificates on the end point servers. It does
not provide confidentiality (encryption). It uses TCP port 1701.
■ IP Security (IPsec) Operates at layer 3 of the OSI model, so an IP network is required.
It has become the de facto VPN protocol of choice. With Windows Server 2008, it uses
3DES or AES for encryption and can provide weak authentication and integrity validation
based on Kerberos. It can be strengthened to provide strong authentication, nonrepudiation,
and integrity validation based on X.509 digital certificates. It uses UDP
■ Secure Sockets Transport Protocol (SSTP) This is a new feature in Windows Server 2008.
This VPN protocol is based on the very popular Hypertext Transfer Protocol (HTTP)
over Secure Sockets Layer (SSL) and Transport Layer Security (TLS), but it has been
refined for use on the LAN (versus its original use for Web-based services and applications).
It can provide only client-to-server functionality and provides strong authenticity,
nonrepudiation, and integrity validation of the server (only), along with weak authentication
and integrity validation of the client. SSTP has native support for IPv6. It is based
on an X.509 digital certificate on the server, uses the popular RC4 and AES ciphers, and
runs over TCP port 443.
306 Chapter 6 Design a Branch Office Deployment
■ The branch office is typically isolated, with minimal support, infrastructure, and security
than the enterprise HQ. Therefore, the branch office is more likely to be compromised
than systems at the more developed HQ.
■ Delegate privilege to the branch office administrator following the principle of least privilege,
using Administrator Role Separation and the Delegation of Control Wizard at the
lowest level in the Active Directory hierarchy.
■ Consider restructuring the AD DS to optimize administrative control and limit exposure
in the branch office.
■ Analyze the need for information systems services in the branch office. Balance the
needs and benefits of placing these infrastructure services in the remote and less secure
branch office with the associated costs and risks.
■ Understand the dependencies that services installed in the branch office might require,
along with their associated costs and risks.
■ Carefully plan and understand the connectivity (WAN links) between the branch office
and HQ so that proper security and fault tolerant measures can be implemented.
You can use the following questions to test your knowledge of the information in Lesson 1,
“Branch Office Deployment.” The questions are also available on the companion CD if you
prefer to review them in electronic form.
Answers to these questions and explanations of why each answer choice is correct or incorrect are
located in the “Answers” section at the end of the book.
1. What new feature of Windows Server 2008 gives a branch office administrator the privilege
of logging onto a DC for server administration but does not give the administrator
the privilege of administering Active Directory?
A. Read-only domain controller (RODC)
B. Server Core domain controller
C. Administrator Role Separation
Lesson 1: Branch Office Deployment 307
2. Which of the following provides user data fault tolerance in a branch office?
A. Read-only domain controller (RODC)
C. Server Core
D. DFS Replication
3. Your HQ has a DHCP server. You are designing a new branch office. You need to provide
dynamic IP addressing to branch office clients, even if the wide area network (WAN) link
fails between headquarters (HQ) and the new branch office. What should you do?
A. Install a DHCP relay agent in the branch office.
B. Configure a superscope on the DHCP server in HQ.
C. Install DHCP on a multisite cluster node in the branch office.
D. Install demand dial routing in the HQ.