prereq updates for hybrid key trust

First attempt at creating tables for adequate DC content
This commit is contained in:
Mike Stephens
2017-10-20 09:46:58 -07:00
parent 0c13c2cf69
commit 8879c1e48a
2 changed files with 11 additions and 7 deletions


@ -17,19 +17,23 @@ ms.date: 10/09/2017
- Windows<77>10
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
>This section only applies to Hybrid and On-premises key trust deployments.
## One size does not fit all
## How many is adequate
How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controllers load is due to initial Kerberos authentication. It<49>s important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication<6F>it remains unchanged.
Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, user in a key trust deployment user must authenticate to a Windows Server 2016 domain controller.
Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller.
Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as <20>piling on<6F>. To illustrate the <20>piling on<6F> concept, consider the following scenario.
Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as <20>piling on<6F>. To illustrate the <20>piling on<6F> concept, consider the following scenario.
Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following.
![dc-chart1](images/dc-chart1.png)
|: Kerberos AS Requests :|
| |:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|
|:WHFB|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|
|:Pasword|:100:|100:|100:|100:|100:|100:|100:|100:|100:|100:|100:|1000:|
The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following.
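Review bot: the Kerberos AS Requests table added under the `dc-chart1` image will not render as a Markdown table and its cells do not match the scenario it illustrates. The header row repeats `DC1` twelve times although the paragraph above describes ten domain controllers (`DC1` through `DC10`), the alignment colons are inside the cells instead of in a separator row, the separator row is missing entirely, the first header cell is empty, the row label `Pasword` is missing an `s`, and the trailing `1000` in that row has no `Total` header above it. Suggest a header line `| | DC1 | DC2 | DC3 | DC4 | DC5 | DC6 | DC7 | DC8 | DC9 | DC10 | Total |` followed by a `|---|` separator row and then the `WHFB` and `Password` rows with eleven value cells each, so the table reads as the accessible counterpart of the chart image. Minor: in the paragraph beginning "How can you find out", `a domain controllers load` should be `a domain controller's load`.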


@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 10/09/2017
ms.date: 10/20/2017
---
# Hybrid Windows Hello for Business Prerequisites
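Review bot: the `ms.date` bump to `10/20/2017` matches the commit date, but the other file in this commit, whose hunk context still shows `ms.date: 10/09/2017`, is the one that received the substantive content changes (the new domain controller sizing paragraphs and table) and keeps the old date; suggest bumping that file's `ms.date` as well so the freshness metadata reflects where the content actually changed.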
@ -30,11 +30,11 @@ The distributed systems on which these technologies were built involved several
* [Device Registration](#device-registration)
## Directories ##
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. The
A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, may not require Azure Active Directory premium subscription.
Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. In addition to the Windows Server 2016 Active Directory schema, key trust deployments need an adequate number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business.
You can deploye Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. In addition to the Windows Server 2016 Active Directory schema, key trust deployments need an adequate number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business.
Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
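Review bot: the rewritten Directories line ends in an unfinished sentence (`... is Windows Server 2008 R2. The`); either complete the thought or drop the trailing `The` before merging. Also in this hunk: `Busines` should be `Business`, the comma in `The hybrid key trust deployment, may not require Azure Active Directory premium subscription` should be removed, and `may not require` leaves a reader unsure whether a Premium subscription is needed for the key trust model, so consider stating the requirement explicitly. In the following paragraph, `You can deploye` should be `You can deploy`.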