An RODC is a new type of domain controller introduced in Windows Server 2008 that hosts read-only partitions of the Active Directory database. It provides faster authentication and access to resources for users in branch offices and remote locations that may lack adequate physical security for a regular writable domain controller. Key features of an RODC include read-only replication of AD data, unidirectional replication to prevent changes made on the RODC from replicating elsewhere, credential caching to allow faster authentication after initial login, role separation to delegate local administration without domain rights, and read-only DNS. Administrators should prepare for RODC deployment by updating the AD schema and ensuring the domain and forest are at the appropriate functional level.
AD DS: Read-Only Domain Controllers
Updated: January 13, 2011
Applies To: Windows Server 2008
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:
Improved security
Faster logon times
More efficient access to resources on the network
For more information about RODCs, see the Read-Only Domain Controller (RODC) Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993).
What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.
However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.
In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.
Who will be interested in this feature?
RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically have the following characteristics:
Relatively few users
Poor physical security
Relatively poor network bandwidth to a hub site
Little knowledge of information technology (IT)
You should review this section, and the additional supporting documentation about RODC, if you are in any of the following groups:
IT planners and analysts who are technically evaluating the product
Enterprise IT planners and designers for organizations
Those responsible for IT security
AD DS administrators who deal with small branch offices
Are there any special considerations?
To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.
For more information about prerequisites for deploying an RODC, see How should I prepare to deploy this feature?
What new functionality does this feature provide?
RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it. The following RODC functionality mitigates these problems:
Read-only AD DS database
Unidirectional replication
Credential caching
Administrator role separation
Read-only Domain Name System (DNS)
Read-only AD DS database
Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.
Local applications that request Read access to the directory can obtain access. Lightweight Directory Access Protocol (LDAP) applications that request Write access receive an LDAP referral response. This response directs them to a writable domain controller, normally in a hub site.
RODC filtered attribute set
Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is compromised.
For these types of applications, you can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set. Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest.
A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request can succeed.
Therefore, as a security precaution, ensure that the forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.
You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it is required for AD DS, the Local Security Authority (LSA), the Security Accounts Manager (SAM), or Microsoft-specific Security Service Provider Interfaces (SSPIs), such as Kerberos, to function properly. A system-critical attribute has a schemaFlagsEx attribute value equal to 1 (schemaFlagsEx attribute value & 0x1 = TRUE).
The RODC filtered attribute set is configured on the server that holds the schema operations master role. If you try to add a system-critical attribute to the RODC filtered attribute set while the schema master is running Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema master be a Windows Server 2008 domain controller when you add attributes to the RODC filtered attribute set. This ensures that system-critical attributes are not included in the RODC filtered attribute set.
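As an added illustration (not code from the Microsoft article), the following Python models the rules above: schemaFlagsEx & 0x1 marks a system-critical attribute, a Windows Server 2008 schema master refuses to add one with "unwillingToPerform", and a Windows Server 2003 schema master appears to accept it without changing anything. The searchFlags bit 0x200 that marks an attribute as RODC-filtered is taken from MS-ADTS rather than from this page, and all schema entries are constructed sample data.

```python
"""Added example, not code from the Microsoft article: models the rules the
text gives for adding attributes to the RODC filtered attribute set. The
schema entries below are constructed; in a real forest they would be
attributeSchema objects read from the schema partition."""

SYSTEM_CRITICAL = 0x1   # schemaFlagsEx bit: attribute is system-critical (from the text)
RODC_FILTERED = 0x200   # searchFlags bit fRODCFilteredAttribute (MS-ADTS); not stated on the page


def is_system_critical(entry):
    """schemaFlagsEx & 0x1 = TRUE, exactly as the text defines it."""
    return bool(entry.get("schemaFlagsEx", 0) & SYSTEM_CRITICAL)


def add_to_filtered_set(entry, schema_master):
    """Simulate marking `entry` as RODC-filtered on a schema master running
    either "2008" or "2003". Returns the outcome the text describes."""
    if is_system_critical(entry):
        if schema_master == "2008":
            return "unwillingToPerform"   # refused; searchFlags is left untouched
        return "appears to succeed"       # 2003 master: silently not added
    entry["searchFlags"] = entry.get("searchFlags", 0) | RODC_FILTERED
    return "added"


def filtered_attributes(schema):
    """Names of attributes currently marked for the RODC filtered attribute set."""
    return sorted(e["lDAPDisplayName"] for e in schema
                  if e.get("searchFlags", 0) & RODC_FILTERED)


def audit(schema):
    """Defender check: a system-critical attribute that is also marked as
    RODC-filtered should never exist; report any such entry for investigation."""
    return sorted(e["lDAPDisplayName"] for e in schema
                  if is_system_critical(e) and e.get("searchFlags", 0) & RODC_FILTERED)


def demo():
    # Constructed entries: a vendor secret that belongs in the filtered set and a
    # system-critical attribute that must never be added to it.
    schema = [
        {"lDAPDisplayName": "contoso-LicenseKey", "schemaFlagsEx": 0, "searchFlags": 0},
        {"lDAPDisplayName": "sample-CriticalAttr", "schemaFlagsEx": 1, "searchFlags": 0},
    ]
    outcomes = {
        "custom on 2008": add_to_filtered_set(schema[0], "2008"),
        "critical on 2008": add_to_filtered_set(schema[1], "2008"),
        "critical on 2003": add_to_filtered_set(schema[1], "2003"),
    }
    return outcomes, filtered_attributes(schema), audit(schema)


if __name__ == "__main__":
    print(demo())
```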
Unidirectional replication
Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and the effort required to monitor replication.
RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes.
Note
Any other shares on an RODC that you configure to replicate using DFS Replication would be bidirectional.
RODCs also perform automatic load balancing of inbound replication connection objects across a set of bridgehead servers in a hub site. For more information, see Bridgehead Server Selection (http://go.microsoft.com/fwlink/?LinkID=208721).
Credential caching
Credential caching is the storage of user or computer credentials. Credentials consist of a small set of approximately
10 passwords that are associated with security principals. By default, an RODC does not store user or computer
credentials. The exceptions are the computer account of the RODC and a special krbtgt account that each RODC
has. You must explicitly allow any other credential caching on an RODC.
The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different
krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts
ticket-granting ticket (TGT) requests.
After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at the hub
site and requests a copy of the appropriate credentials. The writable domain controller recognizes that the request is
coming from an RODC and consults the Password Replication Policy in effect for that RODC.
The Password Replication Policy determines if a user's credentials or a computer's credentials can be replicated from
the writable domain controller to the RODC. If the Password Replication Policy allows it, the writable domain
controller replicates the credentials to the RODC, and the RODC caches them.
After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until the
credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that it has a
cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a
writable domain controller.)
By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of
credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has
credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that
are cached can potentially be cracked.
Leaving credential caching disabled might further limit exposure, but it results in all authentication requests being
forwarded to a writable domain controller. An administrator can modify the default Password Replication Policy to
allow users' credentials to be cached at the RODC.
Administrator role separation
You can delegate local administrative permissions for an RODC to any domain user without granting that user any
user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and
perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any
other domain controller or perform any other administrative task in the domain. In this way, the branch user can be
delegated the ability to effectively manage the RODC in the branch office without compromising the security of the
rest of the domain.
Read-only DNS
You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory
partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an
RODC, clients can query it for name resolution as they query any other DNS server.
However, the DNS server on an RODC is read-only and therefore does not support client updates directly. For more
information about how DNS client updates are processed by a DNS server on an RODC, see DNS updates for
clients that are located in an RODC site.
What settings have been added or changed?
To support the RODC Password Replication Policy, Windows Server 2008 AD DS includes new attributes. The
Password Replication Policy is the mechanism for determining whether a user's credentials or a computer's
credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy
is always set on a writable domain controller running Windows Server 2008.
AD DS attributes that are added in the Windows Server 2008 Active Directory schema to support RODCs include
the following:
msDS-Reveal-OnDemandGroup
msDS-NeverRevealGroup
msDS-RevealedList
msDS-AuthenticatedToAccountList
For more information about these attributes, see the RODC Planning and Deployment Guide
(http://go.microsoft.com/fwlink/?LinkID=135993).
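The credential-caching flow and the four attributes listed above can be audited from a writable domain controller. The following PowerShell is an added example, not code from the deck or from Microsoft; it assumes the ActiveDirectory module and read access, and the RODC name and the list of sensitive groups are placeholders.

```powershell
# Added example: audit one RODC's Password Replication Policy and the credentials it has cached.
# Assumes the ActiveDirectory module; $rodc and $sensitiveGroups are placeholders.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC01'                                  # placeholder RODC computer name
$sensitiveGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# The policy is stored on the RODC computer object in the attributes the deck lists.
$obj = Get-ADComputer -Identity $rodc -Properties 'msDS-Reveal-OnDemandGroup', 'msDS-NeverRevealGroup'
"Allowed to cache (msDS-Reveal-OnDemandGroup):"; $obj.'msDS-Reveal-OnDemandGroup'
"Never cached    (msDS-NeverRevealGroup):";     $obj.'msDS-NeverRevealGroup'

# msDS-RevealedList: accounts whose credentials have actually been replicated to this RODC.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
# msDS-AuthenticatedToAccountList: accounts that have authenticated through this RODC.
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

"Cached credential sets: $($revealed.Count); accounts that authenticated via $rodc`: $($authenticated.Count)"

# If the RODC is stolen, only the cached credentials can be cracked (as the deck notes), so flag any
# cached account that is also a member of a sensitive group.
foreach ($acct in $revealed) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
        Select-Object -ExpandProperty Name
    $hit = @($groups | Where-Object { $sensitiveGroups -contains $_ })
    if ($hit.Count -gt 0) {
        Write-Warning "$($acct.SamAccountName) is cached on $rodc and belongs to: $($hit -join ', ')"
    }
}
```

Accounts that appear in the authenticated list but not in the revealed list were forwarded to a writable domain controller, which is the default behaviour described above.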
How should I prepare to deploy this feature?
The prerequisites for deploying an RODC are as follows:
The RODC must forward authentication requests to a writable domain controller running Windows
Server 2008. The Password Replication Policy is set on this domain controller to determine if credentials
are replicated to the branch location for a forwarded request from the RODC.
The domain functional level must be Windows Server 2003 or higher so that Kerberos constrained
delegation is available. Constrained delegation is used for security calls that must be impersonated under
the context of the caller.
The forest functional level must be Windows Server 2003 or higher so that linked-value replication is
available. This provides a higher level of replication consistency.
You must run adprep /rodcprep once in the forest to update the permissions on all the DNS application
directory partitions in the forest. This way, all RODCs that are also DNS servers can replicate the
permissions successfully.
What's the difference between transferring a FSMO role and
seizing one? Which one should you NOT seize? Why?
Seizing an FSMO can be a destructive process and
should only be attempted if the existing server with the
FSMO is no longer available.
If you perform a seizure of the FSMO roles from a DC, you
need to ensure two things:
the current holder is actually dead and offline, and that
the old DC will NEVER return to the network.
If you do an FSMO role Seize and then bring the previous
holder back online, you'll have a problem.
An FSMO role TRANSFER is the graceful movement of
the roles from a live, working DC to another live DC.
During the process, the current DC holding the role(s) is
updated, so it becomes aware it is no longer the role holder
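The distinction above maps onto one cmdlet: a transfer is Move-ADDirectoryServerOperationMasterRole without -Force, a seizure is the same cmdlet with -Force. The wrapper below is an added example, not part of the deck; it assumes the ActiveDirectory module, and the target DC name is a placeholder.

```powershell
# Added example: transfer an FSMO role when the holder is alive, and only seize when the caller
# explicitly confirms the old holder is permanently offline. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        # Set only after the old holder has been verified dead and will never return to the network.
        [switch]$HolderConfirmedDead
    )

    # Forest-wide roles are read from the forest object, domain roles from the domain object.
    $holder = switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }
    }
    "Current $Role holder: $holder"

    # Liveness check via LDAP rather than ping: a DC that answers rootDSE can take part in a transfer.
    try   { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop; $alive = $true }
    catch { $alive = $false }

    if ($alive) {
        # TRANSFER: the current holder is updated and becomes aware it no longer owns the role.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role
    } elseif ($HolderConfirmedDead) {
        # SEIZE: destructive; the old holder must never come back online afterwards.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force
    } else {
        throw "$holder did not answer; refusing to seize $Role without -HolderConfirmedDead."
    }
}

# Usage (placeholder DC name): Move-FsmoRoleSafely -TargetDC 'DC02' -Role PDCEmulator
```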