Kartik. Solanki, profile picture
Uploaded byKartik. Solanki
DOCX, PDF951 views

Ad ds rodc

An RODC is a new type of domain controller introduced in Windows Server 2008 that hosts read-only partitions of the Active Directory database. It provides faster authentication and access to resources for users in branch offices and remote locations that may lack adequate physical security for a regular writable domain controller. Key features of an RODC include read-only replication of AD data, unidirectional replication to prevent changes made on the RODC from replicating elsewhere, credential caching to allow faster authentication after initial login, role separation to delegate local administration without domain rights, and read-only DNS. Administrators should prepare for RODC deployment by updating the AD schema and ensuring the domain and forest are at the appropriate functional level.

Embed presentation

Downloaded 42 times
AD DS: Read-Only Domain Controllers Updated: January 13, 2011 Applies To: Windows Server 2008 A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database. Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources. Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits: Improved security Faster logon times More efficient access to resources on the network For more information about RODCs, see the Read-Only Domain Controller (RODC) Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993). What does an RODC do? Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications. In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller. An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest. You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role. Who will be interested in this feature?
RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically have the following characteristics: Relatively few users Poor physical security Relatively poor network bandwidth to a hub site Little knowledge of information technology (IT) You should review this section, and the additional supporting documentation about RODC, if you are in any of the following groups: IT planners and analysts who are technically evaluating the product Enterprise IT planners and designers for organizations Those responsible for IT security AD DS administrators who deal with small branch offices Are there any special considerations? To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher. For more information about prerequisites for deploying an RODC, see How should I prepare to deploy this feature? What new functionality does this feature provide? RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it. The following RODC functionality mitigates these problems: Read-only AD DS database Unidirectional replication Credential caching Administrator role separation Read-only Domain Name System (DNS) Read-only AD DS database Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.
Local applications that request Read access to the directory can obtain access. Lightweight Directory Application Protocol (LDAP) applications that request Write access receive an LDAP referral response. This response directs them to a writable domain controller, normally in a hub site. RODC filtered attribute set Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is compromised. For these types of applications, you can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set. Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest. A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request can succeed. Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest. You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it is required for AD DS; Local Security Authority (LSA); Security Accounts Manager (SAM; and Microsoft-specific Security Service Provider Interfaces (SSPIs), such as Kerberos; to function properly. A system-critical attribute has a schemaFlagsEx attribute value equal to 1 (schemaFlagsEx attribute value & 0x1 = TRUE). The RODC filtered attribute set is configured on the server that holds the schema operations master role. If you try to add a system-critical attribute to the RODC filtered set while the schema master is running Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema master be a Windows Server 2008 domain controller when you add attributes to RODC filtered attribute set. This ensures that system-critical attributes are not included in the RODC filtered attribute set. Unidirectional replication Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and the effort required to monitor replication. RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes. Note Any other shares on an RODC that you configure to replicate using DFS Replication would be bidirectional.
RODCs also perform automatic load balancing of inbound replication connection objects across a set of bridgehead servers in a hub site. For more information, see Bridgehead Server Selection (http://go.microsoft.com/fwlink/?LinkID=208721). Credential caching Credential caching is the storage of user or computer credentials. Credentials consist of a small set of approximately 10 passwords that are associated with security principals. By default, an RODC does not store user or computer credentials. The exceptions are the computer account of the RODC and a special krbtgt account that each RODC has. You must explicitly allow any other credential caching on an RODC. The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts ticket- granting ticket (TGT) requests. After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes that the request is coming from an RODC and consults the Password Replication Policy in effect for that RODC. The Password Replication Policy determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the writable domain controller replicates the credentials to the RODC, and the RODC caches them. After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.) By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that are cached can potentially be cracked. Leaving credential caching disabled might further limit exposure, but it results in all authentication requests being forwarded to a writable domain controller. An administrator can modify the default Password Replication Policy to allow users' credentials to be cached at the RODC. Administrator role separation You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the branch user can be delegated the ability to effectively manage the RODC in the branch office without compromising the security of the rest of the domain. Read-only DNS You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC, clients can query it for name resolution as they query any other DNS server.
However, the DNS server on an RODC is read-only and therefore does not support client updates directly. For more information about how DNS client updates are processed by a DNS server on an RODC, see DNS updates for clients that are located in an RODC site. What settings have been added or changed? To support the RODC Password Replication Policy, Windows Server 2008 AD DS includes new attributes. The Password Replication Policy is the mechanism for determining whether a user's credentials or a computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008. AD DS attributes that are added in the Windows Server 2008 Active Directory schema to support RODCs include the following: msDS-Reveal-OnDemandGroup msDS-NeverRevealGroup msDS-RevealedList msDS-AuthenticatedToAccountList For more information about these attributes, see the RODC Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993). How should I prepare to deploy this feature? The prerequisites for deploying an RODC are as follows: The RODC must forward authentication requests to a writable domain controller running Windows Server 2008. The Password Replication Policy is set on this domain controller to determine if credentials are replicated to the branch location for a forwarded request from the RODC. The domain functional level must be Windows Server 2003 or higher so that Kerberos constrained delegation is available. Constrained delegation is used for security calls that must be impersonated under the context of the caller. The forest functional level must be Windows Server 2003 or higher so that linked-value replication is available. This provides a higher level of replication consistency. You must run adprep /rodcprep once in the forest to update the permissions on all the DNS application directory partitions in the forest. This way, all RODCs that are also DNS servers can replicate the permissions successfully. What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why? Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the
FSMO is no longer available. If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role Seize and then bring the previous holder back online, you'll have a problem. An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder

More Related Content

DOCX
Rodc features
bypothurajr
 
PPTX
Active Directory 2008 R2 Updates
byAmit Gatenyo
 
PPTX
Azure role based access control (rbac)
bySrikanth Kappagantula
 
PDF
Windows server 2012_r2_
byHello_World_2016
 
PPTX
AD FS Workshop | Part 1 | Quick Overview
byGranikos GmbH & Co. KG
 
PPTX
Active directory ds ws2008 r2
byMICTT Palma
 
PDF
Active directory migration from windows server 2003 to windows server 2012
byRavi Kumar Lanke
 
PPTX
Ad ds ws2008 r2
byMICTT Palma
 
Rodc features
bypothurajr
 
Active Directory 2008 R2 Updates
byAmit Gatenyo
 
Azure role based access control (rbac)
bySrikanth Kappagantula
 
Windows server 2012_r2_
byHello_World_2016
 
AD FS Workshop | Part 1 | Quick Overview
byGranikos GmbH & Co. KG
 
Active directory ds ws2008 r2
byMICTT Palma
 
Active directory migration from windows server 2003 to windows server 2012
byRavi Kumar Lanke
 
Ad ds ws2008 r2
byMICTT Palma
 

What's hot

PPTX
Active Directory
byrainrjcahili
 
PDF
O365con14 - information protection and control in office 365
byNCCOMMS
 
PPTX
Microsoft SQL Azure - Building Applications Using SQL Azure Presentation
byMicrosoft Private Cloud
 
PPTX
WINDOWS SERVER 2008
byTawose Olamide Timothy
 
PPTX
Powering the Cloud with Oracle WebLogic
byLucas Jellema
 
DOCX
Web Sphere Application Server Features
bySymbyo Technologies
 
PPTX
Windows Server 2008 R2 Overview
byJaguaraci Silva
 
PPTX
Sql Server 2012
byPerformics.Convonix
 
PPTX
Cause 2013: A Flexible Approach to Creating an Enterprise Directory
byrwgorrel
 
PDF
Weblogic configuration
byAditya Bhuyan
 
PPT
Novell® iChain® 2.3
bywebhostingguy
 
PPTX
Windows Server 2003 Migration - Presented by Atidan
byDavid J Rosenthal
 
PDF
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
byPeter Selch Dahl
 
PDF
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
byTobias Koprowski
 
PPTX
24 HOP edición Español -Diferentes técnicas de administración de logins y usu...
bySpanishPASSVC
 
PPT
SharePoint Topology
byInformation Technology
 
DOCX
Pramodkumar_SQL_DBA(5YRS EXP)
bypramod singh
 
PDF
Dogfood Conference 2010 - What Every SharePoint 2010 Administrator Must Know
byvmaximiuk
 
PPTX
SharePoint 2010 Global Deployment
byJoel Oleson
 
PDF
Getting SharePoint 2010 Deployment Right final
byvmaximiuk
 
Active Directory
byrainrjcahili
 
O365con14 - information protection and control in office 365
byNCCOMMS
 
Microsoft SQL Azure - Building Applications Using SQL Azure Presentation
byMicrosoft Private Cloud
 
WINDOWS SERVER 2008
byTawose Olamide Timothy
 
Powering the Cloud with Oracle WebLogic
byLucas Jellema
 
Web Sphere Application Server Features
bySymbyo Technologies
 
Windows Server 2008 R2 Overview
byJaguaraci Silva
 
Sql Server 2012
byPerformics.Convonix
 
Cause 2013: A Flexible Approach to Creating an Enterprise Directory
byrwgorrel
 
Weblogic configuration
byAditya Bhuyan
 
Novell® iChain® 2.3
bywebhostingguy
 
Windows Server 2003 Migration - Presented by Atidan
byDavid J Rosenthal
 
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
byPeter Selch Dahl
 
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
byTobias Koprowski
 
24 HOP edición Español -Diferentes técnicas de administración de logins y usu...
bySpanishPASSVC
 
SharePoint Topology
byInformation Technology
 
Pramodkumar_SQL_DBA(5YRS EXP)
bypramod singh
 
Dogfood Conference 2010 - What Every SharePoint 2010 Administrator Must Know
byvmaximiuk
 
SharePoint 2010 Global Deployment
byJoel Oleson
 
Getting SharePoint 2010 Deployment Right final
byvmaximiuk
 

Similar to Ad ds rodc

PDF
Case Project 12-2 Devising an AD DS Design with RODC, AD RMS, and A.pdf
byAmansupan
 
PDF
Windows Server 2008 - Active Directory Components
byAndré Braga
 
PPTX
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
byQuek Lilian
 
PDF
Mcse 2012
byMohammed Zainul Abiddin
 
PDF
REVIEW OF ACCESS CONTROL MODELS FOR CLOUD COMPUTING
bycscpconf
 
PDF
Review of access control models for cloud computing
bycsandit
 
DOCX
2Windows Server Proposal for Dynamic SolarKelvin L.docx
bytamicawaysmith
 
DOC
Security
byalmabsli
 
PDF
Final domain control policy
byBhagyashriJadhav16
 
PPTX
Windows 2008 R2 Security
byAmit Gatenyo
 
PPT
FSMO.ppt
byBlazeWarriors
 
PPTX
Active Directory
byHameda Hurmat
 
PPTX
Lecture 8 permissions
byWiliam Ferraciolli
 
PDF
Security on z/OS
byIBM India Smarter Computing
 
PPT
70 640 Lesson01 Ppt 041009
byCoffeyville Community College
 
PPTX
Windows Server 2008 Security Enhancements
byPresentologics
 
PPTX
Microsoft Days 09 Windows 2008 Security
bydkaya
 
DOCX
Reply 1 neededThere are a couple of options available when upg.docx
bysodhi3
 
PPT
Authentication Authorization-Lesson-2-Slides.ppt
byMuhammadAbdullah311866
 
PDF
29041329 interview-questions-for-server-2003
byrafiq123
 
Case Project 12-2 Devising an AD DS Design with RODC, AD RMS, and A.pdf
byAmansupan
 
Windows Server 2008 - Active Directory Components
byAndré Braga
 
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
byQuek Lilian
 
Mcse 2012
byMohammed Zainul Abiddin
 
REVIEW OF ACCESS CONTROL MODELS FOR CLOUD COMPUTING
bycscpconf
 
Review of access control models for cloud computing
bycsandit
 
2Windows Server Proposal for Dynamic SolarKelvin L.docx
bytamicawaysmith
 
Security
byalmabsli
 
Final domain control policy
byBhagyashriJadhav16
 
Windows 2008 R2 Security
byAmit Gatenyo
 
FSMO.ppt
byBlazeWarriors
 
Active Directory
byHameda Hurmat
 
Lecture 8 permissions
byWiliam Ferraciolli
 
Security on z/OS
byIBM India Smarter Computing
 
70 640 Lesson01 Ppt 041009
byCoffeyville Community College
 
Windows Server 2008 Security Enhancements
byPresentologics
 
Microsoft Days 09 Windows 2008 Security
bydkaya
 
Reply 1 neededThere are a couple of options available when upg.docx
bysodhi3
 
Authentication Authorization-Lesson-2-Slides.ppt
byMuhammadAbdullah311866
 
29041329 interview-questions-for-server-2003
byrafiq123
 

Recently uploaded

PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PPTX
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 

Ad ds rodc

  • 1.
    AD DS: Read-OnlyDomain Controllers Updated: January 13, 2011 Applies To: Windows Server 2008 A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database. Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources. Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits: Improved security Faster logon times More efficient access to resources on the network For more information about RODCs, see the Read-Only Domain Controller (RODC) Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993). What does an RODC do? Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications. In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller. An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest. You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role. Who will be interested in this feature?
  • 2.
    RODC is designedprimarily to be deployed in remote or branch office environments. Branch offices typically have the following characteristics: Relatively few users Poor physical security Relatively poor network bandwidth to a hub site Little knowledge of information technology (IT) You should review this section, and the additional supporting documentation about RODC, if you are in any of the following groups: IT planners and analysts who are technically evaluating the product Enterprise IT planners and designers for organizations Those responsible for IT security AD DS administrators who deal with small branch offices Are there any special considerations? To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher. For more information about prerequisites for deploying an RODC, see How should I prepare to deploy this feature? What new functionality does this feature provide? RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it. The following RODC functionality mitigates these problems: Read-only AD DS database Unidirectional replication Credential caching Administrator role separation Read-only Domain Name System (DNS) Read-only AD DS database Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.
  • 3.
    Local applications thatrequest Read access to the directory can obtain access. Lightweight Directory Application Protocol (LDAP) applications that request Write access receive an LDAP referral response. This response directs them to a writable domain controller, normally in a hub site. RODC filtered attribute set Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is compromised. For these types of applications, you can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set. Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest. A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request can succeed. Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest. You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it is required for AD DS; Local Security Authority (LSA); Security Accounts Manager (SAM; and Microsoft-specific Security Service Provider Interfaces (SSPIs), such as Kerberos; to function properly. A system-critical attribute has a schemaFlagsEx attribute value equal to 1 (schemaFlagsEx attribute value & 0x1 = TRUE). The RODC filtered attribute set is configured on the server that holds the schema operations master role. If you try to add a system-critical attribute to the RODC filtered set while the schema master is running Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema master be a Windows Server 2008 domain controller when you add attributes to RODC filtered attribute set. This ensures that system-critical attributes are not included in the RODC filtered attribute set. Unidirectional replication Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and the effort required to monitor replication. RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes. Note Any other shares on an RODC that you configure to replicate using DFS Replication would be bidirectional.
  • 4.
    RODCs also performautomatic load balancing of inbound replication connection objects across a set of bridgehead servers in a hub site. For more information, see Bridgehead Server Selection (http://go.microsoft.com/fwlink/?LinkID=208721). Credential caching Credential caching is the storage of user or computer credentials. Credentials consist of a small set of approximately 10 passwords that are associated with security principals. By default, an RODC does not store user or computer credentials. The exceptions are the computer account of the RODC and a special krbtgt account that each RODC has. You must explicitly allow any other credential caching on an RODC. The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts ticket- granting ticket (TGT) requests. After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes that the request is coming from an RODC and consults the Password Replication Policy in effect for that RODC. The Password Replication Policy determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the writable domain controller replicates the credentials to the RODC, and the RODC caches them. After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.) By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that are cached can potentially be cracked. Leaving credential caching disabled might further limit exposure, but it results in all authentication requests being forwarded to a writable domain controller. An administrator can modify the default Password Replication Policy to allow users' credentials to be cached at the RODC. Administrator role separation You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the branch user can be delegated the ability to effectively manage the RODC in the branch office without compromising the security of the rest of the domain. Read-only DNS You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC, clients can query it for name resolution as they query any other DNS server.
  • 5.
    However, the DNSserver on an RODC is read-only and therefore does not support client updates directly. For more information about how DNS client updates are processed by a DNS server on an RODC, see DNS updates for clients that are located in an RODC site. What settings have been added or changed? To support the RODC Password Replication Policy, Windows Server 2008 AD DS includes new attributes. The Password Replication Policy is the mechanism for determining whether a user's credentials or a computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008. AD DS attributes that are added in the Windows Server 2008 Active Directory schema to support RODCs include the following: msDS-Reveal-OnDemandGroup msDS-NeverRevealGroup msDS-RevealedList msDS-AuthenticatedToAccountList For more information about these attributes, see the RODC Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993). How should I prepare to deploy this feature? The prerequisites for deploying an RODC are as follows: The RODC must forward authentication requests to a writable domain controller running Windows Server 2008. The Password Replication Policy is set on this domain controller to determine if credentials are replicated to the branch location for a forwarded request from the RODC. The domain functional level must be Windows Server 2003 or higher so that Kerberos constrained delegation is available. Constrained delegation is used for security calls that must be impersonated under the context of the caller. The forest functional level must be Windows Server 2003 or higher so that linked-value replication is available. This provides a higher level of replication consistency. You must run adprep /rodcprep once in the forest to update the permissions on all the DNS application directory partitions in the forest. This way, all RODCs that are also DNS servers can replicate the permissions successfully. What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why? Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the
  • 6.
    FSMO is nolonger available. If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role Seize and then bring the previous holder back online, you'll have a problem. An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder