
Read-Only Domain Controllers - What's Old is New Again

Remember back in the dark ages, when Domain Controllers came in two varieties: "Primary" that could be written to, and "Backup" that were read-only. Then we came into the modern age, where all DCs were peers and all were read/write. Well, what's old is new again with the introduction of Windows Server 2008 Read-Only Domain Controllers.

Ahhh, how history repeats itself.

Seriously though, the RODC role is useful in those situations where you can't reliably control physical access to a Domain Controller. Microsoft introduced peer-to-peer DCs, and then instructed all of us to keep our DCs under lock and key, because each one holds the keys to everything in the entire forest.

Michael over at 4Sysops does a nice rundown of the features you get with an RODC. There are four big categories:

RODC essentials
Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
Password protection: A malicious user won’t be able to access passwords using a brute-force-attack. This applies only if password caching is disabled on the RODC.
Administrator Role Separation: You can delegate a local Administrator role to a domain user.

Read-only Domain Controller
A RODC holds all Active Directory objects and attributes.
RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.

Read on for the other three...

DNS Protection
A DNS server running on a RODC doesn’t support dynamic updates.
If a client wants to update its DNS record, the RODC will send a referral for a writeable DNS server.
The client can then update against this DNS server.
This single record will then be replicated from the writable DNS server to the RODC DNS server.

Password Protection
By default, an RODC doesn’t store user or computer credentials. (The only exception is the computer account of the RODC itself and a special krbtgt account.)
However, a RODC can cache passwords.
If a password isn’t cached, the RODC will forward the authentication request to a writeable DC.
The Password Replication Policy determines the user groups for which password caching will be allowed (more about this in my next post).

Administrator Role Separation:
A domain user having the Administrator role on an RODC doesn’t have to be a domain admin.
A domain user having the Administrator role can do maintenance work on the RODC such as installing software.
If an intruder gains access to the credentials of this local administrator account, he will not be able to make changes on other domain controllers.

See Michael's full post at:
http://4sysops.com/archives/windows-server-2008-read-only-domain-controller-rodc/
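The Password Replication Policy and Administrator Role Separation points above are the ones a defender should verify on every RODC. The following PowerShell script is an added example, not code from this post or from Michael's 4Sysops article; it assumes the ActiveDirectory module (RSAT) is installed, that the caller can read domain controller objects, and that the list of sensitive groups is adjusted to your domain. It reports each RODC's Allowed and Denied lists, which accounts currently have secrets cached ("revealed"), which delegated administrator is recorded on the computer object, and flags any cached account that belongs to a privileged group.

```powershell
# Added example (not from the original post or the 4sysops article it quotes).
# Assumes the ActiveDirectory PowerShell module (RSAT) and rights to read DC objects.
Import-Module ActiveDirectory

function Get-RodcPasswordCachingReport {
    [CmdletBinding()]
    param(
        # Groups whose members should never have passwords cached on an RODC.
        # Assumed defaults; extend with your own tiered-admin groups.
        [string[]]$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    # Resolve the members of every sensitive group once, recursively, keyed by SID.
    $sensitiveSids = @{}
    foreach ($group in $SensitiveGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $sensitiveSids[$_.SID.Value] = $group }
    }

    # Every RODC in the domain; Get-ADDomainController exposes the IsReadOnly flag.
    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        $name = $rodc.Name

        # The Password Replication Policy: Allowed and Denied lists for this RODC.
        # Denied takes precedence when a principal appears in both lists.
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $name -Allowed)
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $name -Denied)

        # Accounts whose secrets are cached on this RODC right now ("revealed"),
        # and accounts that have authenticated through it (candidates for caching).
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $name -RevealedAccounts)
        $authed   = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $name -AuthenticatedAccounts)
        $revealedSids = @($revealed | ForEach-Object { $_.SID.Value })

        # A cached account that is also in a sensitive group is the finding that matters:
        # an intruder on the RODC would then hold a privileged credential.
        $privilegedCached = @(foreach ($acct in $revealed) {
            if ($sensitiveSids.ContainsKey($acct.SID.Value)) {
                [pscustomobject]@{ Account = $acct.SamAccountName; Group = $sensitiveSids[$acct.SID.Value] }
            }
        })

        # Administrator Role Separation: the delegated local admin is recorded in ManagedBy.
        $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties ManagedBy

        [pscustomobject]@{
            RODC                   = $name
            Site                   = $rodc.Site
            DelegatedAdmin         = $computer.ManagedBy
            AllowedCount           = $allowed.Count
            DeniedCount            = $denied.Count
            RevealedAccounts       = @($revealed | Select-Object -ExpandProperty SamAccountName)
            AuthenticatedNotCached = @($authed |
                                         Where-Object { $_.SID.Value -notin $revealedSids } |
                                         Select-Object -ExpandProperty SamAccountName)
            PrivilegedCached       = $privilegedCached
        }
    }
}

# Usage: one record per RODC; a non-empty PrivilegedCached list is the item to act on.
Get-RodcPasswordCachingReport | Format-List
```

Run it from a management workstation rather than on the RODC itself, since the point of the check is to confirm what an attacker with physical access to the branch box could recover. If PrivilegedCached is ever non-empty, add the account or its group to the Denied list and reset that account's password, because the RODC already holds the old secret.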


Greg Shields' Bio:

Greg Shields is an independent author, instructor, and IT consultant based in Denver, Colorado, and a co-founder of Concentrated Technology. With nearly 15 years of experience in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture, specializing in Microsoft systems management, remote application, and virtualization technologies. Greg is a Contributing Editor for Redmond Magazine, MCPmag.com, and Virtualization Review Magazine and is the author of five books, including Windows Server 2008: What’s New / What’s Changed. Greg is also a highly sought-after instructor and speaker, speaking regularly at conferences like TechMentor Events, and producing computer-based training curriculum for CBT Nuggets. Greg is a recipient of the Microsoft "Most Valuable Professional" award with a specialization in Windows Terminal Services.