Active Directory Architecture: Read-Only Domain Controllers

Recently we had a situation come up where it was necessary to provide a domain controller in a unique location. This was a “one off” scenario for us; this location was in a third-world country (not unique) and connected with a government controlled crappy DSL line (very unique) and physical security of the equipment could not yet be guaranteed (very, very unique). Nevertheless, we had to provide a local domain controller (as always, like… right now) for a variety of reasons.

While the personnel onsite were our personnel, the overwhelming majority were new to the company.

As we have recently begun migrating all of our domain controllers to Microsoft Windows Server 2008 R2, a read-only domain controller was the perfect fit (actually, the perfect fit would have been better bandwidth and App-V in a country with plumbing).

Read Only Domain Controllers (RODC’s) allow for granular control of the password database; that is you can choose which accounts are cached locally, and which accounts must transverse the WAN for authentication. In addition, the local Active Directory database is read-only. Modifications to it are not replicated to the other domain controllers.

This is important in a situation where physical security cannot be guaranteed initially (as in our case) or network bandwidth is less than ideal (also in our case). If an interested party (and there are a lot) obtained physical access to a standard domain controller, it is possible (alright, easy) to decrypt the Active Directory database and obtain all passwords… this would be particularly devastating if they were able to obtain the passwords for accounts with admin access.

In cases where bandwidth is a concern, the updates that are pushed to a Read Only domain controller are much smaller as they do not contain all account information.

Deploying an RODC is actually quite simple and not much different than a standard domain controller.

First, you need to prepare your domain for the addition of a RODC. Assuming you already have a Windows 2008-based domain controller, you need to run the following command in order to prep the directory:

Adprep /rodcprep

Adprep.exe is located on your Windows Server 2008 CD under the Support Tools directory. It doesn’t take very long to run and is a relatively safe operation (though, by nature, I’m pretty paranoid about anything that makes modifications to the schema).

Now, you’re ready to promote a domain controller as a new RODC. Assuming you have a prepped Windows Server 2008 box by selecting the Active Directory Domain Services role in Server Manager, just run dcpromo as always. Ideally, select “Advanced Mode” on the first screen so that you can configure the password replication policy and other settings during the AD DS installation.

As you pass through the promotion screens, simply select “Read-only domain controller” (RODC) on the same screen where you select the DNS Server and Global Catalog options. I think making the RODC a DNS server is important, but making it a Global Catalog is a matter of debate.

When you get to the password replication screen, you are presented with a number of options. By default, no passwords will be replicated except those accounts that are members of the “Read-Only Domain Controllers” group. I think that unless there is an exceptional circumstance, it is best to leave this be.

Now, add the accounts for the local users at that site to the Read-Only Domain Controllers group. This will allow them to log on locally without their credentials traversing the WAN. It’s important to note that if a user is not a member of this group, and the site link is terminated due to WAN issues, they will not be able to log on at that site until WAN access is restored.

It’s important to note that the following operations will fail if the WAN link is terminated for any reason:

  • Password changes
  • Attempts to join a computer to the domain
  • Computer rename operations
  • Authentications attempts for accounts whose credentials are not cached on the RODC
  • Group Policy updates that an administrator might attempt by running the gpupdate /force command

However, these operations will still succeed even with the WAN link terminated:

  • Authentication and logon attempts, if the credentials for the resource and the requester are already cached
  • Local RODC server administration performed by a delegated RODC server administrator

Read-only Domain Controllers give the Active Directory Architect an important tool in intelligent AD design… allowing them to further refine their architecture when heightened consideration must be given to security and bandwidth.

Hopefully, this article has given you a “real world” introduction to RODC’s. I highly encourage any administrator to thoroughly review Microsoft’s Read-only Domain Controllers Step-by-Step Guide.

Advertisements

No comments yet... Be the first to leave a reply!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s