
Session 3 RODC : Read Only Domain Controllers

Prepared by: KParbhudoyal

Objectives
- Explain briefly what a Read-Only Domain Controller is
- State the pre-installation tasks required to install an RODC
- Identify Password Replication Policies

Trainer: KParbhudoyal

Read Only Domain Controller


An RODC is an additional domain controller for a domain that hosts read-only partitions of the Active Directory database. An RODC is designed primarily to be deployed in a branch office environment. Branch offices typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and little local IT knowledge. Read-only domain controllers (RODCs) address some of the problems that might be caused by branch office locations that either have no domain controller or that have a writable domain controller but not the physical security, network bandwidth, and local expertise to support it.

Six Features of RODC


- Read-only Active Directory database
- RODC filtered attribute set
- Unidirectional replication
- Credential caching
- Administrator role separation
- Read-only Domain Name System


Read-only Active Directory database


Except for account passwords and other filtered attributes, an RODC holds the same user accounts and attributes that a writable domain controller holds. Clients, however, are not able to write changes directly to the RODC. Local applications that request Read access to the directory obtain access, whereas Lightweight Directory Access Protocol (LDAP) applications that perform a Write operation are referred to a writable domain controller in a hub site.

RODC Filtered Attribute Set


Some applications that use AD DS as a data store may have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is stolen or compromised. For this type of application, you can take the following steps to help prevent unnecessary exposure of such attributes:

1. Add the attribute to the RODC filtered attribute set to prevent it from replicating to RODCs in the forest.
2. Mark the attribute as confidential, which removes the ability to read the data for members of the Authenticated Users group (including any RODCs).
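Both steps are implemented by setting bits in the searchFlags attribute of the attribute's schema object. The following PowerShell is an added example, not material from the deck: it sets the RODC-filtered bit (0x200) and the confidential bit (0x80) on a custom attribute, re-reads the object to confirm, and lists everything the forest currently filters from RODCs. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT), a session with Schema Admins rights against the schema master, and uses contosoSecretToken as a placeholder name for a custom, non-base-schema attribute.

```powershell
# Added example, not from the training deck. Marks a custom attribute as a member
# of the RODC filtered attribute set and as confidential, then lists what the
# forest currently filters from RODCs.
# Assumptions: ActiveDirectory module present; run as a Schema Admin against the
# schema master; 'contosoSecretToken' is a placeholder custom attribute name.
Import-Module ActiveDirectory

# searchFlags bits on attributeSchema objects:
$SF_CONFIDENTIAL  = 0x080   # bit 7: reading requires the CONTROL_ACCESS right, not plain Read Property
$SF_RODC_FILTERED = 0x200   # bit 9: attribute is never replicated to an RODC

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, systemFlags
}

function Protect-AttributeFromRodc {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema." }

    # Base-schema (category 1) attributes cannot be marked confidential, so refuse
    # up front instead of letting the directory reject a half-applied change.
    # systemFlags bit 0x10 = FLAG_SCHEMA_BASE_OBJECT.
    if ($attr.systemFlags -band 0x10) {
        throw "'$LdapDisplayName' is a base-schema (category 1) attribute and cannot be made confidential."
    }

    $newFlags = $attr.searchFlags -bor $SF_CONFIDENTIAL -bor $SF_RODC_FILTERED
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = $newFlags }

    # Re-read and confirm that both bits took effect.
    $check = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    [pscustomobject]@{
        Attribute    = $LdapDisplayName
        SearchFlags  = $check.searchFlags
        Confidential = [bool]($check.searchFlags -band $SF_CONFIDENTIAL)
        RodcFiltered = [bool]($check.searchFlags -band $SF_RODC_FILTERED)
    }
}

function Get-RodcFilteredAttributes {
    # Inventory check: every attribute whose searchFlags has the RODC-filtered bit set.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))" `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

Protect-AttributeFromRodc -LdapDisplayName 'contosoSecretToken'
Get-RodcFilteredAttributes
```

Two caveats a practitioner should keep in mind: the confidential bit only stops principals whose read access comes from the default Read Property permission, so accounts with full control over the object (Domain Admins, for example) can still read the value; and the guarantee that a compromised RODC cannot replicate filtered attributes is only enforced when the forest functional level is Windows Server 2008 or higher.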


Unidirectional Replication
Because no changes are written directly to the RODC and therefore do not originate locally, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub site and the effort required to monitor replication.

RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes.

Credential Caching
Credential caching is the storage of user account or computer account credentials. Account credentials consist of a small set of attributes that are associated with security principals. By default, an RODC does not store account credentials, except for its own computer account and a special krbtgt account for that RODC. You must explicitly allow any other credentials to be cached on that RODC, including the appropriate user, computer, and service accounts, to allow the RODC to satisfy authentication and service ticket requests locally.

Administrator Role Separation


Administrator role separation specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. Accordingly, a delegated administrator can log on to an RODC to perform maintenance work, such as upgrading a driver, on the server. But the delegated administrator is not able to log on to any other domain controller or perform any other administrative task in the domain. In this way, a security group that comprises branch users, rather than members of the Domain Admins group, can be delegated the ability to effectively manage the RODC in the branch office, without compromising the security of the rest of the domain.
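The delegation described above is recorded in the managedBy attribute of the RODC's computer object. The following PowerShell is an added example, not the deck's own material: it delegates local administration of an RODC to a branch group and then checks that the delegated group, and the users nested in it, are not also members of domain-privileged groups, since role separation only holds if they are not. It assumes the ActiveDirectory module and uses RODC-BRANCH01 and Branch01-LocalAdmins as placeholder names.

```powershell
# Added example, not from the training deck. Delegates local administration of an
# RODC to a branch group and verifies the group carries no domain-wide privilege.
# Assumptions: ActiveDirectory module present; 'RODC-BRANCH01' and
# 'Branch01-LocalAdmins' are placeholder names.
Import-Module ActiveDirectory

function Set-RodcDelegatedAdmin {
    param(
        [Parameter(Mandatory)][string]$RodcName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $rodc = Get-ADDomainController -Identity $RodcName
    # Refuse to set managedBy on a writable DC: there it grants nothing local and
    # only misleads whoever reads it later.
    if (-not $rodc.IsReadOnly) { throw "$RodcName is not an RODC; refusing to delegate." }
    $group = Get-ADGroup -Identity $GroupName
    # managedBy holds a single principal, so delegate to a group rather than a user.
    Set-ADComputer -Identity $rodc.ComputerObjectDN -ManagedBy $group.DistinguishedName
    (Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties managedBy).managedBy
}

function Test-DelegatedAdminIsolation {
    # Role separation is defeated if the delegated group, or a user inside it, is
    # also (directly or through nesting) a member of a domain-privileged group.
    param([Parameter(Mandatory)][string]$GroupName)
    $privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                        'Account Operators', 'Server Operators', 'Backup Operators'
    $group = Get-ADGroup -Identity $GroupName
    # Users that actually receive the delegation, resolved through nesting.
    $delegatedUsers = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty distinguishedName

    $findings = foreach ($name in $privilegedGroups) {
        # Enterprise/Schema Admins exist only in the forest root; skip if absent here.
        $priv = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
        if (-not $priv) { continue }
        # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) walks nested
        # membership on the server, returning groups as well as users.
        $transitive = Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($priv.DistinguishedName))" |
            Select-Object -ExpandProperty DistinguishedName
        if ($transitive -contains $group.DistinguishedName) {
            [pscustomobject]@{ Subject = $GroupName; Finding = "nested inside '$name'" }
        }
        foreach ($dn in $delegatedUsers) {
            if ($transitive -contains $dn) {
                [pscustomobject]@{ Subject = $dn; Finding = "delegated user is also a member of '$name'" }
            }
        }
    }
    if (-not $findings) { Write-Output "OK: '$GroupName' grants no domain-level privilege." }
    $findings
}

Set-RodcDelegatedAdmin -RodcName 'RODC-BRANCH01' -GroupName 'Branch01-LocalAdmins'
Test-DelegatedAdminIsolation -GroupName 'Branch01-LocalAdmins'
```

On a Windows Server 2008 RODC without the ActiveDirectory module, the same delegation can be made locally on the RODC with dsmgmt ("local roles", then "add CONTOSO\Branch01-LocalAdmins administrators"); the isolation check is worth running either way, because nothing stops a domain administrator from nesting a privileged group into the branch group by mistake.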


Read Only Domain Name System


You can install the Domain Name System (DNS) Server service on an RODC. An RODC is able to replicate all the application directory partitions that DNS uses, including ForestDnsZones and DomainDnsZones. If a DNS server is installed on an RODC, clients can query it for name resolution as they would query any other DNS server.

However, the DNS server on an RODC does not support client updates directly. When a client attempts to update its DNS records against an RODC, the server returns a referral. The client then attempts the update against the DNS server that is provided in the referral. In the background, the DNS server on the RODC attempts to replicate the updated record from the DNS server that made the update. This replication request is only for a single object (the DNS record). The entire list of changed zone or domain data is not replicated during this special, replicate-single-object request.

RODC cannot act as:


An operations master role holder (also known as a flexible single master operations (FSMO) role holder).
Operations master role holders must be able to write some information to the Active Directory database. For example, the schema master must be able to write definitions for new object classes and attributes. The relative ID (RID) master must be able to write the values of RID pools that are allocated to other domain controllers. Because of the read-only nature of the Active Directory database on an RODC, it cannot act as an operations master role holder.

A bridgehead server.
Bridgehead servers are servers that are designated to replicate changes from other sites. Because RODCs perform only inbound replication, they cannot act as a bridgehead server for a site.


Advantages of RODC
- Great for low physical security locations with few users
- Local Administrator functionality still allows for onsite administration
- Can be installed on Server Core for less overhead
- BitLocker Drive Encryption for extra protection


Great for Low Physical Security Locations with few users


Poor physical security is typically the most common rationale for deploying an RODC at a branch office. A read-only copy of the domain controller provides fast and reliable authentication while protecting against data loss in the event the server is compromised or stolen. Because no changes can originate from an RODC, a malicious hacker or IT support personnel with little knowledge of Active Directory administration cannot make changes at the branch level. On a writable domain controller, not only can changes be made, but those changes would propagate to all other domain controllers, eventually damaging or polluting the Active Directory domain and forest.


Local Administrator functionality still allows for onsite administration


Organizations are encouraged to use RODCs when there is a need to satisfy unique administrative requirements and to maintain administrator role separation and isolation. With an RODC, you can delegate permissions to local administrators, granting them rights to a particular server, role or application without ever granting them access to Active Directory or domain resources beyond the scope of the branch. As a result, the local administrator at the branch can perform his or her administrative work effectively without compromising the entire Active Directory environment.

What is needed to install RODC?


- A fully working Windows Server 2008 domain controller already in place
- At least Windows Server 2003 domain functional level
- A user account that is a member of the Domain Admins group


Steps to install RODC


1. Install Windows Server 2008, join it to the domain and rename the machine.
2. Add the Active Directory Domain Services role.
3. When running the Dcpromo wizard, select Use Advanced Mode Installation.
4. Select Existing Forest and Add a Domain Controller to an existing Domain.
5. Click Next three times, then make sure you select Read Only Domain Controller.
6. Specify the groups for password replication.
7. Set up the local administrators group or accounts.
8. Prepopulate the RODC with a user account to avoid delays at first login.
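The wizard steps above can also be run unattended, which is how a branch build is usually repeated across sites. The following PowerShell is an added example, not the deck's own material: it checks the domain functional level requirement from the previous slide, writes a dcpromo answer file that selects a read-only replica in an existing domain, names the delegated administrator and the password replication groups, and then runs dcpromo against it. It assumes a Windows Server 2008 member server already joined to the domain, and the names contoso.local, Branch01, HUBDC01, Branch01-LocalAdmins, Branch01-Users, Branch01-Sensitive and the install account are placeholders.

```powershell
# Added example, not from the training deck: performs the Dcpromo wizard steps
# unattended (existing forest and domain, read-only replica, delegated admin,
# password replication groups).
# Assumptions: Windows Server 2008 member server already joined to the domain;
# every name below is a placeholder for your environment.
$domain       = 'contoso.local'
$site         = 'Branch01'
$sourceDC     = 'HUBDC01.contoso.local'
$installUser  = 'rodc-installer'                 # member of Domain Admins
$adminGroup   = 'CONTOSO\Branch01-LocalAdmins'   # delegated local administrator (role separation)
$allowGroup   = 'CONTOSO\Branch01-Users'         # accounts this RODC may cache
$denyGroup    = 'CONTOSO\Branch01-Sensitive'     # never cached, on top of the default denied group

# Pre-check: the domain must be at least Windows Server 2003 functional level
# (domainFunctionality = 2). RootDSE is readable without the AD module.
$rootDse = [adsi]'LDAP://RootDSE'
if ([int]$rootDse.domainFunctionality.Value -lt 2) {
    throw 'Domain functional level is below Windows Server 2003; raise it before installing an RODC.'
}

$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password'

# Answer-file keys are dcpromo unattend parameters. Password=* makes dcpromo
# prompt for the install account's password instead of storing it in the file.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$domain
SiteName=$site
ReplicationSourceDC=$sourceDC
InstallDNS=Yes
ConfirmGc=Yes
DelegatedAdmin=$adminGroup
PasswordReplicationAllowed=$allowGroup
PasswordReplicationDenied=$denyGroup
UserDomain=$domain
UserName=$installUser
Password=*
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=No
"@

$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$answerFile"
} finally {
    # The file still contains the DSRM password; RebootOnCompletion=No keeps the
    # process in the foreground so this cleanup always runs. Reboot afterwards.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
```

On Windows Server 2012 and later, where dcpromo is retired, the same settings map onto Install-ADDSDomainController with -ReadOnlyReplica, -DelegatedAdministratorAccountName, -AllowPasswordReplicationAccountName and -DenyPasswordReplicationAccountName.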

Password Replication Policies


When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently. The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.

The three possible administrative models for the Password Replication Policy are summarized below.


No Accounts Cached
This model provides the most secure option. No passwords are replicated to the RODC, except for the RODC computer account and its special krbtgt account. However, transparent user and computer authentication relies on WAN availability. This model has the advantage of requiring little or no additional administrative configuration from the default settings. Customers might choose to add their own security-sensitive user groups to the default list of denied users. This can protect those user groups against accidental inclusion in the list of allowed users and subsequent caching of their passwords on the RODC.


Most Accounts Cached


This model provides the simplest administrative model and permits offline operation. The Allowed List for all RODCs is populated with groups that represent a significant portion of the user population. The Denied List blocks security-sensitive user groups, such as Domain Admins. Most other users, however, can have their passwords cached on demand. This configuration is most appropriate in environments where the physical security of the RODC will not be at risk.

Few Accounts Cached


This model restricts the accounts that can be cached. Typically, administrators define this distinctly for each RODC: each RODC has a different set of user and computer accounts that it is permitted to cache. Typically, this is based on the set of users who work at a particular physical location. The advantage of this model is that that set of users will benefit from offline authentication should a WAN failure occur. At the same time, the scope of exposure for passwords is limited by the reduced number of users whose passwords can be cached.
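The following PowerShell is an added example, not material from the deck, that puts the Credential Caching slide and the three models above into practice for one RODC: it adds security-sensitive groups to the domain-wide default denied group (the hardening suggested under No Accounts Cached), applies a per-RODC allowed list (Few Accounts Cached), prepopulates the allowed accounts so the first branch logon does not depend on the WAN, and audits which passwords the RODC actually holds. It assumes the ActiveDirectory module; RODC-BRANCH01, HUBDC01, Branch01-Users and Tier0-ServiceAccounts are placeholder names.

```powershell
# Added example, not from the training deck. Password Replication Policy tasks
# for one RODC: harden the default denied group, apply a "few accounts cached"
# policy, prepopulate the branch accounts, and audit what the RODC holds.
# Assumptions: ActiveDirectory module; RODC-BRANCH01, HUBDC01, Branch01-Users
# and Tier0-ServiceAccounts are placeholder names.
Import-Module ActiveDirectory

function Protect-SensitiveGroupsFromCaching {
    # The default "Denied RODC Password Replication Group" applies to every RODC
    # in the domain, and denied always wins over allowed, so a group added here is
    # safe from accidental inclusion in any RODC's allowed list.
    param([Parameter(Mandatory)][string[]]$Groups)
    Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members $Groups
}

function Set-FewAccountsCachedPolicy {
    # "Few accounts cached": one branch group allowed on this RODC only.
    param([Parameter(Mandatory)][string]$Rodc, [Parameter(Mandatory)][string]$AllowGroup)
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGroup
    [pscustomobject]@{
        Rodc    = $Rodc
        Allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList).Name
        Denied  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList).Name
    }
}

function Initialize-RodcCredentialCache {
    # Prepopulate so the first branch logon succeeds even if the WAN is down.
    # -PasswordOnly pushes just the secrets; the RODC's policy is still enforced,
    # so an account on the denied list is refused and reported here.
    param([Parameter(Mandatory)][string]$Rodc,
          [Parameter(Mandatory)][string]$HubDC,
          [Parameter(Mandatory)][string]$AllowGroup)
    Get-ADGroupMember -Identity $AllowGroup -Recursive |
        Where-Object { $_.objectClass -in @('user', 'computer') } |
        ForEach-Object {
            try {
                Sync-ADObject -Object $_.distinguishedName -Source $HubDC -Destination $Rodc -PasswordOnly
                [pscustomobject]@{ Account = $_.SamAccountName; Prepopulated = $true;  Reason = '' }
            } catch {
                [pscustomobject]@{ Account = $_.SamAccountName; Prepopulated = $false; Reason = $_.Exception.Message }
            }
        }
}

function Get-RodcExposure {
    # Defender's view: "revealed" accounts are the ones whose passwords this RODC
    # holds, i.e. what is exposed if the box is stolen. Removing an account from
    # the allowed list does not purge its cached secret; only a password reset does,
    # so revealed-but-no-longer-allowed accounts are the ones to act on.
    param([Parameter(Mandatory)][string]$Rodc)
    $revealed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $allowedDNs = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList).DistinguishedName
    # Expand allowed groups to their leaf members so nested membership counts.
    $allowedMembers = foreach ($dn in $allowedDNs) {
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') { (Get-ADGroupMember -Identity $dn -Recursive).distinguishedName }
        else { $dn }
    }
    foreach ($acct in $revealed) {
        [pscustomobject]@{
            Account      = $acct.SamAccountName
            StillAllowed = ($allowedMembers -contains $acct.DistinguishedName)
        }
    }
}

Protect-SensitiveGroupsFromCaching -Groups 'Tier0-ServiceAccounts'
Set-FewAccountsCachedPolicy        -Rodc 'RODC-BRANCH01' -AllowGroup 'Branch01-Users'
Initialize-RodcCredentialCache     -Rodc 'RODC-BRANCH01' -HubDC 'HUBDC01' -AllowGroup 'Branch01-Users'
# Accounts whose secrets are on the RODC but that the policy no longer allows:
Get-RodcExposure -Rodc 'RODC-BRANCH01' | Where-Object { -not $_.StillAllowed }
```

The same policy and usage data are available from the command line with repadmin /prp (view, add, delete) and repadmin /rodcpwdrepl for prepopulation, which is what you would use on a Windows Server 2008 hub DC without the ActiveDirectory module.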


The following flowchart shows how the RODC operation proceeds:


Thank you for your attention

