{"id":862,"date":"2007-07-30T16:13:26","date_gmt":"2007-07-30T15:13:26","guid":{"rendered":"http:\/\/www.markwilson.co.uk\/blog\/2007\/07\/windows-server-2008-read-only-domain-controllers.htm"},"modified":"2007-07-30T16:13:26","modified_gmt":"2007-07-30T15:13:26","slug":"windows-server-2008-read-only-domain-controllers","status":"publish","type":"post","link":"https:\/\/www.markwilson.co.uk\/blog\/2007\/07\/windows-server-2008-read-only-domain-controllers.htm","title":{"rendered":"Windows Server 2008 read only domain controllers"},"content":{"rendered":"

This is the last post I’m intending to write based on the content from the recent Windows Server UK User Group<\/a> meeting – this time inspired by Scotty Mc Leod<\/a>‘s presentation on read only domain controllers (RODCs), a new feature in Windows Server 2008.<\/p>\n

In my post from a few weeks back about some of the new features in Windows Server 2008<\/a>, I wrote:<\/p>\n

Backup domain controllers (BDCs) are back! Except that now they are called read-only domain controllers (with unidirectional replication to offer credential caching and whilst increasing the physical security of remote domain controllers, e.g. in branch offices).<\/p><\/blockquote>\n

That statement was slightly tongue-in-cheek and, if taken literally would be inaccurate. RODCs are more complex than Windows NT BDCs were. Active Directory still uses a multiple master replication model, but RODCs are really a means of providing a read-only replica of the directory (with outbound replication disabled) – for example at remote sites where to have a fully-functional domain controller would be a security risk. As far as Active Directory is concerned, an RODC is not a domain controller – it actually has a standard workstation account (with some extra attributes). <\/p>\n

This has a major advantage in that, unlike a domain controller, an RODC has a local account database, with a local Administrators group (of which Domain Admins will be a member). In effect, this means that a user can be made a full administrator of the RODC, without needing to be a Domain Admin.<\/p>\n

In order to create an RODC, the forest and domain need to be at Windows Server 2003 forest functional level with at least one (preferably more) Windows Server 2008 DC present. The forest and domain must also have been prepared for RODCs with adprep \/rodc<\/code>.<\/p>\n

The next stage is to provision the computer account, selecting a site, and whether or not DNS\/Global Catalog services will be enabled). Control over the information stored on an RODC is controlled with password replications policies – allow\/deny lists for replication of passwords based on users, groups or computers. 2 new groups are created – DeniedRODCPassword and AllowsRODCPassword and as for other Windows NT ACLs, deny takes precendence over allow. Next, it’s necessary to define who will manage the RODC – this effectively defines a user account that can administer the server without needing Domain Admins membership (e.g. to apply patches, restart the server, etc.). One gotcha is that this is a user contact (not a group) – many organisations will circumvent this with service accounts, but that’s really not good practice.<\/p>\n

Following this, a new computer account should be visible in the directory. The Windows Server 2003 version of Active Directory Users and Computers (ADUC) will see the account as disabled, whereas the Windows Server 2008 tools will report it as an unoccupied DC account. On joining the domain, the computer will be linked with its account and will become an RODC.<\/p>\n

The RODC concept relies on a principle called constrained Kerberos<\/a> delegation, which in turn needs value linked replication – hence the requirement for a Windows Server 2003 domain and forest dunctional level. In addition the requirement for a Windows Server 2008 DC with which to communicate is created as Windows Server 2003 DC will see the RODC as a “normal” computer – e.g. a workstation. Of course, the Windows Server 2008 DC is potentially a single point of failure, so more than one should be deployed.<\/p>\n

The constrained Kerberos authentication works as follows:<\/p>\n