Professional Documents
Culture Documents
640 06 Read Only Domain Controller
640 06 Read Only Domain Controller
RODC
A read‐only domain controller (RODC) is an additional domain controller for a
domain that hosts read‐only partitions of the Active Directory database. An RODC
is designed primarily to be deployed in a branch office because branch offices
often have relatively few users, poor physical security, relatively poor network
bandwidth to a hub site, and limited local IT resources.
Feature Description
The new administrator role separation (ARS) feature allows
RODCs to provide a secure mechanism for granting non‐
administrative domain users the right to log on to a domain
controller without jeopardizing the security of AD DS. This
allows the domain user to perform local administrative tasks
like installing drivers or security updates.
The domain user will not have any user rights for the
entire domain or any other domain controllers in the
Administrator
domain. This is done to minimize the risk to the security
role separation
of the entire domain and to prevent the domain user
from accidentally modifying the Active Directory.
To initially configure the administrator role separation
feature for an RODC, you must be a member of the
Domain Admins group.
All local, built‐in administrator accounts can also be
configured through administrator role separation,
including backup operators and server operators.
© Sergey Gorokhod
MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+®
E‐mail: sergey@infosec.co.il
Mob: (+972) 526848757
6.2. RODC Requirements
The following requirements must be met before RODCs are installed in a domain:
The domain and forest functional level must be at the Windows Server
2003 functional level or higher. The Active Directory functional level must
support:
o Linked‐value replication for reduction of lost updates. This feature
allows you to replicate individual values of a multi‐valued attribute
for a higher level of replication consistency.
o Kerberos constrained delegation. This feature allows you to forward
the computer account credentials or user account credentials to all
or only specific computers in the domain.
The primary domain controller (PDC) emulator must run Windows Server
2008 (and above: 2008 R2, 2012, 2012 R2, etc.) for the following reasons:
o A PDC emulator running Windows Server 2008/2012/2016 creates a
special KRBTGT account for each read‐only domain controller to
ensure its uniqueness. This account cannot be created with earlier
versions of Windows Server.
o Windows 2008/2012/2016 allows the RODC and the PDC emulator
running Windows Server to share a secure channel during
communication when a password is changed against a read‐only
domain controller. This PDC emulator feature in Windows 2003 or
earlier versions will not recognize the request and the password
change action will fail.
The RODC cannot be the first domain controller in a domain. To create a
new domain, install AD DS on a writable domain controller, then install the
RODC.
You can reduce Active Directory replication traffic by using RODCs because
RODCs never replicate any changes.
The Windows Server 2008/2012/2016 writable domain controller with
which the RODC replicates can run either a full installation or a Server Core
installation of Windows Server 2008/2012/2016.
The Windows Server 2008/2012/2016 writable domain controller does not
have to hold the Primary Domain Controller (PDC) emulator operations
master role.
RODCs must replicate the domain partition from writable domain
controllers that runs Windows Server 2008/2012/2016 because only a
writable domain controller that runs Windows Server 2008/2012/2016 can
enforce the Password Replication Policy (PRP) for an RODC.
(Note: The RODC can replicate other partitions, including application
directory partitions and global catalog partitions, from any writable domain
controller that runs either Windows Server 2003 or Windows
Server 2008/2012/2016
Although RODCs are designed to be placed in sites that do not contain any
other domain controllers, an RODC being placed in a site with another
domain controller is still a supported configuration.
RODCs can only replicate updates of the domain partition from a domain
controller running Windows Server 2008/2012/2016 from the same
domain. Data can be prevented from being replicated to an RODC by
setting a filter and marking it as confidential.
If an RODC was unable to satisfy a change directly, it will immediately
attempt inbound replication. This happens in the following situations:
o Password changes that are created using the Security Accounts
Manager (SAM) interface rather than the Lightweight Directory
Access Protocol (LDAP).
o DNS updates in which a client attempted to make a DNS update, but
is then referred to DNS server where the updates are registered and
the RODC attempts to recover the changes.
Consider implementing drive encryption on RODCs to prevent unauthorized
users from breaking Windows file and system protection in the event the
RODC is lost or stolen. Tools such as Windows BitLocker encrypt all user and
system files on an entire volume, including the swap and hibernation files.
Use the Windows SysKey Utility to additionally secure the RODC by moving
its encryption key off the Windows‐based computer. The SysKey utility can
also be used to configure a start‐up password that must be entered to
decrypt the system key so that Windows can access the RODC.
6.3. RODC Installation
Use the following general steps to install a read‐only domain controller (RODC):
1. Ensure that the forest functional level is Windows Server 2003 or higher.
2. Make sure you have the PDC emulator role running on a Windows Server
2008/2012/2016 system. If necessary, take the necessary steps to prepare
for the installation of a Windows Server 2008 domain controller in your
network (prepare the forest and the domain).
3. Copy the contents of the \sources\adprep folder on the Windows
Server 2008/2012/2016 installation DVD to the schema master. Run the
adprep /rodcprep command before you install the first RODC (you must be
a member of the Enterprise Admins group to run this command). This will
enable the RODC to replicate DNS partitions.
4. Create an RODC account in the Domain Controllers OU. Delegate the
necessary permissions to allow non‐administrative users to perform
administrative tasks on the RODC as part of this step.
5. Install the Active Directory role on the RODC server.
6. Log on as a local administrator to the server that will become the RODC and
run dcpromo /UseExistingAccount:Attach. This starts the Active Directory
Domain Services wizard. After you enter your administrative credentials as
a step in the wizard, the wizard automatically detects the name of the
server and try to match it (attach it to) with the RODC account that you pre‐
created for it. Follow the steps in the wizard to complete the configuration.
To install an RODC on a Server Core installation of Windows Server 2008,
perform an unattended installation using the dcpromo /Unattend
<filename> command.
© Sergey Gorokhod
MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+®
E‐mail: sergey@infosec.co.il
Mob: (+972) 526848757
6.4. Password Replication Policy
A password replication policy determines whether or not an RODC can cache a
password when the RODC receives an authenticated user or computer logon
request. Password replication policies:
Group Description
This group is added to the Allowed List of each new RODC;
Allowed RODC
however, by default, it does not contain any members. The
Password
result of this is that new RODCs do not cache user
Replication Group
credentials.
This group is added to the Denied List of each new RODC,
and by default, it contains the following members:
With the most accounts cached model, you add users and groups to
the Allowed or Denied RODC Password Replication Groups.
Password caching for all RODCs uses the same configuration.
Most This model poses some security risk because passwords are
accounts replicated to the RODCs, so it is most appropriate when the
cached physical security of the RODCs is not in question.
Password management is facilitated because most users can
have their passwords cached on demand.
Users can have offline access through this model.
© Sergey Gorokhod
MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+®
E‐mail: sergey@infosec.co.il
Mob: (+972) 526848757
6.5. Administrative Role Separation
With administrative role separation, you can grant non‐administrative domain
users the right to log on to a RODC, allowing them to perform local administrative
tasks such as installing drivers or security updates.
When you create the RODC account, specify the user or group who can
manage the RODC.
Edit the RODC account and modify the setting on the Managed by tab.
From the command prompt on the RODC,
1. Run the dsmgmt.exe command.
2. Enter local roles. (You can list valid parameters at this point by
entering ?.)
3. Enter add <domain>\<user> <administrative role>.
© Sergey Gorokhod
MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+®
E‐mail: sergey@infosec.co.il
Mob: (+972) 526848757
6.6. RODC Removal
If the security of a RODC has been compromised, for example if the system has
been hacked or stolen, it is possible that passwords cached on the RODC could be
retrieved. To protect user passwords in the event of a security breach, delete the
RODC computer account in Active Directory. When you delete the computer
account, you are given the following choices:
Reset user account passwords cached on the RODC. When this option is
chosen, the following process must be followed to re‐allow user logon:
1. An administrator must manually reset the password to a known
value. A common practice is to require the user to change the
password at the next logon.
2. The new password must be given to the user. Following logon, users
change the password to a value they choose.
Reset computer account passwords cached on the RODC. This option
disjoins the computer from the domain. Computers must be rejoined to the
domain.
Export a list of accounts that were cached on the RODC. Using the file, you
can get a list of accounts whose passwords were cached. You would then
need to manually reset the passwords on those accounts or rejoin the
domain for computer accounts.
© Sergey Gorokhod
MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+®
E‐mail: sergey@infosec.co.il
Mob: (+972) 526848757