Start up for some one who is not familiar with Read only domain controller RODC

  • Article

 

 

What

=====

 

RODC is a new feature unleashed with windows server 2008. Read-only Domain Controllers differentiate from Domain Controllers with writable AD replica in three basic aspects:

- Read-only replica of AD database.

- On-demand replication of account passwords.

- Ability to delegate administrative rights independently on other read-only domain controllers or writable domain controllers.

 

Why

====

 

It is designed to minimize risks introduced by running Domain Controller in less-secure locations such as branch offices or extranet networks.

No changes to AD database content are possible on RODC. All objects in RODC AD replica are read-only and can change only by means of AD replication from an upstream domain controller.

The replication partner cannot be: - Pre-Longhorn Domain controller. - Another RODC.

 

 

Features

=========

RODC by default does not replicate passwords of user and computer accounts into its replica of AD database.

By limiting credential caching to only users who have authenticated to the RODC and are allowed by the Password Replication Policy to have credentials cached, the potential exposure of credentials by a compromise of the RODC is limited. This is because, typically, only a small subset of domain accounts has their credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that are cached can become subject to any cracking attempt.

 

Password replication policy is the list of rules that specify which accounts can have passwords replicated to Read-only Domain controller. Every RODC has its own Password Replication policy – it is linked to the computer account of the Domain Controller.

 

Read-Only Domain Controller offers the possibility to delegate a certain level of access on single machine – without affecting any other domain controller in the domain of forest So the user account who has been delegated authority on RODC wont b able to access other domain controllers in domain.

 

Limitations

===========

 

RODC brings additional requirements to forest infrastructure. You cannot run RODC in a forest with Windows 2000 domain controllers.

RODC needs at least one full Longhorn DC in the domain. RODC cannot replicate from Windows 2003 domain controller and cannot bridge client authentication to Windows 2003 domain controller.

RODC cannot satisfy any write operations. All write operations are referred to full DC.

 

When connection to full Longhorn DC is broken, only users with credentials already cached on RODC are able to log on. Only resources having their passwords cached on RODC will be accessible.

               

RODC cannot be a Global Catalog

 

Prerequisites

==============

 

- Domain and Forest functional levels must be Windows 2003 or higher.

- Full Longhorn Domain Controller from the same domain must be a replication partner for RODC.

- PDC emulator FSMO role must be held by Full Longhorn Domain Controller.

- Longhorn Server ADPrep /rodcprep must be run.

RODC cannot be deployed in mixed Windows 2000/Windows 2003 environments.