Last week I presented my Top 10 things you need to know when it comes to Windows Server 2008 at the monthly SWIG meeting. SWIG stands for Sydney Windows Infrastructure Group. Derrick Buckley who runs the group was sick with the flu so I had to cover things for him which made for a challenging evening. I have to say it was a comedy of errors from the beginning in that I couldn’t get my laptop connected to the projector and when I ordered the Pizza I got a second day trainee who was having trouble understanding what I wanted to order. Then the best part happened. I couldn’t connect back to my office demo server to run all my demo’s. So I had to just rely on my slides and myself to talk through the top ten. I think it went well and there was lots of discussion and questions on many of the new features in Windows Server 2008. There were about 30 people there so it was an awesome turnout which was great. Although at the end some guys asked if they were going to see the Exchange Server 2007 session. Well Derrick was sick so that was a no goer.
Anyway onto to the questions. Most of the questions revolved around the new RODC feature in Windows Server 2008 or Read Only Domain Controller. So first up what is an RODC?
A Read Only Domain Controller is an additional DC that holds a read-only copy of the Active Directory database and we see it being used heavily in Branch Office environments where security is often an issue. Now and RODC address’s a number of issues experienced in a branch office. The include:
- Read-Only Active Directory Database – Except for account passwords an RODC holds all objects that a writable domain controller holds. However changes cannot be made on the RODC itself. Changes must be made on a writable domain controller then replicate back to the RODC. The biggest problem this solves is changes cannot be made in the branch office that could potentially pollute the entire forest.
- Unidirectional Replication – Because no changes are made on the RODC itself no changes can ordinate there. This means that a writable domain controller is do not pull changes from the RODC which in turn reduces the workload on bridgehead servers.
- Credential Caching – Now this is one of the areas where I got some questions that I’ll attempt to answer here. Also check out Keith Combs Post on this subject which includes a screencast as well. Caching of credentials is essentially storage of user and computer credentials. Now when people hear the word “cache” they sometimes get confused about what we mean here. Passwords themselves are “cached” in the local database until they are changed; and of course that change has to occur on a writable domain controller. By default an RODC does not store user and computer credentials. If you look at the screenshot below of my RODC we now have a new tab when a server is promoted to an RODC for Password Replication Policy. This is where you can explicitly allow or deny credential caching.
- Administrator Role Separation – The cool thing about this is you can delegate the local administrator role on an RODC to any domain user without granting that user any rights on the domain or other domain controllers. This is great for allowing a local user at a branch office to perform maintenance work on the server such as upgrading a driver but prevents them from doing anyhing else.
- Read-Only Domain Name System – An RODC can in fact be a DNS server which means it can replicate all application directory partitions that DNS uses such as ForestDNSZones and DomainDNSZones. Clients are able to query a DNS server installed on an RODC for name resolution just like they would query any other DNS server. However the DNS server installed on the RODC does not support client updates directly; instead when a client attempts to update a DNS record against an RODC the server returns a referral. Updates are then made on the DNS server that is writable or attempted to make the update.
So when you look at the RODC functionality in Windows Server 2008 you might be thinking this is a throwback to the old BDC days of Windows NT 4.0. Well it’s a lot more than that and really a critical piece in our overall branch office story.
So even though I didn’t get to demo the other night at the meeting I thought the session went well and hopefully I’ve answered some of the questions raised in this post. If not send me an email or drop a comment on my blog!