If you took a look at my previous Windows Server 2008 screencasts, you'll recall we left off with a Core server that had been activated and joined to our test domain. Sorry for the delay, end-of-year happened. Now things get interesting. This time, we're going to take that member server and convert it into a Read Only Domain Controller (RODC). Now you might be thinking, why on earth is Microsoft creating such a feature set? Isn't this beast a throwback to the NT read-only BDC days? Nope.
A Read Only Domain Controller (RODC) is an additional domain controller for a domain that hosts read-only partitions of the Active Directory database. An RODC is designed primarily to be deployed in a branch office environment. Branch offices typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and little local IT knowledge.
RODCs address some of the problems that might be caused by branch office locations that either have no domain controller or that have a writable domain controller but not the physical security, network bandwidth, and local expertise to support it. The following characteristics of RODCs help to solve these problems:
- Read-Only Active Directory Database
- Unidirectional Replication
- RODC Filtered Attribute Set
- Credential Caching
- Administrator Role Separation
- Read-Only Domain Name System
In this screencast, we are going to convert a Windows Server 2008 Core virtual machine into a read-only domain controller (also a VM). The VM is currently just a member server in the contoso.com domain. Conversion is pretty easy using a tool that has been around for years and years called DCPROMO.
For our screencast, we are going to focus on credential filtering, or more accurately password caching, depending on your point of view. We'll get to some of the other features in future screencasts. By filtering, I mean that we can limit the Kerberos tickets/passwords that are cached on an RODC. Now why on earth would you want to do that? Well, think about the thieves of the world. If someone breaks into your branch location, would you rather that server disappear with all of your IDs and passwords, or with a much smaller subset of the overall organization? I think most people would agree a much smaller subset is more prudent.
Running DCPROMO in text mode
DCPROMO is normally a nice GUI wizard, unless you are staging servers and running the command line version. Running the GUI wizard presents a problem on a Windows Server 2008 Core machine because we don't have much of a GUI at all. To work around this, we can run DCPROMO from the command line using an answer file with the details of the implementation we want. You'll notice in the text file we create (shown below) that we want the result of the promotion to be a ReadOnlyReplica. The text file contents below are an incomplete implementation of the details. You'll need to modify them to meet your local implementation needs. See the documentation (references at the bottom) for the full details of the parameters in this file.
OnDemandAllowed=The name(s) of groups whose members' passwords will be allowed to be cached on the RODC
OnDemandDenied=The name(s) of groups whose members' passwords will NOT be allowed to be cached on the RODC
Password=Domain Admin password
ReplicaDomainDNSName=Full DNS name of the domain
ReplicationSourceDC=Name of a Windows Server 2008 domain controller in the same domain
SafeModeAdminPassword=Choose an appropriate password to use for Directory Services Restore Mode
SiteName=RODC Site Name
UserName=Domain Admin account name
Now that we know what dcpromo expects, we can simply kick it off on the command line as follows:
myfile.txt can be any name you choose. The contents are the important part, not the name. That's always confusing to me when some programs expect a particular filename. Silly programmers. Can't live with em, can't ...
After dcpromo starts running, you'll know pretty quickly whether you have the appropriate permissions and network connectivity. It installs the binaries it needs and starts communicating with the source DC rather quickly. After it downloads the schema and objects, you'll be prompted for a reboot. As indicated in the parameter file above, you can reboot automatically at the end of the installation. After the reboot is complete, you can start filtering the cached credential list. So how do we filter this list? Easy!
Creating Password Replication Policies
After the member server is converted, you'll see the machine account move to the Domain Controllers container in Active Directory. Using the Active Directory Users and Computers console, we can review and modify the properties of our new RODC. While looking at the properties for the RODC, you'll notice a new Password Replication Policy tab page. From that page, we can modify the policies by explicitly allowing or denying password caching, check which credentials are currently cached on our server, and check which accounts have authenticated through it.
If you are confused by multiple policies, there is a tool that can be executed from the Resultant Policy tab page that gives us the result of all policies applied to a particular principal. This is a great way to see who was allowed (and therefore has cached creds), who was denied implicitly, and who was denied explicitly.
Now if you are worried about WAN traffic and latency from the branch location to the home office data center, you can always stage and pre-populate the credentials. See the screencast for how to do that.
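Here is an added example of auditing the Password Replication Policy and staging passwords the way the post describes; it is my own code, not the screencast's, and it assumes a management host with the ActiveDirectory PowerShell module (RSAT for Windows Server 2008 R2 or later, so not the 2008 Core box itself). The names BRANCH-RODC1, HUB-DC1 and Branch-Users are placeholders.

```powershell
# Added example, not code from the original post. Audits an RODC's Password
# Replication Policy (PRP) and optionally pre-populates branch passwords.
# Requires the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

$Rodc        = 'BRANCH-RODC1'   # assumed RODC host name
$HubDc       = 'HUB-DC1'        # assumed writable DC in the hub site
$BranchGroup = 'Branch-Users'   # assumed group that is on the Allowed list

# 1. Who is explicitly allowed and denied by this RODC's PRP.
Write-Host "Allowed to cache on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
Write-Host "Denied (never cached on $Rodc)"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 2. What a thief would actually get: accounts whose secrets are already
#    stored on this RODC (revealed), plus everyone who authenticated
#    through it (candidates for the Allowed list if WAN latency hurts).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$authed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
Write-Host ("{0} account(s) revealed, {1} authenticated via {2}" -f @($revealed).Count, @($authed).Count, $Rodc)

# 3. Flag any revealed account that sits in a privileged group. A Domain
#    Admin's password on a branch box defeats the point of the RODC.
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators'
foreach ($acct in $revealed) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct | Select-Object -ExpandProperty Name
    $hit = $groups | Where-Object { $privileged -contains $_ }
    if ($hit) {
        Write-Warning "$($acct.Name) is cached on $Rodc but belongs to: $($hit -join ', ')"
    }
}

# 4. Staging step from the post: push only the password (not the whole
#    object) of branch users from the hub DC to the RODC before shipping it.
#    Sync-ADObject -PasswordOnly fails for accounts the PRP does not allow.
Get-ADGroupMember -Identity $BranchGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Sync-ADObject -Object $_ -Source $HubDc -Destination $Rodc -PasswordOnly
    }
```

Run the first three steps regularly: the revealed list, not the Allowed list, is the set of credentials that walk out the door with the server.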
The screencast covers pretty much everything you see written above and then some. It's just over 11 minutes so it's a concise demo of the concepts and methods. At the end of the screencast is a brief discussion of staging and pre-populating passwords for branch office server deployment.
If you have a podcatcher that supports Windows Media Video, you'll notice I have a link to the video in the attachment section at the bottom of this post. This will create an RSS <enclosure> and allow you to pull it off my server. If you aren't using a podcatcher, then you can right-click the link and save it locally for offline viewing and listening.
Additional Resources and References
TechNet RODC Step-by-Step @ http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true.
Windows Server 2008 Technical Library @ http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true.
Michael Murphy's webcast on Windows Server 2008 Active Directory @ http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032343629&CountryCode=US.
Maria Green's blog post @ http://blogs.technet.com/mariaj/archive/2007/05/28/windows-server-2008-scenarios-part-iii.aspx.