I've had a few people interested in the process of introducing this concept of an RODC into a Windows Server 2003 forest. In this blogcast I'm showing how you can use the Windows Server 2008 installation option of Server Core in combination with RODC to provide a really secure branch appliance.
Firstly, let me cover off what each of these is before you watch the blogcast.
RODC stands for Read Only Domain Controller. Think of it as an Active Directory credential cache: it only replicates and stores the user credentials you set through policy to replicate, rather than holding an entire copy of the domain's secrets. This has the benefit of minimising risk in branch office locations where physical security is a problem. After all, if the branch domain controller gets stolen today then what's your immediate and proper response? Reset every password in the domain! That includes administrative and service accounts along with all the user accounts, and could be quite a problem and very expensive to your business. With an RODC, if one gets stolen then you only reset those passwords that were actually replicated to the RODC, which is a small subset of the accounts in comparison and definitely no service accounts. The best practice with RODC is to only set policy to replicate low privilege accounts, limited to those people that actually reside in that branch... and yes, this can work in a Windows Server 2003 forest!
Server Core is an installation option of Windows Server 2008. It's GUI-less and limited to specific roles. The main ones are Active Directory, DNS, DHCP, DFS, general File and Print Services, and IIS without ASP.NET. There are some others of course! The main benefit here is a much reduced set of binaries actually installed on the server, which makes it lean and mean and leaves far less to patch or attack. In fact my Server Core image only runs on 150MB of RAM, and that's even when it's running Active Directory, DNS and DFS-R. More info at the Server Core website.
Now imagine these two technologies together and add BitLocker into the mix, which will also be supported on Windows Server 2008 and of course Server Core. What exactly is an attacker going to do if he/she steals a BitLockered branch server that's running Server Core and RODC? The drive is AES 128-bit encrypted and there are no high privilege creds to steal. Wipe and load!
So anyhow, here's how you do a DCPROMO on a Server Core machine. I've included my unattend file for your own use. Fill in the blanks with your own domain information, usernames and passwords.
Setting up for an RODC
Promoting the Server Core machine on the command line
Finalising the RODC policies
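As an added illustration of the three steps above (this is a constructed example, not the author's own unattend file, which is not reproduced on this page), here is the shape of a dcpromo answer file that promotes a Server Core box to an RODC in an existing domain. The domain name, site name, source DC, group names, account name and paths are all placeholders to replace with your own values.

```ini
; Constructed example dcpromo answer file for an RODC on Server Core.
; Every value below is a placeholder; none of it is taken from the blog post.
[DCInstall]
; Join an existing domain as a read-only replica, not a writable DC.
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
; The AD site for the branch office (create it in Sites and Services first).
SiteName=Branch-Office
; Pull the initial replica from a named writable Windows Server 2008 DC in the hub.
ReplicationSourceDC=hub-dc01.corp.example.com
; Host DNS locally so branch clients keep resolving if the WAN link is down.
InstallDNS=Yes
ConfirmGc=Yes
; Password Replication Policy: only cache the secrets of low-privilege accounts
; that actually work at this branch (a group you create for that purpose).
PasswordReplicationAllowed=CORP\Branch-Office-Users
; Explicitly refuse to cache service accounts on the branch box.
PasswordReplicationDenied=CORP\Service-Accounts
; Account with rights to add a domain controller; * prompts for the password
; at run time so it does not have to sit in the file.
UserDomain=corp.example.com
UserName=svc-dcpromo
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode password; keep it in your password safe.
SafeModeAdminPassword=REPLACE_WITH_DSRM_PASSWORD
RebootOnCompletion=Yes
```

On the Server Core box the promotion is then just `dcpromo /unattend:C:\rodc-unattend.txt` typed at the command prompt. Before that will succeed in a Windows Server 2003 forest you need to have run `adprep /rodcprep` (on top of the usual forestprep and domainprep) and to have at least one writable Windows Server 2008 domain controller in the domain. The built-in Denied RODC Password Replication Group already blocks Domain Admins, Enterprise Admins, krbtgt and the other privileged principals, so the deny entry above only needs to cover what you add yourself, such as service accounts. After promotion, `repadmin /prp view <rodc-name> reveal` lists every account whose password has actually been cached on the branch DC, which is exactly the list you would need to reset if the box walked out of the door, and `repadmin /prp add <rodc-name> deny <principal>` tightens the policy further without a second promotion.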