Wed, Nov 25 2009 15:29
Branch Office: Creating a Read Only Domain Controller
Branch offices come with a whole set of considerations and not the least of which is they generally are less secure than the main office. This is a critical concern for putting a domain controller in each office. The primary issue in almost every branch office is managing bandwidth across the wide area network. If you lose authentication request because of network outages the office can be rendered unproductive and so having a domain controller in the branch can effectively relieve the need to authenticate back to the main office. RODCs are designed to be deployed in locations that have a critical need for local authentication and authorization services but that also lack the trustworthiness and physical security requirements that are appropriate for a writable domain controller.
The following comes from a number of planning documents released by Microsoft.
What Is an RODC?
Read-only domain controllers (RODCs) are a new feature of Active Directory Domain Services (AD DS) in Windows Server 2008. RODCs are additional domain controllers for a domain that host complete, read-only copies of the partitions of the Active Directory database and a read-only copy of the SYSVOL folder contents. By selectively caching credentials, RODCs address some of the challenges that enterprises can encounter in branch offices and perimeter networks (also known as DMZs) that may lack the physical security that is commonly found in datacenters and hub sites. RODCs also offer a number of manageability improvements that are described in this guide. This section describes how RODCs work with the rest of the Active Directory environment, the main differences between RODCs and writable domain controllers, and the RODC features that can help resolve a number of security or manageability issues.
- Read-Only Active Directory Database, SYSVOL, and Unidirectional Replication
- RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC
- Administrator Role Separation
- Differences Between an RODC and a Writable Domain Controller
- Advantages That an RODC Can Provide to an Existing Deployment
So what are the prerequisites to install a 2008 Read Only Domain Controller? Here are a few.
Prerequisites for Deploying an RODC
Complete the following prerequisites before you deploy a read-only domain controller (RODC):
- Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher.
Constrained delegation supports security calls that must be impersonated under the context of the caller. Delegation makes it possible for applications and services to authenticate to a remote resource on behalf of a user. Because it provides powerful capabilities, typically only domain controllers are enabled for delegation. For RODCs, applications and services must be able to delegate, but only constrained delegation is allowed because it prevents the target from impersonating again and making another hop. The user or computer must be cacheable at the RODC for constrained delegation to work. This restriction places limits on how a rogue RODC may be able to abuse cached credentials.
- Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008. The adprep commands extend the Active Directory schema and update security descriptors so that you can add Windows Server 2008 domain controllers.
- Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:
- Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema. For more information, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008.
- Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008.
- If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep. For more information, see Prepare a Forest for a Read-Only Domain Controller. For more information about how to resolve possible errors when you run adprep /rodcprep, see Adprep /rodcprep can have an error if the infrastructure master for an application directory partition is not available.
- Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file. For more information, see Installing an Additional Windows Server 2008 Domain Controller (http://go.microsoft.com/fwlink/?LinkID=93254).
- Deploy at least one writable domain controller running Windows Server 2008 in the same domain as the RODC. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008. For fault tolerance, you should deploy at least two writable domain controllers running Windows Server 2008. An RODC can use the second domain controller for failover if the first domain controller is not available.
All in all Branch offices are complex and it requires some comprehensive planning to manage the environment. Security and Authentication are only one aspect. This is one area where partners earn their living since you need to have a number under your belt before you even begin to feel comfortable.
Filed under: Architecture, Branch Office, Partner Value, RODC
Subscribe in a reader