
Windows Server 2008 Read Only Domain Controller RODC


The release of Windows Server 2008 introduced many new features; one of the most interesting from a security perspective is the ability to promote a server as a Read Only Domain Controller (RODC).

The idea behind the Read Only Domain Controller is to let you deploy into branch offices domain controllers that are read only: they hold a copy of the directory but cannot be used to modify objects or their attributes, and they do not store account passwords unless you explicitly allow it. A branch server is more likely to be stolen or poorly guarded than a hub DC, so an RODC limits what an attacker gains from it and improves the security of your domain and forest. In addition to that, an RODC gives branch users faster logon times and more efficient access to network resources, because once their credentials are cached authentication no longer has to cross the WAN.

To deploy a Read Only Domain Controller you need at least one writable domain controller running Windows Server 2008 in the same domain (an RODC replicates only from a writable Windows Server 2008 DC), and the forest functional level must be at least Windows Server 2003. In a forest that was not created with Windows Server 2008 domain controllers you must also run adprep /rodcprep once, from the Windows Server 2008 media on a writable DC, before the first RODC is promoted.

Figure 1 below shows the Dcpromo page with the option that needs to be checked to promote the server as a Read Only Domain Controller. After it is checked you are presented with two additional pages that you don't see in a traditional dcpromo: the first (Figure 2) sets the Password Replication Policy, i.e. which user and computer accounts may have their passwords replicated to (cached on) this RODC and which are explicitly denied; the second (Figure 3) asks which user or group to delegate as the local administrator of the RODC. That delegated user or group can also attach a server to a pre-created RODC account and complete the RODC installation without being a Domain Admin.

Figure 1 "Windows Server 2008 Read Only Domain Controller Install Option"

Figure 2 "Windows Server 2008 Read Only Domain Controller RODC Password Replication Policy"

Figure 3 "Windows Server 2008 Read Only Domain Controller RODC Delegation of RODC account"
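The following PowerShell is an added example and not part of the original article: it performs the prerequisite checks described above and then runs the same RODC promotion the wizard does in Figures 1 to 3 unattended, so the Password Replication Policy and the delegated administrator end up in one reviewable answer file instead of a sequence of clicks. The domain, site, group, server and account names are assumptions; run it in an elevated PowerShell on a domain-joined branch server.

```powershell
# Added example (not from the article). All names below are assumptions.
$domain       = 'corp.example.com'            # assumed domain the RODC joins
$siteName     = 'Branch01'                    # assumed AD site of the branch office
$sourceDC     = 'DC01.corp.example.com'       # assumed writable Windows Server 2008 DC
$allowedGroup = 'CORP\Branch01 PRP Allowed'   # assumed group whose secrets may be cached
$delegatedAdm = 'CORP\Branch01 RODC Admins'   # assumed group delegated local admin of the RODC
$promoAccount = 'CORP\promoadmin'             # assumed account allowed to add a DC

# --- Prerequisite 1: forest functional level must be at least Windows Server 2003 ---
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$tooLow = 'Windows2000Forest', 'Windows2003InterimForest'
if ($tooLow -contains $forest.ForestMode.ToString()) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2003 first."
}

# --- Prerequisite 2: a writable Windows Server 2008 DC exists to replicate from ---
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $domain)
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindAllDomainControllers()
$ws2008 = @($dcs | Where-Object { $_.OSVersion -like 'Windows Server 2008*' })
if ($ws2008.Count -eq 0) {
    throw "No Windows Server 2008 domain controller found in $domain; the RODC has nothing to replicate from."
}
# adprep /rodcprep must also have been run once in the forest (from the
# Windows Server 2008 media, on a writable DC) if the forest predates 2008.

# --- Answer file: the same three choices the wizard asks for in Figures 1-3 ---
# The Deny entries are the wizard's defaults. Deny always wins over Allow, so
# privileged accounts can never be cached on the branch server.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$domain
ReplicationSourceDC=$sourceDC
SiteName=$siteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$domain
UserName=$promoAccount
Password=*
PasswordReplicationAllowed="$allowedGroup"
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="CORP\Denied RODC Password Replication Group"
DelegatedAdmin="$delegatedAdm"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=ChangeMe-DSRM-Passw0rd
RebootOnCompletion=No
"@

$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

# Password=* makes dcpromo prompt for the promotion account's password instead
# of storing it on disk. The DSRM password is still in the file, so delete the
# file as soon as dcpromo returns, then reboot to finish the promotion.
& "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$answerFile"
$rc = $LASTEXITCODE
Remove-Item -Path $answerFile -Force
if ($rc -ne 0) { throw "dcpromo failed with exit code $rc; see %SystemRoot%\debug\dcpromo.log" }
shutdown.exe /r /t 0
```

The Allow list is deliberately a single branch-specific group rather than Domain Users: only accounts that actually log on at that site should ever have a secret stored on the branch box, and the group makes it obvious later which accounts to reset if the server goes missing.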

The new Read Only Domain Controller role provides the following features:

·         Read only AD database

·         Unidirectional replication

·         Credential Caching

·         Administrator Role Separation

·         Read only domain name system (DNS)

In my opinion the four most interesting features of a Read Only Domain Controller are:

Read Only AD Database

The read only database holds all AD objects and attributes except credentials: password hashes and other secrets are not replicated to an RODC unless the account is permitted by the Password Replication Policy, and attributes you add to the RODC filtered attribute set are never replicated to it at all. As the name suggests, the AD database of a DC set up as an RODC cannot be modified locally; if a change needs to be made it is made on a writable DC and then replicated to the RODC.

Unidirectional Replication

Because a Read Only Domain Controller accepts changes only through replication from a writable domain controller, replication is inbound only: nothing is ever replicated from an RODC to a writable domain controller, and writable DCs do not treat the RODC as a replication source. This prevents corrupt or malicious changes made on a less secure branch server from being replicated into the rest of your forest.
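An added example, not from the article, for the two points above: reviewing an existing RODC's Password Replication Policy with repadmin (which ships with Windows Server 2008), pre-populating the cache for branch users, and confirming that replication to the RODC is inbound only. The RODC, hub DC, group and user names are assumptions; run it as a Domain Admin from a writable DC or a machine with the AD DS tools installed.

```powershell
# Added example (not from the article). Host, group and account names are assumptions.
$rodc    = 'RODC01'                                          # assumed RODC
$hubDC   = 'DC01'                                            # assumed writable Windows Server 2008 DC
$groupDN = 'CN=Branch01 PRP Allowed,OU=Branch01,DC=corp,DC=example,DC=com'  # assumed branch group
$userDN  = 'CN=Jane Doe,OU=Branch01,DC=corp,DC=example,DC=com'              # assumed branch user

function Show-RodcPrp {
    # Dump the four lists that make up an RODC's credential-caching state.
    param([string]$RodcName)
    foreach ($list in 'allow', 'deny', 'reveal', 'auth2') {
        Write-Output "==== $RodcName : $list ===="
        # allow  : accounts whose secrets MAY be cached on this RODC
        # deny   : accounts whose secrets must NEVER be cached (deny wins over allow)
        # reveal : accounts whose secrets HAVE been cached; reset these passwords
        #          if the branch server is lost or stolen
        # auth2  : accounts that authenticated through this RODC without being cached
        repadmin /prp view $RodcName $list
    }
}

Show-RodcPrp $rodc

# Allow the branch group to be cached, then pre-populate one user's secret from
# the hub DC so the first logon during a WAN outage already succeeds.
repadmin /prp add $rodc allow $groupDN
repadmin /rodcpwdrepl $rodc $hubDC $userDN

# Unidirectional replication: the RODC's report shows inbound neighbours only,
# and the hub DC's report never lists the RODC as a source of changes.
repadmin /showrepl $rodc
repadmin /showrepl $hubDC
```

The "reveal" list is the one to keep an eye on: it is the exact set of accounts an attacker who walks off with the RODC's disk can attack offline, so it should contain only the branch's own users and computers.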

Administrator Role Separation

This allows a regular domain user or group to be delegated local administrator privileges on an RODC for routine maintenance such as installing software, updating drivers or troubleshooting connectivity issues, without being made a member of Domain Admins and without gaining any rights on writable domain controllers or elsewhere in the domain.
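An added example, not from the article, of how the delegation from Figure 3 can be read back and extended after promotion. The RODC, account and distinguished names are assumptions; run it as a Domain Admin.

```powershell
# Added example (not from the article). Names and DNs are assumptions.
$rodc   = 'RODC01'                                                        # assumed RODC
$tech   = 'CORP\branchtech'                                               # assumed branch technician
$rodcDN = 'CN=RODC01,OU=Domain Controllers,DC=corp,DC=example,DC=com'     # assumed RODC computer object

# 1. The user or group chosen on the delegation page (Figure 3) is stored in
#    the managedBy attribute of the RODC's computer object; read it back with ADSI.
$computer = [ADSI]"LDAP://$rodcDN"
Write-Output ("Delegated RODC administrator (managedBy): " + $computer.managedBy)

# 2. Add a further local administrator with ntdsutil's "local roles" menu.
#    This grants membership in the RODC's local Administrators role only; the
#    account gains no rights on writable DCs and is not placed in Domain Admins.
#    "connections" points ntdsutil at the RODC; each quoted string is one menu command.
ntdsutil "local roles" connections "connect to server $rodc" quit "add $tech administrators" "list roles for $tech" quit quit

# 3. Role separation only holds if the technician stays an ordinary domain user,
#    so confirm the account is not a member of Domain Admins.
$domainAdmins = [ADSI]"LDAP://CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"
$members = @($domainAdmins.member)
if ($members -match '^CN=branchtech,') {
    Write-Warning "$tech is a member of Domain Admins; administrator role separation is defeated."
}
```

Local roles live on the RODC itself, not in the domain partition, so a technician added this way cannot carry that privilege to another DC, which is the whole point of the feature.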

Read Only DNS

Clients cannot register or update their DNS records on an RODC because its DNS zones are read only. When a client sends a dynamic update to the RODC's DNS service, the RODC refers the client to a writable DNS server (a writable DC that hosts the zone) and the client registers its record there; the RODC then asks the writable DC for that one record with a special replicate single object request, so the new record appears on the RODC without waiting for the next scheduled replication cycle.

The Read Only Domain Controller role is an exciting and welcome addition to Windows Server 2008 that gives organizations with more than one site an additional option to secure their domain.

In the coming weeks and months The Windows Information Store will detail the new features in Windows Server 2008 and how these features apply to your environment, so drop by in the future, or better yet subscribe to our RSS feed to get our latest articles as they are released.

Comments

WindowsIS said:

Windows Server 2008 Features: Windows Server 2008 ships with many new features and improvements that takes Windows Server to a new level making it the most flexible and feature rich server platforms on the planet.

April 18, 2008 6:47 AM