What Are Read-Only Domain Controllers (RODC)?

Sean-Philip
In Windows Server 2008 a new kind of domain controller was added, known as a Read-Only Domain Controller (RODC). RODCs are a new, more secure form of domain controller that was not possible in previous versions of Windows. To fully understand the significance of the new RODC role, let's take a high-level look at what makes up this role.

Read-Only Domain Controllers Overview

An RODC, simply put, is a domain controller that hosts a read-only replica of the AD DS database. Before we can fully appreciate why an RODC is such a significant advancement, let's look at three hypothetical situations that can occur:

-The domain controller is placed in a location where physical security cannot be enforced. There is no high degree of confidence that unauthorized individuals will be unable to access it.

-An application must be installed on a domain controller because it needs direct access to the AD DS database, but it has to be maintained by an individual who does not have the skills or the trust necessary to be given access to AD DS.

-Network bandwidth is at a premium between a remote site and the parent site. Increases in replication traffic might negatively impact performance and/or cause failures.

None of the above scenarios is uncommon; they were generally experienced where remote or branch offices were present. In those situations Domain or Enterprise administrators had to find creative solutions, which might require unsupported configurations, creative design or expensive third-party products.

The biggest difference between an RODC and a DC is how the copy of the directory database is handled. As the name implies, a Read-Only DC holds a non-writeable copy of the directory database. On traditional domain controllers, changes to the domain can be made on any domain controller and are then replicated out to every other DC in the domain. With an RODC the process is different: changes are made on a writeable domain controller and are then replicated to the RODC. With this method a location that has an RODC still has the latest copy of the directory database, but because changes cannot be made locally, someone at a remote office cannot make changes that might compromise the forest.

Read Only Domain Controller Features

Let's look a little closer at the features that make up an RODC in order to better understand how it may be deployed later on in an enterprise.

-The database hosted on a Read-only Domain Controller is non-writeable and therefore cannot be manipulated either inadvertently or maliciously by an untrained admin or an intruder.

-If DNS is configured with an Active Directory-integrated zone, its records cannot be manipulated when the zone is hosted on an RODC.

-Passwords can be safeguarded if credential caching is disabled on the server.

-Administration of the server can be delegated to a local Administrator or domain user instead of a domain admin.

-Administrator Role Separation: You can delegate a local Administrator role to a domain user.

-All objects and attributes that are located in Active Directory are still present on an RODC.

-All replication involving an RODC is unidirectional; in other words, changes are replicated to the RODC from other DCs, never from the RODC to other DCs.

-Applications hosted on an RODC can still write to the Active Directory database: the RODC refers the write to another, writeable DC.

Benefits of DNS Integration on RODC

-Dynamic updates are not supported on a DNS zone that is hosted on an RODC.

-Clients needing to update their DNS records are referred to a writeable DNS zone hosted on a traditional DC.

Security Measures

-Unless otherwise enabled an RODC does not store user or computer credentials.

-An RODC can cache passwords to enhance performance if desired.

Note: Caching of passwords is controlled via policy configured for the domain controller (the RODC's Password Replication Policy).

Additional Benefits of using an RODC:

-The RODC does not require a domain administrator to make configuration changes to the server.
-A domain user can be delegated permissions to perform standard tasks on the server, such as installing new software.
-If an unauthorized party obtains credentials for the purpose of logging into the server, they cannot make changes to Active Directory. In fact, in these cases a domain administrator can force a reset of the passwords that have been compromised in order to reestablish a secure environment.
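The credential-caching control described under Security Measures and the compromised-password reset above both revolve around the RODC's Password Replication Policy. The following PowerShell audit is an added example, not code from the original article: it lists which principals the RODC is allowed to cache, which accounts it has actually cached, and flags any privileged ones. It assumes the RSAT ActiveDirectory module and uses a placeholder RODC name.

```powershell
# Added example, not part of the original article. Audits an RODC's Password
# Replication Policy (which governs the credential caching described above)
# and lists the accounts whose secrets are already cached on it.
# Assumes the RSAT ActiveDirectory module; $RodcName is a placeholder.
Import-Module ActiveDirectory

$RodcName = 'BRANCH-RODC01'   # placeholder: substitute the RODC's hostname

# Groups whose members should never have secrets cached on a branch RODC.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$PrivilegedSids = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object { $_.SID.Value }
}

# The policy itself: principals allowed and denied to have passwords replicated.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied
"Allowed to cache on ${RodcName}: " + (($allowed | ForEach-Object Name) -join ', ')
"Denied on ${RodcName}: "          + (($denied  | ForEach-Object Name) -join ', ')

# Accounts whose secrets are actually stored on this RODC. This is the set an
# intruder with physical access to the box could recover, so it is the set to
# reset if the RODC is ever lost or compromised.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts

$report = foreach ($account in $revealed) {
    [pscustomobject]@{
        Account    = $account.SamAccountName
        ObjectType = $account.ObjectClass
        Privileged = $PrivilegedSids -contains $account.SID.Value
    }
}
$report | Sort-Object Privileged -Descending | Format-Table -AutoSize

$exposed = @($report | Where-Object Privileged)
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) privileged account(s) have secrets cached on $RodcName."
    # Remediation, as the article describes: deny them in the policy and reset the
    # compromised passwords. Left commented so this script stays read-only.
    #   Remove-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -AllowedList $exposed.Account
    #   Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -DeniedList $exposed.Account
    #   $exposed.Account | ForEach-Object { Set-ADAccountPassword -Identity $_ -Reset }
}
```

Run it from a writeable DC or an admin workstation with RSAT; the revealed-accounts list is also what to review before the RODC ships to a branch.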

Read Only Domain Controller Usage Scenarios

In Windows Server 2008 the scenarios described above can be addressed through the use of RODCs, for example:

-If physical security of the domain controller cannot be ensured, an RODC can be used, as changes cannot be made maliciously on the DC. In the event that an intruder gains access, not only can records not be changed, but the ability to obtain credentials (usernames and passwords) is limited, as they are not cached by default.

-If an application must be installed on a DC and must be maintained by a non-domain administrator, an RODC can be deployed. In remote or branch office scenarios it is not uncommon for location-specific applications to be installed, so the ability to install and maintain them locally is vital. Through the use of an RODC, administration of the application can be delegated without granting domain admin permissions. In the event that an application needs to modify Active Directory, these writes are referred to another, writeable, domain controller.

-In situations where network performance is an issue, an RODC may be deployed to reduce the amount of replication sent across the network. Since replication with an RODC is unidirectional, traffic across the network is reduced. Additionally, credential caching can be enabled on an RODC, reducing the time and traffic spent querying another domain controller for authentication.

In Summary
Read Only Domain Controllers represent a new way to deploy domain controllers into environments where security is an issue.

Published by Sean-Philip

I have over 15 years of experience in the IT field covering topics such as networking and security.