Functionalities Of Read Only Domain Controllers Computer Science Essay


This essay has been submitted by a student.

A read-only domain controller (RODC) is a new type of domain controller introduced in Windows Server 2008. It makes it practical to deploy a domain controller in locations where the physical security of the server cannot be guaranteed. An RODC holds a read-only copy of the Active Directory database, so accidental or malicious changes made on that server cannot spread to the rest of the domain.

Before Windows Server 2008 was released, a branch office user had to authenticate over a wide area network (WAN) link with a domain controller in the main office, or rely on a local domain controller that did not have adequate physical security. Neither solution is efficient. If the branch has a read-only Active Directory database, branch users can log on faster and reach authenticated resources on the network more efficiently, and the physical security problem of deploying a traditional (writable) domain controller is reduced.

Setting up the RODC

Go to Administrative Tools and choose Active Directory Users and Computers.

Right-click the Domain Controllers OU. Click Pre-create Read-only Domain Controller account to launch the wizard and create the account.

Then, add the new (read-only) domain controller to the existing domain.

State the name of the domain in which to install the additional domain controller.

Click the "Set…" button and specify the account credentials to use to perform the installation.

Next, select a site for the new domain controller.

The Read-only domain controller (RODC) check box is already selected.

Then, specify any user or group who will be able to install and manage the RODC later.

After that, a summary of all the options selected so far is shown.

Once the setup of the newly added RODC is complete, the server must be rebooted, after which it is ready to run with the configured role. Within Active Directory Users and Computers, the RODC's type is shown so that it can be distinguished from the other domain controllers.
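The same staged deployment as a script, added here as an example that is not part of the essay: the account is pre-created and delegated on a writable domain controller, then the branch server is attached to that account without Domain Admin rights. It uses the ADDSDeployment module, which exists from Windows Server 2012 onward (on Windows Server 2008 itself the equivalent is dcpromo.exe with an answer file); the domain, server, site and group names are placeholders.

```powershell
# Added example, not from the essay. Placeholders: corp.example.com, RODC01,
# Branch01, CORP\Branch01 RODC Admins, CORP\Branch01 Users.

# Step 1 - on a writable domain controller, as a Domain Admin: pre-create the
# RODC account, pick its site, delegate installation/administration to a branch
# group, and allow caching for the branch's own users (see Credential Caching).
Import-Module ADDSDeployment
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'RODC01' `
    -DomainName 'corp.example.com' `
    -SiteName 'Branch01' `
    -DelegatedAdministratorAccountName 'CORP\Branch01 RODC Admins' `
    -AllowPasswordReplicationAccountName @('CORP\Branch01 Users') `
    -InstallDns:$true

# Step 2 - on the branch server, logged on as a member of the delegated group:
# attach the server to the pre-created account. The cmdlet reboots the server
# when it finishes (the step the essay describes as "reboot and then ready").
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -UseExistingAccount `
    -Credential (Get-Credential -Message 'Delegated branch admin account') `
    -InstallDns:$true `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# Step 3 - from any domain-joined admin host: the new DC reports IsReadOnly = True
Import-Module ActiveDirectory
Get-ADDomainController -Identity 'RODC01' | Select-Object Name, IsReadOnly, Site
```

Step 1 is the only part that needs domain-wide privilege; the credentials typed in step 2 never need to be a Domain Admin account, which is the point of pre-creating the account.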

Functionalities of Read-Only Domain Controller

Several functionalities of the read-only domain controller address the problems that branch offices typically raise: physical security, limited network bandwidth, and a lack of local expertise to support the office.

Read-Only AD DS Database

A read-only domain controller holds the same user accounts and attributes as a writable domain controller, except account passwords. The Active Directory Domain Services database on an RODC is a read-only database, and this is a fundamental security feature that limits the damage when an RODC is compromised. Attackers cannot make changes directly on the RODC, so changes a malicious user makes at a branch location cannot corrupt the forest, because they are never replicated back. This is also pivotal where physical security cannot be guaranteed, because gaining physical access to a writable domain controller puts the entire forest at risk.

The RODC performs normal inbound replication from the hub site for Active Directory and DFS changes. Sensitive information, such as the credentials of members of Domain Admins, Enterprise Admins and Schema Admins, is not included in the Active Directory database of the RODC; these accounts are excluded from credential replication to RODCs by default. Hence, the administrator does not have to worry that someone gains access to the entire network if the RODC is compromised. (ROGGEN, 2007)

RODC filtered attribute set

Some applications that use Active Directory Domain Services as a data store keep credential-like data in it, such as passwords, credentials or encryption keys, and administrators do not want such data to be stored on a read-only domain controller. To limit what is exposed if an RODC is compromised, the administrator can add the attribute to the RODC filtered attribute set, which prevents it from replicating to any RODC in the forest, and should then also mark the attribute as confidential. (What new functionality does this feature provide?)
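How both of those steps are carried out in practice, as an added example rather than something from the essay: membership of the RODC filtered attribute set and the confidential flag are both bits in the attribute's searchFlags schema property (0x200 and 0x80 respectively), so the change is a schema write on the schema master. The attribute name secretAppKey is hypothetical.

```powershell
# Added example, not from the essay. Requires Schema Admins membership.
Import-Module ActiveDirectory

$RodcFiltered = 0x200   # fRODCFilteredAttribute: never replicated to an RODC
$Confidential = 0x080   # fCONFIDENTIAL: readable only with the Control Access right

function Set-RodcFilteredAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "attribute '$LdapDisplayName' not found in the schema" }

    # OR the two bits into whatever flags (indexing etc.) the attribute already has
    $newFlags = ([int]$attr.searchFlags) -bor $RodcFiltered -bor $Confidential

    # Schema changes must be written on the schema master
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
        -Replace @{ searchFlags = $newFlags }

    Get-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster -Properties searchFlags |
        Select-Object DistinguishedName, @{ n = 'searchFlags'; e = { '0x{0:X}' -f $_.searchFlags } }
}

Set-RodcFilteredAttribute -LdapDisplayName 'secretAppKey'   # hypothetical attribute

# Audit: list every attribute currently in the forest's RODC filtered attribute set
# (LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 against bit 0x200 = 512)
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))' `
    -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName, @{ n = 'searchFlags'; e = { '0x{0:X}' -f $_.searchFlags } }
```

The schema master refuses to filter attributes that AD DS itself needs (system-critical attributes), which is why the set is meant for application data rather than core directory attributes. Marking the attribute confidential in the same write matters because filtering only controls replication; the confidential bit is what keeps ordinary authenticated users from reading the value on the writable domain controllers.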

Unidirectional Replication

An RODC never initiates replication changes, because objects in its read-only database are never changed directly. Active Directory Domain Services in Windows Server 2008 therefore uses unidirectional replication for RODCs: an RODC always receives updates for AD DS objects from a writable domain controller and never sends any.

Unidirectional replication applies to both AD DS replication and SYSVOL replication through the Distributed File System (DFS). This reduces the number of domain controllers that must be deployed in the hub site and the total number of connection objects, because inbound connection objects do not have to be created on the hub domain controllers for each branch domain controller. As a result, less configuration of hub-site Windows Server 2008 domain controllers has to be planned than for Windows Server 2003 domain controllers, and the end-to-end synchronization time for the enterprise is reduced. Writable domain controllers in the hub can be configured to replicate updates to a larger number of RODCs concurrently. This also helps security changes, such as updates to fine-grained password policies or updates to the RODC filtered attribute set (FAS), propagate more rapidly.

Credential Caching

Credential caching is the storage of user account or computer account credentials on the RODC. Account credentials consist of a small set of attributes associated with security principals. Credential caching is designed to improve logon times without weakening security: caching happens only after a user or computer has authenticated successfully against the RODC. This keeps the set of credentials stored on an RODC small, so a malicious user who gains access to an RODC can only attempt to crack the credentials cached there.

In addition, the Password Replication Policy (PRP) of an RODC in a given branch office can be configured to cache the credentials of all users and computers that reside in that branch office. After a user or computer authenticates successfully, the RODC contacts a writable domain controller to request a copy of the appropriate credentials. If the RODC's Password Replication Policy permits caching of those credentials, the RODC caches them and from then on services that account's authentication requests directly, until the credentials change.

The benefit of credential caching is password protection at branch offices: it minimizes the credentials exposed if an RODC is compromised. If an RODC is stolen, the passwords of the user and computer accounts whose credentials were cached on it can be reset. Credential caching can also be left disabled, which limits the eventual exposure even further, but it increases WAN traffic, because every authentication request is then forwarded to a writable domain controller in the main hub site.
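The three operations described above (configuring the PRP, seeing which accounts the RODC has actually cached, and resetting those accounts after a theft) as an added example that is not the essay's own material. It assumes the ActiveDirectory module (RSAT) and uses placeholder names (RODC01, Branch01 Users, Branch01 Computers); the privileged groups stay uncached because the built-in Denied RODC Password Replication Group is already on the denied list.

```powershell
# Added example, not from the essay. Run from an admin host with RSAT as a Domain Admin.
Import-Module ActiveDirectory
$Rodc = 'RODC01'   # placeholder RODC name

# 1. Allow this branch's users and computers to be cached on this RODC only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch01 Users', 'Branch01 Computers'

# 2. Review the resulting policy: Allowed plus the default Denied entries.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name

# 3. Optional pre-population: push the secrets of allowed accounts to the RODC now, so a
#    first logon still works while the WAN is down (the RODC only caches on demand otherwise).
$writable = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
Get-ADGroupMember -Identity 'Branch01 Users' | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source $writable -Destination $Rodc -PasswordOnly
}

# Random password for resets (bytes from the OS CSPRNG mapped onto a character set).
function New-RandomPassword {
    param([int]$Length = 20)
    $chars = [char[]](65..90) + [char[]](97..122) + [char[]](48..57) + [char[]]'!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# 4. Theft response: the RODC keeps a list of every account whose secret was ever
#    revealed to it. Resetting those passwords makes whatever is on the stolen disk useless.
function Invoke-RodcTheftResponse {
    param([Parameter(Mandatory)][string]$RodcName)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    foreach ($acct in $revealed) {
        if ($acct.ObjectClass -eq 'user') {
            $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $pw
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
            [pscustomobject]@{ Account = $acct.SamAccountName; Action = 'password reset' }
        } else {
            # Computer accounts re-key their own secure channel; do it from the machine.
            [pscustomobject]@{ Account = $acct.SamAccountName; Action = 'run Reset-ComputerMachinePassword on host' }
        }
    }
}

# Invoke-RodcTheftResponse -RodcName $Rodc
```

Deleting the stolen RODC's computer account in Active Directory Users and Computers offers the same reset as a wizard; the scripted form is useful when the revealed list is long or when the response has to be logged. The -RevealedAccounts list, not the allowed list, is what matters after a theft: accounts that were allowed but never logged on at that RODC were never cached there.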

Administrative Role Separation

Administrative role separation lets the administrator delegate local administrator permission on an RODC to any domain user or security group. The delegated user or group has no rights in the domain or on other domain controllers. The delegated account can log on to the server and perform maintenance tasks such as upgrading a driver. In this way a security group made up of branch users, rather than members of the Domain Admins group, manages the RODC in the branch office, which is more effective because branch users are on site, and it does not compromise the security of the rest of the domain.
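The delegation can be changed after deployment, and it is worth checking that it actually separates roles. The following is an added example, not from the essay: it assumes the ActiveDirectory module, placeholder names (RODC01, Branch01 RODC Admins) and a single-domain forest, and it writes the delegated group into the RODC computer object's managedBy attribute, which is where the wizard's "delegate" choice is stored.

```powershell
# Added example, not from the essay.
Import-Module ActiveDirectory
$Rodc  = 'RODC01'                 # placeholder
$Group = 'Branch01 RODC Admins'   # placeholder branch group

# Delegate (or re-delegate) local administration of the RODC to the branch group.
$groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
Set-ADComputer -Identity $Rodc -ManagedBy $groupDn

# Role separation only helps if the delegated people are *not* also domain-wide
# admins; otherwise a compromise of the branch account is a compromise of the domain.
function Test-RodcDelegation {
    param([Parameter(Mandatory)][string]$RodcName)

    $managedBy = (Get-ADComputer -Identity $RodcName -Properties ManagedBy).ManagedBy
    if (-not $managedBy) { throw "$RodcName has no delegated administrator (managedBy is empty)" }

    $delegates  = Get-ADGroupMember -Identity $managedBy -Recursive |
                  Select-Object -ExpandProperty SamAccountName
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
                  ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
                  Select-Object -ExpandProperty SamAccountName -Unique
    $overlap = @($delegates | Where-Object { $privileged -contains $_ })

    [pscustomobject]@{
        RODC              = $RodcName
        DelegatedGroup    = $managedBy
        DelegateCount     = @($delegates).Count
        PrivilegedOverlap = $overlap      # should be empty
    }
}

Test-RodcDelegation -RodcName $Rodc
```

An empty PrivilegedOverlap is the expected result; any name listed there is a branch account that would not need the delegation at all and should be removed from the branch group or from the privileged group.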

Read-only Domain Name System

A DNS server can be installed on an RODC, and it replicates unidirectionally all DNS application directory partitions, including ForestDnsZones and DomainDnsZones. A DNS server running on an RODC does not support dynamic updates. However, clients can still query it for name resolution.

Clients cannot update records on the RODC's DNS server. When a client wants to update its own DNS record, the RODC returns a referral to a writable DNS server. The single updated record is then replicated from the writable DNS server to the DNS server on the RODC. This special single-object (DNS record) replication keeps the RODC DNS servers up to date and gives clients in the branch office fast name resolution.
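A check that the behaviour described above is in place, as an added example (not from the essay): it lists the RODC's zones to confirm they are read-only copies, then registers the local branch client and waits until the referred update has come back to the RODC through single-object replication. It assumes the DnsServer, DnsClient and ActiveDirectory modules (RSAT on Windows Server 2012 or later; on Windows Server 2008 dnscmd.exe gives the zone information) and placeholder names (RODC01.corp.example.com, branchpc01).

```powershell
# Added example, not from the essay. Run on a domain-joined branch client with RSAT.
Import-Module ActiveDirectory, DnsServer, DnsClient
$Rodc     = 'RODC01.corp.example.com'   # placeholder
$Writable = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1

# 1. Every AD-integrated zone hosted on the RODC is a read-only copy.
Get-DnsServerZone -ComputerName $Rodc | Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, IsReadOnly, ReplicationScope

# 2. Queries against the RODC work normally.
Resolve-DnsName -Name 'branchpc01.corp.example.com' -Server $Rodc -Type A   # placeholder host

# 3. Poll until the RODC's answer for a name matches the writable server's answer,
#    i.e. until the single-object replication of that record has arrived.
function Wait-RodcDnsRecord {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$RodcServer,
        [Parameter(Mandatory)][string]$WritableServer,
        [int]$TimeoutSec = 300
    )
    $expected = (Resolve-DnsName -Name $Fqdn -Server $WritableServer -Type A -ErrorAction Stop).IPAddress
    $expected = (@($expected) | Sort-Object) -join ','
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $onRodc = (Resolve-DnsName -Name $Fqdn -Server $RodcServer -Type A -ErrorAction SilentlyContinue).IPAddress
        if ($onRodc -and ((@($onRodc) | Sort-Object) -join ',') -eq $expected) { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $false
}

# The client's own registration is sent to the RODC, which refers it to a writable
# DNS server; the record then flows back to the RODC.
Register-DnsClient
$fqdn = "$env:COMPUTERNAME.corp.example.com"
Wait-RodcDnsRecord -Fqdn $fqdn -RodcServer $Rodc -WritableServer $Writable
```

A False result after the timeout means the record reached the writable server but not the RODC, which points at replication between the two rather than at the client's registration.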

An RODC is limited in that it supports only a subset of the roles and functionality normally supported on Windows Server 2008. Technologies that interface with Active Directory Domain Services can, however, generally be supported on an RODC-based server.

Active Directory Domain Services (AD DS) can now be stopped and restarted on Windows Server 2008 without a reboot. An administrator can stop AD DS to perform certain tasks and maintenance, whereas previous versions of Windows Server required a reboot into Directory Services Restore Mode (DSRM). This is an excellent feature for scripting and automating those tasks. The possible states for AD DS are: started, stopped and restore mode.

Taking AD DS offline, a task that used to require a reboot, is now available directly from the console. This gives administrators the flexibility to maintain and perform offline AD DS operations more efficiently and effectively.
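What the scripted version of such an offline task looks like, as an added example that is not from the essay: the directory service (service name NTDS) is stopped, an integrity check of the database file is run with ntdsutil.exe, and the service and the services that were stopped with it are brought back. It is run locally on the domain controller as an administrator.

```powershell
# Added example, not from the essay. Run on the domain controller as an administrator.
function Invoke-OfflineAdDsMaintenance {
    $svc = Get-Service -Name NTDS
    if ($svc.Status -ne 'Running') { throw "NTDS is $($svc.Status); expected Running" }

    # Stopping NTDS also stops the services that depend on it (KDC, Intersite
    # Messaging, DNS Server, DFS Replication); -Force accepts that. While it is
    # stopped, logons for this site are served by other domain controllers.
    Stop-Service -Name NTDS -Force
    (Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

    try {
        # The integrity check needs the database offline; previously that meant a DSRM reboot.
        & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
        if ($LASTEXITCODE -ne 0) { Write-Warning "ntdsutil exited with code $LASTEXITCODE" }
    }
    finally {
        # Always bring the directory back, even if the check failed.
        Start-Service -Name NTDS
        (Get-Service -Name NTDS).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
        # Make sure the dependent services are running again too.
        'kdc', 'IsmServ', 'DNS', 'DFSR' | ForEach-Object {
            Start-Service -Name $_ -ErrorAction SilentlyContinue
        }
    }

    Get-Service -Name NTDS, kdc, IsmServ, DNS, DFSR -ErrorAction SilentlyContinue |
        Select-Object Name, Status
}

Invoke-OfflineAdDsMaintenance
```

The try/finally is the important part of the design: the stopped state is the one an administrator does not want to leave behind, so restarting NTDS must not depend on the maintenance step succeeding.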

An RODC can replicate domain partition data and updates only from a domain controller running Windows Server 2008, although it can replicate other data from domain controllers running Windows Server 2003. Thus, a writable Windows Server 2008 domain controller should be available in the site nearest to the RODC (lowest site-link cost) in the replication topology.

When to use Read-Only Domain Controller

There are a few ways to support branch offices. Some options, and their drawbacks, are described below.

The first option is to keep all servers in the main office and give branch office users connectivity to those servers over a WAN link. If the link goes down, users cannot work, because they cannot reach the server resources. WAN links are usually slow and unreliable, so productivity may also suffer even while the WAN link is functioning.

The next option is to place at least one domain controller in the branch office. That domain controller usually also acts as a DNS server and a global catalog server, so users in the branch office can at least log on to the network if the WAN link goes down. Other servers may be located in the branch office as well, depending on the nature of the branch office users' jobs.

The drawback of this method is cost. For example, the organization may have to spend a lot of money on server hardware and on the necessary software licenses if it places servers in branch offices. Support cost is a concern too: an organization needs to consider whether to hire full-time IT staff to support the branch office, or to bear the time it takes IT staff to travel from the main office to the branch office whenever on-site support is needed.

This is where the read-only domain controller plays an important role. Improving security in branch offices is the main objective of the RODC. People in the branch office cannot make changes to the Active Directory database, because it can only be read. Furthermore, no account password information is replicated to the RODC, so someone who steals it cannot use the information for hacking purposes. Since account password information is not written to the RODC, the amount of replication traffic that flows across the WAN link is also reduced.