Read Only Domain Controller Features Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

A Read Only Domain Controller (RODC) is a new type of domain controller in Active Directory Domain Services (AD DS), introduced with the Windows Server 2008 operating system. An RODC stores a read-only copy of the Active Directory domain database. It allows organizations to easily deploy a domain controller in locations where physical security cannot be guaranteed.

For example, a branch office often cannot provide sufficient physical security to satisfy the requirements for a writable domain controller; the network bandwidth connecting it to the central site is relatively low; it has relatively few users; and it lacks local IT expertise. These conditions increase logon times and can hamper access to network resources. In this situation, an RODC provides an easy way to deploy a domain controller more securely in an environment that requires stable and dependable authentication services but cannot ensure adequate physical security for a writable domain controller.

Read-Only Domain Controller Features

Read-only AD DS database

An RODC holds all the Active Directory objects and attributes that a writable domain controller holds, except account passwords. Changes cannot be made to the database stored on the RODC; they can only be made on a writable domain controller and are then replicated back to the RODC.

Unidirectional replication

Because changes cannot originate at the RODC, the writable domain controllers that are its replication partners do not need to pull changes from it. This means that any mistake or unverified information that a user might introduce at the branch office cannot replicate from the RODC to the rest of the forest.

This reduces the risk of mistakes, unverified information and system-wide attacks, and helps reduce the complexity of the replication topology.

RODC filtered attribute set

An organization may have applications that store credential-like data in AD DS. Such credential-like data may be encryption keys, passwords or other credentials, and you may not want it stored on an RODC in case the RODC is compromised or stolen.

For those applications, you can take two steps to prevent unnecessary exposure of credential-like data.

Add the attribute to the RODC filtered attribute set to prevent it from replicating to any RODC in the forest.

Remove the ability of RODCs to read the data by marking the attribute as confidential.

Credential caching

Credential caching is the storage of user or computer credentials on the RODC. Initially, the RODC does not store any account credentials except those of its own computer account and the special krbtgt account for that RODC.

When the RODC receives an authentication request, it forwards the request to a writable domain controller. After the account is successfully authenticated, the RODC requests a copy of the credentials from the writable domain controller so that it can process the request itself the next time the user logs on.

If the Password Replication Policy allows the credentials to be cached, the RODC can process logon requests for that account until its credentials change.

Administrator role separation

An RODC can designate users as local administrators without granting them any domain or other domain controller permissions. The delegated user can log on to the RODC to perform maintenance tasks, but cannot perform any other administrative task in the domain or log on to any other domain controller.

Read-only Domain Name System (DNS)

The DNS Server service can be installed on an RODC. If you install it, the RODC replicates all the application directory partitions that DNS uses, including "ForestDNSZones" and "DomainDNSZones", and clients can query it for name resolution as they would any other DNS server. However, the DNS server on an RODC is read-only and does not accept client updates directly.

Two Stages of Read Only Domain Controller installation

In the first stage, an administrator uses Domain Admin credentials to create the Active Directory domain controller account for the RODC and delegates to a user or group the ability to perform the second stage of the installation. This stage is usually completed at the central location by a Domain Admin.

In the second stage, the delegated RODC server administrator attaches the server to the RODC account that the Domain Admin created for it. This stage is completed by the delegated RODC server administrator at the branch location where the organization plans to deploy the RODC.

RODC Placement Considerations

An RODC must replicate the domain partition from a Windows Server 2008 writable domain controller, because only such a domain controller can enforce the Password Replication Policy for an RODC. Generally, the Windows Server 2008 writable domain controller is placed in the site closest to the site that contains the RODC, so that it can replicate the domain partition to the RODC.

If that is not possible, you can enable the Bridge all site links option to establish a site link bridge between the site link that contains the RODC and the site link that contains the Windows Server 2008 writable domain controller, so that replication to the RODC can take place.

In the illustration above, the Bridge all site links option is enabled. The Windows Server 2008 writable domain controller therefore does not need to be in the site nearest to the site that contains the RODC, and can be placed in site A rather than site B. If the site link schedules overlap and the WAN is available for long enough to complete replication, the RODC can replicate from the Windows Server 2008 writable domain controller in site A.

If the Bridge all site links option is disabled, the Windows Server 2008 writable domain controller must be placed in the site nearest to the site that contains the RODC. In the illustration above, if the RODC is placed in site C, a Windows Server 2008 writable domain controller for the same domain must be placed in site B to replicate the domain partition to the RODC. Otherwise, the RODC in site C can replicate the schema, configuration and application directory partitions, but not the domain partition.

In general, introducing an RODC should require minimal, if any, replication topology changes. Consider the illustration above: the Bridge all site links option is disabled, RODCs are placed in sites C and D, a Windows Server 2008 writable domain controller is placed in site A, and a Windows Server 2003 domain controller is placed in site B.

If you want direct replication between the RODCs and the Windows Server 2008 writable domain controller, you can do any of the following.

Create two additional site links, between sites A and C and between sites A and D, as shown in the illustration above.

Create a site link bridge that includes site link A-B, site link B-C, and site link B-D.

Add a writable domain controller running Windows Server 2008 in the intermediary site (site B).

Prerequisites for Deploying an RODC

Before deploying an RODC, the following requirements must be met.

At least one writable domain controller running Windows Server 2008 must be deployed in the same domain as the RODC, because an RODC must replicate domain updates from a writable domain controller.

Also, authentication requests received by the RODC are forwarded to that writable domain controller, and the Password Replication Policy is enforced on that domain controller when credentials are replicated to the branch location.

The forest functional level must be Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2, because linked-value replication is available only at those levels. A higher forest functional level provides a higher level of replication consistency. Only Domain Admins and Enterprise Admins are allowed to raise the level.

Activity: To raise the forest functional level

Open "Active Directory Domains and Trusts".

Right-click the forest and then select "Properties".

Verify that the value is Windows Server 2003 or 2008.

Right-click "Active Directory Domains and Trusts" in the console tree and then select "Raise forest functional level".

Under "Select an available forest functional level", select the functional level you want and then click the "Raise" button.

Run adprep /rodcprep

The domain functional level must be Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2, because Kerberos constrained delegation requires it. Constrained delegation supports security calls that must be impersonated under the context of the caller. If the forest functional level is Windows Server 2003, the functional level of every domain in that forest must be Windows Server 2003 or higher.

Run the command "adprep /rodcprep" once in the forest to update the permissions on all the DNS application directory partitions in the forest. This allows the partitions to be replicated successfully by all RODCs that are also DNS servers. Only an Enterprise Admin is allowed to run this command from a command prompt.

Activity: To run command "adprep /rodcprep"

Copy all the data in the \sources\adprep folder from the Windows Server installation DVD to the schema master.

Open a command prompt and type the following command: adprep /rodcprep.
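The prerequisite checks above (forest and domain functional level, a writable Windows Server 2008 or later domain controller in the same domain) can be verified in one pass before anyone runs adprep or the installation wizard. The script below is an added example, not code from the essay; it assumes the ActiveDirectory PowerShell module is installed (RSAT or a domain controller) and that the caller has read access to the directory. It cannot tell whether adprep /rodcprep has already been run, so that step is still a manual check.

```powershell
# Added example: verify RODC prerequisites from the ActiveDirectory module.
# Assumes the module is present and the caller can read the directory.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    param(
        # Domain in which the RODC will be deployed; defaults to the caller's domain.
        [string]$DomainName = (Get-ADDomain).DNSRoot
    )

    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName

    # The ADForestMode / ADDomainMode enums are ordered from Windows 2000 upward,
    # so an integer comparison tells us whether the level is at least Windows Server 2003.
    $minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    $forestOk  = [int]$forest.ForestMode -ge $minForest
    $domainOk  = [int]$domain.DomainMode -ge $minDomain

    # An RODC can only replicate the domain partition from a writable DC running
    # Windows Server 2008 or later, so exclude read-only and pre-2008 controllers.
    $writable2008 = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $DomainName |
        Where-Object { $_.OperatingSystem -notmatch 'Windows (2000|Server 2003)' }

    [pscustomobject]@{
        Domain                   = $DomainName
        ForestMode               = $forest.ForestMode
        ForestLevelOk            = $forestOk
        DomainMode               = $domain.DomainMode
        DomainLevelOk            = $domainOk
        Writable2008PlusDCs      = @($writable2008 | Select-Object -ExpandProperty HostName)
        WritableDcOk             = @($writable2008).Count -gt 0
        # rodcprep leaves no simple flag to query; confirm it from the adprep log on the schema master.
        ReadyForRodc             = $forestOk -and $domainOk -and (@($writable2008).Count -gt 0)
    }
}

Test-RodcPrerequisites | Format-List
```

Run it as any domain user with the module available; every field is read-only and it changes nothing in the directory. If ReadyForRodc is false, the individual Ok fields show which prerequisite from the list above still needs attention.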

Read-Only Domain Installation

There are two methods for installing an RODC, and each has its own advantages.

Direct installation: The steps for a direct installation of an RODC are the same as for installing a writable domain controller in the hub site; this installation combines the two stages of a staged installation into a single step.

In the Active Directory Domain Services Installation Wizard, select the "Read-only domain controller" check box on the Additional Domain Controller Options page. Ensure that a security group is delegated to administer the RODC.

The Password Replication Policy for an RODC can also be specified during installation. However, whether you specify it during or after installation, at least one user from the security group that you delegated to administer the RODC must have their password allowed to be cached by the Password Replication Policy. This ensures that the user can always log on to the RODC by using the delegated account instead of privileged credentials.

Staged installation: This new installation method makes it easier to deploy an RODC. You can delegate the ability to perform the installation to any domain user, so Domain Admins membership is not required to complete the installation at the remote location.

First, in the datacenter, an administrator creates a computer account in the domain for the RODC. While creating the account, the administrator specifies who will administer the RODC and whose passwords can be cached on it.

The administrator obtains the Windows Server 2008 server and has it shipped directly to the branch office where it will be used as an RODC.

A local user delegated by the administrator starts the server at the branch location and runs Dcpromo or the installation wizard to install Active Directory Domain Services and complete the RODC.
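The two stages of a staged installation map directly onto two cmdlets of the ADDSDeployment module, which on Windows Server 2012 and later replaces the Dcpromo wizard the essay describes. The following is an added example, not code from the essay; the domain corp.example.com, the account name RODC-BRANCH01, the site Branch01 and the groups Branch01-RodcAdmins and Branch01-Users are assumptions. Note that the delegated administrator group is placed in the allow list, which is the requirement stated above for the direct installation as well.

```powershell
# Added example: staged RODC installation with the ADDSDeployment module
# (Windows Server 2012+). Names are assumptions, see lead-in.
Import-Module ADDSDeployment

# Stage 1 - run in the datacenter by a Domain Admin. Creates the RODC computer
# account, names who may attach a server to it, and sets the initial Password
# Replication Policy. Domain Admins / Enterprise Admins are already covered by
# the built-in Denied RODC Password Replication Group; listing them here only
# makes the intent explicit.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'RODC-BRANCH01' `
    -DomainName 'corp.example.com' `
    -SiteName 'Branch01' `
    -DelegatedAdministratorAccountName 'CORP\Branch01-RodcAdmins' `
    -AllowPasswordReplicationAccountName @('CORP\Branch01-Users', 'CORP\Branch01-RodcAdmins') `
    -DenyPasswordReplicationAccountName @('CORP\Domain Admins', 'CORP\Enterprise Admins') `
    -InstallDns:$true

# Stage 2 - run at the branch, on the shipped server, by a member of the
# delegated group. -UseExistingAccount attaches this server to the account
# created in stage 1, so no Domain Admins credentials are needed on site.
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -UseExistingAccount `
    -Credential (Get-Credential -UserName 'CORP\branch01admin' -Message 'Delegated RODC admin') `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -InstallDns:$true `
    -Force
```

Stage 1 succeeds only if an account of that name does not already exist; stage 2 fails if the server's computer name does not match the pre-created account, which is the intended check that the branch server is the one the hub expected.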

Read Only Domain Controller Administration

Compared with a writable domain controller, an RODC requires less administration, which is an important advantage. It requires only inbound replication, and no incorrect data originating at the branch can be written to the Active Directory database.

However, the Password Replication Policy for an RODC still requires some administration. Like a writable domain controller, an RODC also needs maintenance work, including applying software updates and routinely backing up system state data.

Three aspects of administering an RODC are discussed in this section:

First, the Password Replication Policy,

Second, the Password Replication Policy in operation,

Third, Administrator Role Separation.

The Password Replication Policy

At the initial stage of deploying an RODC, the Password Replication Policy must be configured on the writable domain controller that will become the RODC's replication partner.

2.1.1 Choosing an administrative model

The Password Replication Policy for an RODC must follow an appropriate administrative model. You choose that model based on the business, organizational and administrative requirements.

The PRP is defined by two multi-valued Active Directory attributes that contain security principals such as users, groups and computers. Each RODC computer account has four related attributes: the "Allowed List", the "Denied List", the "Revealed List" and the "Authenticated List". To support RODC operations, Windows Server 2008 domains introduced two new built-in groups, the "Allowed RODC Password Replication Group" and the "Denied RODC Password Replication Group". These two groups are added to the "msDS-RevealOnDemandGroup" and "msDS-NeverRevealGroup" Active Directory attributes respectively, which gives the Password Replication Policy a default "Allowed List" and "Denied List".

Combining the domain-wide "Denied RODC Password Replication Group" and "Allowed RODC Password Replication Group" with the per-RODC Denied List and Allowed List attributes gives administrators great flexibility: they decide precisely which accounts will be cached on a given RODC.

Three possible administrative models

No accounts cached

In this administrative model, no passwords are replicated to the RODC except those of the RODC's own computer account and its special krbtgt account. It is the most secure option, but transparent user and computer authentication relies on WAN availability. Its advantage is that it is the default setting and requires little or no additional administrative configuration. Customers can add their own security-sensitive user groups to the default Denied List, which prevents those groups from being included in the Allowed List and prevents their passwords from being cached on an RODC.

Most accounts cached

This is the simplest administrative model that allows offline operation. The Allowed List for all RODCs is populated with groups that represent a significant portion of the user population. Security-sensitive user groups are kept in the Denied List, but most other users can have their passwords cached on the RODC on demand. Since more passwords are exposed on the RODC, this model is less secure.

Few accounts cached

This model limits the accounts that can be cached on each RODC. Typically, administrators strictly define the set for each RODC, so that each RODC has a different set of user and computer accounts that it is allowed to cache, usually based on the group of users who work at a particular physical location.

The advantage of this model is that, in case of a WAN failure, a group of users still benefits from offline authentication. Also, password disclosure is limited, because only a small number of user passwords can be cached on any one RODC.

2.2. Password Replication Policy in operation

This section describes how the "Allowed List", "Denied List", "Authenticated-to List" and "Revealed List" attributes are used.

Flow chart: the RODC requests replication of an account password. If the account is not in the Allowed List, the request is rejected and an error is returned to the RODC. If the account is in the Allowed List but also in the Denied List, the request is rejected and an error is returned to the RODC. Otherwise, the request is permitted, the credential is cached on the RODC, and the account is added to the Revealed List for that RODC.

As the flow chart above shows, an RODC makes a request to replicate a user account password, and the writable domain controller running Windows Server 2008 checks the values of the Allowed List and the Denied List to allow or deny the replication request. For example, if the account whose password the RODC is requesting is in the Allowed List and not in the Denied List for that RODC, the request is allowed.
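The decision in the flow chart is easy to get wrong in practice because list membership is usually granted through groups, and nested groups must be expanded before either list is checked. The simulation below is an added example, not code from the essay; it models the two lists and the Revealed List with a constructed group table instead of a live directory, so the Denied-wins rule can be seen without touching a domain. All account and group names are constructed.

```powershell
# Added example: simulate the writable DC's PRP decision for a replication
# request. Constructed data only; no directory access.

# Constructed membership table: group -> direct members (users or groups).
$Groups = @{
    'Domain Admins'                           = @('alice')
    'Enterprise Admins'                       = @('alice')
    'Denied RODC Password Replication Group'  = @('Domain Admins', 'Enterprise Admins', 'krbtgt')
    'Allowed RODC Password Replication Group' = @()
    'Branch01-Users'                          = @('alice', 'bob', 'carol')   # alice is also a branch user
    'Branch01-RodcAdmins'                     = @('dave')
}

# Expand an account to itself plus every group that contains it, transitively,
# so that a list entry naming a parent group still matches.
function Get-EffectivePrincipals {
    param([string]$Account)
    $result = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue  = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($Account)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if (-not $result.Add($current)) { continue }      # already visited
        foreach ($g in $Groups.Keys) {
            if ($Groups[$g] -contains $current) { $queue.Enqueue($g) }
        }
    }
    return $result
}

# One RODC's policy state: the four attributes described above.
function New-RodcPolicy {
    param([string]$Name, [string[]]$AllowedList, [string[]]$DeniedList)
    @{ Name = $Name; AllowedList = $AllowedList; DeniedList = $DeniedList
       RevealedList = @(); AuthenticatedList = @() }
}

# The decision itself: a request passes only if some effective principal is in
# the Allowed List and none is in the Denied List. Denied therefore always wins.
function Test-PrpRequest {
    param([hashtable]$Rodc, [string]$Account)
    $principals = Get-EffectivePrincipals $Account
    $allowed = @($Rodc.AllowedList | Where-Object { $principals.Contains($_) }).Count -gt 0
    $denied  = @($Rodc.DeniedList  | Where-Object { $principals.Contains($_) }).Count -gt 0
    if ($allowed -and -not $denied) {
        if ($Rodc.RevealedList -notcontains $Account) { $Rodc.RevealedList += $Account }
        return "Permit : $Account cached on $($Rodc.Name); added to Revealed List"
    }
    return "Reject : $Account not cached on $($Rodc.Name) (allowed=$allowed, denied=$denied)"
}

$Rodc01 = New-RodcPolicy -Name 'RODC-BRANCH01' `
    -AllowedList @('Allowed RODC Password Replication Group', 'Branch01-Users', 'Branch01-RodcAdmins') `
    -DeniedList  @('Denied RODC Password Replication Group')

foreach ($acct in 'bob', 'alice', 'dave', 'erin') { Test-PrpRequest -Rodc $Rodc01 -Account $acct }
"Revealed List: $($Rodc01.RevealedList -join ', ')"
```

The four sample accounts cover the cases that matter: bob and dave reach the Allowed List through a group, erin is in no allowed group at all, and alice is in an allowed group but also, through Domain Admins, in the Denied group, so her request is rejected even though the Allowed check alone would pass. Only permitted accounts end up in the Revealed List, which is the list a defender consults when an RODC goes missing.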

Read Only Domain Controller Password Replication Policy Configuration

Only members of the Domain Admins group are allowed to configure the RODC Password Replication Policy.

Activity: To configure the password replication policy for a Read Only Domain Controller

Open "Active Directory Users and Computers".

Click "Domain Controllers" on a domain controller that is running Windows Server 2008.

Point to the RODC account in the details pane, right-click it, and then select "Properties".

Select the "Password Replication Policy" tab; it lists the accounts defined in the RODC's Allowed List and Denied List. If you want to add other accounts whose credentials will be cached on the RODC, click the "Add" button and allow them; otherwise, deny them.

Accounts that do not have credentials cached on the RODC can still use the RODC for domain logon, but their subsequent logons will not be processed by the RODC itself.

View current credentials that are cached on a Read Only Domain Controller

Any domain user is allowed to view whose passwords are stored on an RODC. This is useful if you want to reset passwords or determine whether you need to cache an account that has not yet been cached. By default, only the computer account of the RODC itself and its krbtgt account have credentials cached on the RODC.

Activity: To view the credentials that are currently cached

Open "Active Directory Users and Computers".

Select "Domain Controllers" on a domain controller that is running Windows Server 2008.

Point to the RODC account in the details pane, right-click it, and then select "Properties".

Select the "Password Replication Policy" tab in the "Properties" page and then click the "Advanced" button.

Select "Accounts whose passwords are stored on this Read-only Domain Controller" from the drop-down list.

Review which accounts have attempted to authenticate to a Read Only Domain Controller

Any domain user can review which accounts have attempted to authenticate to an RODC, so that those accounts can be added to the Password Replication Policy Allowed List. After those accounts' credentials are cached on the RODC, the accounts can still log on by using the RODC in the branch office for offline operation, for example when the WAN link to the hub site is down.

Activity: To review the accounts that have been authenticated to a Read Only Domain Controller

Open "Active Directory Users and Computers".

Select "Domain Controllers" on a domain controller that is running Windows Server 2008.

Point to the RODC account in the details pane, right-click it, and then select "Properties".

Select the "Password Replication Policy" tab in the "Properties" page and then click the "Advanced" button.

Select "Accounts that have been authenticated to this Read-only Domain Controller" from the drop-down list.

Prepopulate the password cache for a Read Only Domain Controller

Only members of the Domain Admins group have permission to prepopulate the password cache for an RODC. You can prepopulate the password cache with the passwords of the user and computer accounts that you want to be able to authenticate to the RODC when the WAN is offline. By default, even the credentials of accounts whose passwords are allowed to be cached are not replicated to the RODC until the user or computer authenticates against the RODC. Therefore, if the WAN is not available, these users and computers will not be able to authenticate unless you have prepopulated the password cache. If you prepopulate the RODC's password cache with those accounts, the RODC does not rely on WAN availability to authenticate them.

By prepopulating the password cache right after the RODC installation, you can ensure that the passwords of all users and computers in the branch are cached, regardless of when they first attempt to log on.

Activity: To prepopulate the password cache

Open "Active Directory Users and Computers".

Click "Domain Controllers" on a domain controller that is running Windows Server 2008.

Point to the RODC account in the details pane, right-click it, and then select "Properties".

Select the "Password Replication Policy" tab and then click the "Advanced" button.

Select "Prepopulate Passwords".

In the input field, enter the names of the accounts whose passwords you want to prepopulate in the cache for the RODC, and then click the "OK" button.

Click the "Yes" button if you want to send the passwords for those accounts to the RODC.
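The four Active Directory Users and Computers activities above (configure the policy, view cached credentials, review authenticated accounts, prepopulate the cache) can all be done from the ActiveDirectory PowerShell module, which is easier to audit and repeat than the GUI. The script below is an added example, not code from the essay; the RODC name RODC-BRANCH01, the hub controller HUBDC01, the Branch01 groups and the OU path are assumptions. It must run as a Domain Admin, as the text above requires.

```powershell
# Added example: PRP administration with the ActiveDirectory module.
# RODC-BRANCH01, HUBDC01, the group names and the OU path are assumptions.
Import-Module ActiveDirectory
$Rodc  = 'RODC-BRANCH01'
$HubDc = 'HUBDC01'   # writable Windows Server 2008+ DC that holds the real passwords

# 1. Configure the PRP: per-RODC Allowed and Denied List entries.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch01-Users', 'Branch01-RodcAdmins'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -DeniedList 'Finance-Admins'

# Show the resulting lists (what the Password Replication Policy tab displays).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# 2. View credentials currently cached on the RODC (the Revealed List).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# 3. Review accounts that have authenticated through the RODC (Authenticated List)
#    and are not yet cached: candidates to add to the Allowed List.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
$notCached = $authenticated | Where-Object {
    $revealed.DistinguishedName -notcontains $_.DistinguishedName
}
$notCached | Select-Object Name, ObjectClass, DistinguishedName

# 4. Prepopulate the cache for every enabled user and computer in the branch OU.
#    objectClass=user also matches computer objects; the bitwise filter excludes
#    disabled accounts (userAccountControl bit 2).
$branchAccounts = Get-ADObject -SearchBase 'OU=Branch01,DC=corp,DC=example,DC=com' `
    -LDAPFilter '(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
foreach ($obj in $branchAccounts) {
    # -PasswordOnly replicates just the secret of this object from the hub DC to
    # the RODC; it is refused for any account the PRP does not allow, so the
    # policy configured in step 1 is enforced here as well. The equivalent
    # command-line tool is: repadmin /rodcpwdrepl <RODC> <HubDC> <DN>
    try {
        Sync-ADObject -Object $obj -Source $HubDc -Destination $Rodc -PasswordOnly
    } catch {
        Write-Warning "$($obj.DistinguishedName): not prepopulated ($($_.Exception.Message))"
    }
}
```

Step 3 is the one worth scheduling: the difference between the Authenticated List and the Revealed List is exactly the set of accounts that depend on the WAN for every logon, and it grows silently as people transfer into the branch.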

Cached Password Expiration

Once an RODC caches a user's password, the password remains in its Active Directory database until one of the following conditions occurs:

The user changes the password. In this case, the password is not removed from the cache, but the cached password is no longer valid.

The RODC's Password Replication Policy changes so that it no longer allows the user's password to be cached. In addition, when a user who was issued a TGT by the RODC attempts to access resources whose credentials are not cached, that user's password is no longer cached.

Reset cached passwords on a Read Only Domain Controller if it is stolen

Windows Server 2008 provides no function to erase cached passwords. However, an administrator can still invalidate a password that is stored on an RODC by resetting the password in the hub site. In this way, the password cached in the branch can no longer be used to access resources in the hub site or in other branches. If an RODC is compromised, reset the passwords that are currently cached on it and rebuild the RODC.

Activity: To reset cached passwords

Open "Active Directory Users and Computers".

Click "Domain Controllers" on a domain controller that is running Windows Server 2008.

Point to the RODC account in the details pane, right-click it, and then click "Delete".

Click the "Yes" button to confirm the deletion.

In the "Deleting Active Directory Domain Controller" dialog box, select the "Reset all passwords for user accounts that were cached on this read-only domain controller" check box. Optionally, you can also select the "Export the list of accounts that were cached on this read-only domain controller to this file" check box. If that option is selected, a list is created of the user accounts whose passwords must be reset after the RODC account is deleted. The accounts in that list will become unavailable once the RODC account is deleted.
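When an RODC is stolen, the Revealed List is the authoritative record of which secrets the thief holds, so the first step is to capture it before anything is deleted. The script below is an added example, not code from the essay: it exports the Revealed List and resets the password of every revealed user account with a random value, which is the scripted counterpart of the "Reset all passwords" and "Export the list" options in the deletion dialog above. The RODC name RODC-BRANCH01 and the export path are assumptions. Deleting the RODC account itself is still done through the dialog described above, because that dialog also performs the metadata cleanup.

```powershell
# Added example: reset the passwords a stolen RODC had cached. Run as a Domain
# Admin against a writable DC in the hub. RODC name and export path are assumptions.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 24 bytes from a CSPRNG, base64-encoded. The value is never meant to be
    # typed: the user is forced to change it at next logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-StolenRodcCachedPasswords {
    param(
        [Parameter(Mandatory)][string]$RodcName,
        [string]$ExportPath = "C:\Temp\$RodcName-revealed.csv",
        [switch]$WhatIf     # dry run: show what would be reset without changing anything
    )

    # 1. Capture the Revealed List first; it is what the thief holds.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    $revealed | Select-Object Name, ObjectClass, DistinguishedName |
        Export-Csv -Path $ExportPath -NoTypeInformation

    $reset = @()
    foreach ($acct in $revealed) {
        # krbtgt_<id> is the RODC's own krbtgt account; it is invalidated when the
        # RODC account is deleted, so skip it here.
        if ($acct.ObjectClass -eq 'user' -and $acct.Name -notlike 'krbtgt*') {
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset `
                -NewPassword (New-RandomPassword) -WhatIf:$WhatIf
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true -WhatIf:$WhatIf
            $reset += $acct.Name
        }
        elseif ($acct.ObjectClass -eq 'computer' -and $acct.Name -ne $RodcName) {
            # Machine secrets cannot be reset from the hub; the host must rotate
            # its own (Reset-ComputerMachinePassword) or be rejoined to the domain.
            Write-Warning "$($acct.Name): computer account, rotate its secret on the host"
        }
    }

    [pscustomobject]@{
        Rodc          = $RodcName
        RevealedCount = @($revealed).Count
        UsersReset    = $reset
        ExportPath    = $ExportPath
    }
}

# Dry run first, then the real reset; afterwards delete the RODC account as described above.
Reset-StolenRodcCachedPasswords -RodcName 'RODC-BRANCH01' -WhatIf
Reset-StolenRodcCachedPasswords -RodcName 'RODC-BRANCH01'
```

The export happens before any reset so that the list survives even if the script is interrupted, and the -WhatIf pass lets the on-call engineer confirm the account set matches the branch before locking anyone out.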

Administrator Role Separation

Administrator Role Separation is an RODC feature that can be used to delegate the ability to administer an RODC to a user or a security group. If that user or security group is not a member of the Domain Admins group, you delegate only the ability to log on to the RODC, so the user or group gains no additional rights to perform directory service operations. The user or group assigned the administrator role can perform the tasks that a member of the Administrators group performs on a member server, such as installing hardware devices, installing software updates and drivers, and viewing logs in Event Viewer.

However, a delegated RODC administrator cannot update the contents of SYSVOL. Changes made to SYSVOL contents will not replicate to other domain controllers, because an RODC does not support outbound replication.

Activity: To add the Administrator Role

Click Start, type "dsmgmt.exe" in the search field, and then press ENTER.

Type the command "local roles" at the DSMGMT command prompt and then press ENTER.

Enter "?" for a list of valid parameters and then press ENTER.

By default, after Active Directory Domain Services installation, no local administrator role is defined on the RODC, so you use the "Add" parameter to add the local administrator role.

At the prompt, enter the command: "add <domain name>\<user> <administrative role>".

For example, enter "add CONTOSO\testuser1 administrators".
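Role separation can be granted from the hub as well as on the RODC itself, and it pays to verify afterwards that the delegated account holds nothing beyond the local role. The snippet below is an added example, not code from the essay. It assumes the RODC account RODC-BRANCH01, the group Branch01-RodcAdmins and the account CONTOSO\testuser1 from the text; it also assumes that dsmgmt.exe accepts its commands as command-line arguments in the same way ntdsutil.exe does, since the two share a command shell.

```powershell
# Added example: delegate and verify the RODC local Administrators role.
# Names are assumptions (see lead-in).
Import-Module ActiveDirectory
$Rodc = 'RODC-BRANCH01'

# Route 1, from the hub: the managedBy attribute of the RODC computer account is
# what the "Managed By" tab sets and is replicated to the RODC as its delegated
# administrator. Delegating a group means later staff changes are group edits.
$group = Get-ADGroup -Identity 'Branch01-RodcAdmins'
Set-ADComputer -Identity $Rodc -ManagedBy $group.DistinguishedName
Get-ADComputer -Identity $Rodc -Properties ManagedBy | Select-Object Name, ManagedBy

# Route 2, on the RODC itself: the dsmgmt "local roles" sequence from the steps
# above, batched into one invocation (assumption: dsmgmt takes commands as arguments).
& dsmgmt.exe 'local roles' 'add CONTOSO\testuser1 administrators' 'list roles' 'quit' 'quit'
& dsmgmt.exe 'local roles' 'show role administrators' 'quit' 'quit'

# Verification: a delegated RODC administrator should be in the local role only,
# not in any domain-level privileged group. Report any such membership.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$user = Get-ADUser -Identity 'testuser1'
$memberOf = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
$overlap  = $memberOf | Where-Object { $privileged -contains $_ }
if ($overlap) {
    Write-Warning "testuser1 also holds domain privileges: $($overlap -join ', '); role separation is not in effect"
} else {
    "testuser1 holds only the local RODC role (groups: $($memberOf -join ', '))"
}
```

The verification at the end is the part most often skipped: delegating the local role to an account that is already in Domain Admins gives nothing up, but it also defeats the purpose of role separation described above, because that account's logon to the branch RODC now exposes domain-wide credentials.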
