
Improve security and performance with Read Only Domain Controllers

Improve security in remote offices and make network services more available with a new feature of Windows Server 2008. Derek Schauland discusses Read Only Domain Controllers (RODC).

Since Windows 2000, Active Directory has been the standard in Windows networking for managing the logon process, authentication, DNS, and other domain-based features. Moving networks around the world to the concept of multi-master domain controllers and replication was a big step.

Active Directory got a few improvements in Windows Server 2008, and Read Only Domain Controllers was certainly one of them. The concept is to make Active Directory information available in remote offices, providing faster access to resources and authentication while keeping the server as secure as possible in case of lessened physical security in the remote location. This is accomplished by replicating a read-only copy of most of the Active Directory data from another Windows Server 2008 domain controller to the RODC in the remote location.

Better security for login credentials

User authentication information, such as account names and passwords, is not replicated to RODC servers. This limits the damage should the server become compromised, because the entire Active Directory database of user objects and passwords is not made available on it. Instead of replicating the credentials, when a user authenticates, the information is checked against the local RODC. When it is not found in the local copy of the Active Directory database, a request is submitted to another domain controller in the environment to ensure the user can log in. Once received, the information is cached locally, and the user is authenticated. The next time this user logs on, the cached copy of the credentials is used, speeding up the login process.

When the credentials change -- for example, when the user's password expires -- the RODC will evaluate the logon, and the password will not match the cached password, requiring the request be forwarded on to another domain controller. This will help lessen the number of user objects that can be compromised in the event the server itself is compromised.
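As an added example (not from the article, and not Microsoft's own tooling beyond the cmdlets it calls), the following PowerShell audits the caching behaviour described above: for each RODC it lists who the Password Replication Policy allows or denies, which accounts have actually had their secrets cached, and whether any privileged account is among them. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later RSAT); the group names in $sensitiveGroups are an assumption to adjust for your domain.

```powershell
# Added example, not from the original article: audit cached credentials on each RODC.
# Assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later)
# and an account with rights to read the RODC Password Replication Policy.
Import-Module ActiveDirectory

# Accounts whose secrets should never sit on a branch-office RODC (assumed list; adjust as needed)
$sensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$sensitive = foreach ($g in $sensitiveGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
}
$sensitive = $sensitive | Sort-Object -Unique

# Every read-only domain controller in the domain
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

foreach ($rodc in $rodcs) {
    Write-Host "== $($rodc.HostName) (site: $($rodc.Site)) =="

    # Password Replication Policy: who MAY be cached (Allowed) and who must never be (Denied)
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Host "Allowed list: $(($allowed | Select-Object -ExpandProperty Name) -join ', ')"
    Write-Host "Denied list : $(($denied  | Select-Object -ExpandProperty Name) -join ', ')"

    # Accounts whose secrets are actually stored on this RODC right now
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Host "Cached credentials: $(@($revealed).Count)"

    # A privileged account in the cache is the blast radius if this box is stolen
    $exposed = $revealed | Where-Object { $sensitive -contains $_.SamAccountName }
    if ($exposed) {
        Write-Warning "Privileged credentials cached on $($rodc.HostName): $(($exposed.SamAccountName) -join ', ')"
    }
}
```

If an RODC is lost, the same revealed-accounts list is the set of passwords to reset, which is the point of keeping that list small.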

DNS also more secure

Another benefit of an RODC is that its copy of DNS is also read-only. All the DNS information stored in Active Directory is replicated to the RODC, but the copy of DNS stored there cannot be updated. Registrations must be added or updated on another domain controller in the environment; the changes are then replicated back to the RODC. Lookups and name resolution work just as they normally would, improving the user experience by running a copy of DNS locally. Records that DNS would normally cache are then replicated to the RODC.

This configuration can improve the overall security and performance of Active Directory in remote offices; however, there are some things to note when considering this configuration:

  • The first Windows Server 2008 Domain Controller in an existing Active Directory environment cannot be an RODC. A full-featured Windows Server 2008 Domain Controller must be installed first to allow replication to work for the RODC.
  • Prior to the installation of the first RODC, adprep /rodcprep must be run to prepare the schema to allow Read Only Domain Controllers.
  • RODCs also cannot host a Global Catalog Server or maintain any Operations Master Roles within the Directory environment.

The primary reason to introduce RODCs is to allow a Domain Controller to exist in a remote office that may have fewer users or less physical security requirements while not sacrificing performance for the remote location. When included in the planning for the introduction of Windows Server 2008, RODCs can be a great addition to any dispersed environment.


About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

8 comments
cbasham

Would this work well for logins to our AD from Africa where connectivity is a real problem? Their internet speed is terrible, and they want a server to log into instead of using Outlook Anywhere.

erisk

You wrote: "When the credentials change -- for example, when the user's password expires -- the RODC will evaluate the logon, and the password will not match the cached password, requiring the request be forwarded on to another domain controller." Then I think: "...and the user can log in FOREVER using the OLD password until someone clears the cache..."

nhillbish

This sounds a lot like a BDC.

bandman

When a user logs on within 14 days of the expiration, they receive notification. If they opt to change their password, they can't (I would guess) change it with the RODC, right? So how do they decide which DC gets to change it?

Derek Schauland

When passwords are cached at the RODC, they are stored in the local copy of Active Directory. Changing a password on another Domain controller will allow the cached password to authenticate the user, but only until the next AD Replication cycle which will change the password cached on the RODC.

Derek Schauland

Once the user account has an expired password and the user has been forwarded to another Domain Controller, the new password will be cached. I will do a bit more digging on this to be sure, but I do not see it as a huge issue as resources on other servers would not be able to match the authentication.

Derek Schauland

The BDC would allow replacement of a PDC if the PDC failed. The Read Only DC is used for physical security by putting a domain controller in remote locations that only takes a replica and can never replicate data out to other computers. RODCs cannot replace domain controllers; they require the sync to come from full-featured Windows 2008 DCs. Similar, I suppose, but quite different in features.

kmdennis

Whatever they name it, the functionality is the same as PDC and BDC! In this case, when the user makes the change, the RODC will not be able to make the change, so it sends a request for the change to the first DC, where the changes are made and then replicated back to the RODC, and it is then cached locally.