
Prohibit users from authenticating exclusively on read-only domain controllers

The read-only domain controller feature is a good way to protect remote sites with Windows Server 2008. But for security reasons, you should learn how to prohibit authentication against this feature.

In my Windows Server 2008 tip on permitting read-only domain controller authentication, I showed some of the additional configuration steps that may be required to use the feature as expected. For security reasons, you may also want to explicitly prohibit accessing read-only domain controllers.

The default Windows Server 2008 Active Directory domain configuration delivers the Allowed RODC Password Replication Group (which I explained in my previous Windows Server 2008 tip) and the Denied RODC Password Replication Group; the latter group contains all of the higher-permission groups by default so that their credentials are never cached on the read-only domain controller.

Figure A shows the default groups that are prohibited from authenticating exclusively against the read-only domain controller.

Users can still authenticate to that site or against the read-only domain controller — just not exclusively. Take the example where the read-only domain controller is unable to contact a writeable domain controller. This situation requires all authentication activities to be handled directly by the read-only domain controller, and because no credentials for the denied accounts are cached there, the users (and any computers, if present) enumerated in this group will be unable to log on to the domain.

You can add or subtract from this group as you see fit, but it may be worth determining if it is really necessary for the higher-privileged groups to log on in the event that the writable domain controller is not available. An acceptable practice may be to create a security group of administrative aliases that are local administrators on all computer accounts on sites that are serviced by read-only domain controllers.

The higher-permission accounts can still log on to the read-only domain controller if a writeable domain controller is directly accessible. You can view the history of this by looking at the domain controller in Active Directory Users And Computers; to do so, follow these steps:

  1. Right-click and select Properties for each read-only domain controller.
  2. Click the Password Replication tab.
  3. Double-click the Allowed RODC Password Replication Group entry.

This will show you what is stored locally and what accounts (computer and user) have authenticated through the read-only domain controller (Figure B).

In the example, Administrator has authenticated on the read-only domain controller; however, the user is not listed on the other option (Accounts Whose Passwords Are Stored On This Domain Controller).
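The same information can be pulled for every read-only domain controller at once instead of clicking through each one. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory module (shipped with RSAT on Windows Server 2008 R2 and later) and a function name, Get-RodcCredentialExposureReport, that is my own. It reproduces the two views behind Figure B (accounts that authenticated through the RODC, and accounts whose passwords are actually stored on it) and flags any member of the Denied RODC Password Replication Group that appears in either.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT, Windows Server 2008 R2 or later) and read access to the domain.
Import-Module ActiveDirectory

function Get-RodcCredentialExposureReport {
    param(
        # Assumed parameter: RODC name(s). Defaults to every RODC in the domain.
        [string[]]$Rodc = (Get-ADDomainController -Filter { IsReadOnly -eq $true } |
                           Select-Object -ExpandProperty Name)
    )

    # Expand the Denied group recursively so nested groups such as Domain Admins
    # resolve to the actual user and computer objects they contain.
    $denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
              Select-Object -ExpandProperty DistinguishedName

    foreach ($dc in $Rodc) {
        # "Accounts Whose Passwords Are Stored On This Domain Controller" in the GUI.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts |
                    Select-Object -ExpandProperty DistinguishedName

        # Accounts that have authenticated through this RODC, cached or not.
        $authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -AuthenticatedAccounts

        foreach ($acct in $authenticated) {
            [pscustomobject]@{
                RODC           = $dc
                Account        = $acct.SamAccountName
                ObjectClass    = $acct.ObjectClass
                InDeniedGroup  = $denied   -contains $acct.DistinguishedName
                PasswordCached = $revealed -contains $acct.DistinguishedName
            }
        }
    }
}

# Example run: show only denied accounts that touched an RODC. InDeniedGroup = True with
# PasswordCached = False is the expected outcome seen in Figure B (Administrator
# authenticated, but nothing was stored). PasswordCached = True for a denied account
# means a secret was cached before the account was covered by the deny policy and
# should be reviewed, because the denied list does not purge an existing cache entry.
Get-RodcCredentialExposureReport |
    Where-Object { $_.InDeniedGroup } |
    Sort-Object RODC, Account |
    Format-Table -AutoSize
```

To add a site-specific administrative group to the deny list as the article suggests, `Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members 'Site-Admins'` (group name is a placeholder) is the scripted equivalent of the GUI step.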

How have read-only domain controllers affected your administrative access permission assignment? Let us know in the discussion.


About Rick Vanover

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.
