Since Windows 2000, Active Directory has been the standard in Windows networking for managing the logon process, authentication, DNS, and other domain-based features. Moving networks around the world to the concept of multi-master domain controllers and replication was a big step.
Active Directory got a few improvements in Windows Server 2008, and Read Only Domain Controllers was certainly one of them. The concept is to make Active Directory information available in remote offices, providing faster access to resources and authentication while keeping the server as secure as possible in case of lessened physical security in the remote location. This is accomplished by replicating a read-only copy of most of the Active Directory data from another Windows Server 2008 domain controller to the RODC in the remote location.
Better security for login credentials
User authentication information, such as account names and passwords, are not replicated to RODC servers. This limits the damage should the server become compromised by not making the entire Active Directory database of user objects and passwords available. Instead of replicating the credentials, when a user authenticates, the information is checked against the local RODC. When it is not found in the local copy of the Active Directory database, a request is submitted to another domain controller in the environment to ensure the user can log in. Once received, the information is cached locally, and the user is authenticated. Next time this user logs on, the cached copy of the credentials is used, speeding up the login process.
When the credentials change — for example, when the user's password expires — the RODC will evaluate the logon, and the password will not match the cached password, requiring the request be forwarded on to another domain controller. This will help lessen the number of user objects that can be compromised in the event the server itself is compromised.
DNS also more secure
Another benefit of an RODC is that its copy of DNS is also read-only. All the DNS information stored in Active Directory is replicated to the RODC, but the copy of DNS that is stored there cannot be updated. Registrations must be added or updated on another domain controller in the environment. The changes are then replicated back to the RODC. Lookups and name resolutions work just as they normally would, improving the user experience by running a copy of DNS locally. Items that are then cached by DNS normally will be replicated to the RODC.
This configuration can improve the overall security and performance of Active Directory in remote offices; however, there are some things to note when considering this configuration:
- The first Windows Server 2008 Domain Controller in an existing Active Directory environment cannot be an RODC. A full-featured Windows Server 2008 Domain Controller must be installed first to allow replication to work for the RODC.
- Prior to the installation of the first RODC, adprep /rodcprep must be run to prepare the schema to allow Read Only Domain Controllers.
- RODCs also cannot host a Global Catalog Server or maintain any Operations Master Roles within the Directory environment.
The primary reason to introduce RODCs is to allow a Domain Controller to exist in a remote office that may have fewer users or less physical security requirements while not sacrificing performance for the remote location. When included in the planning for the introduction of Windows Server 2008, RODCs can be a great addition to any dispersed environment.
Need help configuring, administering, supporting, and optimizing network infrastructure? Then turn to our free Network Administration NetNote. Automatically sign up today!
Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.