RODC : Frequently Asked Questions

   In our office branches, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since Domain controllers store security sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials

• Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
• DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
• Password protection: A malicious user won’t be able to access passwords using a brute-force-attack. This applies only if password caching is disabled on the RODC.
• Administrator Role Separation: You can delegate a local Administrator role to a domain user.

Read-only Domain Controller

• An RODC holds all Active Directory objects and attributes.
• RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
• If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.

DNS Protection

• A DNS server running on an RODC doesn’t support dynamic updates.
• If a client wants to update its DNS record, the RODC will send a referral for a writeable DNS server.
• The client can then update against this DNS server.
• This single record will then be replicated from the writable DNS server to the RODC DNS server.

Password Protection

• By default, an RODC doesn’t store user or computer credentials. (The only exception is the computer account of the RODC itself and a special krbtgt account.)
• However, an RODC can cache passwords.
• If a password isn’t cached, the RODC will forward the authentication request to a writeable DC.
• The Password Replication Policy determines the user groups for which passwords caching will be allowed (more about this in my next post).

Administrator Role Separation:

• A domain user having the Administrator role on an RODC doesn’t have to be a domain admin.
• A domain user having the Administrator role can do maintenance work on the RODC such as installing software.
• If an intruder gains access to the credentials of this local administrator account, he will not be able to make changes on other domain controllers.

Prerequisites for Deploying an RODC

• Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher.
• Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers.
• Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.

FAQ Answers: http://technet.microsoft.com/en-us/library/cc754956%28WS.10%29.aspx

RODC Frequently Asked Questions:

1. What new attributes support the RODC Password Replication Policy?
2. How can you clear a password that is cached on an RODC?
3. Can an RODC replicate to other RODCs?
4. What operations fail if the WAN is offline, but the RODC is online in the branch office?
5. What operations succeed if the WAN is offline, but the RODC is online in the branch office?
6. Will RODC support my Active Directory–integrated application?
7. Does an RODC contain all of the objects and attributes that a writable domain controller contains?
8. Why does the RODC not have a relative ID (RID) pool?
9. Can I list the krbtgt account that is used by each RODC in the domain?
10. How does the client DNS update referral mechanism work?
11. Why doesn't the KCC on writable domain controllers try to build connections from an RODC?
12. How does the KCC build inbound connections locally on an RODC when the RODC is supposed to be read-only?
13. Why does an RODC have two inbound connection objects?
14. How does RODC connection failover work?
15. How can an administrator delete a connection object locally on an RODC?
16. How can an administrator trigger replication to an RODC?
17. How are writable directory partitions differentiated from read-only directory partitions?
18. Why can an RODC only replicate the domain directory partition from a domain controller running Windows Server 2008 in the same domain?
19. How does the KCC differentiate between domain controllers running Windows Server 2003 and domain controllers running Windows Server 2008?
20. Why are built-in groups such as Account Operators and Server Operators specified separately in the Denied List attribute, but not in the Denied RODC Password Replication Group?
21. What actually happens when you add a user to an Administrator Role Separation role?
22. How can an administrator determine the closest site for any given site?
23. Why does %logonserver% have the name of a domain controller in my hub site rather than the RODC in my site?
24. What relevant RODC event log entries are there?
25. Password changes are not always "chained" by an RODC. Why?
26. How does a hub domain controller recognize that a request to replicate a password is coming from an RODC?
27. Why does an RODC replicate in a cached password both by RSO (Replicate Single Object) operation and normal replication?
28. Does an RODC perform password validation forwarding even when it has a password for a user?
29. Can you remove the last domain controller in a domain if there are unoccupied (or disabled) RODC accounts in the domain?

FAQ Answers: http://technet.microsoft.com/en-us/library/cc754956%28WS.10%29.aspx