
Module 7: Read-Only Domain Controllers
Overview

Describe the Read-Only Domain Controllers role
Use Read-Only Domain Controllers
Lesson 1: Read-Only Domain Controller

Describe the role of Read-Only Domain Controllers
Describe Windows Server 2008 domain upgrade requirements and prerequisites
List the prerequisites for RODC deployment
Describe scenarios in which RODC usage is recommended
Describe Read-Only Domain Controller Replication
Read-Only Domain Controller

[Diagram: Read-Only Domain Controller; Branch Office Guide Recommendations]


Windows Server 2008 Domain Upgrade Requirements and Prerequisites

In-place upgrade from Windows 2000 Server is not supported
In-place upgrade from Windows Server 2003 domain controller to Windows Server 2008 RODC or Windows Server 2008 Server Core is not supported
Prepare your Active Directory environment with Windows Server 2008 updates
Extend the domain schema
RODC Deployment Prerequisites

1. Works in existing environments
2. Windows Server® 2003 Forest Functional Mode; one Windows Server® 2008 DC
3. No patching to down-level DCs or clients is needed
4. Multiple Windows Server 2008 DCs per Domain; one RODC per Domain per Site
Read-Only Active Directory Database

[Diagram: Directory Service "Cloud"; Data Center or Trusted Network; Edge sites or edge/boundary of network]
Read-Only Domain Controller Replication

Replication is Unidirectional
Cannot Perform Outbound Replication
Domain Partition replication must be sourced from Windows Server 2008
Requires writeable 2008 domain controller in nearest site in the topology
Lesson 2: Read-Only Domain Controller Operation

Describe how credential caching is controlled on an RODC
Describe how to configure Administrator Role Separation
Configure read-only DNS servers
Describe how to recover from a compromised RODC
Credential Caching

Credential Caching is storing user passwords on RODC
Must be explicitly allowed
Configured via Password Replication Policy on RODC's writeable replication partner
Administrator Role Separation

Problem: Too many domain administrators
Solution:
  Provides a new "local administrator" level of access per RODC
  Prevents accidental Active Directory modifications by computer administrators
  Does not prevent "local administrator" from maliciously modifying the local database
This is a true security feature for Read-Only Domain Controller
Read-Only Domain Name System

Does not support client updates directly
Refers clients to a writeable authoritative DNS
Replicates updated records from writeable DNS
Recovering from RODC Compromise

Delete the RODC from the domain
Change passwords of accounts that are cached on compromised RODC
Manually remove the server object for the deleted RODC
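The Credential Caching and Recovering from RODC Compromise slides above describe the Password Replication Policy and the password-reset step; the following is an added example, not part of the course material, that audits which accounts a given RODC has actually cached and resets those passwords. It assumes the ActiveDirectory RSAT module, and the RODC name 'BRANCH-RODC01' is a placeholder.

```powershell
# Added example (not from the course material): audit an RODC's Password
# Replication Policy and the accounts whose secrets it has actually cached,
# then reset those accounts as part of compromise recovery.
# Assumes the ActiveDirectory module (RSAT) and rights to read the RODC
# object and reset passwords. 'BRANCH-RODC01' is a placeholder name.
Import-Module ActiveDirectory

function Get-RodcCacheReport {
    param([Parameter(Mandatory)][string] $Rodc)
    # PRP allow/deny lists are set on the RODC's computer object via a
    # writeable partner and decide whose secrets may replicate to the RODC.
    $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied   = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    # Accounts whose secrets have actually been revealed to (cached on) the RODC.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    # Privileged accounts should never be cached on an edge DC; flag any that are.
    $adminSids  = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SID.Value
    $privileged = @($revealed | Where-Object { $adminSids -contains $_.SID.Value })
    [pscustomobject]@{
        RODC               = $Rodc
        AllowedCount       = $allowed.Count
        DeniedCount        = $denied.Count
        RevealedAccounts   = $revealed.SamAccountName
        PrivilegedRevealed = $privileged.SamAccountName
    }
}

function New-RandomPassword {
    param([int] $Length = 24)
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Base64 of 32 random bytes is 44 characters; return the requested prefix.
    return [Convert]::ToBase64String($bytes).Substring(0, $Length)
}

function Reset-RodcRevealedPasswords {
    # Recovery step from the slide: change the password of every user account
    # cached on the compromised RODC. -WhatIf lists the accounts without acting.
    # Cached computer accounts are skipped here; reset their machine passwords separately.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $Rodc)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    foreach ($acct in ($revealed | Where-Object ObjectClass -eq 'user')) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Reset cached password')) {
            $new = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $new
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
        }
    }
}

Get-RodcCacheReport -Rodc 'BRANCH-RODC01' | Format-List
Reset-RodcRevealedPasswords -Rodc 'BRANCH-RODC01' -WhatIf
```

Run the report before deleting the RODC object: the revealed-accounts list is what the reset step must cover, and it is easier to obtain while the object still exists.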