Configuring Active Directory Roles and Services - Read-only domain controllers
Read-only domain controllers
Another new feature of Windows Server 2008 is the Read-Only Domain Controller (RODC). An RODC can greatly improve the security of a domain controller deployed in a branch office or any other location where physical security is hard to guarantee.
In Windows 2000 and Windows Server 2003, every domain controller held a writeable copy of the directory and participated in Active Directory's multimaster replication scheme, which meant that an administrator could make a change on any domain controller and it would be replicated throughout the rest of Active Directory. This created issues for businesses that needed to deploy domain controllers in offices with limited physical security, such as a remote branch office with only a few employees. As the name suggests, a Read-Only Domain Controller hosts a read-only copy of the Active Directory database: it can answer logon and directory queries locally, but an administrator must connect to a writeable domain controller to make any change to Active Directory.
One of the key features of RODCs is that they do not perform any outbound replication whatsoever. They only accept inbound replication connections from writeable domain controllers. As a result, anything an attacker manages to write into a compromised RODC's local copy of the database cannot replicate back into the rest of the directory. To deploy an RODC, you need at least one writeable Windows Server 2008 domain controller in the domain, and both the domain functional level and the forest functional level must be at least Windows Server 2003.
Another key feature of an RODC is that each RODC can be configured with its own Password Replication Policy (PRP). On a writeable domain controller, the password hash of every account in the domain is stored locally within the ntds.dit file. If a writeable domain controller is compromised or stolen, every username and password hash in your environment is at risk. By contrast, you can specify a particular list of user or group accounts whose password information should be stored (or cached) on a particular RODC; accounts outside that list can still log on through the RODC, but their credentials are forwarded to a writeable domain controller and never stored on the RODC. For example, if you deploy an RODC in Acme's Tokyo branch, you can configure it so that it will only cache password information for members of the Tokyo Users security group. Conversely, you can also configure specific users or groups whose password information must never be cached on an RODC; a Deny entry takes precedence over an Allow entry for the same account. High-level administrative accounts, such as Domain Admins and Enterprise Admins, are configured by default so that their password information cannot be cached on any RODC within an environment, and Microsoft recommends that you do not change these settings. To allow enterprise-wide configuration of the RODC Password Replication Policy, Windows Server 2008 creates the following security groups in each domain:
- Denied RODC Password Replication Group. Members of this group are placed in the Deny list of the Password Replication Policy of every RODC by default. When Windows Server 2008 is first installed, this group contains: Cert Publishers, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, Read-Only Domain Controllers, Schema Admins, and krbtgt.
- Allowed RODC Password Replication Group. Members of this group are placed in the Allow list of the Password Replication Policy of every RODC by default. This group has no members when Windows Server 2008 is first installed, so nothing is cached on any RODC until an administrator explicitly allows it.
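The following PowerShell script is an added example, not part of the original page, showing how the per-RODC Password Replication Policy and the default Denied group described above fit together in practice: it allows the Tokyo branch group on one RODC, lists the effective Allow and Deny lists, and then checks which account secrets are actually cached on that RODC against the privileged groups. It assumes the ActiveDirectory module (shipped with RSAT for Windows Server 2008 R2 and later, not with the original Windows Server 2008 tools), and the RODC name TOKYO-RODC01 and group name "Tokyo Users" are hypothetical.

```powershell
# Added example (not from the original page): audit and adjust the Password
# Replication Policy (PRP) of a branch-office RODC using the ActiveDirectory
# PowerShell module (assumed available via RSAT, Windows Server 2008 R2+).
# TOKYO-RODC01 and "Tokyo Users" are hypothetical names.
Import-Module ActiveDirectory

$Rodc             = 'TOKYO-RODC01'
$BranchGroup      = 'Tokyo Users'
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators'

# 1. Allow the branch users' secrets to be cached on this RODC only.
#    Adding the group to the domain-wide "Allowed RODC Password Replication
#    Group" would allow caching on every RODC, so the per-RODC list is used.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# 2. Show the effective lists. A Deny entry wins over an Allow entry for the
#    same account, so the privileged groups stay excluded regardless of step 1.
Write-Host "Allowed list on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList |
    Select-Object Name, objectClass
Write-Host "Denied list on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList |
    Select-Object Name, objectClass

# 3. Accounts whose secrets are present on the RODC right now. If the RODC is
#    stolen, these are the accounts whose passwords must be reset.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
Write-Host "$(@($Revealed).Count) account(s) have secrets cached on $Rodc"

# 4. Cross-check: is any cached account a member of a privileged group?
#    The default Denied group should make this empty; a non-empty result means
#    the policy was weakened or a privileged account was nested into an
#    allowed group.
$PrivilegedSids = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SID
}
$Exposed = $Revealed | Where-Object { $PrivilegedSids -contains $_.SID }
if ($Exposed) {
    Write-Warning "Privileged account secrets are cached on ${Rodc}:"
    $Exposed | Select-Object SamAccountName, DistinguishedName
} else {
    Write-Host "No privileged account secrets are cached on $Rodc"
}
```

On a plain Windows Server 2008 installation without the PowerShell module, the same information is available from the command line: `repadmin /prp view TOKYO-RODC01 reveal` lists the accounts whose secrets are cached on the RODC, and `repadmin /prp view TOKYO-RODC01 deny` shows the effective Deny list. Step 3 is the check to run before, not after, a branch office reports a missing server.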