Windows Server 2008: Active Directory Infrastructure - Deploying Read-Only Domain Controllers (RODCs)

A new concept in Windows Server 2008 R2 is the Read-Only Domain Controller (RODC) Server role. RODCs, as their name implies, hold read-only copies of forest objects in their directory partitions. This role was created to fill the need of branch office or remote site locations, where physical security might not be optimal, and storing a read/write copy of directory information is ill-advised.

Understanding the Need for RODCs

Before Windows Server 2008 R2, domain controllers could only be deployed with full read/write replicas of domain objects. Any change initiated at a domain controller would eventually replicate to all DCs in the forest. This would occur even if the change was undesirable, such as in the case of accidental deletion of OUs.

In remote sites, physical security was an issue for these DCs. Although organizations didn’t want to deploy DCs to these sites for security reasons, in many cases slow WAN links would dictate that the remote office would need a local DC, or run the risk of diminished performance in those sites.

In response to these issues, Microsoft built the concept of RODCs into Windows Server 2008 R2. They also built functionality in RODCs that allowed only specific passwords to be replicated to these RODCs. This greatly reduces the security risk of deploying domain controllers to remote sites.

Outlining the Features of RODCs

Several key features of RODCs must be understood before they are deployed in an organization. These features and functionality are listed as follows:

  • RODCs can be installed on a server with Server Core, to further reduce the security risk by reducing the number of services running on the server.

  • RODCs can be configured as global catalog servers, which effectively makes them ROGCs.

  • Domain and forest functional levels must be set to Windows Server 2003 or higher levels to install RODCs.

  • Replication to RODCs is unidirectional, as there is nothing to replicate back from the RODCs.

  • RODCs that run the DNS service will maintain a read-only copy of the DNS partitions as well. Clients that need to write their records into DNS will be issued a referral to a writable DNS server. The record they write will be quickly replicated back to the RODC.

  • An existing Windows Server 2008 R2 forest must be prepared to use RODCs by running dcpromo /rodcprep from the Windows Server 2008 R2 media. This allows for the proper permissions to be set for the Read-only DNS Server partitions. This can be run manually, but is run automatically during the dcpromo process for an RODC.
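As an added example (not part of the original article), the following PowerShell check uses the Active Directory module that ships with Windows Server 2008 R2 to verify the functional-level requirement listed above, inventory the existing domain controllers in the target domain, and show which accounts any RODCs already deployed are allowed to cache passwords for. The cmdlet names are the module's own; the minimum levels are the ones the list above states, and the script assumes it is run by an account that can read forest and domain properties.

```powershell
# Added example: pre-deployment readiness check for an RODC (not the article's own code).
# Assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

# Functional levels in ascending order. The 2003 "interim" levels exist only for upgrades from
# Windows NT 4.0 domains and do not satisfy the "Windows Server 2003 or higher" requirement.
$forestModes = @('Windows2000Forest', 'Windows2003InterimForest', 'Windows2003Forest',
                 'Windows2008Forest', 'Windows2008R2Forest')
$domainModes = @('Windows2000MixedDomain', 'Windows2000NativeDomain', 'Windows2003InterimDomain',
                 'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain')

function Test-FunctionalLevel {
    param([string]$Current, [string[]]$Ordered, [string]$Minimum)
    # $true when the current level sits at or above the minimum in the ordered list.
    return ($Ordered.IndexOf($Current) -ge $Ordered.IndexOf($Minimum))
}

$forest = Get-ADForest
$domain = Get-ADDomain

$forestOk = Test-FunctionalLevel -Current "$($forest.ForestMode)" -Ordered $forestModes -Minimum 'Windows2003Forest'
$domainOk = Test-FunctionalLevel -Current "$($domain.DomainMode)" -Ordered $domainModes -Minimum 'Windows2003Domain'

"Forest {0}: functional level {1} -> {2}" -f $forest.Name, $forest.ForestMode, $(if ($forestOk) { 'OK' } else { 'TOO LOW for RODC' })
"Domain {0}: functional level {1} -> {2}" -f $domain.DNSRoot, $domain.DomainMode, $(if ($domainOk) { 'OK' } else { 'TOO LOW for RODC' })

# Inventory of existing domain controllers. Replication to an RODC is one-way, so it matters
# which writable DCs (IsReadOnly = False) exist near the target site and which RODCs already exist.
Get-ADDomainController -Filter * |
    Sort-Object Site, Name |
    Format-Table Name, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem -AutoSize

# For RODCs already in the domain, list the principals whose passwords are allowed to be
# cached there. Anything unexpected here widens the exposure of that branch-office server.
Get-ADDomainController -Filter { IsReadOnly -eq $true } | ForEach-Object {
    "Allowed password replication on $($_.Name):"
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $_ -Allowed |
        Select-Object -ExpandProperty Name
}
```

Run it from a management workstation or an existing DC before starting dcpromo on the branch-office server; a "TOO LOW" result means the functional level must be raised first, and the allowed-list output is worth reviewing again after each new RODC is added.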

Deploying an RODC

The process for deploying an RODC is similar to the process of deploying a regular domain controller. In both scenarios, the dcpromo command is used to initiate the wizard. The wizard is greatly improved over Windows Server 2003, however, and includes the ability to make that server an RODC. To configure a server as an RODC, do the following:

1. From the domain controller, choose Start, Run.

2. Type dcpromo to initiate the wizard.

3. From the wizard welcome screen, check the Use Advanced Mode Installation check box, and click Next to continue.

4. Read the warning about Operating System Compatibility and click Next to continue.

5. Choose Existing Forest and Existing Domain, because RODCs can only be installed in domains with existing domain controllers. Click Next to continue.

6. Enter the name of the domain the RODC will be installed into and enter Domain Admin credentials into the Alternate Credentials field, as shown in Figure 1. Click Next to continue.

Figure 1. Installing an RODC.

7. Select the domain again from the list, and click Next to continue.

8. Select a site to install the DC into from the list, and click Next to continue.

9. On the Additional Domain Controller Options page, check the box for RODC, as shown in Figure 2; you can also define whether the RODC is a global catalog server and/or a DNS server. Click Next to continue.

Figure 2. Choosing to make a server into an RODC.

10. On the Password Replication Policy page, specify whether the passwords of any specific accounts will be replicated to the RODC. Often, local users and passwords in the remote location can be added here so that they are replicated and logon times improve. After adding groups and/or users, click Next to continue.

11. On the Delegation of RODC Installation and Administration page, shown in Figure 3, specify any accounts or groups that will be local administrators on the box. Windows Server 2008 R2 removes the requirement that local administrators of RODCs be domain-level built-in administrators, which gives greater flexibility for remote administration of the server. Enter a group (preferred) or user account into the Group or User field, and click Next to continue.

Figure 3. Setting local administrator rights on the RODC.

12. On the Install from Media page, choose to replicate either from an existing domain controller or from local media. By storing the DC information on a burnt CD or other media and shipping it to the remote location, replication time can be greatly reduced. In this case, we are replicating from an existing DC, so click Next to continue.

13. On the Source Domain Controller page, choose either to let the wizard pick a DC or to specify one yourself. Click Next to continue.

14. On the next page, which covers database locations, set the locations for the database, the log files, and SYSVOL, and click Next to continue.

15. Set a Directory Services Restore Mode password on the next page, and click Next to continue.

16. On the summary page, review the options chosen, and click Next to continue.

17. Because new domain controllers require a reboot, it can be convenient to check the Reboot on Completion check box, as shown in Figure 4, which is displayed while the DC is being provisioned. By doing so, the RODC will automatically reboot when complete.

Figure 4. Setting the DC to reboot after provisioning.
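The same wizard choices can be supplied to dcpromo as an unattended answer file, which is how the promotion is usually scripted for a branch-office server that nobody wants to walk through a GUI on. The following PowerShell script is an added example, not code from the article: the answer-file keys are dcpromo's documented unattended-installation parameters for Windows Server 2008 R2, and each one is commented with the wizard step above it replaces, while every value (domain name, site, groups, source DC, paths) is a placeholder to replace with your own. Because dcpromo requires the credentials in clear text inside the file, the script prompts for them, restricts the file to the current user, leaves RebootOnCompletion off, and deletes the file as soon as dcpromo has finished.

```powershell
# Added example (not the article's own code): unattended RODC promotion with dcpromo /unattend.
# Run from an elevated PowerShell prompt on the member server that is to become the RODC.
# All values below are placeholders; the key names are dcpromo's unattend parameters.

$targetDomain   = 'corp.example.com'           # domain the RODC joins (wizard steps 6 and 7)
$siteName       = 'BranchOffice-Site'          # AD site for the RODC (step 8)
$sourceDc       = 'HQ-DC01.corp.example.com'   # writable DC to replicate from (step 13)
$delegatedAdmin = 'CORP\RODC-BranchAdmins'     # local administrators of the RODC (step 11)
$allowedCache   = 'CORP\Branch-Users'          # accounts whose passwords may be cached (step 10)
$answerFile     = Join-Path $env:TEMP 'rodc-unattend.txt'

# Prompt rather than hard-code secrets. Enter the promotion account as DOMAIN\user so that
# GetNetworkCredential() can split it into the UserDomain and UserName keys.
$domainCred = Get-Credential -Message 'Domain Admins account used for the promotion (DOMAIN\user)'
$dsrm       = Read-Host -AsSecureString 'Directory Services Restore Mode password (step 15)'
$dsrmPlain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                  [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))
$netCred    = $domainCred.GetNetworkCredential()

# Answer file. ReplicaOrNewDomain=ReadOnlyReplica is the equivalent of the RODC check box (step 9);
# InstallDNS and ConfirmGc are the DNS and global catalog options on the same page.
# PasswordReplicationAllowed may be repeated, one line per principal.
$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$targetDomain
SiteName=$siteName
InstallDNS=Yes
ConfirmGc=Yes
ReplicationSourceDC=$sourceDc
DelegatedAdmin=$delegatedAdmin
PasswordReplicationAllowed=$allowedCache
UserDomain=$($netCred.Domain)
UserName=$($netCred.UserName)
Password=$($netCred.Password)
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@

try {
    Set-Content -Path $answerFile -Value $answer -Encoding ASCII

    # Strip inherited permissions and grant only the current user access to the file,
    # since it holds two passwords in clear text until dcpromo has read it.
    icacls $answerFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null

    # dcpromo is a GUI executable, so wait for it explicitly and capture its exit code.
    $proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/unattend:`"$answerFile`"" -Wait -PassThru
    "dcpromo exited with code $($proc.ExitCode); see C:\Windows\debug\dcpromo.log for details."
    "Reboot the server to complete the promotion (RebootOnCompletion was left at No)."
}
finally {
    # Remove the answer file whether or not the promotion succeeded.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    $dsrmPlain = $null
}
```

Replace ReplicationSourceDC with ReplicationSourcePath pointing at an Install from Media folder when you ship the directory data to the site on removable media as described in step 12; the rest of the file stays the same.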

