Planning and Deploying Read-Only Domain Controllers

What Is an RODC?

Read-only domain controllers (RODCs) are a new feature of Active Directory Domain Services (AD DS) in Windows Server 2008. RODCs are additional domain controllers for a domain that host complete, read-only copies of the partitions of the Active Directory database and a read-only copy of the SYSVOL folder contents. By selectively caching credentials, RODCs address some of the challenges that enterprises can encounter in branch offices and perimeter networks (also known as DMZs) that may lack the physical security that is commonly found in datacenters and hub sites. RODCs also offer a number of manageability improvements that are described in this guide. This section describes how RODCs work with the rest of the Active Directory environment, the main differences between RODCs and writable domain controllers, and the RODC features that can help resolve a number of security or manageability issues.

· Read-Only Active Directory Database, SYSVOL, and Unidirectional Replication

· RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC

· Administrator Role Separation

· Differences Between an RODC and a Writable Domain Controller

· Advantages That an RODC Can Provide to an Existing Deployment


Differences Between an RODC and a Writable Domain Controller

The following table compares an RODC with a writable domain controller, characteristic by characteristic.

Characteristic: Active Directory database access

RODC: The database on an RODC is read only. Applications can only read data from the directory when they target an RODC; they cannot write data in the directory. However, RODCs automatically forward certain write operations to writable domain controllers, and they can send referrals to writable domain controllers when necessary.

Writable domain controller: All read and write operations are possible on a writable domain controller.

Characteristic: Data replication between domain controllers

RODC: An RODC only replicates data from a writable domain controller, and it never replicates data to another domain controller in the domain. This is true for both the Active Directory data and the SYSVOL data.

Writable domain controller: Writable domain controllers replicate any changes that occur elsewhere in the domain from other writable domain controllers, and they replicate data that was written to their database to other domain controllers.

Characteristic: Data that is stored in the database

RODC: RODCs contain a complete copy of the database, with the exception of credentials and other credential-like attributes that are part of the RODC filtered attribute set (FAS). However, you can select which credentials can be cached on the RODC to provide better authentication performance for users who are located in a site that an RODC services.

Writable domain controller: Writable domain controllers contain a complete copy of the directory database, including credentials for all accounts.

Characteristic: Administration

RODC: RODCs can be administered by delegated users that do not have any domain privileges beyond standard domain users. Administration operations include applying hotfixes and software updates, performing offline defragmentation and backups, and so on.

Writable domain controller: Only domain administrators can manage writable domain controllers.
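Because the credentials an RODC is allowed to cache are exactly the credentials an attacker would obtain by stealing that RODC, the Password Replication Policy (PRP) of each RODC is the setting to audit. The following PowerShell is an added example, not part of the original guide: it lists the PRP allow and deny entries, the accounts whose secrets have already been replicated to the RODC, and flags any member of Domain Admins among them. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT and later) and an RODC whose name, RODC01, is a placeholder.

```powershell
# Added example (not from the original guide): audit which credentials an RODC
# may cache and which it has already cached. Assumes the ActiveDirectory module
# and an RODC named RODC01 (placeholder name).
Import-Module ActiveDirectory

$rodc = 'RODC01'   # placeholder: the sAMAccountName or hostname of the RODC to audit

# The PRP decides which accounts' secrets the RODC may cache (Allowed) and
# which it must never cache (Denied). Denied wins over Allowed.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Accounts whose secrets have actually been replicated to this RODC ("revealed").
# These are the credentials that are exposed if the RODC is stolen or compromised.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# Accounts that authenticated through this RODC but were not cacheable; useful
# when deciding which branch-office accounts belong on the allow list.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Privileged accounts that must never be cached on an RODC. Domain Admins is
# checked here; extend the list with the other protected groups you use.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty DistinguishedName

$exposed = @($revealed | Where-Object { $privileged -contains $_.DistinguishedName })

'Allowed PRP entries  : {0}' -f (($allowed  | Select-Object -ExpandProperty Name) -join ', ')
'Denied PRP entries   : {0}' -f (($denied   | Select-Object -ExpandProperty Name) -join ', ')
'Revealed accounts    : {0}' -f (@($revealed).Count)
'Authenticated, not cached: {0}' -f (@($authenticated).Count)

if ($exposed.Count -gt 0) {
    Write-Warning ('Domain Admins credentials are cached on {0}: {1}' -f $rodc,
        (($exposed | Select-Object -ExpandProperty SamAccountName) -join ', '))
} else {
    'No Domain Admins credentials are cached on {0}.' -f $rodc
}
```

Run this from a writable domain controller or a management workstation with the AD module; the revealed-accounts list is the one to review after any suspected physical compromise of an RODC, because those are the accounts whose passwords should be reset.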



Prerequisites for Deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

· Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher.

Constrained delegation supports security calls that must be impersonated under the context of the caller. Delegation makes it possible for applications and services to authenticate to a remote resource on behalf of a user. Because it provides powerful capabilities, typically only domain controllers are enabled for delegation. For RODCs, applications and services must be able to delegate, but only constrained delegation is allowed because it prevents the target from impersonating again and making another hop. The user or computer must be cacheable at the RODC for constrained delegation to work. This restriction places limits on how a rogue RODC may be able to abuse cached credentials.

· Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008. The adprep commands extend the Active Directory schema and update security descriptors so that you can add Windows Server 2008 domain controllers.

  a. Prepare the forest and domains. There are three adprep commands to complete, and the changes must replicate throughout the forest. Run the three commands as follows:

    · Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema. For more information, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008.

    · Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008.

    · If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep. For more information, see Prepare a Forest for a Read-Only Domain Controller. For more information about how to resolve possible errors when you run adprep /rodcprep, see Adprep /rodcprep can have an error if the infrastructure master for an application directory partition is not available.

  b. Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file. For more information, see Installing an Additional Windows Server 2008 Domain Controller (http://go.microsoft.com/fwlink/?LinkID=93254).

· Deploy at least one writable domain controller running Windows Server 2008 in the same domain as the RODC. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008. For fault tolerance, you should deploy at least two writable domain controllers running Windows Server 2008. An RODC can use the second domain controller for failover if the first domain controller is not available.
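The prerequisites above can be verified from a management workstation before the RODC promotion is attempted. The following PowerShell is an added example and not part of the original guide: it checks the forest and domain functional levels, the schema version left by adprep /forestprep, an indicator that the forest has been prepared for RODCs, and the number of writable Windows Server 2008 domain controllers in the domain. It assumes the ActiveDirectory module; the schema objectVersion of 44 for the Windows Server 2008 schema and the presence of the Enterprise Read-only Domain Controllers group as an indicator of rodcprep are assumptions stated in the code, and the authoritative record of what adprep did remains its own output and log.

```powershell
# Added example (not from the original guide): pre-flight checks for the RODC
# prerequisites. Assumes the ActiveDirectory PowerShell module. The schema
# version 44 and the group-based rodcprep indicator are assumptions, not
# statements from the guide; confirm against the adprep log.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE
$results = @()

# 1. Forest functional level: Windows Server 2003 or higher (needed for LVR).
$minForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
$results += [pscustomobject]@{
    Check = 'Forest functional level >= Windows Server 2003'
    Pass  = ([int]$forest.ForestMode -ge [int]$minForest)
    Value = $forest.ForestMode
}

# 2. Domain functional level: Windows Server 2003 or higher (constrained delegation).
$minDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
$results += [pscustomobject]@{
    Check = 'Domain functional level >= Windows Server 2003'
    Pass  = ([int]$domain.DomainMode -ge [int]$minDomain)
    Value = $domain.DomainMode
}

# 3. adprep /forestprep: the schema container's objectVersion. 44 is assumed
#    here to be the Windows Server 2008 schema version.
$schema = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
$results += [pscustomobject]@{
    Check = 'Schema extended for Windows Server 2008 (objectVersion >= 44, assumed)'
    Pass  = ($schema.objectVersion -ge 44)
    Value = $schema.objectVersion
}

# 4. RODC preparation indicator: the Enterprise Read-only Domain Controllers
#    group in the forest root domain. Assumption: treated as an indicator only.
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$erodc = Get-ADGroup -Filter { Name -eq 'Enterprise Read-only Domain Controllers' } `
                     -Server $rootDomain.PDCEmulator
$results += [pscustomobject]@{
    Check = 'Enterprise Read-only Domain Controllers group present (rodcprep indicator, assumed)'
    Pass  = ($null -ne $erodc)
    Value = if ($erodc) { $erodc.DistinguishedName } else { 'missing' }
}

# 5. At least one writable Windows Server 2008 DC in this domain; two are
#    recommended so the RODC has a failover replication partner.
$writable2008 = @(Get-ADDomainController -Filter {
    IsReadOnly -eq $false -and OperatingSystem -like '*2008*'
})
$results += [pscustomobject]@{
    Check = 'Writable Windows Server 2008 DCs in domain (2 recommended)'
    Pass  = ($writable2008.Count -ge 1)
    Value = $writable2008.Count
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more RODC prerequisites are not met; do not promote the RODC yet.'
}
```

Run the script in the domain that will host the RODC. A single writable Windows Server 2008 domain controller satisfies the hard requirement, which is why the check passes at one, but the Value column shows the count so that a deployment with no failover partner is visible.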

