Friday, 14 March 2014

Windows Read Only Domain Controller (RODC)


Read Only Domain Controller (RODC)
Topics Covered
Introduction
What is RODC?
Installation of RODC
Password Replication Policy
Recovery of stolen RODC

Introduction
In a large enterprise network which consists of a Central Hub location and multiple branches,
designing of active directory domain and placement of DC is critical issue for an administrator.
If a administrator place all the DC’s in hub location then authentication requires from all the
branches will flow over WAN links to Hub location. IT can create unnecessary WAN bandwidth
utilization of each branch. Moreover, all service ticket activities will also flows over WAN links.
Service tickets are components of Kerberos which allow users to access resources like file
server, print server, etc.
Other solution to the above scenario is to place each DC at branch location, so that authentication
can be done at local level in each branch and all service tickets are process at local level. This
will not create any bandwidth and performance issue. But there is risk involved in placing DC at
each branch location. They are
1) What happens if the DC is get stolen?
2) What happens if the local administrator at branch office does an malicious activities on
DC?
3) What happens if the DC database is corrupted?
The solution to above scenario is RODC. Read only Domain Controller (RODC) is newly
introduced feature in Windows 2008 to help administration of multiple branches and DC easily
and safely.
Read Only Domain Controller (RODC)
Read-Only Domain Controller (RODC) is a newly added feature to Windows 2008 active
directory domain service. RODC is a domain controller which is typically placed at branch
location. It maintains a copy of all objects in a particular domain and all attributes except
passwords. RODC is a read only copy of DC. Any changes or modification are not allowed to be
done. There is only one way replication between writable DC to RODC and vice-versa is not
allowed.
When RODC is installed at branch location, the user login request at branch office is accepted by
RODC and then the RODC forwards the request to hub site domain controller for authentication.
The RODC here act as forwarder of authentication request. He does not authenticate the user
directly. But you can configure a Password Replication Policy (PRP) for the RODC to cache
specific users that logs on the RODC. If a users or group is specified in PRP then RODC caches
the user login and password, so that next time authentication requested is handled by RODC
locally. We have to manually configure the RODC to cache specific users or group passwords.
Now, if the RODC is stolen or compromised the security risk is limited as only certain users
passwords are cached on RODC can and we can immediately change the passwords of those

users. Moreover when you deleted the RODC computer account from Active directory, you are
given an option to reset the password of all cache users.
Installation of RODC
Pre-requisites for RODC installation
1) The forest function level must be Windows 2003 or higher
2) There must be atleast one writable Windows 2008 Domain controller.
3) If you are running Windows 2003 Domain controller then Scheme of Windows 2003
must be upgraded using the command adprep/rodcprep.
After completion of the pre-requisites the next step is to install the RODC at branch location. An
RODC can be full GUI or Server core installation of Windows 2008 Server. In our case we will
use the GUI mode of Windows 2008 server.
There are two methods to install RODC.
1) Use dcpromo to manually add the RODC to existing domain
2) Pre-create RODC account in active directory and then add the RODC to existing
domain.

Method – I (Pre-Create RODC in active directory)
Pre-create RODC is method of deploying RODC without need of administrator at branch
location. Using this method a administrator can create an computer account for RODC in active
directory and then according deploy the RODC at branch location. When deploying RODC at
branch location you do not need to have administrator login to install RODC. You can install
RODC with the user you have delegated rights while pre-creating RODC.
This method of deployment is a two step method.
1) Pre-Create a RODC account in active directory
2) Start installation of RODC at branch location using dcpromo
Now let start deployment of RODC.
Step – I (Pre-create a RODC account in active directory)
1) Start Active directory users and computers snap-in.
2) Go to domain controllers containers
3) Right-click on Domain Controllers container and then select “Pre-create Read-only
domain controller account..”.
4) The wizard for creation of RODC accounts begins.

5) Click Next to continue.
6) Next specify the network credentials for installation of RODC.
7) Next specify the computer name that will act as RODC.

8) Next select the active directory site where you want to place the RODC.
9) Next specify the additional roles you want to install with RODC like DNS and Global
Catalog. In our case we will select both the roles.

10) Next specify the user name whom you want to delegates the installation and
administration of RODC.
11) Next you will see the summary of details which you have specify for pre-creation of
RODC. Verify the same and click Next to finish the process.
12) After completing the process of pre-create RODC you will see the RODC account
appears in active directory users and computer snap-in.

Step – II (Installation of RODC at branch office using dcpromo.exe)
Before we can begin the installation of RODC please check the following pre-requisites.
1) Windows 2008 server operating system
2) TCP/IP address and DNS server address
1) After checking the pre-requisites we can start the RODC installation
2) Go to Start – Run
3) Type dcpromo /useExistingAccount:attach and and click OK to continue.
4) The window for RODC installation begins.
5) Next select the name of the domain and type the credential of user who has permission to
add the RODC to domain. In our case we can use administrator account or the user
ganesh who we have delegated RODC rights.

6) Next Windows 2008 server will search for the RODC account in active directory and will
show the available pre-created RODC account. Select the VRODC server we have
created earlier.

7) Next specify the Sysvol and NTDS location
8) Then select the Directory service restore mode administrator password and the click next
to continue and complete the installation of RODC.
9) Now your RODC is ready to use.
Method – II (Adding RODC manually using DCPROMO.EXE)
Pre-create RODC is the method of create an RODC account in active directory and then add the
RODC using dcpromo.exe. But using other method we can manually add RODC to active
directory domain without creating RODC account is active directory. Using the second method
we do not have to create RODC account in active directory, it is created automatically using
dcpromo.exe. This method of RODC installation is similar to adding a additional domain
controller to an existing domain.
The difference between both the methods are
1) Using the first method we do not require administrator password to add the RODC to
domain as we have already created the RODC account is active directory.
2) But with the second method we require administrator password to add the RODC to
domain.
Now let start the installation of RODC manually using dcpromo.exe
1) Go to start - RUN.
2) Type dcpromo.exe to begin the active directory installation wizard.
3) Next select the option to add the additional domain controller to existing domain.
4) Next specify the administrative password
5) Next select the roles like DNS, GC and RDOC
6) Next specify the active directory database and sysvol path
7) Next specify the DSRM password.
8) Now your installation of RODC begins
Password Replication Policy
Now we have seen both the method of adding RODC to an existing domain. The next part of
RODC is to create a Password Replication Policy (PRP) to cache the user account at RODC
level. The PRP is necessary to be created for caching of local user at branch for local
authentication. Windows 2008 creates two built-in groups called as “Allow RODC password
replication group” and “Deny RODC password replication group”. If we want specific user or
group password to be cache, then we can add the users or group to “Allow RODC password
replication group” and if we do not want to explicitly cache user password then add the users to
“Deny RODC password replication group”. If a user or group is added the both these built in
group then “Deny RODC password replication group” takes priority and the user password pass
is not cache by RODC.

We can also manually add the user or group to PRP instead of adding the user to any of the
above built in groups. The procedure to add the user to PRP is given below
1) Start Active directory users and computer snap-in from administrative templates.
2) Go to Domain controllers container and the right click on RODC we have created and
then select properties.
3) In the property Windows of RODC go to Password Replication Policy tab.

4) Here you will see all the users and groups who are allowed or denied for password
caching.
5) Now click on Add button and then select the user who’s account you want to cache or do
not cache.
6) After adding the users you will see the user or group to the PRP list.
7) Click OK to Finish the setting up of PRP.
We can see the list of users who’s account are cache by RODC using the Advance button of PRP
tab.

In our case we have set the policy to cache user Ganesh Raul password.
Recovery from a stolen RODC
When an RODC is stolen or compromised, any user password that had been cache on the RODC
should be considered suspect and should be reset. Therefore, you must identify the credentials
that had been cache on the ROD and reset the passwords of each account. There are two ways to
perform this action
1) Open active directory users and computer snap-in and then goto Domain Controller
container. Select the RODC and press Delete key and then click Yes. Windows 2008
server now prompt you the option to automatically reset user and computer passwords of
cache users.
2) You can manually reset the password of the cache users

No comments:

Post a Comment