READ ONLY DOMAIN CONTROLLER (RODC)

Implementing Read Only Domain Controller (RODC)



Implementing Read Only Domain Controller (RODC)

Introduction

The Read Only Domain Controller (RODC) is the domain controller that has a read-only copy of Active Directory database. One of the main reasons for having an RODC is that an organization has one or more remote locations where there are local administrators to manage a Domain Controller or there are server rooms where they can keep safe. The main features of an RODC are: AD database in read-only, unidirectional replication from DC caching credentials of users who have just logged on the RODC remotely. By default the RODC store the passwords of your computer account and password, the account Kerberos that takes care of releasing the Ticket Granting Ticket (TGT) that are used in order to authenticate and access to network resources. Despite the RODC is allowed to install the DNS service, all records are included in the replicated read-only. It 'must be installed on Windows Server 2008 RODC but you can also put them in infrastructure Existing AD and based on Windows Server 2003, provided that the Primary Domain Controller (PDC) Emulator Both Windows Server 2008 and that the functional level of the forest (forest functional level) is at least Windows Server 2003. The RODC can also be Global Catalogs, but can not have any role FSMO (Mclay, 2008, pp. 12).

Password Replication Policies

When we decide to install an RODC must configure password replication policies on a DC our domain. This policy serves to determine whether or not an RODC can do caching of passwords of users. Since the default is not put in any RODC caches passwords, this provides a huge degree of safety in the moment in which we were to lose an RODC because of a theft or due to a cyber attack designed to enumerate the accounts in our AD infrastructure.

Separation of administrative roles

Separating the roles of administrator specifies that the local administrator role of a domain controller read-only bit to be delegated to any domain user or security group without granting them rights on domain controllers or other areas. Thus, a managing director can log on to a domain controller read-only to perform maintenance tasks on the server, such as upgrading a driver. By cons, he could not log on to another domain controller or perform other administrative tasks in the field. Management controller read-only domain of a branch can be effectively delegated to a security group composed of users from the branch, instead of members of the Domain administration group, without compromising the security of the rest of field (Piltzecker, 2008, pp. 41).

New Features

The domain controller is read-only solves some of the problems frequently encountered in the branches. The branches may not be a domain controller. If the branch office domain controller is available for recording, the problem may lie in the lower level of physical security, lack of network capacity, or lack of branch employees the skills necessary to service the domain ...