Thursday, July 18, 2013

Understanding and Configuring RODC Part 1


RODC: Read-Only Domain Controller.
An RODC is a domain controller, typically placed in a branch office, that holds a copy of all objects in the domain and all of their attributes except secrets such as password-related properties. When a user in the branch office logs on, the RODC receives the request and forwards it to a writable domain controller in the main office for authentication.
You can configure a password replication policy (PRP) for the RODC that specifies which user accounts the RODC is allowed to cache. If the user logging on is included in the PRP, the RODC caches that user's credentials, so the next time authentication is requested, the RODC can complete the logon locally.
Because the RODC holds only a subset of user credentials, if the RODC is compromised or stolen, only the accounts whose credentials had been cached on the RODC must have their passwords changed.
RODCs, unlike writable DCs, have a local Administrators group. You can give one or more local support personnel the ability to maintain an RODC fully, without granting them the equivalent of domain administrator rights.

Password Replication Policy
The Password Replication Policy defines which users' credentials can be cached on a specific RODC. The PRP of an RODC is determined by two multivalued attributes of the RODC computer account, known as the Allowed List and the Denied List. If a user's account is on the Allowed List, the user's credentials are cached.

If the user is on both the Allowed List and the Denied List, the user's credentials will not be cached, because the Denied List takes precedence. For a password to be cached, the account must not be in the Denied List and must be in the Allowed List.

Default RODC built-in groups.
1- Denied RODC Password Replication Group.
Accounts and groups added to this domain local group are automatically denied the ability to cache their passwords on any RODC.
2- Allowed RODC Password Replication Group.
This group does not have any members by default. However, if you want to ensure that a specific group of users have their passwords cached on each RODC in your enterprise, you can add them to this group.

To configure an RODC PRP, open the properties of the RODC computer account (under the Domain Controllers OU). On the Password Replication Policy tab, you can view the current PRP settings and add or remove users or groups from the PRP.
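The same PRP work can be done from the Active Directory PowerShell module (Windows Server 2008 R2 or later, or RSAT). The script below is an added example and is not code from the original post: it views the Allowed and Denied lists of an RODC, adds a group to the Allowed list, evaluates one account with the Denied-takes-precedence rule described above, and finally lists the accounts whose secrets the RODC actually holds, which is the set you must reset if the RODC is lost or stolen. The computer name BRANCHSERVER and the group name "Branch Office Users" are assumed placeholders.

```powershell
# Added example (not from the original post): working with an RODC's Password
# Replication Policy from the Active Directory PowerShell module (Windows
# Server 2008 R2 or later, or RSAT). Assumed names: the RODC computer account
# is BRANCHSERVER and the branch users sit in a group called "Branch Office
# Users"; both are placeholders for your own environment.
Import-Module ActiveDirectory

$rodc = 'BRANCHSERVER'

# 1. View the current PRP: each entry is a user or group with a Type of
#    Allowed or Denied (the two multivalued attributes the post describes).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc |
    Select-Object SamAccountName, ObjectClass, Type

# 2. Permit the branch users' group to have its passwords cached on this RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch Office Users'

# 3. Evaluate one account against the policy the way the post states it:
#    cacheable only if it is covered by the Allowed list AND not covered by
#    the Denied list, because Denied takes precedence on a conflict.
function Test-RodcCacheable {
    param([string]$Rodc, [string]$SamAccountName)

    $policy = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc

    # Expand an entry (user, or group expanded recursively) to the user names it covers.
    function Expand-Entries($entries) {
        foreach ($entry in $entries) {
            if ($entry.ObjectClass -eq 'group') {
                Get-ADGroupMember -Identity $entry.DistinguishedName -Recursive |
                    Where-Object { $_.ObjectClass -eq 'user' } |
                    ForEach-Object { $_.SamAccountName }
            } else {
                $entry.SamAccountName
            }
        }
    }

    $allowed = @(Expand-Entries ($policy | Where-Object { $_.Type -eq 'Allowed' }))
    $denied  = @(Expand-Entries ($policy | Where-Object { $_.Type -eq 'Denied' }))

    $inAllowed = $allowed -contains $SamAccountName
    $inDenied  = $denied  -contains $SamAccountName

    New-Object PSObject -Property @{
        Account   = $SamAccountName
        InAllowed = $inAllowed
        InDenied  = $inDenied
        Cacheable = ($inAllowed -and -not $inDenied)
    }
}

# Administrator is in Domain Admins, which the default Denied list covers, so
# it reports Cacheable = False even if an Allowed entry also covers it.
Test-RodcCacheable -Rodc $rodc -SamAccountName 'Administrator'

# 4. Lost or stolen RODC: only the accounts whose secrets it actually held need
#    attention. -RevealedAccounts lists exactly those accounts.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object SamAccountName, ObjectClass

# Force a new password for every revealed user account. (ChangePasswordAtLogon
# on its own would leave the old password valid until the user next logs on,
# which is not enough once the cached secrets are in someone else's hands.)
foreach ($acct in ($revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    $newPwd = Read-Host -AsSecureString -Prompt "New password for $($acct.SamAccountName)"
    Set-ADAccountPassword -Identity $acct -Reset -NewPassword $newPwd
    Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
}
```

Run it from a writable DC or a management workstation with domain admin rights. Step 3 expands groups itself only so that the precedence rule is visible in code; the Advanced button on the Password Replication Policy tab in the GUI shows the same two things (the accounts whose passwords are stored on the RODC, and the resultant policy for a chosen account). Note that Get-ADGroupMember -Recursive stops at the server's group enumeration limit, so on very large groups use an LDAP query instead.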
Prerequisites for RODCs.
To support RODCs, the following prerequisites must be met:
1- The domain functional level must be Windows Server 2003 or higher.
2- The forest functional level must be Windows Server 2003 or higher.
3- Run adprep /rodcprep. This must be run once in the forest.
4- The Password Replication Policy must be set on a writable domain controller.



Exercise 1: Install an RODC.
In this exercise, you will configure the BRANCHSERVER server as an RODC in the dixitmicro.com domain.
1. Log on to BRANCHSERVER as Administrator.
2. Click Start and click Run.
3. Type dcpromo and click OK.
(The Active Directory Domain Services Installation Wizard appears.)
4. Click Next.
5. On the Operating System Compatibility page, click Next.
6. Select the Existing Forest option, and then select Add A Domain Controller To An Existing Domain, as shown in the figure. Click Next.


7. On the Network Credentials page, type dixitmicroit.com (the domain name).
8. Click the Set button.
9. In the User Name box, type Administrator, and in the Password box type the password for the domain's Administrator account. Click OK.
10. Click Next.
11. On the Select A Domain page, select dixitmicroit.com and click Next.
12. On the Select A Site page, select Default-First-Site-Name and click Next.
(A discussion of sites is coming soon on my blog.)
13. On the Additional Domain Controller Options page, select Read-Only Domain Controller
(RODC). Also ensure that DNS Server and Global Catalog are selected. Then click Next.
14. On the Delegation Of RODC Installation And Administration page, click Next.
(If you want to delegate RODC administration to a user or group, select it here; otherwise you can do so later.)
15. On the Location For Database, Log Files, And SYSVOL page, click Next.
16. On the Directory Services Restore Mode Administrator Password page, type a password
in the Password and Confirm Password boxes, and then click Next.
17. On the Summary page, click Next.
18. Select the Reboot On Completion check box.
After rebooting, the server will be promoted to an RODC.
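The same promotion can be scripted. The block below is an added example, not part of the original post: it checks the functional-level prerequisites listed earlier and then runs the unattended equivalent of the wizard steps on Windows Server 2012 or later, where dcpromo is deprecated and the ADDSDeployment module does the work. It assumes the domain dixitmicroit.com and the site Default-First-Site-Name from the exercise; "Branch Office Users" and "Branch Office Admins" are placeholder group names for the PRP Allowed list and the delegated RODC administrator.

```powershell
# Added example (not from the original post): the exercise above done
# unattended on Windows Server 2012 or later, where dcpromo is deprecated and
# the ADDSDeployment module performs the promotion. Assumptions: the domain
# is dixitmicroit.com and the site is Default-First-Site-Name as in the
# exercise; "Branch Office Users" and "Branch Office Admins" are placeholder
# group names for the PRP Allowed list and for the delegated RODC admin.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domain = 'dixitmicroit.com'
$site   = 'Default-First-Site-Name'

# Prerequisites 1 and 2: functional levels below Windows Server 2003 block an
# RODC. (Prerequisite 3, adprep /rodcprep, is a one-time manual step in the
# forest and is not checked here.)
$domainMode = [string](Get-ADDomain -Identity $domain).DomainMode
$forestMode = [string](Get-ADForest -Identity $domain).ForestMode
$tooLow = @('Windows2000Domain', 'Windows2003InterimDomain',
            'Windows2000Forest', 'Windows2003InterimForest')
if ($tooLow -contains $domainMode -or $tooLow -contains $forestMode) {
    throw "Functional level too low for an RODC: domain=$domainMode, forest=$forestMode"
}

# Steps 7-9 and the DSRM password step: domain admin credentials and the
# Directory Services Restore Mode password, prompted for rather than embedded.
$cred = Get-Credential -Message "Administrator account for $domain"
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# One parameter table, splatted into both the dry run and the real promotion.
$params = @{
    ReadOnlyReplica                     = $true                    # Read-Only Domain Controller
    DomainName                          = $domain                  # domain from steps 7 and 11
    SiteName                            = $site                    # site from step 12
    InstallDns                          = $true                    # DNS Server (Global Catalog is on by default)
    Credential                          = $cred
    SafeModeAdministratorPassword       = $dsrm
    AllowPasswordReplicationAccountName = @('Branch Office Users') # PRP Allowed list (placeholder group)
    DelegatedAdministratorAccountName   = 'Branch Office Admins'   # delegation step (placeholder group)
    DatabasePath                        = 'C:\Windows\NTDS'        # the wizard's default locations
    LogPath                             = 'C:\Windows\NTDS'
    SysvolPath                          = 'C:\Windows\SYSVOL'
    Force                               = $true                    # suppress the confirmation prompt
}

# Dry run: validates the parameters and prerequisites without changing anything.
Test-ADDSDomainControllerInstallation @params

# Real promotion. The server reboots when it finishes (the Reboot On Completion
# step); add NoRebootOnCompletion = $true to the table to reboot yourself.
Install-ADDSDomainController @params
```

The Denied list is left at its defaults here (the Denied RODC Password Replication Group, which covers Domain Admins and the other privileged groups), so only the explicitly named branch group becomes cacheable. On the Windows Server 2008 media the exercise uses, the equivalent of this script is a dcpromo unattend answer file.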
