<p><strong>Read-Only Domain Controller (RODC) Information</strong></p>
<p>Published 2014-09-19 (last modified 2016-04-06) at https://adsecurity.org/?p=274</p>
<p>The RODC is one of the most interesting new features of Windows Server 2008.</p>
<p>RODCs provide the following:</p>
<ul>
<li><strong>Read-only Active Directory Database</strong> – A read-only copy of Active Directory provides a more secure option for distant locations such as a branch office. Changes attempted against the RODC are referred to the next upstream DC.</li>
<li><strong>Read-only DNS Server</strong> – DNS on the RODC can be configured as a DNS secondary of the Active Directory Integrated DNS zone or of a primary standard DNS zone.</li>
<li><strong>Credential Caching</strong> – By default, no passwords are stored on a RODC (including computer passwords), though specific groups can be configured for password caching. Physical attacks that recover domain credentials from the Active Directory database on a RODC are not possible when password caching is disabled.</li>
<li><strong>Administrator Role Separation</strong> – Administration of a RODC can be delegated to a domain user account without providing “keys to the kingdom” access or significantly decreasing the security posture of Active Directory.</li>
<li><strong>Reduced Exposure</strong> – Specific object attributes can be filtered to ensure they don’t exist on RODCs. For example, there may be attributes that were added after the instantiation of Active Directory, such as attributes that are confidential (SSNs, clearance, etc.).</li>
<li><strong>Unidirectional Replication</strong> – The only replication that occurs on a RODC is inbound replication from a fully writable 2008 DC. This reduces the amount of replication traffic in the environment as well as the number of connections and connection objects at the primary site. This also protects the rest of the directory from corruption of the RODC database due to hardware failure or improper shutdown.</li>
<li><strong>SYSVOL Modification Isolation</strong> – If SYSVOL is modified on a RODC in the field, the change stays on the RODC and is not replicated out. This includes added, deleted, and modified SYSVOL files.</li>
</ul>
<p>There are several key differences between a writable DC and a RODC. These differences include the following:</p>
<ul>
<li><strong>Active Directory Database</strong> – DCs host the only writable copies of the Active Directory database and therefore can perform read and write operations against the directory database. RODCs host read-only copies of the AD database which do not include security principal secrets (passwords). Since RODCs are unable to perform write operations on the RODC-hosted AD database, some write operations are forwarded to full DCs; in other cases the RODC provides referrals so that the client can locate a writable DC.</li>
<li><strong>Active Directory Replication</strong> – Writable DCs replicate among themselves frequently and as needed to ensure directory consistency. RODCs never replicate to or from another RODC. RODCs also never send replication data to other DCs. RODCs can only receive replication from a 2008 writable DC. This replication method is the same for replicating SYSVOL.</li>
<li><strong>Local AD database storage</strong> – Writable DCs host a full copy of the Active Directory database including security principal credentials. RODCs host a copy of the database except for attributes that are part of the RODC Filtered Attribute Set (FAS) and security principal credentials. Specific credentials can be identified and selected for password replication to the RODC.</li>
<li><strong>Administration</strong> – Writable DCs are administered by the domain Administrators and Domain Admins groups; however, membership in these groups also grants enhanced Active Directory rights. RODCs provide the capability to delegate full administrative rights to the RODC to a standard user account and/or user group without providing elevated Active Directory permissions.</li>
</ul>
<p>When placing a RODC at a site, there are several important considerations:</p>
<ol>
<li>Think twice about placing a RODC in the same site as a DC. RODCs are meant to be used where there are security and/or other concerns (delegation, replication, etc.). If a writable DC is in the site, it makes more sense to place another DC there instead of a RODC.</li>
<li>If a location requires a DC that hosts additional services (roles), the DC placed at the site should be a RODC. DCs should not host services beyond core Active Directory services.</li>
<li>There must be a 2008 (or newer) DC upstream from the RODC to enable proper replication. It is best to have two 2008 (or newer) DCs nearby to enable efficient replication.</li>
<li>All of the users located at the site serviced by a RODC should be members of a site group which is added to the password replication policy for the RODC. This will ensure the user passwords are cached for logon in the event the network connection to a nearby writable DC is down.</li>
<li>All of the computers (workstations &amp; servers) located at the site serviced by a RODC should be members of a site group which is added to the password replication policy for the RODC. This will ensure the computer passwords are cached, ensuring proper computer operation in the event the network connection to a nearby writable DC is down.</li>
<li>RODCs never communicate with other RODCs. This means if there are multiple RODCs in the same site, they may have different accounts cached and possibly different password replication policies. This scenario is why it may not make sense to place two RODCs in a site.</li>
</ol>
<p>Note: If items 3 &amp; 4 are not configured to enable password caching, a writable DC must be available to service authentication (Kerberos) requests; both the computer &amp; user passwords must be cached in order for a Kerberos ticket to be granted.</p>
<p>Here are some excellent RODC resources:</p>
<ul>
<li><a title="RODC Overview" href="http://technet.microsoft.com/en-us/library/cc732801%28WS.10%29.aspx">RODC Overview</a></li>
<li><a title="Read-Only Domain Controller Planning and Deployment Guide" href="http://technet.microsoft.com/en-us/library/cc771744%28WS.10%29.aspx">Read-Only Domain Controller Planning and Deployment Guide</a></li>
<li><a title="RODC Technical References" href="http://technet.microsoft.com/en-us/library/cc754218%28WS.10%29.aspx">RODC Technical References</a></li>
<li><a title="Understanding RODC Authentication" href="http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx">RODC Authentication Details</a> (with packet captures)</li>
</ul>