Planning and deploying read-only Domain Controllers

Source: Internet
Author: User
What is an RODC?

Read-only domain controllers (RODCs) are a new feature of Active Directory Domain Services (AD DS) in Windows Server 2008. RODCs are additional domain controllers for a domain that host complete, read-only copies of the partitions of the Active Directory database and a read-only copy of the SYSVOL folder contents. By selectively caching credentials, RODCs address some of the challenges that enterprises can encounter in branch offices and perimeter networks (also known as DMZs) that may lack the physical security that is commonly found in datacenters and hub sites. RODCs also offer a number of manageability improvements that are described in this guide. This section describes how RODCs work with the rest of the Active Directory environment, the main differences between RODCs and writable domain controllers, and the RODC features that can help resolve a number of security or manageability issues.

· Read-only Active Directory database, SYSVOL, and unidirectional replication

· RODC filtered attribute set, credential caching, and the authentication process with an RODC

· Administrator role separation

· Differences between an RODC and a writable domain controller

· Advantages that an RODC can provide to an existing deployment

Differences between an RODC and a writable domain controller

The following comparison lists each characteristic, then how an RODC and a writable domain controller behave for it.

Active Directory database access

RODC: The database on an RODC is read-only. Applications can only read data from the directory when they target an RODC; they cannot write data in the directory. However, RODCs automatically forward certain write operations to writable domain controllers, and they can send referrals to writable domain controllers when necessary.

Writable domain controller: All read and write operations are possible on a writable domain controller.

Data replication between domain controllers

RODC: An RODC only replicates data from a writable domain controller, and it never replicates data to another domain controller in the domain. This is true for both the Active Directory data and the SYSVOL data.

Writable domain controller: Writable domain controllers replicate any changes that occur elsewhere in the domain from other writable domain controllers, and they replicate data that was written to their database to other domain controllers.

Data that is stored in the database

RODC: RODCs contain a complete copy of the database, with the exception of credentials and other credential-like attributes that are part of the RODC filtered attribute set (FAS). However, you can select which credentials can be cached on the RODC to provide better authentication performance for users who are located in a site that an RODC services.

Writable domain controller: Writable domain controllers contain a complete copy of the directory database, including credentials for all accounts.

Administration

RODC: RODCs can be administered by delegated users that do not have any domain privileges beyond standard domain users. Administration operations include applying hotfixes and software updates, performing offline defragmentation and backups, and so on.

Writable domain controller: Only domain administrators can manage writable domain controllers.
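The comparison above can be checked against a live domain. The following PowerShell script is an added example, not part of the original guide; it assumes the RSAT ActiveDirectory module and read access to the domain, and reports for each RODC what the Password Replication Policy allows, which credentials are actually cached, and which delegated account administers it.

```powershell
# Added example, not from the original guide. Audits every RODC in the current
# domain for the properties compared above: read-only flag, what the Password
# Replication Policy allows or denies, which credentials are actually cached,
# and which delegated (non-domain-admin) account administers the RODC.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-RodcAuditReport {
    # Highly privileged accounts that should never be cached on a branch RODC
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
        # Password Replication Policy: accounts that may / may never be cached here
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

        # Accounts whose secrets are cached on this RODC right now; this is the
        # set a compromised RODC could expose, so it is the main thing to review
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
        $cachedAdmins = $revealed |
            Where-Object { $domainAdmins -contains $_.SamAccountName } |
            Select-Object -ExpandProperty SamAccountName

        # Administrator role separation: the delegated local administrator is
        # recorded in the managedBy attribute of the RODC's computer object
        $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties ManagedBy

        [PSCustomObject]@{
            RODC               = $rodc.HostName
            Site               = $rodc.Site
            IsReadOnly         = $rodc.IsReadOnly
            PrpAllowedEntries  = $allowed.Count
            PrpDeniedEntries   = $denied.Count
            CachedAccounts     = $revealed.Count
            CachedDomainAdmins = ($cachedAdmins -join ', ')   # should be empty
            DelegatedAdmin     = $computer.ManagedBy
        }
    }
}

Get-RodcAuditReport | Format-Table -AutoSize
```

A non-empty CachedDomainAdmins column means the Password Replication Policy has let a privileged credential onto a branch DC and should be reviewed.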

Prerequisites for deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

· Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher.

Kerberos delegation supports security calls that must be impersonated under the context of the caller. It makes it possible for applications and services to authenticate to a remote resource on behalf of a user. Because it provides such a powerful capability, typically only domain controllers are enabled for delegation. For RODCs, applications and services must be able to delegate, but only constrained delegation is allowed because it prevents the target from impersonating again and making another hop. The user or computer must be cacheable at the RODC for constrained delegation to work. This restriction places limits on how a rogue RODC may be able to abuse cached credentials.

· Run adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008. The adprep commands extend the Active Directory schema and update security descriptors so that you can add Windows Server 2008 domain controllers.

A. Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:

· Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema. For more information, see Prepare a Windows 2000 or Windows Server 2003 forest schema for a domain controller that runs Windows Server 2008.

· Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role. For more information, see Prepare a Windows 2000 or Windows Server 2003 domain for a domain controller that runs Windows Server 2008.

· If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep. For more information, see Prepare a forest for a read-only domain controller. For more information about how to resolve possible errors when you run adprep /rodcprep, see Adprep /rodcprep can have an error if the infrastructure master for an application directory partition is not available.

B. Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file. For more information, see Installing an Additional Windows Server 2008 Domain Controller (http://go.microsoft.com/fwlink?LinkId=93254).

· Deploy at least one writable domain controller running Windows Server 2008 in the same domain as the RODC. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008. For fault tolerance, you should deploy at least two writable domain controllers running Windows Server 2008. An RODC can use the second domain controller for failover if the first domain controller is not available.
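The prerequisites above (forest and domain functional levels, the FSMO role holders on which adprep must run, and the writable Windows Server 2008 replication sources) can be verified before the RODC promotion starts. This PowerShell script is an added example, not part of the original guide; it assumes the RSAT ActiveDirectory module and read access to the forest.

```powershell
# Added example, not from the original guide. Checks the RODC prerequisites
# listed above for the current forest and domain. Assumes the RSAT
# ActiveDirectory module and read access to the forest.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest level Windows Server 2003 or higher makes linked-value replication
    # (LVR) available. The ADForestMode enum values increase with each release,
    # so a numeric comparison works; interim levels sit below Windows2003Forest.
    $forestOk = [int]$forest.ForestMode -ge `
        [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest

    # Domain level Windows Server 2003 or higher makes Kerberos constrained
    # delegation available, which is the only delegation form an RODC allows.
    $domainOk = [int]$domain.DomainMode -ge `
        [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain

    # At least one writable DC on Windows Server 2008 or later is required as the
    # RODC's replication source; two are recommended so it has a failover source.
    $writableSources = @(Get-ADDomainController -Filter { IsReadOnly -eq $false } |
        Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2003|Windows 2000' })

    [PSCustomObject]@{
        ForestFunctionalLevel  = $forest.ForestMode
        ForestLevelOk          = $forestOk
        DomainFunctionalLevel  = $domain.DomainMode
        DomainLevelOk          = $domainOk
        WritableDCs2008OrLater = $writableSources.Count
        FaultTolerant          = $writableSources.Count -ge 2
        # adprep must be run on these role holders (see the steps above)
        SchemaMaster           = $forest.SchemaMaster          # adprep /forestprep
        InfrastructureMaster   = $domain.InfrastructureMaster  # adprep /domainprep /gpprep
        AllPrerequisitesMet    = $forestOk -and $domainOk -and ($writableSources.Count -ge 1)
    }
}

Test-RodcPrerequisites | Format-List
```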
