Windows Server 2016-Deploying an RODC read-only domain controller

Source: Internet
Author: User

A read-only domain controller (RODC) is an Active Directory feature introduced with Windows Server 2008. An RODC holds a copy of the Active Directory database like any other domain controller, with two important differences: by default it does not store the passwords of domain user or computer accounts, and its copy of the database is read-only. Replication is one-way only, from the writable domain controllers to the RODC; no change can originate on the RODC and be replicated back to the writable domain controllers. RODCs are typically deployed at branch locations (remote offices, subsidiaries, overseas sites) where physical security is weaker, on-site IT staff are scarce and WAN bandwidth is expensive. An RODC lets users at such a site authenticate locally without requiring technical staff on site, simplifies management, improves local logon performance, and limits what an attacker gains by compromising or stealing the box.

Architecture diagram:

Advantages of the RODC:

1. Read-only Active Directory database: a stolen or physically compromised RODC cannot be used to push changes into the directory, which reduces the threat posed by poor physical security at the branch;

2. Reduced replication traffic over the WAN (inbound to the RODC only), and faster access to local network resources;

3. Credential caching: caching the credentials of branch users on the RODC speeds up logon at the branch and, because only the cached accounts are exposed, limits the number of accounts affected if the RODC is compromised. (A credential cache is the storage of user or computer credentials. Credentials consist of a small set of approximately 10 passwords associated with a security principal. By default the RODC stores no user or computer credentials; the only exceptions are the RODC's own computer account and the special krbtgt account that each RODC has. Caching of any other credential must be explicitly allowed on the RODC through its Password Replication Policy.)

4. Administrator role separation: a branch administrator can be delegated local administration of the RODC without being a member of Domain Admins, which reduces the threat that excessive branch administrator privileges pose to the whole Active Directory;

5. Read-only DNS: the DNS Server role can optionally be installed on the RODC and the Active Directory-integrated zones replicated to it, which speeds up name resolution for the branch. The RODC DNS server does not accept dynamic updates; all updates are made on a writable domain controller's DNS server and replicate one-way to the RODC DNS server (a client that tries to register a record on the RODC is referred to a writable DNS server).

RODC disadvantage:

1. By default the RODC stores no user passwords, so if the writable domain controller becomes unreachable (a WAN outage, for example), users whose credentials are not cached cannot be authenticated and will see unexpected logon errors.

2. The RODC is heavily dependent on the writable domain controllers: any replication problem or outage on the writable side directly affects the RODC.

Prerequisites for deploying an RODC:

1. At least one writable domain controller running Windows Server 2008 or later must exist in the domain;

2. The forest functional level must be Windows Server 2003 or higher (if the forest still contains Windows Server 2003 domain controllers, adprep /rodcprep must also have been run);

3. The PDC Emulator operations master role must be held by a domain controller running Windows Server 2008 or later;

4. A healthy writable domain controller must remain in the environment at all times, since the RODC can only receive changes.
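The four prerequisites above can be checked before promotion. The following PowerShell is an added example, not code from the original article; it assumes the article's domain azureyun.local, a domain-joined machine with the RSAT ActiveDirectory module, and read access to the directory.

```powershell
# Added example (not from the original article): check the RODC prerequisites
# listed above. Assumes the lab domain azureyun.local from the article.
Import-Module ActiveDirectory

$domainName = "azureyun.local"   # assumption: the article's lab domain

# Major OS version from the operatingSystemVersion attribute, e.g. "6.0 (6003)"
# for Windows Server 2008 or "10.0 (14393)" for Windows Server 2016.
function Get-DcOsMajor {
    param($Dc)
    if (-not $Dc.OperatingSystemVersion) { return 0 }
    return ([version](($Dc.OperatingSystemVersion -split ' ')[0])).Major
}

$forest = Get-ADForest
$domain = Get-ADDomain -Identity $domainName
$allDcs = Get-ADDomainController -Filter * -Server $domainName

# Prerequisites 1 and 4: at least one writable DC, and at least one of them on
# Windows Server 2008 (version 6.0) or later.
$writable     = @($allDcs | Where-Object { -not $_.IsReadOnly })
$writable2008 = @($writable | Where-Object { (Get-DcOsMajor $_) -ge 6 })

# Prerequisite 2: forest functional level at least Windows Server 2003
# (the Windows Server 2003 interim mode does not qualify).
$forestLevelOk = $forest.ForestMode.ToString() -notin @("Windows2000Forest", "Windows2003InterimForest")

# Prerequisite 3: the PDC emulator must run Windows Server 2008 or later.
$pdc   = Get-ADDomainController -Identity $domain.PDCEmulator
$pdcOk = (Get-DcOsMajor $pdc) -ge 6

[pscustomobject]@{
    WritableDCs              = ($writable | Select-Object -ExpandProperty Name) -join ", "
    WritableDCsOn2008OrLater = $writable2008.Count
    ForestMode               = $forest.ForestMode.ToString()
    ForestLevelOk            = $forestLevelOk
    PdcEmulator              = $pdc.HostName
    PdcEmulatorOk            = $pdcOk
    ReadyForRodc             = ($writable2008.Count -ge 1) -and $forestLevelOk -and $pdcOk
}
```

Run it from the writable domain controller or an admin workstation before starting the promotion wizard; a ReadyForRodc value of False points at which of the four prerequisites still needs attention.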

Role                                   Host name               IP address
Primary domain controller (writable)   major.azureyun.local    192.168.156.1
Read-only domain controller (RODC)     BRODC.azureyun.local    192.168.156.3

One: Deploy a read-only domain controller:

1. Set the host name and a static IP address, and configure the primary domain controller's address (192.168.156.1) as the preferred DNS server:

2. Join the domain from the command line and restart the server:

netdom join %computername% /d:azureyun.local /userd:azureyun.local\administrator /passwordd:abc.123!

Note that /passwordd places the domain Administrator password in clear text on the command line, where it is kept in command history and may end up in logs. For anything beyond a lab, use a dedicated join account with delegated rights rather than the domain Administrator, and pass /passwordd:* so that netdom prompts for the password instead.

3. If necessary, turn off the Windows Firewall. This is acceptable in the lab; in production keep it enabled and allow only the traffic that AD DS replication, DNS, Kerberos and LDAP require:

4. The steps for adding the Active Directory Domain Services role are omitted here; we go straight to the promotion wizard. Select "Add a domain controller to an existing domain" and click Next:

5. Tick "Domain Name System (DNS) server", "Global Catalog (GC)" and "Read only domain controller (RODC)", enter the Directory Services Restore Mode (DSRM) password and click Next:

6. Configure the Password Replication Policy, which decides whose passwords may be replicated to (cached on) the RODC. We recommend keeping the default denied entries: Administrators, Account Operators, Server Operators, Backup Operators and the Denied RODC Password Replication Group (which itself contains Domain Admins, Enterprise Admins, Schema Admins and other privileged accounts) should never have their passwords cached on a branch server. The allowed list (typically a group containing the branch's own users and computers) can be set as required. Click Next:

7. Select the domain controller to replicate from (the source of the initial replication):

8. Specify the locations for the AD DS database, the log files and SYSVOL:

9. Review the configuration summary and click Next to continue:

The same RODC can be installed from PowerShell instead of the wizard (this is the script the wizard shows under "View script"). Because no -SafeModeAdministratorPassword is given, Install-ADDSDomainController prompts for the DSRM password; the promotion runs under the current user's domain credentials:

# Script to install the azureyun.local read-only domain controller (RODC)
Import-Module ADDSDeployment
Install-ADDSDomainController `
-AllowPasswordReplicationAccountName @("azureyun\Allowed RODC Password Replication Group") `
-NoGlobalCatalog:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DenyPasswordReplicationAccountName @("BUILTIN\Administrators", "BUILTIN\Server Operators", "BUILTIN\Backup Operators", "BUILTIN\Account Operators", "azureyun\Denied RODC Password Replication Group") `
-DomainName "azureyun.local" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-ReadOnlyReplica:$true `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true


10. When the prerequisites check passes, click "Install" to continue:

11. The RODC has been configured successfully; click Close to finish the wizard:

12. Restart the server when prompted to complete the configuration:

Two: Verify the RODC:

1. In Active Directory Users and Computers, open the Domain Controllers container: BRODC is listed with a DC Type of "Read-only, GC":

2. Connect Active Directory Users and Computers to the RODC itself to see how it behaves:

2.1. Right-click the domain node in Active Directory Users and Computers and choose "Change Domain Controller":

2.2. Under "Change to", select "This Domain Controller or AD LDS instance" and pick the RODC:

2.3. A warning explains that you are about to connect to a read-only domain controller; click "OK" (the default) to continue:

3. The context menu entries New > User, New > Group, New > Organizational Unit and so on are now greyed out:

4. The toolbar likewise has no buttons for creating users, organizational units and so on:

5. Right-clicking an organizational unit and choosing "Delegate Control" fails: the wizard reports that you do not have permission to write the security information of this object:

6. Attempting to raise the domain functional level is refused with an insufficient-permissions error:

7. In the Operations Masters dialog, the "Change" button is disabled for the RID, PDC and Infrastructure roles: an RODC cannot hold any operations master role.

8. View the site and domain controller information with the dsquery server command:
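The same verification can be done from PowerShell, together with the one check that matters most for a branch server: which account secrets the RODC actually holds. The block below is an added example, not code from the original article; it assumes the article's names (RODC BRODC, writable domain controller major), and the group "Branch-Users", the user "branch.user1" and the account "branch-admin" are hypothetical objects created for the branch. It also shows the delegated-administrator setting behind advantage 4 above.

```powershell
# Added example (not from the original article): verify the RODC and audit
# its Password Replication Policy. Names below follow the article's lab;
# Branch-Users, branch.user1 and branch-admin are hypothetical.
Import-Module ActiveDirectory

$rodc = "BRODC"   # the article's read-only domain controller
$rwdc = "major"   # the article's writable domain controller

# Same facts as the GUI checks: IsReadOnly must be True and the RODC must hold
# no operations master role.
Get-ADDomainController -Identity $rodc |
    Select-Object Name, IsReadOnly, IsGlobalCatalog, Site, OperationMasterRoles, OperatingSystem

# Command-line equivalent: list every read-only DC in the forest.
dsquery server -forest -isreadonly

# The Password Replication Policy the wizard configured.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Allow the (hypothetical) branch group to be cached, then pre-populate one
# user's secret from the writable DC so the branch still logs on during a WAN
# outage (disadvantage 1 above). Only the password is pushed, from $rwdc to $rodc.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Branch-Users"
$user = Get-ADUser -Identity "branch.user1"
Sync-ADObject -Object $user.DistinguishedName -Source $rwdc -Destination $rodc -PasswordOnly

# Administrator role separation (advantage 4): the account in managedBy gets
# local administrator rights on the RODC without any domain-level privilege.
Set-ADComputer -Identity $rodc -ManagedBy "branch-admin"

# What an attacker obtains if this box is stolen: the accounts whose secrets are
# really stored on the RODC. If the RODC is lost, reset exactly these passwords.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# Accounts that authenticated through the RODC but are not cached: candidates
# for the allowed list, to be reviewed against the denied list above.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

The revealed-accounts list is the blast radius of the branch: anything in it is recoverable from the RODC's database, so it should contain only the branch's own users and computers and never a member of the denied groups.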

The RODC domain controller deployment is complete.

