RODC (Read Only Domain Controller)
An RODC is a domain controller (DC) mode introduced in Windows Server 2008.
It holds a read-only copy of the Active Directory (AD) domain database on the
DC, but it offers considerably more than a read-only database. It is intended
for locations such as branch offices where a DC is needed locally but physical
security can't be guaranteed. The main features of an RODC are as follows:
·
A read-only AD Domain
Services (AD DS) database--Applications that need only read access to the
directory can use the RODC; any change must be made on a read-writable DC
(RWDC) and is then replicated to the RODC.
·
Unidirectional
replication--Changes never replicate out of an RODC, so even if an attacker
modifies the RODC's local copy of the database, the misinformation can't spread
to the rest of the domain. This reduces the risk of a domain-wide compromise
originating at a branch and simplifies the replication topology, because no
bridgehead servers ever need to pull from the RODC.
·
Filtered attribute set
configuration--Attributes placed in the RODC filtered attribute set (FAS) are
never replicated to any RODC in the forest. If an RODC is compromised and
reconfigured to request those attributes, a Windows Server 2008 RWDC refuses
to replicate them, whereas a Windows Server 2003 DC would send them. If
possible, raise the forest functional level to Windows Server 2008 so that
Windows Server 2003 DCs can't be added to the forest and leak the data.
Attributes in the FAS should also be marked confidential, otherwise any
authenticated user can still read them from an RWDC. Note also that
system-critical attributes can't be added to the RODC filtered attribute set.
·
Limited credential
caching--By default an RODC stores no user or computer credentials, apart from
its own computer account and its RODC-specific krbtgt account. When the RODC
receives an authentication request, it forwards the request to an RWDC. It
then asks the RWDC for a copy of the account's credential so that it can
service future requests itself. Whether the RWDC hands over the credential is
governed by the RODC's password replication policy (PRP): if the PRP allows
caching for that account, the credential is cached and the RODC can service
that account's logons locally (until the password changes); if the PRP denies
it, every authentication for that account keeps going to an RWDC. The RWDC
records which credentials it has revealed to each RODC (the msDS-RevealedUsers
attribute of the RODC's computer object), so if an RODC is lost or stolen you
can reset exactly the passwords that were cached on it.
·
Separation of
administrator capabilities--A user or group can be delegated local
administration of the RODC (administrator role separation) without being
granted any domain or other-DC permissions. The delegated admin can patch,
reboot and manage the server, but can't change the directory.
·
Read-only DNS--The DNS
server on an RODC hosts read-only copies of AD-integrated zones. It doesn't
accept client dynamic updates (it refers the client to a DNS server that holds
a writable copy of the zone), nor does it register name server (NS) resource
records for the zones it hosts.
·
Two-stage RODC
installation--The first stage is completed by a domain administrator, who
pre-creates the RODC's AD DS computer account, specifying its DC account name,
its site, and settings such as the password replication policy. The admin can
then delegate to a user or group the right to complete the second stage, which
is usually carried out at the remote location and needs no domain-level
privilege. Stage two installs AD DS on the server and attaches it to the
pre-created account.
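The staged deployment described above, carried through in PowerShell as an added example (this script is not part of the original article). Stage 1 runs on an RWDC, or on a workstation with RSAT, as a domain administrator; stage 2 runs on the branch server as the delegated administrator. The ADDSDeployment cmdlets ship with Windows Server 2012 and later; on Windows Server 2008 itself the same two stages are done with the "Pre-create Read-only Domain Controller account" wizard in Active Directory Users and Computers and with dcpromo using /UseExistingAccount:Attach on the branch server. The domain, server, site and group names (corp.example.com, RODC01, DC01, BranchSite, BranchAdmins, BranchUsers, Tier0-ServiceAccounts) are assumptions, not values from the page:

```powershell
# Added example, not from the original article. All names below are assumed.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domain       = 'corp.example.com'
$rodcName     = 'RODC01'
$site         = 'BranchSite'
$sourceDc     = 'DC01.corp.example.com'     # must be a Windows Server 2008+ RWDC
$branchAdmins = 'CORP\BranchAdmins'         # delegated local admins of the RODC
$branchUsers  = 'CORP\BranchUsers'          # the only accounts allowed to cache
$noCacheSvc   = 'CORP\Tier0-ServiceAccounts' # extra deny entry (assumed group)

# --- Stage 1 (on an RWDC, as a domain admin): pre-create the RODC account ---
# The computer object is created with the RODC flag, the site, the delegated
# administrator and the password replication policy (PRP). Nothing is
# installed on the branch server yet. Domain Admins, Enterprise Admins and the
# other built-in privileged groups are already in the Denied RODC Password
# Replication Group, so they don't need to be listed here.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domain `
    -SiteName $site `
    -DelegatedAdministratorAccountName $branchAdmins `
    -AllowPasswordReplicationAccountName @($branchUsers) `
    -DenyPasswordReplicationAccountName @($noCacheSvc) `
    -ReplicationSourceDC $sourceDc `
    -InstallDns `
    -Force

# Review the resulting PRP before handing the second stage to the branch.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed |
    Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Denied |
    Select-Object Name, DistinguishedName

# --- Stage 2 (on the branch server, as a member of CORP\BranchAdmins) -------
# -UseExistingAccount attaches this server to the pre-created account; the
# delegated admin supplies only their own credentials and needs no membership
# in Domain Admins.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName $domain `
    -UseExistingAccount `
    -Credential (Get-Credential 'CORP\branchadmin') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -ReplicationSourceDC $sourceDc `
    -Force
```

The two stages are shown in one file for readability, but they are run on different machines by different people; that split is the point of the procedure, since the credentials used at the branch never need domain-wide rights.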
An RODC can replicate only from a Windows Server 2008 (or later) RWDC, so it
can't use a Windows Server 2003 DC or another RODC as a replication source. At
least one Windows Server 2008 RWDC must therefore be available in the domain,
the domain functional level must be at least Windows Server 2003, and
adprep /rodcprep must have been run in the forest before the first RODC is
deployed.
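The checks a practitioner would run from an RWDC after deployment, tying together the credential-caching, filtered-attribute-set and replication-source points above. This is an added example and not code from the original article; RODC01 and the employeeID attribute are assumed names, the script needs the ActiveDirectory module (Get-ADReplicationPartnerMetadata is Windows Server 2012 or later), and the schema change at the end requires Schema Admins membership:

```powershell
# Added example, not from the original article. RODC01 and employeeID are
# assumed names.
Import-Module ActiveDirectory
$rodcName = 'RODC01'

# 1. Which secrets does the RODC actually hold? -RevealedAccounts lists the
#    accounts whose password an RWDC has handed to this RODC (tracked in
#    msDS-RevealedUsers on the RODC computer object). If the RODC is lost or
#    stolen, these are the passwords to reset.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts
$cached | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 2. Which accounts have authenticated through the RODC but are NOT cached?
#    Every logon for these still goes to an RWDC over the WAN. Branch users
#    here are candidates for the Allowed list; admins here are expected.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -AuthenticatedAccounts |
    Where-Object { $cached.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object Name, DistinguishedName

# 3. No member of a privileged group should ever be cached on an RODC. The
#    built-in Denied RODC Password Replication Group normally prevents this,
#    but an over-broad Allowed entry combined with a removed deny entry can
#    undo it, so check the revealed list against the groups directly.
$privileged = foreach ($grp in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $grp -Recursive | Select-Object -ExpandProperty DistinguishedName
}
foreach ($acct in $cached) {
    if ($privileged -contains $acct.DistinguishedName) {
        Write-Warning "Privileged account $($acct.Name) has its credential cached on $rodcName"
    }
}

# 4. Put a sensitive attribute into the RODC filtered attribute set (FAS).
#    searchFlags bit 0x200 adds the attribute to the FAS; bit 0x80 marks it
#    confidential so ordinary users can't read it from an RWDC either.
#    schemaFlagsEx bit 0x1 marks system-critical attributes, which the FAS
#    can't contain, so refuse those up front. Schema changes must be made on
#    the schema master.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=employeeID)' `
                     -Properties searchFlags, schemaFlagsEx
if ($null -eq $attr) { throw 'employeeID not found in the schema' }
if (($attr.schemaFlagsEx -band 0x1) -ne 0) {
    throw 'employeeID is system-critical and cannot be added to the RODC FAS'
}
$newFlags = $attr.searchFlags -bor 0x200 -bor 0x80
Set-ADObject -Identity $attr -Replace @{ searchFlags = $newFlags } `
             -Server (Get-ADForest).SchemaMaster

# 5. Confirm the RODC's inbound replication partner is a writable DC running
#    Windows Server 2008 or later (an RODC never pulls from another RODC).
Get-ADReplicationPartnerMetadata -Target $rodcName |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

Step 4 changes the forest schema, which is irreversible in the sense that an attribute can be taken out of the FAS later but the secrets an RODC already replicated before the change are not recalled; put attributes into the FAS before deploying the first RODC where you can.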