Why we need to create Tree Root Domain and Read only Domain Controller

Answers

  • From an AD domain perspective I guess you need to understand the basics of domain structure.

    Have a look at: http://technet.microsoft.com/en-us/library/cc977994.aspx

    To understand the role of the RODC, have a look at:

    http://technet.microsoft.com/en-us/library/cc732801(v=ws.10).aspx

    and how to set it up at:

    http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx

    Hope that helps

    --Pranav

    Sunday, September 29, 2013 2:19 AM
  • If you are creating a new domain from scratch, the first time you are running the promotion process will create a brand new domain, which is the tree root domain, in a brand new forest. That is now the forest root domain.

    Good discussion on the basics when installing a new DC in a new domain in a new forest:
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/a6e4b44b-0d24-4825-860f-6193ed3ced41/

    -

    An RODC is a Read Only Domain Controller, and is not related to creating a tree root domain when creating a new domain from scratch. RODCs are good for remote locations with low security. With an RODC, we can specify which user accounts can log on, such as only the users at the remote location. More info on RODCs, read the RODC link Pranav posted.

    For a full lecture explanation, here are my notes that I use to teach my AD class what an RODC is:

    ==================================================================
    RODC notes

    Branch offices present a unique challenge to an enterprise’s information technology (IT) staff: If a branch office is separated from the hub site by a wide area network (WAN) link, should you place a domain controller in the branch office? In the previous versions of Windows, the answer to this question was not simple. Windows Server 2008, however, introduces a new type of domain controller—the RODC—that makes the question easier to answer.

    One concern with placing a read/write domain controller in a branch office: if a domain controller is placed in the branch office, authentication is much more efficient, but there are several potentially significant risks. A domain controller maintains a copy of all attributes of all objects in its domain, including secrets such as information related to user passwords. If a domain controller is accessed or stolen, it becomes possible for a determined expert to identify valid user names and passwords, at which point the entire domain is compromised. You must at least reset the passwords of every user account in the domain. Because the security of servers at branch offices is often less than ideal, a branch office domain controller poses a considerable security risk.

    A second concern is that changes to the Active Directory database on a branch office domain controller replicate to the hub site and to all other DCs in the environment. Therefore, corruption to the branch office domain controller poses a risk to the integrity of the enterprise directory service. For example, if a branch office administrator performs a restore of the domain controller from an outdated backup, there can be significant repercussions for the entire domain.

    The third concern relates to administration. A branch office domain controller may require maintenance such as a new device driver. To perform maintenance on a standard domain controller, you must log on as a member of the Administrators group on the domain controller, which means you are effectively an administrator of the domain. It may not be appropriate to grant that level of capability to a support team at a branch office.

    The RODC feature in Windows 2008 and newer was designed specifically for this reason, to address the branch office scenario. An RODC is a domain controller, typically placed in the branch office, which maintains a copy of all objects in the domain and all attributes except for secrets such as password-related properties. If you do not configure caching, when a user in the branch office logs on, the RODC receives the request and forwards it to a domain controller in the hub site for authentication.

    You can configure a password replication policy for the RODC that specifies user accounts the RODC is allowed to cache. If the user logging on is included in the password replication policy, the RODC caches that user’s credentials, so the next time authentication is requested, the RODC can perform the task locally. As users who are included in the password replication policy log on, the RODC builds its cache of credentials so that it can perform authentication locally for those users. Usually, you will add users located in the same physical site as an RODC to the password replication policy.

    Because the RODC maintains only a subset of user credentials, if the RODC is compromised or stolen, the effect of the security exposure is limited. Only the user accounts that had been cached on the RODC must have their passwords changed. The RODC replicates changes to Active Directory from domain controllers in the hub site. Replication is one way. No changes to the RODC are replicated to any other domain controller. This eliminates the exposure of the directory service to corruption due to changes made to a compromised branch office domain controller. Finally, RODCs have the equivalent of a local Administrators group. You can give one or more local support personnel the ability to fully maintain an RODC without granting them the equivalent rights of Domain Admins.
    =================================


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    Sunday, September 29, 2013 3:54 AM
  • Why we need to create Tree Root Domain and Read only Domain Controller

    electrifying

    The tree/root domain model is an earlier recommendation, not any more. The basis of the tree/root model is to segregate the departments, control the replication, have different password & account lockout policies (single password/account lockout policy in Windows 2003 DFL), have different resource and account forests, control the access by separating services such as Exchange/Lync with dedicated domains, etc. Even though the article's title and aim are Windows 2000, the mentioned points are also very much applicable to the later OSes.

    http://technet.microsoft.com/en-us/library/bb742583.aspx

    RODC is basically used for the site where security is not as tight as expected, along with denying changes from the not-so-expert admin sitting in the RODC site. RODC can also enhance local authentication & can authenticate users/computers during WAN failure, but the account/system has to be configured into the PRP.

    All About (RODC) Read Only Domain Controllers


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, September 30, 2013 1:04 AM
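The password replication policy (PRP) that Ace's lecture notes describe, and that Awinish says an account must be configured into before an RODC can authenticate it during a WAN failure, can be audited from the hub site with the ActiveDirectory PowerShell module. The following script is an added example and is not code from any of the posters or from Microsoft's documentation; it assumes RSAT's ActiveDirectory module is installed, that the account running it can read the PRP of each RODC, and that the names `RODC01` and `Branch-Users` are placeholders for your own RODC and branch group. It lists every RODC's Allowed and Denied lists, shows which accounts have actually been cached (the set whose passwords would need resetting if the box were stolen), and warns if any member of a privileged group has been cached, which defeats the purpose of placing an RODC in a low-security site.

```powershell
# Added example, not from the original thread: audit the Password Replication Policy
# of every RODC in the domain and report cached ("revealed") accounts.
# Assumes the RSAT ActiveDirectory module and read rights on the RODC computer objects.
Import-Module ActiveDirectory

# Highly privileged groups whose members should never be cacheable on a branch RODC.
# Microsoft's default "Denied RODC Password Replication Group" covers these, but a
# careless Allowed-list change can still override an inherited denial for nested members.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$privilegedDNs = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
}

# IsReadOnly is set on RODC computer objects, so this enumerates only RODCs.
foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    Write-Host "=== $($rodc.HostName) (site: $($rodc.Site)) ==="

    # The Allowed and Denied lists as configured on this RODC. A principal that matches
    # both lists is denied: the Denied list always wins.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Host "Allowed to cache : $($allowed.Name -join ', ')"
    Write-Host "Denied caching   : $($denied.Name -join ', ')"

    # Accounts whose secrets are actually stored on this RODC right now. This is the
    # exact list whose passwords must be reset if the RODC is compromised or stolen.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
    Write-Host "Cached (revealed): $($revealed.Count) account(s)"
    $revealed | ForEach-Object { Write-Host "    $($_.SamAccountName)" }

    # Flag any privileged account that has been cached on a branch RODC.
    $bad = $revealed | Where-Object { $privilegedDNs -contains $_.DistinguishedName }
    if ($bad) {
        Write-Warning "Privileged accounts cached on $($rodc.HostName): $($bad.SamAccountName -join ', ')"
    }
}

# Typical PRP change: allow only the branch group (placeholder names) so that users at
# that site authenticate locally and survive a WAN outage. Leave the default Denied
# group in place; it is what keeps Domain Admins and similar accounts off the RODC.
# Add-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -AllowedList 'Branch-Users'

# If an RODC is lost, the response is scoped to the revealed list above: reset those
# accounts' passwords (Set-ADAccountPassword -Reset) and delete the RODC's computer
# object, whose removal wizard in Active Directory Users and Computers offers to reset
# all cached account passwords for you.
```

Run it from a writable DC or an admin workstation in the hub site; because replication to an RODC is one-way, the PRP lists and the revealed-accounts list live on the RODC's computer object in the hub and are readable even when the branch is offline.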
