RODC

  • Question

  • I have 120-150 users at my branch office.

    Is it wise to deploy two RODCs on the site for high availability?

    Is RODC recommended for this number of users?

    What is the drawback of RODC on this site?

     

    Regards,

    Maqsood

     


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Monday, December 26, 2011 8:42 AM

Answers

  • I concur with everyone's assessment. To add, DNS on an RODC actually acts like a Secondary zone when it comes to DNS registration updates. Here's more:

    DNS on a Read Only Domain Controller (RODC)
    http://msmvps.com/blogs/acefekay/archive/2011/12/07/dns-on-a-read-only-domain-controller-rodc.aspx 

     

     

    With a site of 120-150 users, considering the administrative overhead Marcin indicated (you'll have to create a PRP for all the users), and, as Awinish said, if you have Exchange, and the additional DNS traffic, it may be better to simply put one RWDC at that location.

    Ace

     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, December 26, 2011 4:40 PM
  • Hi,

     

    Is there any update? If you need further assistance, please let us know.

     

    Have a nice day!

    Wednesday, December 28, 2011 9:50 AM
  • That's one way to do it, but are you sure you want to allow all users? Do all of your users actually visit the branch site? Why not just create a group of the users that do, and use that group?

     

    Late edit: See this forum topic, too:

    PRP in Server 2008 R2 RODC:
    http://social.technet.microsoft.com/Forums/ar/winserverDS/thread/3802900f-da3d-4813-a746-18a093908f41


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, January 2, 2012 4:52 PM
  • > Basically I just want to make sure that whenever any user visits the branch office where there is an RODC installed, this user should be able to log in without any hurdles.

    > In this case, can a laptop user who visits this branch log in to the domain?

    I don't see a problem as long as you've added the Domain Users group.

     

    > What happens if I just leave the default settings during RODC installation?

    If I remember the initial setup, you still have to add a group or account.

     

    > I am a bit confused over RODC vs. writable DC.

    > All of our branch offices are located within the city and there is enough physical security available; do I still need to consider RODC for these sites?

    RODCs are designed for less-than-secure remote locations and/or locations that do not have an admin to administer a DC. You can't add, modify or delete anything on an RODC, since it's a Read Only DC. That can only be done on a RWDC, since it's a Read/Write DC. Also, you must specify what accounts can log on using that DC at that location. That's the security in it.

    Here are more specifics:

     

    RODC notes

    Branch offices present a unique challenge to an enterprise's information technology (IT) staff: if a branch office is separated from the hub site by a wide area network (WAN) link, should you place a domain controller in the branch office? In previous versions of Windows, the answer to this question was not simple. Windows Server 2008, however, introduces a new type of domain controller, the RODC, that makes the question easier to answer.

    One concern with placing a read/write domain controller in a branch office is that, if a domain controller is placed in the branch office, authentication is much more efficient but there are several potentially significant risks. A domain controller maintains a copy of all attributes of all objects in its domain, including secrets such as information related to user passwords. If a domain controller is accessed or stolen, it becomes possible for a determined expert to identify valid user names and passwords, at which point the entire domain is compromised. You must at least reset the passwords of every user account in the domain. Because the security of servers at branch offices is often less than ideal, a branch office domain controller poses a considerable security risk.

    A second concern is that changes to the Active Directory database on a branch office domain controller replicate to the hub site and to all other DCs in the environment. Therefore, corruption to the branch office domain controller poses a risk to the integrity of the enterprise directory service. For example, if a branch office administrator performs a restore of the domain controller from an outdated backup, there can be significant repercussions for the entire domain.

    The third concern relates to administration. A branch office domain controller may require maintenance such as a new device driver. To perform maintenance on a standard domain controller, you must log on as a member of the Administrators group on the domain controller, which means you are effectively an administrator of the domain. It may not be appropriate to grant that level of capability to a support team at a branch office.

    The RODC feature in Windows 2008 and newer was designed specifically to address the branch office scenario. An RODC is a domain controller, typically placed in the branch office, which maintains a copy of all objects in the domain and all attributes except for secrets such as password-related properties. If you do not configure caching, when a user in the branch office logs on, the RODC receives the request and forwards it to a domain controller in the hub site for authentication.

    You can configure a password replication policy for the RODC that specifies user accounts the RODC is allowed to cache. If the user logging on is included in the password replication policy, the RODC caches that user's credentials, so the next time authentication is requested, the RODC can perform the task locally. As users who are included in the password replication policy log on, the RODC builds its cache of credentials so that it can perform authentication locally for those users. Usually, you will add users located in the same physical site as an RODC to the password replication policy.

    Because the RODC maintains only a subset of user credentials, if the RODC is compromised or stolen, the effect of the security exposure is limited. Only the user accounts that had been cached on the RODC must have their passwords changed. The RODC replicates changes to Active Directory from domain controllers in the hub site. Replication is one way. No changes to the RODC are replicated to any other domain controller. This eliminates the exposure of the directory service to corruption due to changes made to a compromised branch office domain controller. Finally, RODCs have the equivalent of a local Administrators group. You can give one or more local support personnel the ability to fully maintain an RODC without granting them the equivalent rights of Domain Admins.

     

    I hope that helps to better understand what RODCs are.

    Cheers!

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, January 3, 2012 4:36 PM
  • Alright. I got the point.

    If I want to have two DCs for fault tolerance and load balancing, then I should go for two writable DCs on the sites where we have some kind of physical security.

    Regards,

    Maqsood

     


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Wednesday, January 4, 2012 1:04 PM
  • Alright. I got the point.

    If I want to have two DCs for fault tolerance and load balancing, then I should go for two writable DCs on the sites where we have some kind of physical security.

    Regards,

    Maqsood

     


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

     

    Yes, you are correct here.

    May I know the reason for marking your own comment as an answer instead of selecting the post which helped or answered your query?

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com 


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Wednesday, January 4, 2012 1:09 PM

All replies

  • Maqsood,

    Does the office have a properly secured data center and local IT staff? If so, you might consider deploying a RWDC. Otherwise, having an RODC sounds like a good idea, since it will facilitate local authentication and name resolution (assuming you will also deploy DNS).

    The primary drawback of an RODC (vs. not having a DC at all) is additional maintenance overhead (e.g. an extra infrastructure server and management of replication policies). To minimize the former (primarily the need for patching), you might want to consider installing the RODC on Server Core. Regarding the latter, refer to http://technet.microsoft.com/en-us/library/cc730883(WS.10).aspx

    Obviously you will have extra replication traffic, but this will likely minimize the authentication/DNS/other traffic that would be generated in the absence of a local DC.

    hth
    Marcin

    Monday, December 26, 2011 8:56 AM
  • An RODC can be used for any number of users, like a normal DC, but it has certain limitations with a few applications; for example, an RODC doesn't support Exchange. Apart from what Marcin stated, you need to evaluate your requirements. An RODC needs to contact a RWDC for any changes being made, and even though 120-150 users is not a large count, if you have an Exchange server in that site then keeping an RODC will not work. An RODC can provide a safety mechanism where you don't have an admin, but in order to benefit from users authenticating when the WAN is down, you need to cache the machine accounts too so they can authenticate with the RODC.

    All About (RODC) Read Only Domain Controllers

    http://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/ 

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Monday, December 26, 2011 10:01 AM
  • Hello,

    I agree with others.

    I would start by recommending to have at least two RWDC / DNS / GC servers for your domain so that you minimize the risk of losing your AD domain.

    For the RODCs, you can use them and benefit from:

    • One way replication which reduces consumption of network bandwidth for AD replication
    • Enhanced security
    • ...

    As you are planning to add two RODCs for the branch office, I would recommend reading this Microsoft article: http://technet.microsoft.com/en-us/library/ee522995(WS.10).aspx

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

     

    Monday, December 26, 2011 12:40 PM
  • Thanks for your response.
    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Thursday, December 29, 2011 11:20 AM
  • Thanks for your response.

    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Thursday, December 29, 2011 11:21 AM
  • Thanks for your response.

    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Thursday, December 29, 2011 11:21 AM
  • Thanks for your response, i will ping you if there is any update.

    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Thursday, December 29, 2011 11:22 AM
  • Hi,

    While installing the RODC it gives an option to specify the "Password Replication Policy". If I want to enable all the Domain Users to be able to log in at this branch office where this RODC is installed, do I need to add the Domain Users group and allow replication?


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Monday, January 2, 2012 11:23 AM
  • Basically I just want to make sure that whenever any user visits the branch office where there is an RODC installed, this user should be able to log in without any hurdles.

    What happens if I just leave the default settings during RODC installation?

    In this case, can a laptop user who visits this branch log in to the domain?

    I am a bit confused over RODC vs. writable DC.

    All of our branch offices are located within the city and there is enough physical security available; do I still need to consider RODC for these sites?

    Awaiting your valuable response.

    Thanks,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Tuesday, January 3, 2012 6:48 AM
  • Thanks a lot Ace,

     

    I really appreciate the details you have mentioned in the email.

     

    Just want to understand another point: I am planning to have two RODCs for each site, which will have around 150 users each.

    Does this make any sense?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Wednesday, January 4, 2012 11:25 AM
  • RODCs don't replicate with each other, so there is additional traffic, and you might face the issue below too.

    Can an RODC replicate to other RODCs?

    No, an RODC can only replicate from a writable Windows Server 2008 domain controller. In addition, two RODCs for the same domain in the same site do not share cached credentials. You can deploy multiple RODCs for the same domain in the same site, but it can lead to inconsistent logon experiences for users if the WAN to the writeable domain controller in a hub site is offline. This is because the credentials for a user might be cached on one RODC but not the other. If the WAN to a writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user’s credentials cached, then the logon attempt will fail.

    http://technet.microsoft.com/en-us/library/cc754956%28WS.10%29.aspx

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Wednesday, January 4, 2012 11:30 AM
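    To make the two points above concrete, here is an added PowerShell audit (example code written for this edit, not from any poster and not Microsoft's): it lists what each RODC in a branch site has actually cached, which is exactly the password-reset list Ace's RODC notes describe if an RODC is stolen, and it flags accounts cached on one RODC but not another, which is the inconsistent-logon case in the TechNet FAQ quoted above. It assumes the RSAT ActiveDirectory module and read access to the domain; the site name is a placeholder.

```powershell
# Added example, not from the thread: audit what each RODC in a site has cached.
# Assumes the RSAT ActiveDirectory module; $SiteName is a placeholder.
Import-Module ActiveDirectory

$SiteName = 'BranchOffice'   # placeholder: the AD site that hosts the RODCs

# Every read-only DC in that site (filtered client-side to keep the query simple).
$rodcs = @(Get-ADDomainController -Filter * |
           Where-Object { $_.IsReadOnly -and $_.Site -eq $SiteName })
if ($rodcs.Count -eq 0) { throw "No RODC found in site '$SiteName'" }

# Host name -> SamAccountNames whose secrets are physically stored on that RODC.
$cached = @{}
foreach ($rodc in $rodcs) {
    # -RevealedAccounts lists accounts whose password has been replicated to this
    # RODC; this is the reset list if the box is lost. (-AuthenticatedAccounts
    # would instead show who has merely logged on through it.)
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage `
                    -Identity $rodc.HostName -RevealedAccounts)
    $cached[$rodc.HostName] = @($revealed | ForEach-Object { $_.SamAccountName })

    # Computers matter too: a workstation whose account is not cached cannot
    # complete a domain logon while the hub is unreachable.
    $users     = @($revealed | Where-Object { $_.ObjectClass -eq 'user' }).Count
    $computers = @($revealed | Where-Object { $_.ObjectClass -eq 'computer' }).Count
    '{0}: {1} user and {2} computer secrets cached' -f $rodc.HostName, $users, $computers
}

# With two or more RODCs in one site, flag accounts cached on some but not all.
# Those users authenticate locally against one RODC and fail against the other
# while the WAN link to the writable hub DC is down.
$hosts = @($cached.Keys)
for ($i = 0; $i -lt $hosts.Count; $i++) {
    for ($j = $i + 1; $j -lt $hosts.Count; $j++) {
        $diff = Compare-Object -ReferenceObject $cached[$hosts[$i]] `
                               -DifferenceObject $cached[$hosts[$j]]
        foreach ($d in $diff) {
            $only = if ($d.SideIndicator -eq '<=') { $hosts[$i] } else { $hosts[$j] }
            '{0} is cached only on {1}' -f $d.InputObject, $only
        }
    }
}
```

    Running this from a management workstation before and after a WAN outage drill shows whether the second RODC in a site actually adds availability or only adds a second, different credential cache to protect.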
  • Alright. I got the point.

    If I want to have two DCs for fault tolerance and load balancing, then I should go for two writable DCs on the sites where we have some kind of physical security.

    Regards,

    Maqsood

     


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified


    I'm glad we were able to help. I believe we should give Awinish credit for his answer. :-)

    Ace

     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, January 4, 2012 3:13 PM
  • Sorry Awinish, I didn't realize that I was marking my comments as answers; that is my mistake.

    Thanks,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
    Thursday, January 5, 2012 7:55 AM
  • NP.

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Thursday, January 5, 2012 8:36 AM
  • Yes, you can do it either when you're installing the RODC or in either of the two ways below; I suggest the first option.

    1. Right-click the RODC account in the Domain Controllers OU (make sure you are connected to a writable Windows Server 2008/2008 R2 DC when you are performing this step), click the Password Replication Policy tab, and you can now add the Domain Users group to the Allow list.

    2. Add the Domain Users group to the Allowed Password Policy Replication Group; however, this will allow all users in the domain to have their credentials/secrets cached on any RODC in the domain.
     
    ----------------------------------------------------------
    Regards
    Christoffer Andersson – Principal Advisor
    Enfo Zipper

    "Maqsood Mohammed" wrote in message news:597ca175-a0ba-4b60-9d3a-d5cf96d566c6...

    Hi,

    While installing the RODC it gives an option to specify the "Password Replication Policy". If I want to enable all the Domain Users to be able to log in at this branch office where this RODC is installed, do I need to add the Domain Users group and allow replication?


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Enfo Zipper Christoffer Andersson – Principal Advisor
    Thursday, January 19, 2012 12:19 AM
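    Here is an added PowerShell equivalent of option 1 above (example code written for this edit, not Christoffer's or Microsoft's), narrowed the way Ace suggested earlier in the thread: it allows a site-specific user group and the matching computer group (Awinish's point that machine accounts must be cached for logon to work during a WAN outage) on one RODC's PRP instead of Domain Users, denies a privileged group, and then answers for one user whether that RODC may cache their secret, following the rule that a Denied entry wins over an Allowed one and that nested group membership counts. The RODC name, the group names and the user name are placeholders; the built-in Denied RODC Password Replication Group is a real group, and the Get-NestedGroupDns and Test-RodcCacheAllowed functions are written for this example.

```powershell
# Added example, not from the thread: per-RODC PRP scoped to a branch group,
# plus a resultant-policy check for one user. Names below are placeholders.
Import-Module ActiveDirectory

$Rodc            = 'BRANCH-RODC01'             # placeholder: the branch RODC
$BranchUsers     = 'Branch-Office-Users'       # placeholder: users who work at that site
$BranchComputers = 'Branch-Office-Computers'   # placeholder: that site's workstations
$AdminGroup      = 'Tier0-Admins'              # placeholder: must never be cached there

# The Allowed list is per-RODC, so these entries affect only this site's RODC.
# Computers are included because machine accounts must be cacheable for a
# domain logon to succeed while the WAN link to the writable hub DC is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList $BranchUsers, $BranchComputers

# The built-in "Denied RODC Password Replication Group" already covers Domain
# Admins and similar; add your own privileged groups as well.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $AdminGroup

function Get-NestedGroupDns {
    # All groups containing $Dn directly or through nesting, using the
    # LDAP_MATCHING_RULE_IN_CHAIN rule. The DN is escaped for the LDAP filter.
    param([string]$Dn)
    $esc = $Dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$esc)" |
        Select-Object -ExpandProperty DistinguishedName)
}

function Test-RodcCacheAllowed {
    # $true when this RODC's PRP permits caching the user's secret, mirroring the
    # GUI's Resultant Policy tab: any Denied match wins over any Allowed match.
    param([string]$Rodc, [string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    # The primary group (normally Domain Users) is not listed in any group's
    # "member" attribute, so it and its parents must be added explicitly.
    $principals = @($user.DistinguishedName, $user.PrimaryGroup) +
                  @(Get-NestedGroupDns $user.DistinguishedName) +
                  @(Get-NestedGroupDns $user.PrimaryGroup)

    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
                 Select-Object -ExpandProperty DistinguishedName)
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
                 Select-Object -ExpandProperty DistinguishedName)

    if (@($principals | Where-Object { $denied -contains $_ }).Count -gt 0) { return $false }
    return (@($principals | Where-Object { $allowed -contains $_ }).Count -gt 0)
}

# Review both lists, then check one account (placeholder user name).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, ObjectClass
Test-RodcCacheAllowed -Rodc $Rodc -SamAccountName 'jdoe'
```

    Option 2 from the post (adding Domain Users to the domain-wide allowed group) would make Test-RodcCacheAllowed return true for every ordinary user on every RODC in the domain, which is the exposure Ace's "why not just a group of the users that do visit" question is about; the per-RODC allow list keeps the reset blast radius to one site's accounts.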