Can anyone confirm?

  • Question

  • Windows Server 2008 R2 forest functional level

    We have several Windows 2008 R2 writable domain controllers and one Windows 2008 R2 RODC located in the DMZ.
    We set up two-way forest trusts with other forests. The trusts can be validated on the Windows
    2008 R2 writable domain controllers. But if I try to validate the forest trusts on this one Windows 2008 R2 RODC,
    the trust cannot be verified. Is it by design that forest trusts cannot be validated on a Windows 2008 R2 RODC? Since the RODCs are located in the DMZ, it could also be that the required ports are not open.

    I am not talking about creating trusts, only validating trusts on RODCs, such as nltest /sc_query:xyz.local

    Can anyone confirm?

    Thank you!

    Thursday, October 29, 2015 2:09 PM

All replies

  • Hello,

    You cannot set up a trust using an RODC, even if it has access to a writable domain controller. You should use a writable DC to create and maintain trust relationships.


    Thursday, October 29, 2015 2:27 PM
  • I believe the answer is no, RODCs cannot validate a forest trust. The reason is that there is no trust password stored on the RODC. RODCs don't have access to the trust secrets by themselves. RODCs need access to a full DC (RWDC) even after the trust has been established. RODCs can't perform cross-domain authentication without issuing a referral to an RWDC at both ends (RODCs don't have knowledge of the trust password). Please see:

    How the cross-domain authentication process works with RODCs:

    • Proposed as answer by Florent Duret Thursday, October 29, 2015 4:00 PM
    • Marked as answer by John JY Thursday, October 29, 2015 8:36 PM
    Thursday, October 29, 2015 2:28 PM
  • Hi Rob,

    I am not talking about creating a trust.  The trust has been created already.  I am talking about validating a trust on a RODC.

    Thursday, October 29, 2015 3:13 PM
  • Hello John

    Sorry but as Jedi stated the RODC just cannot do that.
    To validate the trust some properties and some credentials must be used that the RODC simply cannot access.

    Florent

    • Marked as answer by John JY Thursday, October 29, 2015 8:36 PM
    Thursday, October 29, 2015 4:00 PM
  • Hi Rob,

    I am not talking about creating a trust.  The trust has been created already.  I am talking about validating a trust on a RODC.


    As Jedi, Florent and I mentioned, it is not possible to create and maintain trusts (and that includes trust validation) due to the nature of a read-only DC. These operations should be performed on writable DCs. Jedi has explained it well.

    • Marked as answer by John JY Thursday, October 29, 2015 8:36 PM
    Thursday, October 29, 2015 4:24 PM
  • Did anyone test it in your environment? We cannot test it ourselves, because we would need to involve the firewall team, as these RODCs are in the DMZ. Thanks!
    Friday, November 6, 2015 2:50 PM
  • If you need to set up a two-way trust with another forest, you would need to use a writable DC. As long as your firewall team has the required AD ports open, setting up the trust should not be a problem. There are also other security settings you can implement in AD to reduce the attack surface, such as restricting anonymous access.
    Friday, November 6, 2015 3:16 PM
  • Thanks Jedi. Sorry for the confusion. I meant testing the validation of a trust on an RODC. I was told by a top engineer at my company that it should be OK to validate a trust on an RODC.
    Friday, November 6, 2015 6:54 PM
  • The following statement still applies. The RODC stores neither the trust password nor access to the secrets themselves. Setting up a trust is one thing (it requires a writable DC), but authentication, queries, etc. the RODC can still do, and that is a network design aspect.

    I believe the answer is no, RODCs cannot validate a forest trust. The reason is that there is no trust password stored on the RODC. RODCs don't have access to the trust secrets by themselves. RODCs need access to a full DC (RWDC) even after the trust has been established. RODCs can't perform cross-domain authentication without issuing a referral to an RWDC at both ends (RODCs don't have knowledge of the trust password).

    • Marked as answer by John JY Monday, November 9, 2015 2:54 PM
    Friday, November 6, 2015 7:54 PM
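As an added example (this is not code from the thread or from any of the posters), the following PowerShell script does what the answers above recommend: it refuses to treat an RODC as the place to validate a trust, locates a writable DC for the local domain the same way an RODC referral would (nltest /dsgetdc with /writable), and then runs the nltest /sc_query check the question mentions against that writable DC instead. The domain names xyz.local and the local domain are placeholders taken from the question; the parsing of nltest's text output is an assumption about its current format and should be checked against your own build. It assumes the ActiveDirectory module is installed and that the writable DC is reachable over the RPC ports AD needs, which in a DMZ is exactly the firewall question raised in the thread.

```powershell
# Added example, not from the thread. Validate a forest trust from a writable DC
# rather than from an RODC (RODCs hold no trust secret, so nltest /sc_query fails there).
param(
    [string]$TrustedDomain = 'xyz.local',         # placeholder: trusted forest root from the question
    [string]$LocalDomain   = $env:USERDNSDOMAIN   # domain of the machine running this script
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Is this host an RODC? If so, the trust object is replicated here, but the
#    interdomain trust password is not, so validation must be referred elsewhere.
$me = Get-ADDomainController -Identity $env:COMPUTERNAME
if ($me.IsReadOnly) {
    Write-Warning "$($me.HostName) is an RODC; trust validation will be redirected to a writable DC."
}

# The trustedDomain object itself is still readable on the RODC; only the secret is missing.
$trust = Get-ADTrust -Filter "Target -eq '$TrustedDomain'" -Server $me.HostName
if (-not $trust) { throw "No trust object for $($TrustedDomain) found on $($me.HostName)" }
Write-Host "Trust object found: $($trust.Name) direction=$($trust.Direction) forest=$($trust.ForestTransitive)"

# 2. Locate a writable DC for the local domain (the same lookup an RODC referral performs).
$locator = nltest /dsgetdc:$LocalDomain /writable 2>&1
$dcLine  = $locator | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)' | Select-Object -First 1
if (-not $dcLine) { throw "No writable DC located for $($LocalDomain): $($locator -join ' ')" }
$rwdc = $dcLine.Matches[0].Groups[1].Value
Write-Host "Writable DC selected: $rwdc"

# 3. Query the secure channel to the trusted domain on the writable DC, not on the RODC.
#    (Use /sc_verify instead of /sc_query if you also want nltest to reset a broken channel.)
$result = nltest /server:$rwdc /sc_query:$TrustedDomain 2>&1
$status = $result | Select-String -Pattern 'Trusted DC Connection Status Status = (\d+) (\S+) (\S+)' |
          Select-Object -First 1

if ($LASTEXITCODE -eq 0 -and $status -and $status.Matches[0].Groups[1].Value -eq '0') {
    Write-Host "Trust to $TrustedDomain validated via $rwdc ($($status.Matches[0].Groups[3].Value))"
} else {
    # Typical causes in a DMZ: RPC ports blocked between the writable DC and the trusted domain,
    # or the trust password is out of sync; neither can be fixed from the RODC.
    Write-Error ("Trust validation to {0} failed via {1} (exit {2}):`n{3}" -f `
        $TrustedDomain, $rwdc, $LASTEXITCODE, ($result -join "`n"))
}
```

Run it from the RODC (or any domain member) with the trusted forest root as -TrustedDomain; the check that actually validates the trust is executed on the writable DC nltest selects, so the outcome tells you about the trust itself, not about the RODC's missing secret.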