The Read-Only Domain Controller (RODC) is a new type of domain controller introduced with Windows Server 2008. Its main purpose is to improve security in branch offices. In this post, I summarize the functionality of an RODC.
In branch offices it is often hard to provide adequate physical security for servers, and a Windows system is easy to manipulate once you have physical access to it. Because domain controllers store security-sensitive data, they are particularly at risk. RODCs address this problem in four ways:
RODC essentials
· Read-only feature: The RODC refuses LDAP writes, and anything an intruder changes in the RODC's local copy of the Active Directory database never replicates to the rest of the domain.
· DNS protection: If the RODC also hosts a DNS server, the intruder can't tamper with the DNS data either, because the RODC's DNS zones are read-only as well.
· Password protection: By default the RODC stores no password hashes of domain users, so an intruder who steals the RODC's database can't recover them with an offline brute-force attack. This holds only for accounts whose passwords are not cached on the RODC; which accounts may be cached is controlled by the Password Replication Policy.
· Administrator Role Separation: You can delegate the local Administrator role on the RODC to a domain user without making that user a domain admin.
Read-only Domain Controller
· An RODC holds a copy of all Active Directory objects and attributes, with two exceptions: account secrets (password hashes, covered under Password Protection below) and any attributes that have been added to the RODC filtered attribute set.
· An RODC only supports unidirectional replication: changes flow from writable domain controllers to the RODC, never back.
· An RODC doesn't accept LDAP write operations. If an application needs to write to Active Directory, the RODC returns an LDAP referral that redirects the application to a writable domain controller (an application that doesn't chase referrals will simply see the write fail).
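The two behaviours above are easy to see from a domain member. The following PowerShell is an added example, not code from the original post: it lists the RODCs in the domain and then issues one LDAP modify against an RODC with referral chasing turned off, so the referral is visible instead of being followed silently. The host name rodc01.contoso.com and the target DN are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original post).
# Assumptions (placeholders): the RODC is rodc01.contoso.com, the object below
# exists in the domain, and the ActiveDirectory PowerShell module is available.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. RODCs report IsReadOnly = $true. Their computer accounts also carry
#    primaryGroupID 521, the "Read-only Domain Controllers" group.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog

# 2. Try a modify against the RODC with referral chasing disabled. A writable DC
#    would apply the change; an RODC answers with result code Referral and the
#    URI of a writable DC, which a referral-chasing client would follow.
function Test-RodcWriteReferral {
    param(
        [string]$Rodc     = 'rodc01.contoso.com',                         # placeholder
        [string]$TargetDn = 'CN=Test User,OU=Branch,DC=contoso,DC=com'    # placeholder
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Rodc)
    $conn.SessionOptions.ReferralChasing =
        [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.Bind()   # default AuthType is Negotiate: current Windows credentials

    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name = 'description'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add('write test against RODC')
    $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($mod)
    $request = New-Object System.DirectoryServices.Protocols.ModifyRequest($TargetDn, $mods)

    try {
        [void]$conn.SendRequest($request)
        "$Rodc applied the write, so it is a writable DC, not an RODC"
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # With chasing off, a referral surfaces as a DirectoryOperationException
        # whose Response carries the result code and the referral URIs.
        $response = $_.Exception.Response
        "$Rodc answered with result code: $($response.ResultCode)"   # expected on an RODC: Referral
        foreach ($uri in $response.Referral) { "  referred to: $uri" }  # ldap://<writable DC>/<DN>
    }
}
Test-RodcWriteReferral
```

Run it from a workstation with line-of-sight to the RODC. The same modify sent to the writable DC named in the referral succeeds, and the change then arrives on the RODC through normal inbound replication.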
DNS Protection
· A DNS server running on an RODC doesn't accept dynamic updates, because its Active Directory-integrated zones are read-only.
· If a client wants to update its DNS record, the RODC's DNS server refers it to a writable DNS server: it answers the client's SOA query for the zone with a writable domain controller as the primary server.
· The client then sends its dynamic update to that DNS server.
· The RODC's DNS server then pulls just that single updated record from the writable DNS server (single-object replication), so the new record shows up on the RODC without waiting for the next regular replication cycle.
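The whole path can be traced from a branch client. The PowerShell below is an added example, not part of the original post: it reads the SOA answer the RODC gives, registers the client's own A record, and then polls the RODC until the record has been replicated to it. The names rodc01.contoso.com and contoso.com are placeholders, and the DnsClient module (Resolve-DnsName) is assumed to be present on the client.

```powershell
# Added example (not from the original post).
# Assumptions (placeholders): rodc01.contoso.com runs the RODC's DNS server,
# contoso.com is the AD-integrated zone, and this host is a domain member that
# registers its own A record.
function Show-RodcDnsUpdatePath {
    param(
        [string]$RodcDns = 'rodc01.contoso.com',   # placeholder
        [string]$Zone    = 'contoso.com'            # placeholder
    )
    # 1. The SOA answer from the RODC should name a writable DNS server as primary.
    #    That is the "referral" a dynamic-update client follows.
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $RodcDns -DnsOnly
    $writableDns = ($soa | Where-Object { $_.Type -eq 'SOA' }).PrimaryServer
    "SOA from $RodcDns names $writableDns as the primary (writable) server"

    # 2. Register this host's A record. Windows sends the update to the SOA
    #    primary, i.e. to the writable server, not to the RODC.
    ipconfig /registerdns | Out-Null
    Start-Sleep -Seconds 5
    $fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $onWritable = Resolve-DnsName -Name $fqdn -Type A -Server $writableDns -DnsOnly -ErrorAction SilentlyContinue
    "On writable DNS ${writableDns}: $($onWritable.IPAddress -join ', ')"

    # 3. The RODC pulls that one record from the writable DC (single-object
    #    replication) shortly afterwards; poll until it is visible there.
    foreach ($i in 1..12) {
        $onRodc = Resolve-DnsName -Name $fqdn -Type A -Server $RodcDns -DnsOnly -ErrorAction SilentlyContinue
        if ($onRodc -and (($onRodc.IPAddress -join ',') -eq ($onWritable.IPAddress -join ','))) {
            "Record replicated to $RodcDns after roughly $($i * 10) s"
            return
        }
        Start-Sleep -Seconds 10
    }
    "Record not visible on $RodcDns after 120 s; check replication from $writableDns"
}
Show-RodcDnsUpdatePath
```

If step 1 returns the RODC's own name as primary, the zone is not hosted as a read-only AD-integrated zone on that server and the rest of the mechanism does not apply.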
Password Protection
· By default, an RODC doesn't store user or computer credentials. (The only exceptions are the computer account of the RODC itself and a special krbtgt account that belongs to that RODC alone.)
· However, an RODC can be allowed to cache the passwords of selected accounts.
· If a user's password isn't cached, the RODC forwards the authentication request to a writable DC.
· The Password Replication Policy determines the groups of users and computers whose passwords the RODC is allowed to cache (more about this in my next post).
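Because every password that is cached on an RODC has to be written off if the box is stolen, the question a practitioner asks is not what the policy allows but what has actually been revealed to the RODC. The PowerShell below is an added example, not code from the original post: it shows the RODC's private krbtgt account, prints the configured policy, lists the accounts whose secrets are really on the RODC, and warns about any of them that is a privileged (AdminSDHolder-protected) account. RODC01 is a placeholder name and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original post).
# Assumptions (placeholders): the RODC's computer name is RODC01 and the
# ActiveDirectory PowerShell module (Server 2008 R2 / RSAT or later) is available.
Import-Module ActiveDirectory

function Get-RodcSecretExposure {
    param([string]$Rodc = 'RODC01')   # placeholder

    # The RODC's own krbtgt (krbtgt_<number>) is one of the two secrets every RODC
    # holds; msDS-KrbTgtLink on the RODC computer object points at it.
    $rodcKrbtgt = (Get-ADComputer -Identity $Rodc -Properties 'msDS-KrbTgtLink').'msDS-KrbTgtLink'
    "Private krbtgt of ${Rodc}: $rodcKrbtgt"

    # Policy as configured: groups that MAY be cached and groups that are NEVER cached.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    "Allowed: $($allowed.Name -join ', ')"
    "Denied:  $($denied.Name -join ', ')"

    # Reality on disk: accounts whose secrets have been revealed to this RODC.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    # Accounts that authenticated through the RODC; those not in $revealed were
    # forwarded to a writable DC because their password is not cached.
    $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
    $forwarded = @($authenticated | Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName })
    "Cached (revealed) accounts: $($revealed.Count)"
    "Authenticated but not cached: $($forwarded.Count)"

    # A cached account with adminCount = 1 is a member of a protected group
    # (Domain Admins, Account Operators, ...). Its hash must never sit on an RODC.
    foreach ($acct in $revealed) {
        $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
        if ($obj.adminCount -eq 1) {
            Write-Warning "Privileged account cached on ${Rodc}: $($acct.SamAccountName)"
        }
    }
    return $revealed
}
$cached = Get-RodcSecretExposure
```

The Denied list wins over the Allowed list, so the usual fix for a warning above is to make sure the account is covered by the Denied RODC Password Replication Group and then reset its password; clearing the cache alone does not undo the exposure.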
Administrator Role Separation
· A domain user who holds the Administrator role on an RODC doesn't have to be a domain admin.
· Such a user can do maintenance work on the RODC, such as installing software or drivers.
· If an intruder obtains the credentials of this delegated administrator account, they can't use them to make changes on other domain controllers or on the domain itself; their reach stays limited to the RODC.
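Two ways to set this up, and a check that the delegation really stays local, as an added example that is not part of the original post. On Windows Server 2008 the role is assigned with dsmgmt on the RODC itself; from Server 2008 R2 on, the managedBy attribute of the RODC computer account is the delegated-administrator setting, and it can be set from any machine with the ActiveDirectory module. RODC01, the CONTOSO domain and the group Branch-Admins are placeholders.

```powershell
# Added example (not from the original post).
# Assumptions (placeholders): RODC01 is the RODC, CONTOSO\Branch-Admins is a domain
# group for the branch IT staff, and the ActiveDirectory module is available.
Import-Module ActiveDirectory
$Rodc  = 'RODC01'          # placeholder
$Group = 'Branch-Admins'   # placeholder (sAMAccountName of a domain group)

# Method 1 (run ON the RODC, Windows Server 2008): dsmgmt "local roles" context.
# The assignment lives only on this RODC; it is not a domain group membership.
dsmgmt "local roles" "add CONTOSO\$Group administrators" "list roles" "show role administrators" quit quit

# Method 2 (any DC, Windows Server 2008 R2 and later): set managedBy on the RODC
# computer account; that principal becomes local administrator of the RODC.
$groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
Set-ADComputer -Identity $Rodc -ManagedBy $groupDn
"Delegated admin of ${Rodc}: $((Get-ADComputer -Identity $Rodc -Properties ManagedBy).ManagedBy)"

# Check: the delegated group must not also sit in a domain-wide admin group,
# otherwise role separation buys nothing. Only direct memberships are examined here;
# nested membership needs a recursive walk.
function Test-RodcAdminSeparation {
    param([string]$GroupName)
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                  'Account Operators', 'Server Operators', 'Backup Operators'
    $memberOf = Get-ADPrincipalGroupMembership -Identity $GroupName | Select-Object -ExpandProperty Name
    $overlap  = @($memberOf | Where-Object { $_ -in $privileged })
    if ($overlap.Count -gt 0) {
        Write-Warning "$GroupName is a member of: $($overlap -join ', '); separation is broken"
        return $false
    }
    "$GroupName holds no domain-wide admin membership"
    return $true
}
Test-RodcAdminSeparation -GroupName $Group
```

Remember that the delegated administrators usually need their passwords cached on the RODC (so they can log on when the WAN link is down), so add the group to the Allowed list of the Password Replication Policy deliberately and keep it out of every domain-level admin group.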