A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in office branches. In this post, I summarize the functionality of RODC.
In office branches, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since Domain controllers store security sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:
- Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
- DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
- Password protection: A malicious user won’t be able to access passwords using a brute-force-attack. This applies only if password caching is disabled on the RODC.
- Administrator Role Separation: You can delegate a local Administrator role to a domain user.
Read-only Domain Controller
- An RODC holds all Active Directory objects and attributes.
- RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
- If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.
- A DNS server running on an RODC doesn’t support dynamic updates.
- If a client wants to update its DNS record, the RODC will send a referral for a writeable DNS server.
- The client can then update against this DNS server.
- This single record will then be replicated from the writable DNS server to the RODC DNS server.
- By default, an RODC doesn’t store user or computer credentials. (The only exception is the computer account of the RODC itself and a special krbtgt account.)
- However, an RODC can cache passwords.
- If a password isn’t cached, the RODC will forward the authentication request to a writeable DC.
- The Password Replication Policy determines the user groups for which passwords caching will be allowed (more about this in my next post).
Administrator Role Separation:
- A domain user having the Administrator role on an RODC doesn’t have to be a domain admin.
- A domain user having the Administrator role can do maintenance work on the RODC such as installing software.
- If an intruder gains access to the credentials of this local administrator account, he will not be able to make changes on other domain controllers.
In my next post, I will explain how to install and configure an RODC.