Module 11: Read-Only Domain Controllers
Overview
Describe the Read-Only Domain Controllers role
Use Read-Only Domain Controllers
Lesson 1: Read-Only Domain Controller
Describe the role of Read-Only Domain Controllers
Describe Windows Server 2008 domain upgrade requirements and prerequisites
List the prerequisites for RODC deployment
Describe scenarios in which RODC usage is recommended
Describe Read-Only Domain Controller Replication
Read-Only Domain Controller
Branch Office Guide Recommendations
Windows Server 2008 Domain Upgrade Requirements and Prerequisites
In-place upgrade from Windows 2000 Server is not supported
In-place upgrade from Windows Server 2003 domain controller to Windows Server 2008 RODC or Windows Server 2008 Server Core is not supported
Prepare your Active Directory environment with Windows Server 2008 updates
Extend the domain schema
RODC Deployment Prerequisites
1. Works in existing environments
2. Windows Server® 2003 Forest Functional Mode
One Windows Server® 2008 DC
3. No patching to down-level DCs or clients is needed
4. Multiple Windows Server 2008 DCs per Domain
One RODC per Domain per Site
Read-Only Active Directory Database
[Diagram: the Directory Service “Cloud” spans the Data Center or Trusted Network, where the “writeable” domain controllers sit, and the edge sites or edge\boundary of the network, where the read-only domain controllers sit]
Read-Only Domain Controller Replication
Replication is Unidirectional
Cannot Perform Outbound Replication
Domain Partition replication must be sourced from Windows Server 2008
Requires writeable 2008 domain controller in nearest site in the topology
Placing RODCs with site link bridging
2008 writable DC can be placed in Site A rather than Site B
Physical connectivity between Site A and Site C is assumed implicitly
If WAN links are available for a time that is sufficient to complete replication, the RODC in Site C can replicate from the writable domain controller running Windows Server 2008 in Site A
Placing RODCs without site link bridging
Bridge all site links option is disabled
Writable DC running 2008 for the same domain should be placed in Site B to replicate the domain partition to the RODC
Otherwise, the RODC in Site C can replicate the schema, configuration, and application directory partitions, but not the domain partition
RODCs in Spoke Sites
In this scenario, do any of the following to accommodate the need for direct replication between the RODC and a writable DC:
Add an additional site link between Site A and Site C, and between Site A and Site D
Create a site link bridge that includes site link A-B, site link B-C, and site link B-D
Add a writable 2008 DC in the intermediary site (Site B)
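The following PowerShell is an added example, not part of the original module, showing how an administrator can verify from a writable DC whether "Bridge all site links" is enabled for the IP transport and, if it is not, create the hub site link bridge from the second option above. It assumes the ActiveDirectory module (Windows Server 2012 or later cmdlets) and placeholder site link names A-B, B-C and B-D for the hub-and-spoke topology A - B - {C, D}.

```powershell
# Added example (not part of the original module): check site link bridging
# and create the hub bridge that lets RODCs in spoke sites replicate the
# domain partition from a writable 2008 DC in the hub.
# Assumptions: ActiveDirectory module present; IP transport; site links are
# named 'A-B', 'B-C', 'B-D' (placeholders) for a topology A - B - {C, D}.
Import-Module ActiveDirectory

$ConfigNC    = (Get-ADRootDSE).configurationNamingContext
$IpTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$ConfigNC" -Properties options

# On the transport object, bit 0x2 of 'options' means "bridges required",
# i.e. the "Bridge all site links" checkbox is cleared. (Bit 0x1 = ignore schedules.)
$BridgesRequired = (($IpTransport.options -band 2) -ne 0)
if ($BridgesRequired) {
    Write-Host "Bridge all site links is DISABLED: an RODC replicates only over direct site links or explicit bridges"
} else {
    Write-Host "Bridge all site links is enabled: site links are transitive, so the RODC in C can source from the 2008 writable DC in A"
}

# Current site links and bridges for the IP transport.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, @{n='Sites'; e={ $_.SitesIncluded -join ';' }}
Get-ADReplicationSiteLinkBridge -Filter * |
    Select-Object Name, @{n='Links'; e={ $_.SiteLinksIncluded -join ';' }}

# Option 2 from the slide: one bridge spanning the hub link and both spoke links,
# so the RODCs in C and D can replicate the domain partition from the writable
# 2008 DC in A without placing a writable DC in B.
$BridgeName = 'Hub-Spokes'   # assumed name
if ($BridgesRequired -and -not (Get-ADReplicationSiteLinkBridge -Filter "Name -eq '$BridgeName'")) {
    New-ADReplicationSiteLinkBridge -Name $BridgeName -SiteLinksIncluded 'A-B', 'B-C', 'B-D'
    Write-Host "Created site link bridge $BridgeName"
}

# Option 1 would instead add explicit links from the hub to each spoke, e.g.:
# New-ADReplicationSiteLink -Name 'A-C' -SitesIncluded 'A', 'C' -Cost 200 -ReplicationFrequencyInMinutes 180
# New-ADReplicationSiteLink -Name 'A-D' -SitesIncluded 'A', 'D' -Cost 200 -ReplicationFrequencyInMinutes 180
```

Run it on a writable DC (or any member with RSAT) before promoting the RODC; if the bridge or the extra links are missing, the RODC still gets the schema, configuration and application partitions but never the domain partition, which is the failure described on the previous slide.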
Lesson 2: Read-Only Domain Controller Operation
Describe how credential caching is controlled on an RODC
Describe how to configure Administrator Role Separation
Configure read-only DNS servers
Describe how to recover from a compromised RODC
Credential Caching
Credential caching is the storing of user passwords on the RODC
Must be explicitly allowed
Configured via the Password Replication Policy on the RODC's writeable replication partner
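As an added example (not part of the original module), the PowerShell below audits and tightens the Password Replication Policy of one RODC from a writable DC. It assumes the ActiveDirectory module, an RODC named RODC01, and two branch groups named Branch-Users and Branch-Workstations; all three names are placeholders.

```powershell
# Added example (not part of the original module): audit and tighten the
# Password Replication Policy (PRP) of an RODC from a writable DC.
# Assumptions: ActiveDirectory module present; RODC is 'RODC01'; groups
# 'Branch-Users' and 'Branch-Workstations' exist (all placeholder names).
Import-Module ActiveDirectory

$Rodc = 'RODC01'   # assumed RODC name

# 1. What may currently be cached on this RODC, and what is explicitly denied?
Write-Host "Allowed list on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Write-Host "Denied list on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Allow only the principals that actually work in that site. The default
#    allowed group is empty, so nothing is cached until this is done.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch-Users', 'Branch-Workstations'

# 3. Deny wins over allow in the PRP, so pin the privileged groups to the deny
#    list even if someone later nests them into an allowed group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# 4. Compare what is really cached (revealed) with what has merely
#    authenticated through the RODC; the second set is the candidate list
#    for prepopulating passwords before a WAN outage.
$Revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$Authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
Write-Host ("Revealed: {0}  Authenticated: {1}" -f @($Revealed).Count, @($Authenticated).Count)

# 5. Finding: any account protected by AdminSDHolder (adminCount=1) whose
#    secret is on the branch box. With the deny list above this should be empty.
$PrivilegedRevealed = $Revealed | Where-Object {
    (Get-ADObject -Identity $_.DistinguishedName -Properties adminCount).adminCount -eq 1
}
if ($PrivilegedRevealed) {
    Write-Warning "Privileged accounts cached on ${Rodc}: $($PrivilegedRevealed.Name -join ', ')"
} else {
    Write-Host "No privileged accounts are cached on $Rodc"
}
```

Step 4 is the part worth scheduling: the revealed list is exactly the set of passwords that must be reset if the RODC is ever lost, so keeping it small and free of privileged accounts is the whole point of the policy.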
Administrator Role Separation
Problem: Too many domain administrators
Solution: Provides a new “local administrator” level of access per RODC
Prevents accidental Active Directory modifications by computer administrators
Does not prevent the “local administrator” from maliciously modifying the local database
This is a true security feature for Read-Only Domain Controller
Read-Only Domain Name System
Does not support client updates directly
Refers clients to a writeable authoritative DNS
Replicates updated records from writeable DNS
Recovering from RODC Compromise
Delete the RODC from the domain
Change passwords of accounts that are cached on compromised RODC
Manually remove the server object for the deleted RODC
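The PowerShell below is an added example, not part of the original module, that carries out the three recovery steps from a writable DC. It assumes the ActiveDirectory module, a compromised RODC named RODC01 in site Branch of domain corp.example (placeholder names), and a domain administrator session; the ntdsutil syntax for metadata cleanup is the standard "remove selected server" form.

```powershell
# Added example (not part of the original module): recover from a compromised
# RODC. Assumptions: ActiveDirectory module present; the RODC is 'RODC01' in
# site 'Branch' of domain corp.example (placeholders); run as a domain admin.
Import-Module ActiveDirectory

$Rodc        = 'RODC01'          # assumed name of the compromised RODC
$DomainDN    = 'DC=corp,DC=example'
$EvidenceDir = 'C:\IR\RODC01'    # assumed location for the cached-account list
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Step 0: capture the revealed (cached) accounts BEFORE deleting the RODC.
# The list is an attribute of the RODC's computer object and disappears with it.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$Revealed | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path (Join-Path $EvidenceDir 'revealed-accounts.csv') -NoTypeInformation

# Step 1: delete the RODC from the domain. Deleting the computer object in
# Active Directory Users and Computers also offers to reset cached passwords;
# here the reset is done explicitly in step 2 so nothing depends on that dialog.
$RodcComputer = Get-ADComputer -Identity $Rodc
Remove-ADObject -Identity $RodcComputer.DistinguishedName -Recursive -Confirm:$false

# Step 2: reset every cached user password and force a change at next logon.
function New-RandomPassword {
    # 24 random bytes, base64-encoded, so the old secret is unusable.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return (ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)
}

foreach ($acct in $Revealed) {
    switch ($acct.ObjectClass) {
        'user' {
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword (New-RandomPassword)
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
            Write-Host "Reset password for user $($acct.Name)"
        }
        'computer' {
            # A cached machine account secret has to be reset on the member itself
            # (Reset-ComputerMachinePassword) or by rejoining it; record it for follow-up.
            Write-Warning "Computer account $($acct.Name) was cached; reset its secret on the host"
        }
        default {
            Write-Warning "Unhandled object class $($acct.ObjectClass) for $($acct.Name)"
        }
    }
}

# Step 3: manually remove the server object (metadata cleanup) if it is still
# present; a PowerShell deletion of the computer object does not trigger the
# automatic cleanup that the ADUC dialog performs.
$ServerDN = "CN=$Rodc,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,$DomainDN"   # assumed DN
try   { $ServerObject = Get-ADObject -Identity $ServerDN }
catch { $ServerObject = $null }
if ($ServerObject) {
    ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit
} else {
    Write-Host "Server object for $Rodc already removed"
}
```

The order matters: the revealed-account list is read from the RODC's own computer object, so it must be exported before step 1, and the exported CSV doubles as the incident record of which accounts needed a reset.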