Features of Read-Only Domain Controller (RODC)
A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in branch offices. In this post, I summarize the functionality of the RODC.
In branch offices, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since domain controllers store security-sensitive data, they are particularly at risk. RODCs can help with this problem in four ways:
Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
Password protection: A malicious user won’t be able to access passwords using a brute-force attack. This applies only if password caching is disabled on the RODC.
Administrator Role Separation: You can delegate a local Administrator role to a domain user.
Read-only Domain Controller
An RODC holds all Active Directory objects and attributes.
RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC). If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.
A DNS server running on an RODC doesn’t support dynamic updates.
If a client wants to update its DNS record, the RODC will send a referral to a writable DNS server. The client can then send its update to that DNS server.
This single record will then be replicated from the writable DNS server to the RODC DNS server.
By default, an RODC doesn’t store user or computer credentials. (The only exception is the computer account of the RODC itself and a special krbtgt account.)
However, an RODC can cache passwords. If a password isn’t cached, the RODC will forward the authentication request to a writable DC. The Password Replication Policy determines the user groups for which password caching will be allowed (more about this in my next post).
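Because the password protection only holds for accounts that are not cached, it is worth checking what each RODC currently stores. The following PowerShell is an added example, not part of the original post: it lists the accounts whose passwords are cached on every RODC in the domain and marks those with adminCount set to 1. It assumes the ActiveDirectory module (RSAT) is installed; the function name and output property names are chosen for this example.

```powershell
# Added example: audit which passwords are cached on each RODC in the domain.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Get-RodcCachedAccount {
    # Every domain controller in the current domain that is read-only.
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

    foreach ($rodc in $rodcs) {
        # Accounts whose passwords are stored on this RODC right now.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
            -Identity $rodc -RevealedAccounts

        foreach ($account in $revealed) {
            # Skip the two default exceptions: the RODC's own computer account
            # and its dedicated krbtgt account (named krbtgt_<number>).
            if ($account.SamAccountName -eq ($rodc.Name + '$') -or
                $account.SamAccountName -like 'krbtgt_*') {
                continue
            }

            # adminCount = 1 marks an account that is, or has been, a member
            # of a protected (administrative) group.
            $obj = Get-ADObject -Identity $account.DistinguishedName -Properties adminCount

            [pscustomobject]@{
                Rodc        = $rodc.Name
                Account     = $account.SamAccountName
                ObjectClass = $account.ObjectClass
                Privileged  = ($obj.adminCount -eq 1)
            }
        }
    }
}

# Privileged rows first: these are the cached passwords that matter most
# if the branch-office server is stolen or tampered with.
Get-RodcCachedAccount |
    Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, Rodc, Account |
    Format-Table -AutoSize
```

An empty result means the RODC holds only its own computer account and krbtgt account, which is the default state described above.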
Administrator Role Separation
A domain user having the Administrator role on an RODC doesn’t have to be a domain admin.
A domain user having the Administrator role can do maintenance work on the RODC such as installing software. If an intruder gains access to the credentials of this local administrator account, he will not be able to make changes on other domain controllers.