Once upon a time, when I was a Security TS, there was an apocryphal story I used to share with customers about Russian bank robbers who weren’t just stealing money from bank branches; they were taking the servers from the branch, which they would then take back to their secret hideout and crack at their leisure, accessing the database of user account and credit card information. Of course, I say the story is apocryphal now because I can’t find a reference to it online, but I’m pretty sure I heard it first from Scott Charney, and I’d like to think he’s a credible source of security information.
Anyway, if a bank were deploying Domain Controllers to its branches, it would be relatively easy for someone unscrupulous with the stolen hardware to pull the password hashes out of the AD database (NTDS.DIT) and crack them offline, and a recovered domain password grants access to the bank network, not just to the branch. The Windows team has come up with a workable solution for placing Domain Controllers in locations where physical security is hard to guarantee: the Read-Only Domain Controller.
Just like the name suggests, a Read-Only Domain Controller (RODC) hosts read-only partitions of the AD database. For those situations where you really want a domain controller for local authentication but have limited physical security, it offers a nice compromise. It’s also a nice alternative in other scenarios where local storage of domain passwords is a threat, like an extranet or application server role.
The functionality enabled with RODCs includes:
· Read-only AD DS database – holds the same objects and attributes as a writable DC, except account passwords and other secrets, and only accepts changes via replication from a writable DC. Additionally, an admin can add attributes to the RODC filtered attribute set (RODC FAS) so they are never replicated to any RODC; that filtering is only enforced against a compromised RODC when the forest functional level is Windows Server 2008.
· Unidirectional replication – no changes originate at the RODC, and writable DCs never pull from it, so if the AD DS database on a stolen RODC is tampered with, those changes won’t be replicated to other DCs.
· Credential caching – off by default (an RODC stores only its own computer account password and its own krbtgt key). Through the Password Replication Policy (PRP) an admin lists which users and computers may have their credentials cached on that RODC; everyone else authenticates through a writable DC over the WAN. This speeds up authentication for the branch while limiting the exposure of a stolen RODC to just the accounts that were cached, and the RODC’s computer object records which accounts those were, so their passwords can be reset after a theft.
· Administrator role separation – local admin rights (patching, backups, drivers) can be delegated on just the RODC without granting admin permissions anywhere else in the domain or on other DCs.
· Read-only Domain Name System (DNS) – full DNS lookup functionality and replication of AD-integrated zones, but no client updates; a client that tries a dynamic update is referred to a writable DNS server, and the RODC then pulls the updated record back.
RODC is a feature of Windows Server 2008. Before you can deploy any RODCs, you need at least one writable Windows Server 2008 DC in the same domain for the RODC to replicate from, and you need to run adprep /rodcprep. The forest functional level must be Windows Server 2003 or higher (RODCs depend on linked-value replication), and the domain functional level must be Windows Server 2003 or higher (RODCs depend on Kerberos constrained delegation).
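The Password Replication Policy is where the security of an RODC is actually decided, so here is an added example (not from the original post) of configuring it for one branch, reviewing what the RODC has cached, and responding to the theft the story above describes by resetting every account that was revealed to it. It uses the ActiveDirectory PowerShell module, which shipped with Windows Server 2008 R2 and later RSAT; on Windows Server 2008 itself the same operations are done with repadmin /prp (see the note after the block). The RODC name RODC01 and the group name "Branch01 Users" are assumptions.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module,
# an RODC named RODC01 and a group "Branch01 Users" (both names are assumptions).
Import-Module ActiveDirectory

$Rodc        = 'RODC01'
$BranchGroup = 'Branch01 Users'

# 1. Confirm the target really is an RODC and list all RODCs in the domain.
Get-ADDomainController -Filter { IsReadOnly -eq $true } | Select-Object Name, Site, IsReadOnly

# 2. Allow only the branch users' credentials to be cached on this RODC.
#    "Denied RODC Password Replication Group" (Domain Admins, krbtgt, etc.) is denied
#    by default, and a Deny entry always wins over an Allow entry.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList 'Domain Admins'

# 3. Review the effective policy ...
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name

# ... and, more importantly, the accounts whose secrets the RODC currently holds.
# This list is the exact exposure if the box walks out of the branch.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# 4. Optional: pre-populate the cache for branch users so their first logon works
#    even when the WAN link to the writable DC is down.
$WritableDc = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
Get-ADGroupMember -Identity $BranchGroup -Recursive |
    Where-Object { $_.ObjectClass -eq 'user' } |
    ForEach-Object { Sync-ADObject -Object $_ -Source $WritableDc -Destination $Rodc -PasswordOnly }

# 5. Incident response for a stolen RODC: treat every revealed user account as
#    compromised and reset it. Computer accounts in the revealed list need their
#    machine password reset from the machine itself (Reset-ComputerMachinePassword)
#    or a domain rejoin. Deleting the RODC's computer object in Active Directory
#    Users and Computers offers the same reset, but this lets you do it first and
#    keep a record of what was reset.
function Reset-RevealedAccounts {
    param([Parameter(Mandatory)][string]$RodcName)

    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Where-Object { $_.ObjectClass -eq 'user' } |
        ForEach-Object {
            # 24 random printable characters; the user is forced to change it at next logon.
            $new = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
            Set-ADAccountPassword -Identity $_.DistinguishedName -Reset `
                -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
            Set-ADUser -Identity $_.DistinguishedName -ChangePasswordAtLogon $true
            Write-Output "Reset password for $($_.SamAccountName) (revealed to $RodcName)"
        }
}

# Run this as soon as the theft is reported:
Reset-RevealedAccounts -RodcName $Rodc
```

On a Windows Server 2008 DC without the ActiveDirectory module, `repadmin /prp view RODC01 reveal` shows the revealed accounts, `repadmin /prp add RODC01 allow "CN=Branch01 Users,OU=Groups,DC=example,DC=com"` adds to the Allow list (the DN is an assumption), and `repadmin /rodcpwdrepl` pre-populates the cache. Whichever tool you use, the check that matters is step 3: if privileged accounts ever show up in the revealed list, the PRP is wrong and the RODC no longer buys you the protection it was deployed for.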
The Step-by-Step Guide for RODCs