What are RODCs? What are the advantages?

A read-only domain controller (RODC) is a type of domain controller introduced with the Windows Server 2008 operating system. With an RODC, organizations can deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database: no changes can be originated on it, replication is inbound only, and under the default Password Replication Policy it caches no domain account passwords other than those of its own computer account and its own krbtgt account.

Before Windows Server 2008, users in a branch office either authenticated against a domain controller across a wide area network (WAN) or the branch had to host a writable domain controller; there was no real alternative, and in many cases neither option was efficient. Branch offices often cannot provide the physical security that a writable domain controller requires. Furthermore, branch offices often have poor network bandwidth on the link to the hub site. This increases the time required to log on and hampers access to network resources.

Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. Users in this situation receive the following benefits:
§ Improved security
§ Faster logon times
§ More efficient access to resources on the network
What does an RODC do?

Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. Because the RODC holds no writable copy of the directory and, by default, no cached passwords, a stolen or compromised RODC exposes far less than a stolen writable domain controller, and since writable domain controllers never replicate from an RODC, it cannot push changes back to the hub.

However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or the domain controller might be the only server in the branch office, so it has to host server applications as well.

In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. On a writable domain controller this means making that person a local administrator, and the Administrators group on a domain controller is the domain's built-in Administrators group, which can modify the directory; this is a security risk that may be unacceptable.

An RODC provides a more secure mechanism for deploying a domain controller in this scenario. Through Administrator Role Separation, you can grant a non-administrative domain user the right to log on to and administer an RODC locally while minimizing the security risk to the Active Directory forest: the delegation is stored on that one RODC, is not replicated, and grants no rights in AD DS itself or on any other domain controller.

You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example in an extranet or application-facing role.
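The delegation described above is done with Administrator Role Separation. The following is an added example, not code from the original article: it runs on the RODC itself after promotion, as a member of Domain Admins, and uses the dsmgmt tool that ships with the Windows Server 2008 AD DS role. The account CORP\branchadmin is an assumed, ordinary domain user.

```powershell
# Added example (not from the original article): delegate local administration
# of an RODC to a non-administrative domain user via Administrator Role Separation.
# Run on the RODC, as a member of Domain Admins. CORP\branchadmin is assumed.

$delegate = 'CORP\branchadmin'   # assumption: ordinary domain user, not in Domain Admins

# Add the user to the RODC's local Administrators role. The role list is kept on
# this RODC only and is not replicated, so the user gains no rights on any other
# domain controller and no rights in AD DS itself; he can log on interactively,
# patch the server and manage the LOB application, but cannot change the directory.
& dsmgmt.exe 'local roles' "add $delegate administrators" quit quit

# Verify: show who this RODC will treat as a local administrator.
& dsmgmt.exe 'local roles' 'show role administrators' quit quit

# To revoke the delegation later, without touching any domain group:
#   dsmgmt "local roles" "remove CORP\branchadmin administrators" quit quit
```

dsmgmt accepts its interactive commands as arguments, so the same lines can be pasted into a command prompt on a Server Core RODC. Use a dedicated account for the delegate rather than a shared one; the local role grants full control of the server, including the ability to read whatever passwords the RODC's Password Replication Policy has allowed it to cache.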
How do you install an RODC?

1. Make sure you are a member of the Domain Admins group of the domain that will contain the RODC. Step 3 additionally requires membership in the Enterprise Admins group.
2. Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication, which an RODC requires, is available.
3. Run adprep /rodcprep once per forest, from the \sources\adprep folder of the Windows Server 2008 installation media, as a member of the Enterprise Admins group. It can be run from any computer in the forest; it contacts the infrastructure master of each domain and application directory partition and updates the permissions on the application directory partitions so that they can replicate to RODCs.
4. Install a writable domain controller that runs Windows Server 2008. An RODC must replicate domain updates from a writable domain controller that runs Windows Server 2008, so before you install an RODC, install one in the same domain. That domain controller can run either a full installation or a Server Core installation of Windows Server 2008, and it does not have to hold the primary domain controller (PDC) emulator operations master role.
5. Install the RODC itself on either a full installation or a Server Core installation of Windows Server 2008. On a full installation, follow these steps (on Server Core there is no wizard, so dcpromo must be run from the command prompt with an answer file, dcpromo /unattend:<file>):
§ Click Start, type dcpromo, and then press ENTER to start the Active Directory Domain Services Installation Wizard.
§ On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
§ On the Network Credentials page, type the name of a domain in the forest where you plan to install the RODC. If necessary, also type the user name and password of a member of the Domain Admins group, and then click Next.
§ Select the domain for the RODC, and then click Next.
§ Click the Active Directory site for the RODC, and then click Next.
§ On the Additional Domain Controller Options page, select the Read-only domain controller check box. [Illustration in the original article: the Additional Domain Controller Options page with the Read-only domain controller check box selected.] By default, the DNS server check box is also selected. To run the DNS server on the RODC, another domain controller running Windows Server 2008 must be running in the domain and hosting the DNS domain zone. An Active Directory-integrated zone on an RODC is always a read-only copy of the zone. Client updates are referred to a DNS server in a hub site instead of being made locally on the RODC.
§ To use the default folders that are specified for the Active Directory database, the log files, and SYSVOL, click Next.
§ Type and then confirm a Directory Services Restore Mode password, and then click Next.
§ Confirm the information that appears on the Summary page, and then click Next to start the AD DS installation. You can select the Reboot on completion check box to have the rest of the installation complete automatically.

After the reboot, review the RODC's Password Replication Policy. By default it denies caching of every account's password, so each branch logon is forwarded to a writable domain controller across the WAN. To get the faster logons described above, add the branch users and computers to the allowed list (for example through the Allowed RODC Password Replication Group) and keep administrative accounts in the denied list, so that a stolen RODC yields only the credentials of the accounts that actually work at that site.
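The following is an added example, not code from the original article. It checks the four prerequisites above against the live forest and then performs the same promotion the wizard does, unattended, with dcpromo /unattend, which is also the only way to promote a Server Core installation. It assumes the domain corp.example.com (NetBIOS name CORP) is the forest root, that the branch site is named BranchSite, and that the script runs on the future RODC, which is already domain-joined, under an account that is a member of Domain Admins; the UserName of Administrator in the answer file is likewise an assumption.

```powershell
# Added example (not from the original article): pre-flight checks for the RODC
# prerequisites, then an unattended RODC promotion with dcpromo /unattend.
# Assumptions: corp.example.com (CORP) is the forest root, site BranchSite exists,
# this runs on the domain-joined future RODC as a member of Domain Admins.

$domainName = 'corp.example.com'      # assumed domain name
$netbios    = 'CORP'                  # assumed NetBIOS domain name
$siteName   = 'BranchSite'            # assumed AD site for the branch
$answerFile = 'C:\rodc-unattend.txt'

# 1. Domain Admins membership (dcpromo needs it; adprep /rodcprep needs Enterprise Admins).
$me = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole("$netbios\Domain Admins")) { throw "Run this as a member of $netbios\Domain Admins." }

# 2. Forest functional level must be Windows Server 2003 or higher (linked-value replication).
$domCtx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $domainName)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($domCtx)
$tooLow = @('Windows2000Forest', 'Windows2003InterimForest')
if ($tooLow -contains [string]$domain.Forest.ForestMode) {
    throw "Forest functional level is $($domain.Forest.ForestMode); raise it to Windows Server 2003 or higher."
}

# 3. A completed adprep /rodcprep leaves CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates
#    in the Configuration partition with revision = 2.
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainName/RootDSE")
$configNc = [string]$rootDse.Properties['configurationNamingContext'][0]
$rodcPath = "LDAP://$domainName/CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc"
$revision = 0
if ([System.DirectoryServices.DirectoryEntry]::Exists($rodcPath)) {
    $revision = [int](New-Object System.DirectoryServices.DirectoryEntry($rodcPath)).Properties['revision'][0]
}
if ($revision -lt 2) { throw "adprep /rodcprep has not completed in this forest (revision $revision, expected 2)." }

# 4. At least one writable Windows Server 2008 DC in the domain. Writable DCs have
#    primaryGroupID 516 (Domain Controllers); RODCs have 521 (Read-only Domain Controllers).
$domainEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainName")
$filter      = '(&(objectCategory=computer)(primaryGroupID=516)(operatingSystem=*2008*))'
$searcher    = New-Object System.DirectoryServices.DirectorySearcher($domainEntry, $filter)
[void]$searcher.PropertiesToLoad.Add('dNSHostName')
$writable = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['dnshostname'][0] })
if ($writable.Count -eq 0) { throw "No writable Windows Server 2008 domain controller found in $domainName." }
Write-Host ("Writable Windows Server 2008 DCs available as replication sources: " + [string]::Join(', ', $writable))

# 5. Unattended promotion. Password=* makes dcpromo prompt for the Domain Admins
#    password. The DSRM password has to be in the file in clear text, so it is read
#    here as a SecureString and the file is deleted as soon as dcpromo returns.
$dsrm      = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$bstr      = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

@"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$domainName
SiteName=$siteName
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=$domainName
UserName=Administrator
Password=*
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@ | Out-File -FilePath $answerFile -Encoding ASCII

# dcpromo.exe is a windowed program, so wait for it explicitly to get its exit code.
$proc = [Diagnostics.Process]::Start('dcpromo.exe', "/unattend:$answerFile")
$proc.WaitForExit()
$rc = $proc.ExitCode
Remove-Item $answerFile -Force          # never leave the DSRM password on disk

# dcpromo documents exit codes 1 through 10 as success and 11 and above as failure.
if ($rc -ge 1 -and $rc -le 10) {
    Write-Host "RODC promotion succeeded (exit code $rc); rebooting."
    shutdown.exe /r /t 0
} else {
    throw "dcpromo failed with exit code $rc; see %SystemRoot%\debug\dcpromo.log."
}
```

ReplicaOrNewDomain=ReadOnlyReplica is the answer-file equivalent of the Read-only domain controller check box, and InstallDNS=Yes with ConfirmGc=Yes matches the wizard's defaults on the Additional Domain Controller Options page. RebootOnCompletion is deliberately No so that the answer file can be removed before the reboot; leaving a plain-text DSRM password on a server whose physical security is already in doubt defeats much of the point of choosing an RODC.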