Windows Server 2008 R2 Domain Controllers: Plan Carefully for RODCs
When physical security is lacking, it becomes essential to increase the focus on data security. Windows Server 2008 and R2 provide some new ways to do so that seem uniquely tailored for environments like remote offices where physical security may not be as tight. Read-only domain controllers (RODCs) are a new feature of the Active Directory Domain Services (AD DS) in the Windows Server systems. They represent a fundamental change to how you’d typically use domain controllers (DCs).
Because many of RODCs’ new capabilities impact key aspects of the design and deployment process, it’s important to understand how you can leverage them in your enterprise. There are also critical design and planning considerations you must take into account before introducing them into your environment. RODCs are DCs that host complete, read-only copies of Active Directory database partitions, a read-only copy of SYSVOL, and a Filtered Attribute Set (FAS) that restricts the inbound replication of certain application data from writable DCs.
By default, RODCs do not selectively store user and computer account credentials, but you can configure them to do so. That alone typically warrants using RODCs in remote branch offices or perimeter networks lacking the physical security commonly found in datacenter intranets. RODCs also provide other less-well-known security features, such as a special Kerberos ticket-granting account that addresses ticket-based attacks associated with the RODC itself becoming compromised.
Although security concerns are the most common reasons to deploy RODCs, they also provide a number of other advantages, like enterprise manageability and scalability. Generally speaking, RODCs are meant for environments that require local authentication and authorization, but lack the physical security to safely use writable DCs. Therefore, RODCs are most common in datacenter perimeter networks or branch office locations.
One example of a good use of RODCs is a datacenter that requires AD DS, but because of security constraints can’t leverage the corporate AD DS forest in the perimeter network. In this case, RODCs might meet relevant security requirements, therefore changing the infrastructure scope of the corporate AD DS implementation. This type scenario will likely become more frequent. It also reflects current best practice AD DS models for perimeter networks, such as the extended corporate forest model.
Branching Out with RODCs
The most common environments for RODCs using AD DS are still branch offices. These types of environments are typically end points in a hub-and-spoke network topology. They are widely distributed geographically, in large numbers, and they individually host small user populations, connect to hub sites by slow, unreliable network links, and often lack local, experienced administrators.
For branch offices already hosting writable DCs, it’s probably unnecessary to deploy RODCs. In this scenario, however, RODCs may not only meet existing AD DS-related requirements, but also exceed them with regard to tighter security, enhanced management, simplified architecture and lower total cost of ownership (TCO). For locations where security or manageability requirements prohibit using DCs, RODCs can help you introduce DCs into the environment and provide a number of beneficial, localized services.
Although the new features and benefits make evaluating RODCs compelling, there are additional factors to consider, like application compatibility issues and service impact conditions. These could render RODC deployments unacceptable for certain environments.
For example, because many directory-enabled applications and services read data from AD DS, they should continue to function and work with an RODC. However, if certain applications require writable access at all times, an RODC may not be acceptable. RODCs also depend on network connectivity to a writable DC for write operations. Although failed write operations may be the cause of most well-known application-related issues, there are other issues to consider, such as inefficient or failed read operations, failed write-read-back operations, and general application failures associated with the RODC itself.
Besides application issues, fundamental user and computer operations can be affected when connectivity to a writable DC is disrupted or lost. For example, basic authentication services may fail if account passwords are not both cacheable and cached locally on the RODC. You can easily mitigate this issue by making accounts cacheable through an RODC’s Password Replication Policy (PRP), and then caching the passwords through pre-population. Performing these steps also requires connectivity to a writable DC.
Along with other authentication issues, password expirations and account lockouts are significantly impacted when connectivity to a writable DC is unavailable. Password change requests and any attempts to manually unlock a locked account will continue to fail until connectivity to a writable DC is restored. Understanding these dependencies and subsequent changes in operational behavior is critical to ensuring your requirements and any service level agreements (SLAs).
There are several general scenarios in which you can deploy RODCs. They’re useful in locations that don’t have existing DCs, or in locations that currently host DCs that will either be replaced or upgraded to a newer version of Windows. Although there are comprehensive planning considerations specific to each scenario, we’ll focus here on non-specific approaches. They are, however, distinct to RODCs, rather than to traditional writable DCs.
Before you start any formal RODC planning, you should conduct an appropriate level of due diligence and fundamental AD DS preplanning. This should include key tasks like validating the existing AD DS logical structure, and ensuring the administration model and the AD DS physical structure supports existing business and technical requirements. You’ll also have to consider hardware requirements, software upgrade strategies, and applicable operating system known issues, and to evaluate RODC AD DS prerequisites. This information will be critical to the planning and deployment processes. You’ll find it’s well-documented in detailed deployment check lists.
Installation and Management
There’s a substantial manageability feature in RODCs called Administrator Role Separation (ARS). This delegates to non-service administrators the ability to install and administer RODC servers, without granting Active Directory rights. This is a significant change to the traditional considerations with respect to DC server design, delegation of administration, and deployment procedures. This role separation becomes increasingly important with critical applications requiring direct installation on a DC, or for locations that host single, multi-purpose servers.
Additional Server Roles
As a general rule, you should eliminate from the server all roles not required for the RODC to function. Therefore, the only roles you should add to RODCs are the DNS and global catalog server roles. You should install the DNS server role on each RODC so local DNS clients can perform DNS resolution when network connectivity to a writable DC is unavailable. However, if the DNS server role is not installed through Dcpromo.exe, you’ll have to install it afterward. You have to use Dnscmd.exe to enlist the RODC in the DNS application directory partitions that host the Active Directory integrated zones. You should also configure RODCs as global catalog servers so they can perform authentication and global catalog queries using just the RODC. From an authentication standpoint, if the global catalog role is not an option, you can use universal group caching. Successful authentication to an RODC may ultimately be dependent on the RODC’s PRP configuration.
DC placement has changed considerably since the introduction of the RODC PRP. RODCs must be able to replicate the domain partition from a writable DC running Windows Server 2008 or Windows Server 2008 R2 in the same domain, because only these DCs can enforce the PRPs for RODCs. To ensure proper replication, the writable DC should be placed in the AD DS site that has the lowest cost site link to the site containing the RODC.
If you can’t establish this configuration, the RODC replication will need to depend on the Bridge all site links option (meaning site link transitivity) or site link bridges between whichever site links contain the RODC site and the site of the writable DC. If site transitivity or site link bridges aren’t an option, you can create new site links to directly connect the RODC site and the site of the writable DC.
As a general best practice, you shouldn’t place other DCs in the same AD DS site as the RODC, because client operations may become inconsistent, making client behavior unpredictable. Basic operations like authentication, LDAP reads and writes, and password changes can all behave differently depending on disparate RODC configurations, the Windows version of a writable DC, and whether or not network connectivity to other writeable DCs is available. You should also keep all users and resources from a single domain in an RODC site. RODCs don’t store trust passwords and they require cross-domain authorization to forward authentication requests to different writable DCs in each domain. Assuming writable DCs reside in separate sites, all cross-domain authentication requests would be dependent on network connectivity and wouldn’t work in the event of a network connectivity failure.
Scalability and Replication
RODCs also provide scalability benefits that are helpful for larger or more complex AD DS implementations. For example, RODCs provide unidirectional replication. Therefore, deploying RODCs in branch offices reduces the performance load on hub site bridgehead servers that normally process inbound replication for branch office DCs. From a TCO perspective, this reduces the number of connection objects you need to create and manage. It may also reduce the required number of hub site DCs.
RODCs also provide load-balancing improvements that help automatically distribute outbound connection objects evenly across hub-site bridgehead servers. With previous versions of Windows, this required routine manual intervention. Now, when the knowledge consistency checker (KCC) on an RODC detects that a bridgehead server is added or removed in a hub site, it determines whether to switch replication partners to a new bridgehead. It does this by running an algorithm and probabilistic load-balancing. If RODCs are added in branch office locations, the KCC will also balance inbound connections across existing hub-site bridgehead servers.
An RODC’s PRP determines whether accounts are cacheable on that particular RODC. By default, the “allow” list in the PRP specifies that you can’t cache any account passwords. Also, it explicitly denies certain accounts from being cached. This takes precedence over manually configured “allow” configurations. As mentioned earlier, you may need to configure the PRPs on each RODC to allow the passwords for accounts to be cacheable.
Take this step cautiously, as PRP modifications have both security and service availability impacts. For example, the default scenario of no accounts cacheable results in high security, but no offline access in the event network connectivity to a writable DC becomes unavailable. Conversely, when a large percentage of accounts are cacheable (e.g., the domain users group), security is much lower if the RODC is compromised, but there’s a higher level of service availability for the cacheable accounts. Due to the unique business and technical requirements across various infrastructure environments, PRP designs will differ from organization to organization.
Once you’ve established a PRP model, you’ll have to configure the PRP on each RODC so you may cache the appropriate accounts. As a best practice, configure the PRPs with explicit allows and don’t modify the default deny list. The deny list is critical, because it prevents critical account credentials (such as AD DS service administrators) from ever being cached on RODCs.
Another key aspect of PRP design is determining whether cacheable accounts will be pre-populated with passwords. By default, the credentials of cacheable accounts aren’t actually cached until after the initial logon to an RODC when the authentication request is forwarded to a Windows Server 2008 or Windows Server 2008 R2 writable DC and the credentials are replicated to the RODC. This means that if network connectivity to a writable DC becomes unavailable before cacheable accounts are authenticated against an RODC, successful logon will fail even though the accounts have been configured as cacheable.
To address this issue, you can manually pre-populate the password cache as soon as the PRP is configured and accounts are marked cacheable. This operation also requires network connectivity between a Windows Server 2008 or Windows Server 2008 R2 writable DC and the RODC. You can do this ahead of time during the deployment process, well before cacheable users log in for the first time.
You can use this fundamental architectural design guidance as a foundation for your RODC planning. By covering key design considerations, this article provides an effective starting point for designing a detailed and comprehensive RODC solution. This is not a simple process and requires substantial time to reconcile new features and design considerations against your organization’s unique environment and requirements.
Paul Yu ( Paul.Yu@microsoft.com ) is a senior consultant within Microsoft Consulting Services and has worked for Microsoft for ten years, providing enterprise infrastructure solutions to commercial corporations and public sector organizations.