Tuesday, 24 December 2013

What Is an RODC (Read-Only Domain Controller) and How to Configure It

An RODC is a domain controller (DC) mode introduced in Windows Server 2008. It holds a read-only copy of the Active Directory (AD) domain database on the DC, but it offers considerably more than just a read-only database. The main features of an RODC are as follows:
  • A read-only AD Domain Services (AD DS) database--Applications that need only read access to the database can use the RODC; any change to the database must be made on a read-writable DC (RWDC) and is then replicated to the RODC.
  • Unidirectional replication--Nothing replicates out of an RODC, so even if a change is made on the RODC it cannot spread misinformation to the rest of the domain. This reduces the risk of a system-wide compromise and simplifies the replication topology.
  • Filtered attribute set configuration--Attributes in the filtered attribute set are not replicated to any RODC in the forest. If an RODC is compromised and the set is modified there, a Server 2008 RWDC won't replicate the values; a Windows Server 2003 DC would. If possible, set the forest functional level to Windows Server 2008 so that Server 2003 DCs, which could expose the data, cannot be added to the forest. Note that system-critical attributes cannot be added to the RODC filtered attribute set.
  • Limited credential caching--An RODC doesn't store user or computer credentials (except for the RODC's own computer account). When the RODC receives an authentication request, it forwards it to an RWDC and then requests a copy of the credential so that it can service future requests itself. If the password replication policy allows caching for that account, the credential is cached and the RODC can service its logon requests until the credentials change.
  • Separation of administrator capabilities--An RODC can designate users as local server administrators without granting them any domain or other DC permissions.
  • Read-only DNS--A DNS server on an RODC doesn't accept client updates and doesn't register name-service resource records.
  • Two-stage RODC installation--The first stage is completed by a credentialed administrator, who creates the AD DS account for the RODC with the information that will be distributed in the AD database, such as its DC account name and its site. The admin then designates which users or groups may finish the second stage, usually at the remote location. Stage two installs AD DS on the RODC and attaches the server to its AD DS account.

How To Deploy RODC

We now have an Active Directory domain with three Domain Controllers: two in the Forest Root Domain and one in a sub domain. We have configured three Active Directory Sites as described in the Configure the Site Structure article.
In this article we'll install a Read-Only Domain Controller (RODC) in a remote site. We'll pre-create the RODC account and delegate permission to a user at the remote site to perform the RODC installation. If you are using a domain administrator account, you can use the Active Directory Installation Wizard directly to install the RODC, as described in Installing a Read-Only Domain Controller (RODC) using a domain administrator account. We assume that you have already installed Windows Server 2008 R2 on the server and completed the initial configuration. For more information about RODCs, please check our Knowledgebase article Read-Only Domain Controllers (RODC).
Before proceeding with the installation, make sure you have the following information:
    • Computer name of the server which you'll configure as an RODC
    • IP address and subnet mask of the server, and the gateway IP address
    • DNS server IP address(es)
    • Fully Qualified Domain Name (FQDN) of the Active Directory domain
    • Current Domain Functional Level of the domain in which you are going to install the Read-Only Domain Controller (RODC). If it is lower than Windows Server 2003, make sure that you can raise it without affecting the services that depend on Active Directory Domain Services (AD DS)
    • Active Directory Site where this Domain Controller will be placed
    • User account with Enterprise Admins and Domain Admins privileges
    • Additional services to be configured on this server: DNS Server, Global Catalog Server
    • Locations of the AD DS database, log files and SYSVOL folder (if you wish to separate them from the system drive)


Installation Process

This process involves two stages. First, pre-create the Read-Only Domain Controller (RODC) account using the Active Directory Users and Computers console from an available Domain Controller. Then the delegated user account can be used to install the RODC at the remote site.

Stage 1: From an available Domain Controller

    1. Log in to a Domain Controller using a user account with Domain Admins privileges. Go to Administrative Tools in the Start Menu and open the Active Directory Domains and Trusts console. Right-click Active Directory Domains and Trusts at the root of the console and click Raise Forest Functional Level.



      Verify that the Forest Functional Level is set to at least Windows Server 2003.



      (Click here to learn all available Forest and Domain Functional Levels of Windows Server 2008 R2 Active Directory)
    2. The first step of the RODC installation is to run the adprep /rodcprep command for all domains in which you plan to install an RODC. To run adprep /rodcprep, you must be a member of the Enterprise Admins group. The location of the adprep executable differs between Windows Server versions. For Windows Server 2008 R2 it is located at <DVD Drive>:\support\adprep.

      Open the command prompt and navigate to <DVD Drive>:\support\adprep.



      Type adprep /rodcprep and press Enter.



      Note: You do not have to perform this step if all of the domain controllers are running Windows Server 2008 or Windows Server 2008 R2.
    3. Go to Administrative Tools in the Start Menu and open the Active Directory Users and Computers console. Select the Domain Controllers Organizational Unit. Right-click an empty space in the right pane (alternatively, right-click the Domain Controllers Organizational Unit) and click Pre-create Read-only Domain Controller account...


    4. Select Use advanced mode installation and click Next on the Welcome to the Active Directory Domain Services Installation wizard page.


    5. The next page provides operating system compatibility information about previous Windows versions. Read it carefully and click Next to continue.


    6. As we are logged in as a domain administrator, we do not need to set alternate credentials. Click Next to continue.


    7. Type the name of the server which will be configured as an RODC. Verify the Full DNS computer name: and click Next to continue.


      You should configure this name as the computer name when you install the operating system on the server which will become the RODC. This server must not be joined to the Active Directory domain before you run the dcpromo /UseExistingAccount:Attach command described later in this article.
    8. The wizard checks whether the computer name is already in use within the network.


    9. Select the site if you have more than one site configured and click Next. We will install this RODC at Kandy site (Subnet: 192.168.2.0/24).


    10. The wizard checks the DNS configuration.


    11. Select whether you want to configure this Domain Controller as a DNS Server and/or Global Catalog Server. Click Next to continue.


    12. If you selected Use advanced mode installation on the first page of the wizard, you can change the default password replication policy on this page. Add or remove Groups, Users or Computers as required and click Next.


    13. Set the Group or User account to which you delegate permission to install the Read-only Domain Controller (RODC). We have created a group named Kandy Admins to delegate permission over servers at the Kandy site. Click Next to continue.


    14. The next page provides a summary of the settings you configured. Review all settings and click Export settings to create an Answer File with the settings configured in the previous steps.



      Click OK for the informational message and click Next to continue.



      Sample answer file:


      You can alter the settings as necessary and use this file to pre-create another Read-only Domain Controller account in unattended mode. (Click here to download the answer files used in the Scenario 1 articles)
    15. Click Finish on the Completing the Active Directory Domain Services Installation wizard page.


    16. The newly created Domain Controller account now shows as Unoccupied DC Account (Read-only, GC) in the Active Directory Users and Computers console.

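      The pre-creation just walked through can also be driven from an answer file. The following PowerShell script is an added example, not the article's own answer file or a file exported by the wizard: it writes a stage-1 answer file with the keys dcpromo uses for pre-creating an RODC account and runs dcpromo against it from an existing writable DC. EX-DC4, the Kandy site and the Kandy Admins group come from the article; the domain FQDN corp.example.com, the NetBIOS name CORP and the temporary file path are placeholders, since the article never states the domain name.

```powershell
# Added example (not from the original article). Run on an existing writable DC
# as a member of Enterprise Admins / Domain Admins, the same role the wizard needs.
# Placeholders: the domain FQDN and NetBIOS name are assumptions, not values from the article.
$domainFqdn    = 'corp.example.com'            # placeholder
$domainNetbios = 'CORP'                        # placeholder
$rodcName      = 'EX-DC4'                      # from the article
$siteName      = 'Kandy'                       # from the article
$delegated     = "$domainNetbios\Kandy Admins" # delegated installers, from the article
$answerFile    = Join-Path $env:TEMP 'rodc-precreate.txt'

# Same [DCInstall] keys the wizard's "Export settings" button writes for stage 1.
# A principal per line is how the answer file lists several PasswordReplicationDenied entries.
# The denied entries mirror the default policy so privileged credentials never get cached on the RODC.
$answer = @"
[DCInstall]
; Read-Only Replica DC promotion (stage 1: pre-create the account)
CreateDCAccount=Yes
DCAccountName=$rodcName
ReplicaDomainDNSName=$domainFqdn
SiteName=$siteName
InstallDNS=Yes
ConfirmGc=Yes
DelegatedAdmin="$delegated"
PasswordReplicationAllowed="$domainNetbios\Allowed RODC Password Replication Group"
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="$domainNetbios\Denied RODC Password Replication Group"
"@

Set-Content -Path $answerFile -Value $answer -Encoding ASCII
& dcpromo.exe /unattend:$answerFile

# Confirm the account exists and belongs to the Read-only Domain Controllers group
# (this is the "Unoccupied DC Account (Read-only, GC)" entry seen in the console).
Import-Module ActiveDirectory
Get-ADComputer -Identity $rodcName -Properties PrimaryGroup |
    Select-Object Name, DistinguishedName, PrimaryGroup
```

Keeping the denied list explicit in the file, rather than relying on whoever edits the exported copy later, is the point of writing it out: the policy is part of the account definition and can be reviewed before the remote site ever touches the server.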
       

Stage 2: From the server which will become the Read-Only Domain Controller (RODC)

    1. Log in to the server using a local administrator account and verify connectivity to the available Domain Controllers. Verify the computer name and change it if required. Note that the computer name must match the name you pre-created in the earlier steps. Here we use the computer name EX-DC4.


    2. Verify the network configuration. We have configured 192.168.2.1 (an IP address from the Kandy branch subnet) as the IP address of the server and set the previously installed Domain Controllers' IP addresses, i.e. 192.168.1.1 and 192.168.1.2, as the Preferred and Alternate DNS Servers.


    3. Open a command prompt. Type dcpromo /UseExistingAccount:Attach and press Enter.



      The Active Directory Installation wizard checks whether the required Active Directory Domain Services (AD DS) binaries are installed on the system. As the AD DS binaries were not installed previously, the wizard installs the necessary binaries.


    4. Select Use advanced mode installation and click Next on the Welcome to the Active Directory Domain Services Installation wizard page.


    5. Type the name of the domain in which you are going to install this RODC and set the credentials, as we are logged in to the server as a local administrator. We have created a user account named kndadmin and added it to the Kandy Admins group. Click Next to continue.


    6. The wizard checks the forest configuration.




    7. Select the RODC Account you have pre-created and click Next.


    8. The wizard checks the forest configuration again.


    9. If you selected Use advanced mode installation on the first page of the wizard, the Install from Media page is displayed. As we do not use IFM in this scenario, select Replicate data over the network from an existing domain controller and click Next.


    10. The wizard checks the availability of the existing domain controllers.


    11. If you selected Use advanced mode installation on the first page of the wizard, you can select a specific Domain Controller to replicate data from. Select a Domain Controller from the list and click Next.


    12. Select Database, Log files and SYSVOL folder locations and click Next.



      It is recommended to store the database and log files on separate volumes for better performance and recoverability.
    13. Set the Active Directory Restore Mode password. Click Next to continue.



      You need this password to log in to Directory Services Restore Mode in case you need to perform advanced Active Directory recovery. Keep this password in a safe place. You can reset it later using the NTDSUTIL command line tool if required.
    14. The next page provides a summary of the settings you configured. Review all settings and click Export settings to create an Answer File with the settings configured in the previous steps.



      Click OK for the informational message and click Next to continue.



      Sample answer file:


      You can alter the settings as necessary and use this file to install another pre-created Read-Only Domain Controller in unattended mode. (Click here to download the answer files used in the Scenario 1 articles)
    15. Completing the installation may take some time, depending on the hardware configuration of your system.


    16. Click Finish on the Completing the Active Directory Domain Services Installation wizard page. If you selected the Reboot on completion check box in the previous message box, the server restarts automatically at the end of the process without displaying this page or the message box below.



      Click Restart Now to complete the installation.
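      Stage 2 can likewise be run unattended from the future RODC itself. The script below is an added example, not the article's exported answer file: it builds a stage-2 answer file that attaches the server to the pre-created account using the delegated kndadmin account, reads the Directory Services Restore Mode password interactively instead of hard-coding it, deletes the answer file after dcpromo has consumed it, and only then restarts. EX-DC4 and kndadmin come from the article; the domain FQDN corp.example.com and the D:\ and E:\ volume paths are placeholders chosen to follow the article's advice of keeping the database and logs off the system drive.

```powershell
# Added example (not from the original article). Run on the server that will become
# the RODC, logged in as a local administrator, before it is joined to the domain.
# Placeholders: domain FQDN and the D:\ / E:\ paths are assumptions, not values from the article.
$domainFqdn    = 'corp.example.com'   # placeholder
$delegatedUser = 'kndadmin'           # delegated installer, from the article
$answerFile    = Join-Path $env:TEMP 'rodc-attach.txt'

# dcpromo needs the DSRM password in the file, so it is read at the console rather
# than stored in the script. Password=* makes dcpromo prompt for kndadmin's password.
$secure = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $dsrm = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$answer = @"
[DCInstall]
; Read-Only Replica DC promotion (stage 2: attach to the pre-created account)
UseExistingAccount=Attach
ReplicaDomainDNSName=$domainFqdn
UserDomain=$domainFqdn
UserName=$delegatedUser
Password=*
DatabasePath="D:\NTDS"
LogPath="E:\NTDS\Logs"
SYSVOLPath="D:\SYSVOL"
SafeModeAdminPassword="$dsrm"
RebootOnCompletion=No
"@

try {
    Set-Content -Path $answerFile -Value $answer -Encoding ASCII
    & dcpromo.exe /unattend:$answerFile
}
finally {
    # Remove the file regardless of outcome so the DSRM password does not linger on disk.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}

# Restart only after cleanup, the equivalent of the wizard's Restart Now button.
Restart-Computer -Force
```

RebootOnCompletion is deliberately set to No so the cleanup in the finally block runs before the server goes down; dcpromo would otherwise restart the machine on its own.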



Post Installation Tasks

    1. Log in to the server using the delegated user account.


    2. Verify the full computer name and domain using Server Manager or System Properties.


    3. Check and verify that the Preferred DNS Server IP address is now configured as localhost. The DNS servers you configured earlier should be listed as Alternate DNS Servers.


    4. Open the Active Directory Users and Computers console. Select the Domain Controllers Organizational Unit. The status of the RODC has changed from Unoccupied DC Account (Read-only, GC).


    5. Right-click the Users container and check available menu items.


    6. Log off and log in again as a domain administrator.


    7. Open the Active Directory Users and Computers console. Right-click the Users container and compare available menu items for the delegated user account and Domain Admins.


    8. Open the Active Directory Sites and Services console. Verify that the server is listed under Kandy site.
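    The console checks above have command-line equivalents that are easier to repeat and to keep as a record. The script below is an added example, not part of the original article: from a writable DC or a workstation with the RSAT ActiveDirectory module, it confirms that EX-DC4 is read-only and in the Kandy site, lists the allowed and denied sides of its password replication policy, warns if any of the groups dcpromo denies by default has been removed, and shows which accounts have actually been cached on the RODC so far. EX-DC4 and Kandy come from the article; the domain is the one the current user belongs to, since the article never names it.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module
# (RSAT, or run it on a writable Windows Server 2008 R2 DC). Read-only queries throughout.
Import-Module ActiveDirectory

$rodcName = 'EX-DC4'   # from the article
$siteName = 'Kandy'    # from the article

# 1. The DC object: read-only, GC as requested in the wizard, and placed in the expected site.
$dc = Get-ADDomainController -Identity $rodcName
$dc | Select-Object HostName, IsReadOnly, IsGlobalCatalog, Site | Format-List
if (-not $dc.IsReadOnly) { throw "$rodcName is not a read-only domain controller" }
if ($dc.Site -ne $siteName) { Write-Warning "$rodcName is in site '$($dc.Site)', expected $siteName" }

# 2. Password Replication Policy: whose credentials this RODC may and may not cache.
Write-Host "`nAllowed list for ${rodcName}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed |
    Select-Object -ExpandProperty Name

Write-Host "`nDenied list for ${rodcName}:"
$denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Denied
$denied | Select-Object -ExpandProperty Name

# Groups the wizard puts on the denied list by default. If one is missing, the policy has been
# relaxed and a compromised RODC could end up caching privileged credentials.
$mustBeDenied = 'Denied RODC Password Replication Group', 'Administrators',
                'Server Operators', 'Backup Operators', 'Account Operators'
foreach ($g in $mustBeDenied) {
    if ($denied.Name -notcontains $g) { Write-Warning "'$g' is NOT on the denied list of $rodcName" }
}

# 3. Accounts whose credentials have actually been revealed (cached) on the RODC.
#    Any privileged account appearing here needs a password reset and a review of the policy.
Write-Host "`nAccounts currently cached on ${rodcName}:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName

# 4. The same cached-credential view from repadmin, for comparison with the console.
repadmin /prp view $rodcName reveal
```

Run it right after the installation to capture a baseline, and again periodically: the revealed-accounts list is the one that grows over time as branch users log on, and it is what you would consult first if the RODC were ever lost or stolen.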


    This concludes the article Installing a Read-Only Domain Controller (Pre-create RODC Account). It is recommended to verify the installation using the steps described in the Verifying a Domain Controller Installation article.
