




Read Only Domain Controllers and Password Replication Policy


Introduction:

Active Directory (hosted on domain controller (DC) servers) is required to authenticate a user logging on to a domain. AD issues service tickets to users, allowing them to connect to and use services such as file and print services. A user therefore requires access to a DC (which hosts Active Directory) on the domain LAN.

Login Process

The more DCs there are in a domain, the greater the AD replication traffic back and forth between them, since each DC replicates changes with its replication partners.
AD Replication

There is a balance to be struck between having enough DCs, positioned appropriately, to quickly authenticate user logons and issue service tickets, and keeping AD replication to a minimum to avoid consuming the available bandwidth. The latter is of particular importance for users/systems connecting to a DC over a slow link (a WAN link), where excessive AD replication traffic can readily congest the link, as shown in the image below.

AD Replication

Read Only Domain Controller (RODC):

To help with the issue of user logons and AD replication in branch office scenarios with relatively few users and limited bandwidth, Windows Server 2008 onwards has the option to create RODCs (Read Only Domain Controllers). A RODC (typically deployed in a branch office) is a DC holding a non-editable copy of AD data that maintains only a subset of AD information and caches usernames and credentials locally. While Windows Server 2008 and 2012 are the only operating systems on which this role can be installed, RODCs will function on networks that still contain Windows Server 2003 DCs.

As the RODC does not contain editable AD data, replication between it and the other DCs is one-way only, which reduces network traffic, while the cached user details allow users to be authenticated at the RODC itself. The following image shows the use of a RODC across a slow WAN link.

AD Replication with a RODC across a slow WAN link

User information is selectively cached on a RODC using a PRP (Password Replication Policy) setup on a writable DC. PRP determines which AD users can have their usernames and passwords cached locally on the RODC.

Installing a RODC:

A RODC installs like a writable DC using DCPromo. The only requirement is to have a writable Windows Server 2008/2008 R2/2012 DC already running. If there is none, the Active Directory Domain Services role will need to be installed first. If the domain has any Windows 2003 DCs, you will need to first prepare the forest/domain schema using ADPrep /RoDCPrep (as shown below), and then complete the previously mentioned step if necessary.

Installing a RODC

This ensures the RODC can receive replicated AD data from the writable DCs, including DNS data (if it is selected as a DNS server as well) from any DNS application partitions within the AD database. Next, run DCPromo from the command line.

Installing a RODC

The DCPromo wizard starts.

DCPromo Wizard

We need to add a DC to the existing domain for RODCs.

DCPromo Wizard

Specify the domain the new DC is in.

DCPromo Wizard

Specify the site for the new DC.

DCPromo Wizard

Check the "Read-only Domain Controller (RODC)" checkbox, and also the checkboxes for DNS Server and GC Server if appropriate for your situation.

DCPromo Wizard

Next, give a user or group administrative permissions to this server (Administrators only).

DCPromo Wizard

Specify suitable locations for the AD database, log files, and the public SYSVOL volume. The default locations are shown in the next image.

DCPromo Wizard

Enter an administrator password for accessing the server in Directory Services Restore Mode.

DCPromo Wizard

Next is a summary of the settings that you selected. Double-check them to avoid having to undo and redo these steps.

DCPromo Wizard

Next, AD data will begin replicating from a writable DC to the new RODC.

DCPromo Wizard

After replication, the installation is complete. If we launch Active Directory Users and Computers, the new RODC should appear there. In this example, Server3 is there and shows as an RODC.

DCPromo Wizard
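The wizard steps above can also be driven from PowerShell on Windows Server 2012. The following is an added example, not part of the original guide, using the ADDSDeployment and ActiveDirectory modules; the domain name, site name, delegated admin group and paths are assumptions for illustration and should be replaced with your own values.

```powershell
# Added example (not from the original study guide): the DCPromo wizard
# steps above expressed with the ADDSDeployment module (Windows Server 2012).
# The domain, site, delegated admin group and paths below are assumptions.

Import-Module ADDSDeployment

$domain     = 'corp.example.com'          # assumed domain the RODC joins
$site       = 'BranchOffice'              # assumed AD site for the new RODC
$rodcAdmins = 'CORP\BranchServerAdmins'   # assumed group delegated admin rights on the RODC

# Account permitted to add a DC to the domain (prompted, never hard-coded).
$cred = Get-Credential -Message 'Account used to promote the RODC'

# Directory Services Restore Mode password, as asked for by the wizard.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM administrator password'

# Prerequisite check first: equivalent of the wizard validating the
# domain, site and credentials before it starts replicating.
Test-ADDSDomainControllerInstallation `
    -DomainName $domain `
    -Credential $cred `
    -ReadOnlyReplica `
    -SiteName $site `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm

# Promotion. -ReadOnlyReplica is the "Read-only Domain Controller (RODC)"
# checkbox; -InstallDns is the DNS Server checkbox (GC is on by default).
# -DelegatedAdministratorAccountName replaces the "administrative
# permissions" page. The default database/log/SYSVOL locations are spelled
# out so that they appear explicitly in change records.
Install-ADDSDomainController `
    -DomainName $domain `
    -Credential $cred `
    -ReadOnlyReplica `
    -SiteName $site `
    -InstallDns `
    -DelegatedAdministratorAccountName $rodcAdmins `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# After the reboot, confirm from any DC that the new server is listed as
# read-only (the same information Active Directory Users and Computers
# shows for Server3 above).
Import-Module ActiveDirectory
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IsReadOnly, IsGlobalCatalog
```

Run the prerequisite check on its own first; it reports problems such as a missing ADPrep /RoDCPrep run in a domain that still has Windows 2003 DCs, before any change is made to the forest.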

Password Replication Policy (PRP):

PRP (Password Replication Policy) determines which users' credentials can be cached on a RODC Server. If set to Allow, a user's authentication and service tickets can be processed by the RODC Server itself. If set to Deny, the RODC Server forwards the user's authentication and service ticket requests to a writable DC.

Configure PRP for the RODC on a writable DC via AD Users and Computers. Select the "Password Replication Policy" tab in the RODC Server Properties. Keep in mind that because the RODC is not writable, account creation and modification must occur on a server that is.

Note that the following steps could have been achieved during the installation of the RODC above if we had selected "Use advanced mode installation" in the first step of the wizard. The following steps are for configuring PRP after the fact.

Password Replication Policy

Use the built-in Groups, or specify your own users or groups, and Add them in to give them Allow or Deny permissions to cache passwords on the RODC.

Password Replication Policy

The user below has been added and allowed to have their password cached on the RODC. If that RODC is the nearest DC to the location they log on from, this will improve logon times for them.

Password Replication Policy

Select the "Advanced" button to allow users to have their passwords cached in advance (pre-populated) on the RODC, even before the first time they attempt to log on to the domain via the RODC.

Password Replication Policy

The user was successfully added with a pre-populated password on the RODC.

Password Replication Policy
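The same PRP configuration, pre-population and a check of which secrets the RODC actually holds can be done from PowerShell with the ActiveDirectory module. This is an added example, not from the original guide; Server3 is the RODC named in the walkthrough above, while the writable DC, user and group names are assumptions for illustration.

```powershell
# Added example (not from the original study guide): the PRP tab steps above
# done with the ActiveDirectory module (Windows Server 2008 R2 / 2012), plus
# an audit of the secrets held on the RODC. Server3 is the RODC from the
# walkthrough; the other names are assumptions.

Import-Module ActiveDirectory

$rodc       = 'Server3'                      # RODC shown in AD Users and Computers above
$writableDc = 'Server1'                      # assumed writable DC the RODC replicates from
$branchUser = 'jsmith'                       # assumed branch-office user to allow and pre-populate
$allowGroup = 'BranchOffice-RODC-Allowed'    # assumed group of users who log on via this RODC
$denyGroup  = 'ServiceAccounts'              # assumed group that must never be cached at the branch

# "Allow": members of the branch group may have their passwords cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allowGroup

# "Deny": the built-in "Denied RODC Password Replication Group" is denied by
# default; sensitive groups of your own are added explicitly. Deny wins over
# Allow when an account is in both lists.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $denyGroup

# Show the resulting Allow and Deny lists (the two halves of the PRP tab).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, SamAccountName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, SamAccountName

# Equivalent of the "Advanced" button: pre-populate the user's password on
# the RODC before their first branch logon. This only succeeds if the PRP
# result for the account is Allow.
Get-ADUser -Identity $branchUser |
    Sync-ADObject -Source $writableDc -Destination $rodc -PasswordOnly

# Audit: accounts whose secrets are now stored on the RODC (revealed) and
# accounts that have authenticated through it. Review the revealed list
# regularly; any privileged account appearing here belongs in the Deny list.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, SamAccountName, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, SamAccountName
```

Run these against a writable DC, as with the GUI steps: the PRP lists are attributes of the RODC's computer object and cannot be edited on the RODC itself. The revealed-accounts list is the set of credentials that would be exposed if the branch server were compromised, which is why it, rather than the Allow list, is the thing to review.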