Module 11: Read-Only Domain Controllers. Overview Describe the Read-Only Domain Controllers role Use Read-Only Domain Controllers.

1 Module 11: Read-Only Domain Controllers

2 Overview
Describe the Read-Only Domain Controllers role
Use Read-Only Domain Controllers

3 Lesson 1: Read-Only Domain Controller
Describe the role of Read-Only Domain Controllers
Describe Windows Server 2008 domain upgrade requirements and prerequisites
List the prerequisites for RODC deployment
Describe scenarios in which RODC usage is recommended
Describe Read-Only Domain Controller Replication

4 Read-Only Domain Controller Branch Office Guide Recommendations

5 Windows Server 2008 Domain Upgrade Requirements and Prerequisites
In-place upgrade from Windows 2000 Server is not supported
In-place upgrade from a Windows Server 2003 domain controller to a Windows Server 2008 RODC or Windows Server 2008 Server Core is not supported
Prepare your Active Directory environment with Windows Server 2008 updates
Extend the domain schema

6 RODC Deployment Prerequisites
1. Works in existing environments
2. Windows Server® 2003 Forest Functional Mode; one Windows Server® 2008 DC
3. No patching to down-level DCs or clients is needed
4. Multiple Windows Server 2008 DCs per Domain; one RODC per Domain per Site

7 Read-Only Active Directory Database

8 Read-Only Domain Controller Replication
Replication is unidirectional: the RODC cannot perform outbound replication
Domain partition replication must be sourced from Windows Server 2008
Requires a writeable Windows Server 2008 domain controller in the nearest site in the topology

9 Placing RODCs with site link bridging
A writable Windows Server 2008 DC can be placed in Site A rather than Site B
Physical connectivity between Site A and Site C is available implicitly
If WAN links are available for a time that is sufficient to complete replication, the RODC in Site C can replicate from the writable domain controller running Windows Server 2008 in Site A

10 Placing RODCs without site link bridging
The Bridge all site links option is disabled
A writable DC running Windows Server 2008 for the same domain should be placed in Site B to replicate the domain partition to the RODC
Otherwise, the RODC in Site C can replicate the schema, configuration, and application directory partitions, but not the domain partition

11 RODCs in Spoke Sites
In this scenario, do any of the following to accommodate the need for direct replication between the RODC and a writable DC:
Add an additional site link between Site A and Site C and between Site A and Site D
Create a site link bridge that includes site link A-B, site link B-C, and site link B-D
Add a writable Windows Server 2008 DC in the intermediary site (Site B)

12 Lesson 2: Read-Only Domain Controller Operation
Describe how credential caching is controlled on an RODC
Describe how to configure Administrator Role Separation
Configure read-only DNS servers
Describe how to recover from a compromised RODC

13 Credential Caching
Credential caching is storing user passwords on the RODC
Must be explicitly allowed
Configured via the Password Replication Policy on the RODC's writeable replication partner

14 Administrator Role Separation
Problem: too many domain administrators
Solution: provides a new "local administrator" level of access per RODC
Prevents accidental Active Directory modifications by computer administrators
Does not prevent the "local administrator" from maliciously modifying the local database
This is a true security feature for Read-Only Domain Controllers

15 Read-Only Domain Name System
Does not support client updates directly
Refers clients to a writeable authoritative DNS server
Replicates updated records from the writeable DNS server

16 Recovering from RODC Compromise
Delete the RODC from the domain
Change the passwords of accounts that are cached on the compromised RODC
Manually remove the server object for the deleted RODC
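Slides 13 and 16 describe credential caching controlled by the Password Replication Policy and resetting the cached accounts after a compromise. As an added example that is not part of the presentation, this PowerShell (ActiveDirectory module) reviews and sets the PRP and resets every user account revealed to an RODC; the RODC name BRANCH-RODC01 and the group name Branch01-Users are assumptions.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module and a
# hypothetical RODC named BRANCH-RODC01 with a branch group named Branch01-Users.
Import-Module ActiveDirectory

$Rodc = 'BRANCH-RODC01'   # hypothetical RODC computer name

# 1. Caching is allowed only for principals the PRP explicitly permits:
#    review the current Allowed and Denied lists on the writeable partner.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Permit caching for the branch users group only (hypothetical group).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch01-Users'

# 3. Compromise response: list accounts whose secrets were actually revealed to
#    (cached on) this RODC and reset each user account to a new random password.
function Reset-RevealedAccounts {
    param([string]$RodcName, [switch]$DryRun)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $RodcName -RevealedAccounts
    foreach ($acct in $revealed) {
        # Skip the RODC's own computer account and its per-RODC krbtgt account
        # (handled by deleting the RODC) and branch computer accounts, whose
        # machine passwords must be reset on the machines themselves.
        if ($acct.ObjectClass -ne 'user' -or $acct.SamAccountName -like 'krbtgt_*') { continue }
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        if ($DryRun) { "Would reset $($acct.SamAccountName)"; continue }
        Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPwd
        # The random value is never shown to anyone; the user picks a new one at next logon.
        Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
        "Reset $($acct.SamAccountName)"
    }
}

# Review the affected accounts first, then run without -DryRun to reset them.
Reset-RevealedAccounts -RodcName $Rodc -DryRun
```

Run the reset before deleting the RODC computer object so the revealed-accounts list is still available; the ADUC deletion dialog offers an equivalent bulk reset.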
