Read Only Domain Controllers


  • 8/3/2019 Read Only Domain Controllers


    A new feature in Windows Server 2008 is a new type of domain controller, the Read-Only Domain
    Controller (RODC). An RODC makes it possible for organizations to deploy a domain controller
    in scenarios where physical security cannot be guaranteed, such as branch office locations, or
    where local storage of all domain passwords is considered a primary threat. An RODC holds a
    copy of the Active Directory (AD) database, but the replica on the RODC is read-only and write
    operations are not supported. It is also important to know that RODCs do not participate in
    Active Directory replication in the same way as writable domain controllers.

    The difference between RODC replication and the multimaster replication model between
    writable domain controllers is that RODC replication is unidirectional: changes made on a
    writable domain controller are propagated to the RODC, but the RODC performs no outbound
    replication to other domain controllers. This provides an extra layer of security, because any
    unauthorized change made locally on a compromised RODC cannot replicate out to the rest of
    the domain. Another RODC feature that improves security concerns what is replicated from a
    writable domain controller to the RODC: user account information is replicated, but account
    passwords (the password hashes and other secrets) are not, unless the Password Replication
    Policy explicitly allows them to be cached (see Credential Caching below).

    Administrator Role Separation

    You can delegate local administrative permissions for an RODC to any domain user without
    granting that user any rights in the domain or on other domain controllers. This permits a local
    branch user to log on to the RODC and perform maintenance work on the server (for example,
    installing drivers or patches). However, the branch user cannot log on to any other domain
    controller or perform any other administrative task in the domain, so delegating this role does
    not compromise the security of the rest of the domain.
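    The delegation described above, done from PowerShell and then verified, as an added example
    that is not part of the original page. It assumes an RODC named RODC01, a delegate account
    CONTOSO\branch.admin, and the RSAT ActiveDirectory module; all three names are placeholders.

```powershell
# Added example (not from the original page): delegate local administration of an
# RODC with Administrator Role Separation, then verify nothing leaked domain-wide.
# Assumptions: RODC01, CONTOSO\branch.admin, RSAT ActiveDirectory module present.
Import-Module ActiveDirectory

$Rodc     = 'RODC01'
$Delegate = Get-ADUser -Identity 'branch.admin'

# Method 1 (from any machine with RSAT): set ManagedBy on the RODC computer object.
# The RODC maps this principal to its local Administrators role; the account gets
# nothing in the domain.
Set-ADComputer -Identity $Rodc -ManagedBy $Delegate.DistinguishedName

# Method 2 (typed on the RODC itself): the dsmgmt "local roles" context does the same
# from the server side and also lets you inspect the current role holders.
#   dsmgmt
#   dsmgmt: local roles
#   local roles: add CONTOSO\branch.admin administrators
#   local roles: show role administrators
#   local roles: quit

# Check 1: the delegate is recorded as the RODC's manager.
(Get-ADComputer -Identity $Rodc -Properties ManagedBy).ManagedBy

# Check 2: the delegate holds no privileged domain group membership (direct memberships).
# Role separation is only meaningful if this stays empty; a hit means domain rights leaked.
$Privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
              'Account Operators','Server Operators','Backup Operators','Print Operators'
$Leaks = Get-ADPrincipalGroupMembership -Identity $Delegate |
         Where-Object { $Privileged -contains $_.Name }
if ($Leaks) { Write-Warning "Delegate is in privileged domain groups: $($Leaks.Name -join ', ')" }
else        { "OK: $($Delegate.SamAccountName) has RODC-local administrator rights only." }
```

    Either method grants the same thing; ManagedBy is easier to audit centrally because it is a
    plain attribute on the RODC's computer object.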

    Read-Only AD DS Database

    Except for account passwords, an RODC holds most of the Active Directory objects and
    attributes that a writable domain controller holds (attributes placed in the RODC filtered
    attribute set, intended for application secrets, are also withheld). However, changes cannot be
    made to the database that is stored on the RODC: an LDAP write sent to an RODC is answered
    with a referral to a writable domain controller. Changes must be made on a writable domain
    controller and then replicated to the RODC.

    Read-Only DNS

    You can install the DNS Server service on an RODC. An RODC is able to replicate all
    application directory partitions that DNS uses (DomainDnsZones and ForestDnsZones). If the
    DNS server is installed on an RODC, clients can query it for name resolution as they query any
    other DNS server. However, the DNS server on an RODC does not accept dynamic updates from
    clients directly; a client that attempts an update is referred to a writable DNS server.
    Consequently, the RODC does not register name server (NS) resource records for any Active
    Directory-integrated zone that it hosts, so nothing directs clients to it as an update target.
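    A quick check for the behaviour just described, added here as an example and not part of the
    original page: list the zone's NS records and confirm no RODC appears among them. It assumes
    the DnsClient module (Resolve-DnsName, Windows 8 / Windows Server 2012 and later) and the RSAT
    ActiveDirectory module; the zone name is taken from the current domain.

```powershell
# Added example (not from the original page): confirm that no RODC is published as a
# name server for the domain zone. Assumes Resolve-DnsName and RSAT's AD module.
Import-Module ActiveDirectory

$Zone  = (Get-ADDomain).DNSRoot
$Rodcs = @(Get-ADDomainController -Filter { IsReadOnly -eq $true }).HostName
$Ns    = @(Resolve-DnsName -Name $Zone -Type NS -DnsOnly |
           Where-Object { $_.Type -eq 'NS' }).NameHost

"Read-only DCs : $($Rodcs -join ', ')"
"NS records    : $($Ns -join ', ')"

# An RODC among the NS records means someone added it by hand; remove it, because the
# RODC cannot accept the dynamic updates a client may send to a listed name server.
$Bad = $Ns | Where-Object { $Rodcs -contains $_.TrimEnd('.') }
if ($Bad) { Write-Warning "RODC listed as NS for $($Zone): $($Bad -join ', ')" }
else      { "OK: no RODC is an NS for $Zone" }
```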

    Credential Caching


    Credential caching is the storage of user or computer credentials, including the password
    secrets, on the RODC. You control it with the Password Replication Policy (PRP) of that
    specific RODC: an Allowed list of accounts whose passwords may be cached and a Denied list
    of accounts whose passwords must never be cached. By default the Denied list contains the
    built-in administrative groups and the Allowed list is effectively empty (it contains only the
    empty Allowed RODC Password Replication Group). If you want the RODC to cache the
    credentials of all users who routinely log on at the branch office, add those user accounts (or a
    group containing them) to the Allowed list. Those users can then log on through the RODC
    even when the wide area network (WAN) connection to a writable domain controller is down.
    You can also add the branch office computer accounts, so that those computers can
    authenticate to the RODC when the WAN link is down. In both cases, the WAN connection to a
    writable domain controller must be available during the first logon, because the password is
    fetched from a writable domain controller and cached only after a successful authentication.
    The trade-off is that every cached password is exposed if the RODC is stolen: keep the Allowed
    list to the accounts that really need offline logon, never allow privileged accounts, and if an
    RODC is lost, reset the passwords of every account it had cached.
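    The policy described above, configured, audited and handled for the stolen-RODC case, as an
    added example that is not part of the original page. It assumes an RODC named RODC01, groups
    Branch-Users and Branch-Computers, and the RSAT ActiveDirectory module; the names are
    placeholders.

```powershell
# Added example (not from the original page): configure and audit the Password
# Replication Policy of an RODC, and respond to the "RODC stolen" case.
# Assumptions: RODC01, groups Branch-Users / Branch-Computers, RSAT AD module.
Import-Module ActiveDirectory
$Rodc = 'RODC01'

# 1. Allow caching for the branch accounts only. Groups, not individual users, keep the
#    Allowed list reviewable.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch-Users','Branch-Computers'

# 2. Never cache privileged secrets, even if an admin logs on at the branch.
#    Denied always wins over Allowed.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -DeniedList 'Domain Admins','Enterprise Admins','Schema Admins'

# 3. Review the effective policy.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# 4. Audit: which secrets are on the RODC right now ("revealed"), and which accounts have
#    authenticated through it (candidates for the Allowed list, or for the Denied list).
$Revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$AuthOnly = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
"Cached secrets on $($Rodc): $($Revealed.Count); accounts authenticated via it: $($AuthOnly.Count)"

# A revealed privileged account should be impossible with the Denied list above, so a hit
# indicates a policy or replication problem worth investigating.
$Privileged = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive).DistinguishedName
$Revealed | Where-Object { $Privileged -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged secret cached on $($Rodc): $($_.SamAccountName)" }

# 5. Incident response: if the RODC is stolen, every revealed password is compromised.
#    Reset the revealed user accounts to random values and force a change at next logon.
#    Computer accounts re-key from the computer (Reset-ComputerMachinePassword) or by rejoin.
#    Uncomment to run; this locks every affected user out until they reset.
# Add-Type -AssemblyName System.Web
# $Revealed | Where-Object { $_.ObjectClass -eq 'user' } | ForEach-Object {
#     $NewPw = ConvertTo-SecureString ([System.Web.Security.Membership]::GeneratePassword(16, 4)) -AsPlainText -Force
#     Set-ADAccountPassword -Identity $_ -Reset -NewPassword $NewPw
#     Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
# }

# The same data from the command line, on a machine without the AD module:
#   repadmin /prp view RODC01 reveal
#   repadmin /prp view RODC01 auth2
```

    The "authenticated" list is the operational signal: accounts that authenticate through the RODC
    but are not allowed to cache still work while the WAN is up, and they are the ones that will
    fail when it is down, so review that list before deciding what to add.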

    Prerequisites When Deploying an RODC

    The following must be in place before installing an RODC:

    Active Directory running on Windows Server 2003 or Windows Server 2008 must already exist
    in the environment.

    The Active Directory schema must support the Windows Server 2008 extensions (adprep
    /forestprep), and adprep /rodcprep must have been run once in the forest so that the RODC can
    replicate the DNS application partitions.

    The forest and domain functional levels must be Windows Server 2003 or higher.

    At least one domain controller within the domain must be running Windows Server 2008.

    The PDC Emulator FSMO role must be held by a Windows Server 2008 domain controller.

    A regular, writable domain controller must already exist within the Active Directory
    infrastructure; the RODC cannot be the first domain controller in the forest or domain.

    If the DNS service will be configured on a Server Core installation, a writable (non-read-only)
    DNS server must be present within the domain.
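    A pre-flight script for the list above, added as an example that is not part of the original
    page. It assumes the RSAT ActiveDirectory module and a caller who can read the forest
    configuration. Schema objectVersion 44 corresponds to Windows Server 2008 (47 to 2008 R2), so a
    lower value means adprep /forestprep has not run; the operating-system match is deliberately
    loose so the script also passes on newer domain controllers.

```powershell
# Added example (not from the original page): verify the RODC prerequisites before
# promotion. Assumes RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $schema   = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    $pdc      = Get-ADDomainController -Identity $domain.PDCEmulator
    $writable = @(Get-ADDomainController -Filter { IsReadOnly -eq $false })
    $modern   = '2008|201[0-9]|202[0-9]'   # Windows Server 2008 or later

    $forestMode = [int][Microsoft.ActiveDirectory.Management.ADForestMode]$forest.ForestMode
    $domainMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]$domain.DomainMode
    $min2003Forest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $min2003Domain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain

    $checks = [ordered]@{
        'Schema supports Windows Server 2008 extensions (objectVersion >= 44)' = ([int]$schema.objectVersion -ge 44)
        'Forest functional level is Windows Server 2003 or higher'             = ($forestMode -ge $min2003Forest)
        'Domain functional level is Windows Server 2003 or higher'             = ($domainMode -ge $min2003Domain)
        'At least one writable DC runs Windows Server 2008 or later'           = (@($writable | Where-Object { $_.OperatingSystem -match $modern }).Count -gt 0)
        'PDC Emulator runs Windows Server 2008 or later'                       = ($pdc.OperatingSystem -match $modern)
        'A writable DC already exists (an RODC cannot be the first DC)'        = ($writable.Count -gt 0)
    }
    foreach ($c in $checks.GetEnumerator()) {
        $tag = if ($c.Value) { 'PASS' } else { 'FAIL' }
        '{0} {1}' -f $tag, $c.Key
    }
    # Overall verdict: only promote when every check passed.
    return (-not ($checks.Values -contains $false))
}

Test-RodcPrerequisites
```

    Whether adprep /rodcprep has run is not exposed as a simple attribute; the practical check is
    that the RODC, once promoted, replicates DomainDnsZones and ForestDnsZones without errors.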

    Limitations with Windows Server 2008 RODCs

    There are situations in which RODCs cannot be used. This is the case with bridgehead servers
    and operations master role holders. Because an RODC can only perform inbound, unidirectional
    replication, it cannot be designated as a bridgehead server, since a bridgehead must support
    both inbound and outbound replication. An RODC also cannot be a Flexible Single Master
    Operations (FSMO) role holder, because each FSMO role needs to write information to the
    Active Directory database on the domain controller that holds it.

    There is a further limitation of out-of-the-box RODCs: they cannot authenticate a smart card
    logon. This is because the Enterprise Read-Only Domain Controllers (ERODC) group is not
    granted enrollment permissions on the domain controller certificate templates by default, so the
    RODC never obtains the certificate that smart card (Kerberos PKINIT) logon requires on the
    KDC side.

    Unlike the limitations discussed previously, there is a way to work around this so that an RODC
    can authenticate smart card logons. The following changes must be made to the certificate
    templates:

    The ERODC group must be granted Allow Enroll on the Domain Controller certificate template.

    The ERODC group must be granted Allow Enroll and Allow Autoenroll on the Domain
    Controller Authentication and Directory E-Mail Replication certificate templates.

    The Authenticated Users group must be granted Allow Read on the Domain Controller
    Authentication and Directory E-Mail Replication certificate templates.

    After changing the templates, the RODC must actually enroll (wait for autoenrollment or run
    certutil -pulse on the RODC) before smart card logons through it will succeed.
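    An audit of the three templates against the permissions listed above, added as an example that
    is not part of the original page. It is read-only (it reports what is missing; make the change in
    the Certificate Templates console) and assumes the RSAT ActiveDirectory module. The two GUIDs
    are the well-known extended rights for Certificate-Enrollment and Certificate-AutoEnrollment;
    the template common names are the default ones.

```powershell
# Added example (not from the original page): check the ACLs of the certificate
# templates an RODC needs for smart card logon. Read-only. Assumes RSAT's AD module.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs used on certificate template objects.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ReadProperty   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$ERodc = 'Enterprise Read-only Domain Controllers'
$TemplatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

# Template cn -> the Allow ACEs the text says must be present.
$Required = @{
    'DomainController'               = @( @{ Who = $ERodc; Right = 'Enroll' } )
    'DomainControllerAuthentication' = @( @{ Who = $ERodc; Right = 'Enroll' },
                                          @{ Who = $ERodc; Right = 'Autoenroll' },
                                          @{ Who = 'Authenticated Users'; Right = 'Read' } )
    'DirectoryEmailReplication'      = @( @{ Who = $ERodc; Right = 'Enroll' },
                                          @{ Who = $ERodc; Right = 'Autoenroll' },
                                          @{ Who = 'Authenticated Users'; Right = 'Read' } )
}

function Test-TemplateAllowAce {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl, [string]$Who, [string]$Right)
    $want = switch ($Right) { 'Enroll' { $EnrollGuid } 'Autoenroll' { $AutoEnrollGuid } default { $null } }
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # IdentityReference is "DOMAIN\name" or "NT AUTHORITY\name"; compare the name part.
        if (($ace.IdentityReference.Value -split '\\')[-1] -ne $Who) { continue }
        if ($want) {
            # Enroll / Autoenroll are extended rights scoped by ObjectType GUID.
            if ($ace.ObjectType -eq $want -and ([int]($ace.ActiveDirectoryRights -band $ExtendedRight)) -ne 0) { return $true }
        } elseif (([int]($ace.ActiveDirectoryRights -band $ReadProperty)) -ne 0) {
            return $true
        }
    }
    return $false
}

foreach ($tpl in $Required.Keys) {
    $obj = Get-ADObject -Identity "CN=$tpl,$TemplatesDn" -Properties nTSecurityDescriptor
    foreach ($req in $Required[$tpl]) {
        $ok = Test-TemplateAllowAce -Acl $obj.nTSecurityDescriptor -Who $req.Who -Right $req.Right
        '{0,-4} {1,-32} {2,-45} {3}' -f $(if ($ok) { 'OK' } else { 'MISS' }), $tpl, $req.Who, $req.Right
    }
}
```

    Every MISS line is one ACL change to make in certtmpl.msc; an all-OK result with smart card
    logon still failing points at enrollment itself (check the RODC's machine certificate store).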

    Active Directory Lightweight Directory Services

    AD LDS, known as Active Directory Application Mode (ADAM) when it was released for
    Windows Server 2003, is a Lightweight Directory Access Protocol (LDAP) directory service that
    can replace AD DS functionality in some scenarios or be deployed alongside AD DS. AD LDS
    provides much of the same directory service functionality as AD DS, but it does not require the
    deployment of domains or domain controllers; it runs as a service, and several instances can run
    on one server, each on its own ports. You can also configure AD LDS replication so that the
    same instance of AD LDS is distributed across multiple computers. AD LDS is designed to
    complement rather than replace AD DS: AD DS provides a network authentication and
    management directory, while AD LDS is designed to be used purely as a directory service for
    applications. AD LDS is designed to be deployed in the following scenarios:

    Enterprise directory store: AD LDS can store application data in a local directory service, either
    on the same computer as the application or on a different computer.

    Extranet authentication store: Many organizations have Web portal applications that front
    corporate business applications for users who are outside the organization. These portal
    applications need an authentication store that holds the identity and authorization information
    for those users. AD LDS can provide this store because it can host user objects that are not
    Windows security principals but that can be authenticated with LDAP simple binds (which
    should only be accepted over SSL/TLS, since a simple bind sends the password in clear).

    Directory consolidation solution: Enterprise organizations frequently have several directories
    deployed. User accounts may be located in multiple AD DS forests, domains, and OUs, or in
    several identity systems and other directories, such as human resource databases. AD LDS can
    integrate with a metadirectory, which means that identities created in AD LDS can be
    synchronized with the metadirectory, and AD LDS can also accept identity synchronization from
    the metadirectory.

    Development environment for AD DS and AD LDS: Because AD LDS uses the same
    programming model and provides virtually the same administration experience as AD DS,
    developers can use AD LDS when staging and testing AD DS-integrated applications.
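    The extranet authentication store scenario end to end, as an added example that is not part of
    the original page: an unattended AD LDS instance, a non-Windows-principal user, and a simple
    bind test that insists on LDAPS. It assumes a server LDS01, an instance named ExtranetApp on
    ports 50000/50001, an application partition CN=ExtranetApp,DC=example,DC=com, and a server
    certificate already installed for the instance so that LDAPS works; all of these are placeholders.

```powershell
# Added example (not from the original page): AD LDS as an extranet authentication
# store. Assumptions: LDS01, instance ExtranetApp, ports 50000 (LDAP) / 50001 (LDAPS),
# partition CN=ExtranetApp,DC=example,DC=com, LDAPS certificate already in place.

# 1. Unattended instance creation. The keys are those of adaminstall.exe's answer file.
@'
[ADAMInstall]
InstallType=Unique
InstanceName=ExtranetApp
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
NewApplicationPartitionToCreate="CN=ExtranetApp,DC=example,DC=com"
DataFilesPath=C:\ADLDS\ExtranetApp\data
LogFilesPath=C:\ADLDS\ExtranetApp\logs
ImportLDIFFiles="MS-User.LDF" "MS-InetOrgPerson.LDF"
'@ | Set-Content -Path C:\ADLDS\answer.txt -Encoding ASCII
# & "$env:SystemRoot\ADAM\adaminstall.exe" /answer:C:\ADLDS\answer.txt

# 2. Create a user that is not a Windows security principal. The AD cmdlets work against
#    AD LDS when -Server points at the instance. The object must be enabled and have a
#    password before a bind can succeed.
Import-Module ActiveDirectory
$Lds       = 'LDS01:50000'
$Partition = 'CN=ExtranetApp,DC=example,DC=com'
$Password  = Read-Host -AsSecureString 'Password for alice.partner'
New-ADUser -Server $Lds -Path $Partition -Name 'alice.partner' -Type 'user' `
    -AccountPassword $Password -Enabled $true

# 3. Simple-bind test. AD LDS refuses simple binds over plain LDAP by default
#    (RequireSecureSimpleBind=1) because the password travels in clear, so this
#    function only ever binds over SSL and fails closed otherwise.
function Test-LdsSimpleBind {
    param([string]$Server, [int]$Port, [string]$UserDn, [System.Security.SecureString]$Password)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = New-Object System.Net.NetworkCredential($UserDn, $Password)
    try     { $conn.Bind($cred); return $true }
    catch [System.DirectoryServices.Protocols.LdapException] { Write-Warning $_.Exception.Message; return $false }
    finally { $conn.Dispose() }
}

Test-LdsSimpleBind -Server 'LDS01' -Port 50001 -UserDn "CN=alice.partner,$Partition" -Password $Password
```

    A portal application would do exactly what Test-LdsSimpleBind does: bind with the user's DN
    and the password they typed, and treat success as authentication; the authorization data lives on
    the same object or in AD LDS groups.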

    Active Directory Federation Services

    AD FS, first released with Windows Server 2003 R2, is designed to enable secure access to
    Web-based applications within an organization and between organizations without creating
    external or forest trusts between those organizations. It can be used in both Windows and
    non-Windows environments, providing browser-based clients with one-prompt access to
    protected applications, even when the accounts and the applications are located on different
    networks.

    Without federation, when a user needs access to a secure Web site hosted outside her own
    organization, she has to provide secondary credentials, that is, a user name and password
    different from the ones she used to log on to her own computer. AD FS takes care of this by
    enabling organizations to establish trust relationships with the directory services running at
    other organizations. Known as single sign-on (SSO), this allows the systems at one organization
    to recognize the users of another organization without prompting them again for credentials:
    the user's own organization authenticates her and issues a signed security token carrying claims
    about her, which the resource organization trusts instead of holding her password itself.

    AD FS is composed of three different server components, as follows:

    Federation server: A federation server is the main AD FS component and holds the Federation
    Service role. These servers authenticate users against the account store, issue security tokens,
    and route authentication requests between connected directories.

    Federation server proxy: A federation server proxy acts as a reverse proxy for AD FS
    authentication requests. This type of server normally resides in the demilitarized zone (DMZ)
    of a firewall and is used to protect the back-end federation server from direct exposure to the
    untrusted Internet.

    AD FS Web Agents: The Web Agents component of AD FS hosts the claims-aware agent and
    the Windows token-based agent, which manage the authentication cookies sent to Web server
    applications. Each of these components can be installed individually in an AD FS structure, or
    they can all be installed on the same system.

    AD FS Deployment Requirements

    In order to deploy AD FS, you must ensure that the following requirements are met:

    TCP/IP connectivity: For AD FS to function, TCP/IP network connectivity must exist between
    the client and the computers that host the Federation Service, the Federation Service Proxy, and
    the AD FS Web Agents.

    DNS requirements: In order for AD FS to function, you must ensure that the client computers
    can resolve the names of all of the servers running AD FS components.

    Client Web browser requirements: Any Web browser with JScript enabled can work as an AD
    FS client. AD FS creates authentication cookies that must be stored on client computers to
    provide SSO functionality, so the client browser must be configured to accept cookies.
    Authentication cookies are always HTTPS-only (Secure) session cookies, so they are never sent
    over plain HTTP and are discarded when the browser closes.

    Account store requirements: AD FS requires at least one account store to be used for
    authenticating users and extracting security claims for those users. AD FS supports two types of
    account stores: AD DS and AD LDS.

    Web server requirements: IIS is a mandatory requirement for all AD FS server components.

    Public Key Infrastructure (PKI) requirements: In order to secure the communications between
    all of the AD FS components, AD FS requires that all Web sites that accept user authentication
    traffic or security tokens be configured with server authentication certificates. These certificates
    are used for account partner and resource partner authentication and for authentication between
    federation servers and federation server proxies, so you must obtain the required digital
    certificates from a certification authority (CA). You can use a trusted third-party CA or an
    internal Active Directory Certificate Services (AD CS) CA to issue them. A certificate that
    clients or partners do not trust breaks the whole sign-on flow, so verify the chain from every
    party's point of view before going live.

    New in AD FS in Windows Server 2008

    Improved installation: AD FS is included in Windows Server 2008 as a server role, and there
    are new server validation checks in the installation wizard.

    Improved application support: AD FS is more tightly integrated with Microsoft Office
    SharePoint Server 2007 and Active Directory Rights Management Services (AD RMS).

    A better administrative experience when you establish federated trusts: Improved trust
    policy import and export functionality helps to minimize partner-based configuration issues that
    are commonly associated with federated trust establishment.

    AD FS 2.0

    AD FS 2.0 is not part of the Windows Server 2008 media; it is a separate download for
    Windows Server 2008 and Windows Server 2008 R2.

    Active Directory Federation Services (AD FS) 2.0 provides support for claims-aware identity
    solutions that involve Windows Server and Active Directory technology. AD FS 2.0 supports the
    WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) 2.0 protocols.

    AD FS 2.0 has the following features:

    An enterprise claims provider for claims-based applications: AD FS 2.0 can provide a single
    sign-on (SSO) experience across multiple claims-aware applications, provide access to a
    claims-aware application to users in another organization, and reduce concern about
    developers of custom applications making processor-intensive authentication requests that
    unexpectedly burden an organization's directory services.

    A Federation Service for identity federation across domains: You can configure AD FS 2.0 in
    the Federation Service role so that Web browser and Web service applications can use federated
    Web SSO across domains. This helps reduce administrative overhead, reduces the security
    exposure that results from lost or stolen passwords (the resource organization never holds the
    user's password), and improves user productivity through SSO.

    Improved support for federation trusts: AD FS 2.0 has improved support for federation trusts
    that speeds up the process of establishing them. AD FS 2.0 uses industry-standard metadata
    formats when it establishes trusts between federation partners.

    An enhanced snap-in management console: The AD FS 2.0 snap-in is a single Microsoft
    Management Console (MMC) 3.0 snap-in. It provides a graphical user interface (GUI) for
    configuring the service and policy settings that are used most commonly with AD FS 2.0.


    Support for issuance and use of Information Cards: AD FS 2.0 supports the issuance and use of
    managed Information Cards in Web browser and Web services scenarios to provide a
    phishing-resistant extranet log-in mechanism. With this support, you can issue a managed card
    that a user can use to log on to a federation server for an application that is enabled for
    WS-Federation Passive. AD FS 2.0 can also assist in providing a Web site from which users can
    obtain a managed Information Card.


    Support for a Microsoft SQL Server based policy store: AD FS 2.0 makes it possible to move
    away from a file-based policy store to a database-centric policy store that can scale dynamically
    to a large number of objects.
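    The two AD FS 2.0 points a practitioner most often has to act on, the PKI requirement and
    metadata-based trust establishment, as an added example that is not part of the original page.
    It runs on an AD FS 2.0 federation server (the Microsoft.Adfs.PowerShell snap-in) and assumes a
    hypothetical relying party "Partner App" publishing its metadata at the URL shown, plus a
    hypothetical domain group whose SID ends in RID 1234; those are placeholders.

```powershell
# Added example (not from the original page): check AD FS 2.0 certificates and establish a
# relying-party trust from partner metadata with least-privilege claim rules.
# Assumptions: AD FS 2.0 server, hypothetical partner metadata URL and group RID below.
Add-PSSnapin Microsoft.Adfs.PowerShell

# 1. PKI requirement: service-communications, token-signing and token-decrypting
#    certificates must all be valid. Warn on anything expired or expiring within 30 days.
$Soon = (Get-Date).AddDays(30)
Get-ADFSCertificate | ForEach-Object {
    $c = $_.Certificate
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } elseif ($c.NotAfter -lt $Soon) { 'EXPIRING' } else { 'ok' }
    '{0,-9} {1,-22} {2:yyyy-MM-dd} {3}' -f $state, $_.CertificateType, $c.NotAfter, $c.Subject
}

# 2. Trust establishment from a standards metadata document, which replaces the manual
#    trust-policy import/export of AD FS 1.x. Monitoring keeps the partner's certificates
#    current automatically.
$RpName      = 'Partner App'
$MetadataUrl = 'https://app.partner.example/FederationMetadata/2007-06/FederationMetadata.xml'
if (-not (Get-ADFSRelyingPartyTrust -Name $RpName)) {
    Add-ADFSRelyingPartyTrust -Name $RpName -MetadataUrl $MetadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# 3. Claims: send only the attributes the partner needs, and gate issuance on a group
#    instead of "permit all users".
$Transform = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN and e-mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,mail;{0}", param = c.Value);
'@
$Authz = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of the partner-app group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^S-1-5-21-.*-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-ADFSRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $Transform -IssuanceAuthorizationRules $Authz

# 4. Verify the trust carries what we set.
Get-ADFSRelyingPartyTrust -Name $RpName |
    Select-Object Name, Enabled, MonitoringEnabled, AutoUpdateEnabled, Identifier
```

    The authorization rule is the part worth keeping strict: with no issuance authorization rule, or
    with the default "permit all" rule, every authenticated user in the forest can obtain a token for
    the partner application.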

    Unsupported features in AD FS 2.0

    The following AD FS 1.x features and scenarios are no longer supported in AD FS 2.0:

    AD LDS used as an account store

    The Windows NT token-based Web agent

    The AD FS 1.x claims-aware Web agent configured for Microsoft Office SharePoint Server 2007

    The Federated Web Single Sign-On (SSO) with Forest Trust scenario

    Network Drive for Users

    One of the most searched topics on our site is "how to map a drive". Unfortunately, until now,
    searches on this topic didn't return any result for our users. As a consequence, we decided to
    create this article, in which we show you how to create a drive mapping in Windows Vista.

    For those of you who don't know, a drive mapping is a letter assigned to a disk or drive. The
    most common drive mappings are A: for the floppy disk and C: for the primary hard disk. If you
    are on a network, a drive mapping can reference a remote drive or folder, to which you can
    assign a letter of your choice. For example, you can use the letter Z: to refer to drive C: of a
    network server, or to a specific shared folder to which you have access.


    As you will see for yourself, the procedure for creating a mapped drive in Windows Vista is
    very simple. Just follow these steps:

    First, click on the Computer shortcut on your desktop or in the Start Menu. In the toolbar you
    will find several buttons, including one called Map network drive.

    Click on it and the Map Network Drive window will open. First, you need to assign a drive
    letter for the connection, and then type the drive or the folder you want to connect to.

    The folder can be located on a remote server or computer you have access to, an FTP site, or a
    shared folder on your own computer.


    If you want to connect to a remote computer, just type "\\" followed by the computer name or
    the IP address, and then "\" followed by the location of the folder you want to connect to.

    If you want to create a drive mapping to a folder on your own computer, type "\\127.0.0.1\"
    (this stands for the local host) or "\\computer_name\" and then the path to that folder.

    Sometimes, when you create a drive mapping, you might need to use a special user name and
    password to connect to it. In this case, click on the Connect using a different user name link.
    Type the appropriate user name and password and click OK, and you will return to the previous
    window. Click Finish and the drive mapping will be created. Think twice before letting Windows
    remember those credentials on a shared or unmanaged machine: a saved mapping lets anyone
    who can unlock the session reach the share as you.

    If you open the Computer shortcut again, you will see that a new drive with the letter you
    assigned is listed, and you can access it at any time.
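    The same mapping done from PowerShell instead of the dialog, with alternate credentials and a
    check that the share really answered, as an added example that is not part of the original
    article. It assumes a server FILES01, a share Projects, the letter Z: and a user CONTOSO\alice;
    all are placeholders.

```powershell
# Added example (not from the original page): map a network drive with alternate
# credentials and verify it. Assumptions: \\FILES01\Projects, letter Z:, CONTOSO\alice.
function New-MappedDrive {
    param(
        [ValidatePattern('^[D-Z]$')][string]$Letter,
        [ValidatePattern('^\\\\[^\\]+\\[^\\]+')][string]$UncPath,   # \\server\share[\folder]
        [System.Management.Automation.PSCredential]$Credential
    )
    if (Get-PSDrive -Name $Letter -ErrorAction SilentlyContinue) {
        throw "Drive $Letter`: is already in use"
    }
    $params = @{ Name = $Letter; PSProvider = 'FileSystem'; Root = $UncPath; Persist = $true; Scope = 'Global' }
    if ($Credential) { $params.Credential = $Credential }
    New-PSDrive @params | Out-Null

    # Touch the root so a mapping that "succeeded" but cannot actually be read is torn down
    # immediately instead of surfacing as a confusing error later.
    if (-not (Test-Path -LiteralPath "$Letter`:\")) {
        Remove-PSDrive -Name $Letter -Force
        throw "Mapped $Letter`: but cannot read $UncPath"
    }
    Get-PSDrive -Name $Letter | Select-Object Name, Root, DisplayRoot
}

# Prompting for the credential keeps the password out of the command line and the
# PowerShell history; this is the "Connect using a different user name" link of the dialog.
$cred = Get-Credential -UserName 'CONTOSO\alice' -Message 'Credentials for \\FILES01\Projects'
New-MappedDrive -Letter 'Z' -UncPath '\\FILES01\Projects' -Credential $cred

# Classic equivalent, and a plain "net use" lists every current mapping:
#   net use Z: \\FILES01\Projects /user:CONTOSO\alice /persistent:yes
#   net use
```

    -Persist makes the mapping survive a reboot the same way the dialog's "Reconnect at logon"
    checkbox does; omit it for a one-off connection that should disappear with the session.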