Read Only Domain Controllers

8/3/2019 Read Only Domain Controllers

1/9

Read Only Domain Controllers

A new feature in Windows 2008 is a new type of domain controller the Read-Only Domain

Controller known as RODCs. An RODC makes it possible for organizations to easily deploy adomain controller in scenarios where physical security cannot be guaranteed, such as branch

office locations, or in scenarios where local storage of all domain passwords is considered aprimary threat. The RODC also have copy of the Active Directory (AD) database, but thecontents of the replica of the database on the domain controller is read-only and write operations

are not supported. It is also important to know that the RODCs do not participate in Active

Directory replication in the same way as writable domain controllers.

The difference between RODC replication and the multimaster replication model betweenwritable domain controllers is that RODC replication is unidirectional. This means all changes

from a writable domain controller are propagated to the RODCs. The result of this is that the

RODC receives changes, but does not partake in or perform outbound replication with otherdomain controllers. This provides an extra layer of security as any unauthorized data changes,

will not replicate out to other domain controllers. Another new RODC functionality thatimproves security is the replication that happens between a writable domain controller and a

RODC. Here, user account information is replicated, but account passwords are not.

Administrator Role Separation

You can delegate local administrative permissions for an RODC to any domain user without

granting that user any user rights for the domain or other domain controllers. This permits a local

branch user to log on to an RODC and perform maintenance work on the server. However, thebranch user cannot log on to any other domain controller or perform any other administrative

task in the domain, and therefore compromising the security of the rest of the domain.

Read-Only AD DS Database

Except for account passwords, an RODC holds most of the Active Directory objects and

attributes that a writable domain controller holds. However, changes cannot be made to the

database that is stored on the RODC. Changes must be made on a writable domain controller and

then replicated back to the RODC.

Read-Only DNS

You can install the DNS Server service on an RODC. An RODC is able to replicate all

application directory partitions that DNS uses. If the DNS server is installed on an RODC,

clients can query it for name resolution as they query any other DNS server. However, the DNSserver on an RODC does not support client updates directly. Consequently, the RODC does not

register name server NS resource records for any Active Directory integrated zone that it hosts.

Credential Caching


2/9

Credential caching is the storage of user or computer credentials, including the user password.

You can configure credential caching on the RODC by modifying the Password Replication

Policy for the specific domain controller. If you want the RODC to cache the credentials for allusers in the branch office that routinely log on in the office location, you can add all user

accounts in the branch office to the Password Replication Policy. Now users will be able to log

on to the domain controller even if the wide area network WAN connection to a writable domaincontroller is down. You can also add all of the branch office computer accounts, so that these

accounts can authenticate to the RODC even when the WAN link is down. In both cases, the

WAN connection to writable domain controller must be available during the first logon for thecredentials to be cached.

Prerequisite When Deploying an RODC

The following things should be done and complete before installing RODCs:

Active Directory running on Windows Server 2003 or Windows Server 2008 must already exist

in the environment.

The Active Directory schema must support the Windows 2008 Server extensions.

The forest and domain functional level must be running Windows Server 2003 or higher.

At least one domain controller within the domain must be running Windows 2008.

The PDC Emulator FSMO role must be running Windows 2008.

A regular non-read-only (writable) domain controller must already exist within the Active

Directory infrastructure.

The RODC cannot be the first domain controller within the Active Directory infrastructure.

If the DNS service will be configured on a Server Core installation, a non-read-only DNS servermust be present within the domain.

Limitations with Windows Server 2008 RODCs

There are situations when RODCs cannot be used. This is the case with bridgehead servers and

operations master role holders . Because an RODC can only perform inbound unidirectionalreplication, it cannot be designated as a bridgehead server, because these servers must support

both inbound and outbound replication. An RODC cannot be a Flexible Single Master

Operations (FSMO) role holder. Each FSMO role needs to write information to an ActiveDirectory domain controller.

There are more limitations to the out-of-the-box RODCs they cannot authenticate a smart card

logon. This is because the Enterprise Read-Only Domain Controller (ERODC) group is not


3/9

defined in the domain controller certificate template by default.

Unlike the limitations of RODCs talked about previous there is a way to work around this so anRODC can authenticate smart card logons. The following changes must be done in the certificate

templates for an RODC to support smart card logons:

ERODC group permissions for Enroll must be set to Allow on the Domain Controller certificate

template.

ERODC group permissions for Enroll and Auto enroll must be set to Allow on the Domain

Controller Authentication and Directory E-Mail Replication certificate template.

The Authenticated Users group permissions must be set to Allow Read on the Domain ControllerAuthentication and Directory E-Mail Replication certificate template.

Active Directory Lightweight Directory Services

AD LDS, known as Active Directory Application Mode (ADAM) when it was released withWindows Server 2003, is a Lightweight Directory Access Protocol directory service that can

replace AD DS functionality in some scenarios or be deployed together with AD DS. AD LDS

provides much of the same directory service functionality as AD DS, but it does not require the

deployment of domains or domain controllers. You can also configure AD LDS replication sothat the same instance of AD LDS is distributed across multiple computers. AD LDS is designed

to complement rather than replace AD DS. AD DS provides a network authentication and

management directory, while AD LDS is designed to be used purely as a directory service forapplications. AD LDS is designed to be deployed in the following scenarios:

Enterprise directory store: AD LDS can store application data in a local directory service either

on the same computer as the application or on a different computer.

Extranet authentication store: A lot of organizations have Web portal applications that requireextranet access to corporate business applications but provide access for users who are outside

the organization. These servers and portal applications require an authentication store to save

authorization information for the users. AD LDS can provide this authentication store because itcan host user objects that are not Windows security principals but can be authenticated with

LDAP simple binds.

Directory consolidation solution: Enterprise organizations frequently have several directories

deployed. User accounts may be located in multiple AD DS forests,domains, and OUs, or inseveral identity systems and other directories, such as human resource databases, AD LDS can

integrate with a metadirectory, which means that identities created in AD LDS can be


4/9

synchronized with the metadirectory. AD LDS can also accept identity synchronization from the

metadirectory.

Development environment for AD DS and AD LDS Because AD LDS uses the sameprogramming model and provides virtually the same administration experience as AD DS,

developers can use AD LDS when staging and testing various AD DS integrated applications.

Active Directory Federation Services

AD FS, first released with Windows Server 2003 R2,is designed to enable secure access to Web-based applications within an organization and between organizations without making an external

or forest trusts between those organizations. (can be used in both Windows and non-Windows

enviroments) providing browser-based clients with one-prompt access to protected

applications,even when the accounts and applications are located on different networks.

When a user need access to secure Web sites hosted outside of her own organization, the user has

to provide secondary credentials meaning that the user has to provide a user name and passwordother from the one she used to log onto her personal computer. AD FS takes care of this byenabling organizations to establish trust relationships with the directory services system running

at other organizations. Known as single sign-on (SSO) this, allows the systems at one

organization to recognize the users of another organization without having to prompt them for

credentials.

AD FS is composed of three different server components, as follows:

Federation server: A federation server is the main AD FS component, which holds theFederation Service role. These servers route authentication requests between connected

directories.

Federation proxy server: A federation proxy server acts as a reverse proxy for AD FS

authentication requests. This type of server normally resides in the demilitarized zone (DMZ) of

a firewall, and is used to protect the back-end AD FS server from direct exposure to the untrusted

Internet.

AD FS Web Agents: The Web Agents component of AD FS hosts the claims-aware agent and

the Windows token-based agent components that manage authentication cookies sent to web

server applications. Each one of these components can be individually installed in an AD FSstructure, or they can be all installed on the same system.

AD FS Deployment Requirements

In order to deploy AD FS, you must ensure that the following network requirements are met:


5/9

TCP/IP connectivity

For AD FS to function, TCP/IP network connectivity must exist between the client,and thecomputers that host the Federation Service, the Federation Service Proxy, and the AD FS Web

Agents

DNS requirements In order for AD FS to function, you must ensure that the client computerscan resolve the names of all of the servers running AD FS components.

Client Web Browser requirements Any Web browser with JScript enabled can work as an AD

FS client.AD FS creates authentication cookies that must be stored on client computers toprovide SSO functionality. Therefore, the client browser must be configured to accept cookies.

Authentication cookies are always Secure Hypertext Transfer Protocol (HTTPS) session cookies.

Account Store Requirements AD FS requires at least one account store to be used for

authenticating users and extracting security claims for those users. AD FS supports two types ofaccount stores: AD DS and AD LDS.

Web Server Requirements IIS is a mandatory requirement for all AD FS server components.

Public Key Infrastructure (PKI) Requirements In order to secure the communicationsbetween all of the AD FS components, AD FS requires that all Web sites that accept user

authentication traffic or security tokens be configured with server authentication certificates.

These certificates are used for account partner and resource partner authentication and forauthentication between federation servers and federation server proxies. This means that you

must obtain the required digital certificates from a certification authority (CA). You can use a

trusted third party CA or an internal Active Directory Certificate Services (AD CS) CA to issue

these certificates.

New in AD FS in Windows Server 2008

Improved installation: AD FS is included in Windows Server 2008 as a server role, and there

are new server validation checks in the installation wizard

Improved application support: AD FS is more tightly integrated with Microsoft Office

SharePoint Server 2007 and Active Directory Rights Management Services (AD RMS


6/9

A better administrative experience when you establish federated trusts: Improved trust

policy import and export functionality helps to minimize partner-based configuration issues that

are commonly associated with federated trust establishment.

AD FS 2.0

AD FS 2.0 is a downloadable Windows Server 2008 update

Active Directory Federation Services (AD FS) 2.0 provides support for claims-aware identity

solutions that involve Windows Server and Active Directory technology. AD FS 2.0 supports theWS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.

AD FS 2.0 has the following features:

An enterprise claims provider for claims-based applications

Provide a single-sign-on (SSO) experience across multiple claims-aware applications.

Provide access to a claims-aware application to users in another organization.

Reduce concern about developers of custom applications making processor-intensive

authentication requests that unexpectedly burden an organizations directory services.A

Federation Service for identity federation across domains

You can configure AD FS 2.0 in the Federation Service role so that Web browser and Webservice applications can use federated Web SSO across domains. This helps reduce

administrative overhead, reduce security vulnerabilities as a result of lost or stolen passwords,

and improve user productivity through SSO.

Improved support for federation trusts AD FS 2.0 has improved support for federation trusts that

can speed up the process of establishing the trusts. AD FS 2.0 uses industry standard metadata

formats when it establishes trusts between federation partners.An enhanced snap-in management

console

The AD FS 2.0 snap-in is a single Microsoft Management Console (MMC) 3.0 snap-in. It

provides a graphical user interface (GUI) for configuring service and policy settings that are used

most commonly with AD FS 2.0.
http://www.anrdoezrs.net/9377tenkem158A8A951329B43B2


7/9

Support for issuance and use of Information Cards

AD FS 2.0 supports the issuance and use of managed Information Cards in Web browsers and

Web services scenarios to provide a phishing-resistant, extranet, log-in mechanism. With thissupport, you can issue a managed card that a user can use to log on to a federation server for an

application that is enabled for WS-Federation Passive. AD FS 2.0 also can assist in providingaccess to a Web site that users can access to obtain a managed Information Card.

An enhanced snap-in management console The AD FS 2.0 snap-in is a single MicrosoftManagement Console (MMC) 3.0 snap-in. It provides a graphical user interface (GUI) for

configuring service and policy settings that are used most commonly with AD FS 2.0.

Support for a Microsoft SQL Server based policy store AD FS 2.0 makes it possible for you tomove away from a file-based policy store to a database-centric policy store that can scale

dynamically to a large number of objects.

Unsupported features in AD FS 2.0

The following are the AD FS 1.x features and scenarios that are no longer supported in AD FS

2.0:

AD LDS used as an account store

The Windows NT token based Web agentThe AD FS 1.x claims-aware Web agent configured for Microsoft Office SharePoint Server 2007

The Federated Web Single-Sign-On (SSO) with Forest Trust scenario is no longer supported

Network Drive for Users

One of the most searched topics on our site is "how to map a drive". Unfortunately, until now,

the searches on this topic didn't return any result for our users. As a consequence to this, we

decided to create this article in which we show you how to create a drive mapping in Windows

Vista .

For those of you who don't know it, a drive mapping is a letter assigned to a disk or drive. The

most common drive mappings are A: for the floppy disk and C: for the primary hard disk. If you

are on a network, a drive mapping can reference remote drives to which you can assign a letter ofyour choice. For example, you can use the letter Z: to refer drive C: or a network server or a

specific shared folder to which you have access to.
http://www.vista4beginners.com/Map-Network-Drivehttp://en.wikipedia.org/wiki/Mapped_drives_or_map_drivehttp://www.vista4beginners.com/Map-Network-Drivehttp://en.wikipedia.org/wiki/Mapped_drives_or_map_drivehttp://www.vista4beginners.com/Map-Network-Drive


8/9

As you will see for yourself, the procedure of creating a map drive in Windows Vista is very

simple. Just follow these steps:

First, click on the Computershortcut from your desktop or from the Start Menu. In the toolbaryou will find several buttons, including one called Map network drive.

Click on it and the Map Network Drive window will open. Firstly, you need to assign a drive

letter for the connection and then type the drive or the folder you want to connect to.

The folder can be located on a remote server or computer you have access to, a FTP site or a

shared folder on your own computer.
http://www.vista4beginners.com/Map-Network-Drivehttp://www.vista4beginners.com/Map-Network-Drivehttp://www.vista4beginners.com/Map-Network-Drive


9/9

If you want to connect to a remote computer just type "\\" followed by the computer name or theIP address and then "\" followed by the location of the folder you want to connect to.

If you want to create a drive mapping to a folder on your own computer type "\\127.0.0.1\" (this

stands for the local host) or "\\computer_name\" and then the path towards that folder.Sometimes, when you create a drive mapping, you might need to use a special user name and

password that allows you to connect to it. In this case, click on the Connect using a different username link.

Type the appropriate user name and password and click on OK. Now you will return to theprevious window. Click onFinish and the drive mapping will be created.

If you access the Computershortcut again you will see that a new drive having the letter you

assigned is listed and you can access it at anytime.

Documents

Read Only Domain Controllers