
Why Read-Only Domain Controllers (RODC)?

In an enterprise network it is common to have a head office (HQ) and one or more branch offices. The branch offices need access to HQ resources for their day-to-day operations, and most of the time they are connected to the HQ network over WAN links. Let's assume a company called ABC with its HQ in Toronto, Canada. Due to expansion it needs to open a branch office in London, UK, which makes the requirement more complicated since the two sites are in different countries. Users in the London office still need to authenticate to the company domain and access its resources. Let's look at some of the difficulties and challenges that come with this kind of setup.

Lack of Resources

Connecting HQ with a branch site requires a secure, reliable connection, and such links typically come at a high cost. Even at that cost the links are often slow: 128 kbps, 256 kbps, 512 kbps and so on. If users in the branch site authenticate against a DC at HQ, every logon and every resource access goes over that WAN link, so as the number of branch users grows, the link utilization for AD traffic alone grows with it. Since the two sites are in different geographical locations, possibly served by different ISPs, many factors also affect the reliability of the link. What happens if the WAN link goes down on a critical business day? Nobody at the branch can log on. The obvious answer is to deploy a DC in the branch site, but that opens a whole different range of concerns and problems.

Security Risks

Even though a branch office DC speeds up authentication and resource access, it opens potential security risks to the network. Some companies have fully secured datacenter facilities at branch sites as well, but the majority cannot afford such an investment. A regular (writable) DC holds a full copy of the domain database, including the password hashes of every user and computer in the domain. What if that branch office DC is compromised or stolen? Whoever has the disk can extract every credential in the domain, so the entire company network is affected, and an incident like this can cost the company millions of dollars.

Management

If we host a branch site DC, it requires maintenance from time to time: deploying a failover DC, upgrading hardware, site-link changes, user credential changes and so on. The company may therefore need to keep an IT team at the branch office, which increases operating cost. Also, since a writable DC is integrated directly with the main domain environment, any change made on the branch office DC replicates out and directly affects the entire domain.

So what is the answer then ?

With Windows Server 2008, Microsoft introduced the Read-Only Domain Controller (RODC) feature specifically to address the difficulties companies face in this kind of branch site scenario.

Read-Only!!!!

As the name says, an RODC holds a read-only copy of the Active Directory database. It replicates inbound from a writable DC but never replicates outbound, so a change made on a branch site RODC (or by someone who has compromised it) cannot be pushed back into the domain; any write request an RODC receives, such as a password change, is referred to a writable DC. It holds all objects and attributes of the domain except the secrets (and any attributes an administrator adds to the RODC filtered attribute set): by default, user and computer passwords are not stored on the RODC at all. When a user in the branch authenticates, the RODC answers the request locally if it already holds that user's credentials; otherwise it forwards the authentication to a writable DC over the WAN link and, if the Password Replication Policy allows it, caches the credentials so that the next logon is served locally even when the WAN link is down.

Password Replication Policy (PRP)

We can control this credential caching in detail with the Password Replication Policy (PRP). It defines which users and groups may have their credentials cached on that particular RODC. For example, let's assume we have another branch in India. The users in the India office will never log on from the London office, so why should we cache credential information for India office users on the London RODC? Limiting the cache in this way also improves the security of the DC: if a branch office RODC is compromised, it only holds the credentials of the accounts cached there, and because the RODC records which accounts it has cached, those are the only passwords that need to be reset afterwards.

In Windows Server 2012 we can configure this using two security groups that are created in the domain for RODC support. An account that ends up on both lists of an RODC's policy is denied, because the Deny list always wins over the Allow list. According to Microsoft, the two groups are as follows:

Allowed RODC Password Replication Group: Members of this group are placed in the Allow list of the Password Replication Policies of all RODCs by default. This group has no members when Windows Server 2012 is first installed.

Denied RODC Password Replication Group: Members of this group are placed in the Deny list of the Password Replication Policies of all RODCs by default. Some of the groups include Administrators, Server Operators, Backup Operators, Account Operators, and Denied RODC Password Replication Group.
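The following PowerShell is an added example, not code from the original post, showing how the policy described above is applied to a branch RODC and then audited with the ActiveDirectory module. The RODC name LON-RODC01 and the groups "London Users" and "India Users" are assumed names; run it as a Domain Admin from a writable DC or a management workstation with RSAT installed.

```powershell
# Added example (not from the original post): configure and audit the
# Password Replication Policy of a branch RODC.
# Assumed names: RODC "LON-RODC01", groups "London Users" and "India Users".
Import-Module ActiveDirectory

$Rodc = 'LON-RODC01'

# 1. Allow caching only for the users who actually sign in at the London site,
#    and explicitly deny the India branch so their secrets never land on this
#    RODC. AllowedList and DeniedList are separate parameter sets, so two calls.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'London Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList  'India Users'

# 2. Review the effective policy. A principal that appears in both lists is
#    denied: the Deny list always wins over the Allow list.
'--- Allow list'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
'--- Deny list (the built-in admin groups are seeded here by default)'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 3. Audit what the RODC has really cached ("revealed"), versus which accounts
#    merely authenticated through it and were forwarded to a writable DC.
$Revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$Authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
"Cached on ${Rodc}: $($Revealed.Count)   Authenticated via ${Rodc}: $($Authenticated.Count)"

# 4. Flag any privileged account whose secret has ended up on the RODC.
#    Nothing in Domain Admins should ever be revealed to a branch box.
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$Revealed |
    Where-Object { $_.SamAccountName -in $DomainAdmins } |
    ForEach-Object { Write-Warning "Privileged account cached on ${Rodc}: $($_.SamAccountName)" }

# 5. If the RODC is stolen or compromised, the exposure is bounded by the
#    revealed list from step 3: reset every revealed user so the cached
#    secrets become useless. Uncomment to execute; each user is then forced
#    to change the password at next logon.
# foreach ($u in $Revealed | Where-Object ObjectClass -eq 'user') {
#     $Tmp = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
#     Set-ADAccountPassword -Identity $u.DistinguishedName -Reset -NewPassword $Tmp
#     Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
# }
```

The difference between the authenticated list and the revealed list is the part worth watching: an account that authenticated through the RODC but was never cached is not exposed if the box is lost, while everything on the revealed list must be treated as compromised. Step 5 covers user accounts only; cached computer accounts should have their machine passwords reset separately.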

Local Administrators Group

Sometimes branch offices need local IT support for their users, either from in-house staff or from an outsourced IT company. On a writable DC there is no separate local administrator: a domain controller has no local SAM database, so whoever administers the server needs Domain Admins membership or carefully delegated permissions. With an RODC we can instead delegate a local administrator account or group (Administrator Role Separation) which gets full control over that RODC server, for tasks such as installing updates and drivers or managing services, while having no rights on the domain or on any other domain controller.
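The following PowerShell is an added example, not code from the original post, showing how that delegation is set on the RODC's computer object and how to check that the delegated group carries no domain-wide privilege. The RODC name LON-RODC01 and the group LON-IT-Support are assumed names.

```powershell
# Added example (not from the original post): delegate local administration of
# a branch RODC without granting any domain-level rights.
# Assumed names: RODC "LON-RODC01", group "LON-IT-Support".
Import-Module ActiveDirectory

$Rodc        = 'LON-RODC01'
$BranchAdmin = 'LON-IT-Support'

# 1. Administrator Role Separation is stored in the managedBy attribute of the
#    RODC's computer object. Delegate to a group, not to an individual user.
Set-ADComputer -Identity $Rodc -ManagedBy (Get-ADGroup -Identity $BranchAdmin)

# 2. Confirm the delegation.
$Delegate = (Get-ADComputer -Identity $Rodc -Properties ManagedBy).ManagedBy
"Delegated RODC administrator for ${Rodc}: $Delegate"

# 3. The delegation is only a security win if the branch admins are not also
#    domain-privileged. Compare the delegated group's members against the
#    built-in privileged groups and warn on any overlap.
$BranchMembers = Get-ADGroupMember -Identity $BranchAdmin -Recursive |
    Select-Object -ExpandProperty SamAccountName
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $PrivMembers = Get-ADGroupMember -Identity $g -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $Overlap = $BranchMembers | Where-Object { $_ -in $PrivMembers }
    if ($Overlap) {
        Write-Warning "Members of $BranchAdmin are also in ${g}: $($Overlap -join ', ')"
    }
}

# 4. The branch admins must be able to log on to the RODC when the WAN link is
#    down, which means their own credentials have to be cacheable on it.
#    A plain group like this is not in the default Deny list, so allowing it is enough.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchAdmin
```

Step 4 is the caveat people miss: if the delegated administrators were members of Administrators, Server Operators or another group on the default Deny list, their passwords would never be cached, and they would be unable to sign in to the very server they are supposed to maintain during a WAN outage. Keeping the branch support group outside the privileged groups solves both the security check in step 3 and the caching problem in step 4.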

In the next post we will look at the configuration of an RODC.
