Read-only domain controller (RODC) functionality was first introduced in Windows Server 2008. The main purpose of the RODC technology is the secure deployment of your own domain controller in remote branches and offices where it is difficult to provide physical protection for the server holding the DC role. An RODC contains a read-only copy of the Active Directory database, which means that nobody can change data in AD (including resetting the domain administrator password) even with physical access to the domain controller.
In this article we’ll look at the main RODC features and how to deploy a new Read-Only domain controller on Windows Server 2016.
Features of the Read-Only domain controller (RODC)
Here are the main differences between an RODC and a common read/write domain controller (RWDC):
- The RODC stores a read-only copy of the AD database, so the clients of this domain controller cannot make changes to it.
- The RODC doesn’t replicate AD data or the SYSVOL folder to other domain controllers (RWDCs); replication is inbound only.
- The RODC stores a full copy of the AD database except for the password hashes of AD objects and some other attributes containing sensitive information. This set of attributes is called the Filtered Attribute Set (FAS); by default it includes attributes such as ms-PKI-AccountCredentials, ms-FVE-RecoveryPassword and ms-PKI-DPAPIMasterKeys. If necessary, you can add other attributes to it: for instance, if you are using LAPS, ms-MCS-AdmPwd should be added to the set.
- If the RODC receives an authentication request from a user, it forwards the request to the RWDC.
- The RODC can cache the credentials of selected users (this speeds up authentication and allows those users to authenticate against the RODC even when there is no connection to a full-featured DC).
- You can grant administrative RDP access to the RODC to ordinary domain users (for example, to the branch SysOps).
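The LAPS case above is the one most admins hit in practice, so here is how the FAS membership of a schema attribute is actually changed. This is an added example, not code from the original article: it sets the RODC-filtered bit (and, as LAPS guidance recommends, the confidential bit) in the attribute's searchFlags, then lists every attribute currently in the FAS. It assumes the ActiveDirectory module, Schema Admins rights and that the LAPS schema extension is already installed.

```powershell
# Added example: add ms-MCS-AdmPwd to the RODC Filtered Attribute Set.
# Run with Schema Admins rights; the change is made on the schema master.
Import-Module ActiveDirectory

# searchFlags bits as documented in the AD schema reference:
#   0x080 (128) = confidential attribute (needs CONTROL_ACCESS right to read)
#   0x200 (512) = RODC filtered attribute (never replicated to an RODC)
$Confidential = 0x80
$RodcFiltered = 0x200

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrName = 'ms-MCS-AdmPwd'   # assumption: LAPS schema extension is installed

$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=$attrName)" -Properties searchFlags
if (-not $attr) { throw "Attribute $attrName not found in the schema" }

$current = [int]$attr.searchFlags
$desired = $current -bor $Confidential -bor $RodcFiltered

if ($current -ne $desired) {
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = $desired }
    Write-Host ("{0}: searchFlags {1} -> {2}" -f $attrName, $current, $desired)
} else {
    Write-Host "$attrName is already confidential and RODC-filtered (searchFlags=$current)"
}

# Audit: every attribute that is currently in the FAS (bitwise AND on bit 0x200).
# Anything sensitive that is missing from this list will be replicated to RODCs.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=512)' -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
```

Schema changes replicate forest-wide, so review the audit output on an RWDC before and after, and note that values already cached by an RODC are not removed by changing the flag.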
Requirements to Deploy a Read-Only Domain Controller
- A static IP address has to be assigned to the server
- The Windows Firewall has to be disabled or configured correctly to allow replication traffic between DCs and client access
- The nearest RWDC must be specified as the DNS server
Installing RODC Using Server Manager GUI
Open the Server Manager console and add the Active Directory Domain Services role (agree to install all additional components and management tools).
When you specify the settings for the new DC, select the Add a domain controller to an existing domain option, specify the domain name and, if necessary, the credentials of a user account with domain administrator privileges.
Specify that the DNS server, global catalog (GC) and RODC capabilities must be installed. Then select the site where the new controller will be located and set the password for accessing it in DSRM (Directory Services Restore Mode).
In the next window (RODC options), specify the users or groups who will be delegated administrative access to the domain controller, and the accounts/groups whose passwords are allowed or denied to replicate to the RODC (you can also do this later).
Specify that the information from the AD database can be replicated from any DC.
Then specify the paths to the NTDS database, logs and SYSVOL folder (if necessary, they can be transferred to another disk later).
That’s all. After you have checked all options, you can install the role.
Installing RODC on Windows Server 2016 Using PowerShell
To deploy a new RODC using PowerShell, you must first install the AD DS role and the AD DS management tools (including the PowerShell modules):
Add-WindowsFeature AD-Domain-Services, RSAT-AD-AdminCenter, RSAT-ADDS-Tools
Now you can install the RODC:
Install-ADDSDomainController -ReadOnlyReplica -DomainName woshub.com -SiteName "Default-First-Site-Name" -InstallDns:$true -NoGlobalCatalog:$false
After the installation is over, the cmdlet will prompt you to restart your server.
To verify that the server is running in RODC mode, you can use the command:
Get-ADDomainController -Identity LonRODC16
The value of the IsReadOnly property must be True.
Password Replication in RODC
On each RODC you can specify the list of users or groups, whose passwords are allowed to or denied from replicating to this domain controller.
By default, two new global groups are created in the domain:
- Allowed RODC Password Replication Group
- Denied RODC Password Replication Group
By default, the first group is empty, and the second one contains the administrative security groups whose members’ passwords cannot be replicated to or cached on the RODC, to prevent them from being compromised. By default, it includes the following groups and accounts:
- Group Policy Creator Owners
- Domain Admins
- Cert Publishers
- Enterprise Admins
- Schema Admins
- The krbtgt account
- Account Operators
- Server Operators
- Backup Operators
As a rule, you can add groups of branch users that are served by this RODC to the Allowed RODC Password Replication Group.
If there are several DCs in the domain, it is recommended to create these groups individually for each RODC. You can bind the groups to the RODC on the Password Replication Policy tab of the server properties in the ADUC console.
If you connect to a domain controller with the RODC role using the ADUC console, even a domain administrator won’t be able to edit user/computer attributes (the fields are not editable) or create new objects.
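The per-RODC group recommendation above can be scripted rather than clicked through in ADUC. This is an added example, not code from the original article: it creates an allowed and a denied group for the LonRODC16 controller named in the article, binds them to its password replication policy, and then audits which accounts the RODC has actually cached so that any privileged name shows up as a finding. The OU path and the London-Branch-Users group are assumptions.

```powershell
# Added example: per-RODC password replication policy (PRP) and cache audit.
# Requires the ActiveDirectory module and rights to manage groups and the RODC.
Import-Module ActiveDirectory

$rodc      = 'LonRODC16'                          # RODC name from the article
$ouPath    = 'OU=Branch Groups,DC=woshub,DC=com'  # assumed OU for the groups
$allowName = "PRP-Allowed-$rodc"
$denyName  = "PRP-Denied-$rodc"

# Create the two groups if they do not exist yet
foreach ($name in $allowName, $denyName) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
    }
}

# Branch users served by this RODC may be cached; privileged groups never are
Add-ADGroupMember -Identity $allowName -Members 'London-Branch-Users'   # assumed group
Add-ADGroupMember -Identity $denyName  -Members 'Domain Admins', 'Account Operators',
    'Server Operators', 'Backup Operators'

# Bind the groups to this RODC's PRP (a deny entry always wins over an allow)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allowName
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  $denyName

# Show the effective policy for review
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Accounts whose secrets are currently cached on the RODC: these are the
# credentials at risk if the branch server is lost, so a privileged account
# here means the policy or group membership needs fixing.
$revealed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$privileged = (Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive).SamAccountName
$revealed | Where-Object { $privileged -contains $_.SamAccountName } |
    ForEach-Object { Write-Warning "Privileged account cached on ${rodc}: $($_.SamAccountName)" }
```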