Saturday, August 10, 2013

RODC - Read-Only Domain Controller

The RODC is a new feature of Windows Server 2008 and, to be precise, a new type of domain controller. Its main purpose is to solve a security problem: branch sites where we cannot physically secure a server. The RODC lets us place a domain controller in such a site without the sensitive data of our organization on it, and delegate the appropriate permissions to a local administrator.

Replication to an RODC works in one direction only: everything in its database comes from a writable domain controller in the hub, and nothing is ever replicated back. The RODC holds all objects and their attributes, except the account secrets (password hashes) and any attribute placed in the RODC filtered attribute set.
So imagine the following scenario: we put an RODC in a small site, the worst happens and the server is stolen. The RODC protects the organization's data as follows:

·        Unlike a regular domain controller, the RODC cannot be used to change the organization's Active Directory. Its copy of the database is read-only, and nothing the thief writes to it is ever replicated to the other domain controllers.

·        If password caching is disabled on the RODC (the default Password Replication Policy caches nothing except the RODC's own computer account and its private krbtgt account), the stolen database contains no user credentials, so the attacker has nothing to brute-force offline and no password to reuse against the rest of the domain.

·        DNS is one of the most sensitive roles on a DC. On an RODC the DNS zones are read-only, so an attacker who owns the server can read records but cannot change them. Dynamic updates are not accepted on the RODC: when a client tries to update a record, the RODC refers it to a writable DNS server in the hub; the record is updated there, and the RODC then pulls the changed record back by replication.

·        A delegated local administrator can log on to the RODC, install software and maintain it without being a member of Domain Admins. That is the point of Administrator Role Separation: the delegation is set on the RODC account itself, and it grants no rights on any other domain controller.

So even if an attacker gets the local admin password, he cannot make changes on any other domain controller.
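The theft scenario above is only survivable if the Password Replication Policy really caches nothing sensitive. The following script, an added example that is not part of the original post, audits an RODC from the hub: it reads the Allowed and Denied lists, lists the accounts whose secrets have already been cached ("revealed") on it, and checks that the default deny entries for the administrative groups are still there. It assumes an RODC named RODC01 and the ActiveDirectory module (Windows Server 2008 R2 or RSAT); the repadmin lines at the end do the same job on a plain Windows Server 2008 DC.

```powershell
# Added example, not part of the original post. Audits what a stolen RODC
# would actually hand an attacker: its Password Replication Policy (PRP)
# and the accounts whose secrets have already been cached on it.
# Assumptions: an RODC named RODC01, run on the hub as a domain admin, with
# the ActiveDirectory module (Windows Server 2008 R2 or RSAT). The repadmin
# lines at the end do the same on a plain Windows Server 2008 DC.
Import-Module ActiveDirectory

function Get-RodcCredentialExposure {
    param([Parameter(Mandatory = $true)][string]$Rodc)

    $dc = Get-ADDomainController -Identity $Rodc
    if (-not $dc.IsReadOnly) {
        throw "$Rodc is a writable domain controller; it holds every secret in the domain."
    }

    # Policy: who may (Allowed) and who must never (Denied) have secrets cached here.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)

    # Reality: secrets already revealed (cached) to this RODC. With caching disabled
    # this holds only the RODC computer account and its private krbtgt_<id> account,
    # which is what makes the theft scenario survivable.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)

    # Accounts that authenticated through the RODC without being cached: a hint for
    # what to add to the Allowed list, not an exposure.
    $authOnly = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

    # The wizard's default deny entries must survive; a Denied entry wins over Allowed.
    $mustDeny = @('Administrators', 'Server Operators', 'Backup Operators',
                  'Account Operators', 'Denied RODC Password Replication Group')
    $deniedNames = @($denied | ForEach-Object { $_.Name })
    $missingDeny = @($mustDeny | Where-Object { $deniedNames -notcontains $_ })

    New-Object PSObject -Property @{
        Rodc              = $dc.HostName
        Site              = $dc.Site
        Allowed           = @($allowed  | ForEach-Object { $_.Name })
        DeniedMissing     = $missingDeny
        CachedAccounts    = @($revealed | ForEach-Object { $_.SamAccountName })
        AuthenticatedOnly = @($authOnly | ForEach-Object { $_.SamAccountName })
    }
}

$report = Get-RodcCredentialExposure -Rodc 'RODC01'
$report | Format-List
if ($report.DeniedMissing.Count -gt 0) {
    Write-Warning ("Restore the default deny entries: " + ($report.DeniedMissing -join ', '))
}

# Same checks with repadmin on Windows Server 2008 (no AD module needed):
#   repadmin /prp view RODC01 allow
#   repadmin /prp view RODC01 deny
#   repadmin /prp view RODC01 reveal
```

CachedAccounts is the list that matters on the day the server disappears: if the RODC really is stolen, delete its computer account from the Domain Controllers OU on the hub, and the deletion dialog offers to reset the passwords of every account that was cached on it and to export that list.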

RODC Deployment
Before we deploy the RODC our environment needs to meet a few prerequisites:
1.       At least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2, in the same domain as the RODC. The RODC has no writable copy of its own; it gets and keeps its replica from that writable DC.

2.       Next we prepare the forest and the domain. There are two possibilities:

-          The first is a new forest with only Windows Server 2008 domain controllers. In that case the schema is already at the right level and we do not need to run adprep /rodcprep.
-          The second, and probably the more common one, is a forest with both Windows Server 2003 and Windows Server 2008 domain controllers. In that case we prepare the forest and the domain with adprep from the Windows Server 2008 installation media, in this order:

Adprep /forestprep (on the schema master, as a member of Schema Admins and Enterprise Admins).

Adprep /domainprep /gpprep (on the infrastructure master of each domain that will host an RODC).

Adprep /rodcprep (can be run on any domain controller; it updates the permissions on the application directory partitions so that RODCs can replicate them).

3.       Make sure the forest functional level is Windows Server 2003 or higher.
4.       Add yourself to the Domain Admins group (installing any domain controller requires it).
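A pre-flight check for the prerequisites above, added here as an example that is not part of the original post: it reads the forest functional level, finds the schema master and infrastructure master (the hosts adprep must be run on), confirms that the domain already has a writable Windows Server 2008 DC to replicate from, and prints the adprep commands next to the host each one belongs on. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and that the Windows Server 2008 media is mounted as D:.

```powershell
# Added example, not part of the original post. Pre-flight check for the RODC
# prerequisites: forest functional level, where adprep has to run, and whether
# a writable Windows Server 2008 DC exists in this domain. Assumes the
# ActiveDirectory module (Windows Server 2008 R2 or RSAT); adprep.exe itself
# is run from the Windows Server 2008 media, assumed here to be D:.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    param([string]$AdprepPath = 'D:\sources\adprep\adprep.exe')

    $forest = Get-ADForest
    $domain = Get-ADDomain

    # ADForestMode orders Windows2000Forest < Windows2003InterimForest < Windows2003Forest < ...
    # Interim mode does not count: RODCs need Windows Server 2003 forest level or higher.
    $levelOk = ([int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest)

    # A writable DC running Windows Server 2008 (or R2) in this domain is the
    # replication source the RODC will be built from.
    $writable2008 = @(Get-ADDomainController -Filter * |
        Where-Object { (-not $_.IsReadOnly) -and ($_.OperatingSystem -like 'Windows Server 2008*') })

    # adprep is safe to run again: it reports when a step was already applied.
    $adprep = @(
        (New-Object PSObject -Property @{ RunOn = $forest.SchemaMaster;         Command = "$AdprepPath /forestprep" }),
        (New-Object PSObject -Property @{ RunOn = $domain.InfrastructureMaster;  Command = "$AdprepPath /domainprep /gpprep" }),
        (New-Object PSObject -Property @{ RunOn = 'any domain controller';      Command = "$AdprepPath /rodcprep" })
    )

    New-Object PSObject -Property @{
        ForestMode      = $forest.ForestMode
        ForestLevelOk   = $levelOk
        Writable2008DCs = @($writable2008 | ForEach-Object { $_.HostName })
        Ready           = ($levelOk -and ($writable2008.Count -gt 0))
        AdprepSteps     = $adprep
    }
}

$check = Test-RodcPrerequisites
$check | Format-List ForestMode, ForestLevelOk, Writable2008DCs, Ready
$check.AdprepSteps | Format-Table RunOn, Command -AutoSize
```

Run it on a Windows Server 2008 R2 machine in the hub; the adprep commands themselves still have to be typed on the role holders it names, since Windows Server 2003 DCs have no PowerShell or AD module.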

Installing an RODC (full installation), step by step:
1.      First connect to the server and join it to the domain (we do this because we are not using the delegated install).

2.      Run "Dcpromo".

3.      Choose "Existing forest" and "Add a domain controller to an existing domain".

4.       On the Network Credentials page, type the name of a domain in the forest, and then click Next.
5.       Select the domain for the RODC, and then click Next.
6.      Choose the site you want to add the RODC to.

7.      On the "Additional Domain Controller Options" page choose:

-          DNS server.

-          Global catalog.

-          Read-only domain controller (RODC).

8.      Next -> Finish. (The wizard also asks for the Password Replication Policy, the delegated RODC administrator, the database paths and the Directory Services Restore Mode password; these are the same pages described in the delegated installation below.)

Installing an RODC (delegated installation), step by step:
This is an option that lets us, the organization admins, hand the actual installation to another person (of course we need to trust this person...).

The installation has two stages, and a different person can carry out each one:

1.      The "big" admin, with domain credentials, creates the RODC account in AD DS. That account holds all the settings needed to attach the server in the second stage. This stage must be done with the right credentials (a member of Domain Admins). During this stage we also specify the user or group that will carry out the second stage.

2.      The "small" admin attaches the physical server, which sits in the other site, to the account the "big" admin created in the first stage. The server must NOT be joined to the domain beforehand: it stays in a workgroup, because the pre-created RODC account is its computer object, and the server's computer name must match the name of that account. During the installation the wizard checks that the credentials used match the delegation set in the first stage and that the server name matches the account created in stage one.

To create the RODC account using Active Directory Users and Computers:

1.      Open Run.

2.      Type: dsa.msc (the Active Directory Users and Computers snap-in opens).

3.      Expand the domain and select the "Domain Controllers" OU.

4.      Right-click "Domain Controllers" (or open the Action menu).

5.      Click "Pre-create Read-only Domain Controller account".

6.      The wizard opens.

7.      On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials.

We can also specify the credentials of another account:

Alternate credentials -> Set. In the Windows Security dialog box, provide the user name and password of an account that is allowed to install an additional domain controller.

8.      Now you are asked for the name of the RODC server (the server attached in stage two must have exactly this computer name).

9.      On the Site selection page, choose the site the RODC will belong to.

10.  On the "Additional Domain Controller Options" page, follow Microsoft's recommendations:
    • DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this check box. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the WAN link to the hub site is offline.
    • Global catalog: This option is selected by default. It adds the read-only directory partitions of the global catalog to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN link to the hub site is offline.
    • RODC: When you create an RODC account, this option is selected by default and you cannot clear it.
11.  On the "Specify the Password Replication Policy" page, click Add, choose Allow or Deny, and in Select Users, Computers, and Groups type the names of the accounts or groups whose passwords may (Allow) or must never (Deny) be cached on this RODC -> OK. Keep the default Deny entries for the administrative groups; a Deny entry always wins over an Allow entry.

12.   On the Delegation of RODC Installation and Administration page, type the name of the user or group who will attach the server to the RODC account you are creating (and who will administer the RODC afterwards).

13.   Review the Summary page to check the whole configuration - click Next.

That was the first stage of the RODC installation. After creating the account we install the RODC server and attach it to the account we just created.

Stage 2:
Attach the server to the RODC account we created

1.       Connect to the server we want to make the RODC with local Administrator credentials (the server is still in a workgroup at this point).

2.      Open Run and type: Dcpromo /UseExistingAccount:Attach

3.      On the Welcome page click Next.

4.      On the Network Credentials page, enter the name of the domain in the forest where you want to install the additional DC.

Under Specify the account credentials: choose "Alternate credentials" -> Set -> in the Windows Security dialog provide the credentials of the user delegated in the first stage.

5.      On the Select Domain Controller Account page, confirm that the pre-created account matches this server -> Next.

6.      Location for Database, Log Files, and SYSVOL: specify where each of them is stored.

7.      Directory Services Restore Mode Administrator Password page: enter the recovery password.
It may not seem important now, but when you have database corruption or a failed server, trust me, you will need this password, so keep it somewhere you can find it!!!!
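The same two-stage deployment can be done without the wizard, with dcpromo answer files. The script below is an added example, not part of the original post: stage 1 creates the RODC account on the hub with the PRP and the delegated administrator already stamped on it, and stage 2 attaches the branch server with /UseExistingAccount:Attach. It assumes the domain corp.example.com (NetBIOS CORP), an RODC named RODC01 in site Branch01, a delegated group CORP\Branch01-RODC-Admins, a delegated user CORP\branch01admin, and CORP\Branch01-Users as the only group whose passwords may be cached. The key and switch names are those of the Windows Server 2008 dcpromo unattended interface; confirm them with "dcpromo /?:Promotion" on your hub DC before running.

```powershell
# Added example, not part of the original post: the two-stage RODC deployment
# done with dcpromo answer files instead of the wizard. All names below
# (domain, RODC, site, groups, user) are assumptions for the example.

$Domain    = 'corp.example.com'
$RodcName  = 'RODC01'
$Site      = 'Branch01'
$Delegated = 'CORP\Branch01-RODC-Admins'
$CacheOk   = 'CORP\Branch01-Users'

# Writes an answer file readable only by the current user, runs dcpromo with it,
# then deletes it (the stage 2 file carries the DSRM password). Progress and
# errors are logged to %systemroot%\debug\dcpromo.log.
function Invoke-DcpromoUnattended {
    param([string[]]$Lines, [string[]]$ExtraSwitches)
    $file = Join-Path $env:TEMP ('rodc-' + [guid]::NewGuid().ToString() + '.txt')
    Set-Content -Path $file -Value $Lines -Encoding ASCII
    & icacls.exe $file /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
    try {
        & dcpromo.exe "/unattend:$file" @ExtraSwitches
        return $LASTEXITCODE
    } finally {
        Remove-Item $file -Force -ErrorAction SilentlyContinue
    }
}

# Stage 1: the "big" admin, a member of Domain Admins, on a writable Windows
# Server 2008 DC in the hub. Only the RODC account is created; no server is promoted.
function New-RodcAccountStage1 {
    $answer = @(
        '[DCInstall]',
        "ReplicaDomainDNSName=$Domain",
        "DCAccountName=$RodcName",
        "SiteName=$Site",
        'InstallDNS=Yes',
        'ConfirmGc=Yes',
        "DelegatedAdmin=`"$Delegated`"",
        "PasswordReplicationAllowed=`"$CacheOk`"",
        # The wizard's default deny list, restated so that no privileged account is
        # ever cached in the branch; a Denied entry wins over an Allowed one.
        'PasswordReplicationDenied="BUILTIN\Administrators"',
        'PasswordReplicationDenied="BUILTIN\Server Operators"',
        'PasswordReplicationDenied="BUILTIN\Backup Operators"',
        'PasswordReplicationDenied="BUILTIN\Account Operators"',
        'PasswordReplicationDenied="CORP\Denied RODC Password Replication Group"'
    )
    Invoke-DcpromoUnattended -Lines $answer -ExtraSwitches @('/CreateDCAccount')
}

# Stage 2: the "small" admin, logged on to the branch server as its local
# Administrator. The server stays in a workgroup (not domain-joined), its computer
# name must equal DCAccountName, and the credentials are the delegated account.
function Install-RodcStage2 {
    $secure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    $answer = @(
        '[DCInstall]',
        "ReplicaDomainDNSName=$Domain",
        "UserDomain=$Domain",
        'UserName=CORP\branch01admin',        # the delegated user from stage 1 (assumed name)
        'Password=*',                         # * makes dcpromo prompt rather than store it
        'DatabasePath="C:\Windows\NTDS"',
        'LogPath="C:\Windows\NTDS"',
        'SYSVOLPath="C:\Windows\SYSVOL"',
        "SafeModeAdminPassword=$dsrm",
        'RebootOnCompletion=Yes'
    )
    Invoke-DcpromoUnattended -Lines $answer -ExtraSwitches @('/UseExistingAccount:Attach')
}

# On the hub DC:        New-RodcAccountStage1
# On the branch server: Install-RodcStage2
```

The one-step full installation described earlier uses the same helper with a single answer file: ReplicaOrNewDomain=ReadOnlyReplica, the stage 1 keys except DCAccountName, the stage 2 paths and passwords, and no extra switch; in that case the server is domain-joined first, as in the full-installation steps.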

    !!!!!Good Luck You Have a New Read Only Domain Controller!!!!!
