One of the best new features of Windows Server 2008 – the RODC

Imagine that your up-and-coming career at paper products giant Dunder-Mifflin has led to your transfer to the Scranton, PA branch office. As you begin your first day of work in your new cubicle, you notice two things: first, that logging on to the servers in New York takes forever, and second, that there is a peculiar guy named Dwight in the next cube who shreds everything.

If I had to pick my favorites among the new features introduced with Windows Server 2008, I would put the RODC close to the top of my list. The RODC (Read Only Domain Controller) solves a problem that has existed since Windows Server 2000 debuted.

Starting with Windows Server 2000, and continuing with Windows Server 2003, all domain controllers were writeable; that is, each held a full copy of Active Directory, including all domain user accounts and their passwords. All domain controllers participated in two-way replication, which made it possible for any of them to originate changes to the Active Directory schema and configuration partitions. A skilled attacker who had physical access to a server could break through the security safeguards in less than five minutes. This meant that if a domain controller were stolen or compromised, critical data could be lost. Worse, if the database were modified and the changes replicated back to the other domain controllers, the entire network could be corrupted.

This vulnerability made it essential that domain controllers be located only in sites with server rooms that had proper physical security measures, including electronic locks and even guards and security cameras. Many branch office sites do not have those amenities, so domain controllers could not be installed in those locations. Branch office users had to log on and search Active Directory across slow WAN links to the main office. There is nothing more tedious in a branch office user’s life than the time spent waiting for a response from a main office DC.

But an RODC can be located anywhere, including sites that do not have locked server rooms. RODCs hold a read-only copy of AD that does not contain domain account passwords. Replication is one-way, from the main office to the branch office, so no damaging changes can be replicated back. Plus, RODCs can take advantage of BitLocker, which encrypts the server’s disk drives. Even if the server is stolen and the drives removed, extracting useful information from them would be a difficult task.
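To make the two points above concrete (one-way replication with no cached passwords, and local logon for branch users without a full DC in the branch), here is an added PowerShell example; it is not from the original post and is not Microsoft's documentation. It assumes the ADDSDeployment and ActiveDirectory modules that ship with Windows Server 2012 and later (on Windows Server 2008 the same promotion was done with dcpromo and an unattend file), a domain named corp.example.com, an AD site named Scranton, a branch group named "Scranton Users" and an RODC hostname of SCRANTON-RODC01. All of those names are placeholders.

```powershell
# Added example: promote a branch-office RODC, scope which accounts it may cache,
# and afterwards list the accounts whose secrets have actually been revealed to it.
# Placeholders: corp.example.com, Scranton, "Scranton Users", SCRANTON-RODC01.

Import-Module ADDSDeployment
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'
$Site        = 'Scranton'
$BranchGroup = 'Scranton Users'          # branch users whose passwords may be cached
$PrivGroups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# --- Part 1: run on the branch server to promote it as an RODC ---------------
# -ReadOnlyReplica makes the new DC read-only: replication is inbound-only and
# no account secrets are stored unless the Password Replication Policy (PRP)
# allows them. The Allowed list is empty by default; here it is limited to the
# branch group, and privileged groups are explicitly denied so their secrets
# never land on a server in an unlocked room. The server reboots when done.
function Install-BranchRodc {
    Install-ADDSDomainController `
        -DomainName $Domain `
        -ReadOnlyReplica `
        -SiteName $Site `
        -InstallDns `
        -Credential (Get-Credential -Message 'Account with rights to add a DC') `
        -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
        -AllowPasswordReplicationAccountName @($BranchGroup) `
        -DenyPasswordReplicationAccountName $PrivGroups `
        -Force
}

# --- Part 2: run later from an admin workstation to verify the result --------
# Confirms the DC really is read-only and shows the PRP that is in effect.
function Show-RodcPolicy {
    param([string]$RodcName = 'SCRANTON-RODC01')

    $dc = Get-ADDomainController -Identity $RodcName
    if (-not $dc.IsReadOnly) {
        throw "$RodcName is a writeable DC, not an RODC"
    }
    Write-Host "$($dc.HostName) is read-only in site $($dc.Site)"

    Write-Host "`nAllowed to cache:"
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
        Select-Object Name, ObjectClass

    Write-Host "`nDenied from caching:"
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied |
        Select-Object Name, ObjectClass
}

# The defender's check: which accounts' secrets are physically present on the
# RODC right now. If the server is ever stolen, these are exactly the accounts
# whose passwords must be reset; everything else in the domain is unaffected.
function Get-RodcRevealedAccounts {
    param([string]$RodcName = 'SCRANTON-RODC01')

    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Usage (Part 2, after the branch server has rebooted and replicated in):
#   Show-RodcPolicy -RodcName 'SCRANTON-RODC01'
#   Get-RodcRevealedAccounts -RodcName 'SCRANTON-RODC01' | Format-Table
```

The design choice worth noting is the PRP: with an empty Allowed list the RODC behaves exactly as the post describes, holding no passwords at all, but every branch logon is then forwarded over the WAN to a writeable DC. Adding only the branch group to the Allowed list lets those users authenticate locally while the Denied list guarantees that administrative credentials are never cached on the exposed server, and the revealed-accounts query tells you precisely what to reset if the box disappears.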

The RODC can be the branch office users’ new best friend.

Author: Mark Menges

