Deploying Read-Only Domain Controllers

As a systems administrator, your job is to employ the most efficient and secure solutions to your organization. You’ll want to stay in-the-know about industry best-practices, or you could put your organization (and your career) at risk. One best-practice prevalent in the IT field is the deployment of read-only domain controllers into your Active Directory Domain Services (AD DS) forest.

What is a read-only domain controller?

In AD DS, a read-only domain controller (RODC) is just like a normal domain controller (DC) in that it provides authentication services to users and computers in an AD DS domain. The difference is that a DC holds writable files containing sensitive data, such as passwords, about all users and computers throughout the domain. The key word here is *writable*, meaning that changes made on a DC will impact the entire domain. An RODC, on the other hand, stores read-only data about a subset of users and computers in the domain which it has been authorized to authenticate.

The benefit of incorporating RODCs can be summed up by one word: SECURITY! Security should always be a top priority for any IT professional. RODC implementation provides a more secure alternative for providing local authentication in branch locations. Writable DCs would be located at a company’s headquarters or main offices, where physical security of all systems is strong. RODCs are typically deployed in branch office locations where system security may be less reliable. Because only a partial, read-only copy of the database is stored on an RODC, the entire AD DS database would not be vulnerable to an attack by a hacker.

An Example Scenario: When to Deploy an RODC

Employees at one of your organization’s overseas branch offices are experiencing unreasonably slow logins. The solution, of course, would be to deploy a new DC to provide authentication locally so that authentication requests do not have to travel over a wide-area network to the main office DC. An RODC is perfect for this case because it can provide fast local authentication without creating unnecessary vulnerability. A hacker could still access some data, but the resulting damage would be relatively insignificant. If a hacker got a hold of the data on a writeable DC, they could change security settings and effectively hijack the entire organization! RODCs help to avoid this type of disaster. Let’s walk through how to setup an RODC.

Prerequisites for deploying RODCs

The following requirements must be met before deploying RODCs:

  • Forest functional level must be at least Windows Server 2003.
  • At least one writable domain controller that runs Windows Server 2008 or later must be installed in the same domain.

*For more information, see Prerequisites for Deploying an RODC.

How to Install an RODC using the GUI in Windows Server 2012

RODC deployment is surprisingly easy, thanks to the mighty installation wizard. Here are the steps:

  1. On the Server Manager dashboard, click Add Roles and Features. Run through the Add Roles and Features wizard as you normally would when configuring a server as a domain controller.

2. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration page, select Add a domain controller to an existing domain. Next to the Domain field, click Select.

3. In the Windows Security dialog box, type your username and password, and then click OK.

4. In the Select a domain from the forest dialog box, click the name of the desired domain, then click OK.

5. On the Deployment Configuration page, click Next.

6. In the Type the Directory Services Restore Mode (DSRM) password section, type your password in both text boxes, then click Next.

7. On the DNS Options page, click Next.

8. On the Additional Options page, click Next.

9. On the Paths page, accept the default folders, and then click Next.

10. On the Review Options page, click Next.

*Note: On the Review Options page, you will see a View Script button. Click this button to view the Windows PowerShell script that the wizard generates. You can save this script and also edit it for automation of this entire RODC installation process. (If you’re into that sorta thing.) In a later post, I will discuss the topic of using PowerShell scripts to perform repetitive and bulk operations automatically- or, as my colleagues and I say, automagically! I digress…

11. On the Prerequisites Check page, ensure that there are no warning messages, and then click Install.

…And now, we wait. The wizard will now install your RODC. This will only take a few minutes.When the installation completes successfully, you will need to restart your computer.

Congratulations! You have now deployed your first RODC, one of many best-practice implementations that will set you apart as an exemplary sysadmin! I hope that from now on, you’ll consider whether or not it is necessary to deploy a full DC and, if not, deploy an RODC instead. A wise sysadmin once asked, “To RODC, or not to RODC?”… a wise sysadmin indeed.

Signing off ’til next time… Happy Systems Administrating!