Step by Step Implementation of Read Only Domain Controllers

The read-only domain controller (RODC) feature was first introduced in Windows Server 2008. The main purpose of the RODC is the secure deployment of a domain controller in remote branches and offices where it is hard to physically secure an AD DS role server. The RODC holds a read-only copy of the Active Directory database. This means that nobody can change data in AD (including resetting the domain admin password) by tampering with the RODC, even with physical access to the domain controller host: the RODC never accepts writes and never replicates outbound, and the password hashes of privileged accounts are never stored on it.

In this article, we'll look at how to install a new Read-Only domain controller based on Windows Server 2022/2019 and how to manage it.

Contents:

  • What is a Read-Only Domain Controller (RODC) in Active Directory?
  • Installing RODC Using Server Manager GUI
  • Deploying a Windows Server Read-Only DC with PowerShell
  • RODC Password Replication Policy and Credential Caching

What is a Read-Only Domain Controller (RODC) in Active Directory?

Here are the main differences between an RODC and a regular writable domain controller (RWDC):

  1. The RODC maintains a read-only copy of the AD database, so clients of this domain controller cannot make changes to it (write attempts are referred to a writable DC);
  2. The RODC doesn't replicate AD data or the SYSVOL folder to other domain controllers (RWDC); replication is one-way, inbound only;
  3. The RODC maintains a full copy of the AD database except for the password hashes of AD objects (these are only replicated for the accounts its Password Replication Policy allows) and some other attributes containing sensitive information. This set of attributes is called the Filtered Attribute Set (FAS). Attributes like ms-PKI-AccountCredentials, ms-FVE-RecoveryPassword, ms-PKI-DPAPIMasterKeys, etc. are included in it. You can add other attributes to this set, such as local administrator passwords stored in cleartext in the ms-Mcs-AdmPwd attribute when using legacy LAPS;
  4. If the RODC receives an authentication request from a user whose credentials are not cached, it forwards the request to an RWDC;
  5. The RODC can cache the credentials of selected users (this speeds up authentication and lets those users authenticate on the domain controller even when there is no connection to an RWDC);
  6. You can delegate administrative and RDP access to the RODC to non-admin users (for example, to branch SysOps) without granting them any rights in the domain;
  7. The DNS service on the RODC is read-only (clients sending dynamic DNS updates are referred to a writable DNS server).
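The Filtered Attribute Set mentioned in item 3 is controlled by the searchFlags attribute of each attributeSchema object (bit 0x200, RODC_FILTERED). The following is an added example, not code from the original article, that lists the attributes currently in the FAS and adds the legacy LAPS attribute ms-Mcs-AdmPwd to it. It assumes you are a member of Schema Admins, that the Active Directory PowerShell module is installed, and it also sets the CONFIDENTIAL bit (0x80) as Microsoft recommends for secrets; attributes flagged as system-critical (schemaFlagsEx bit 0x1) cannot be filtered and are rejected.

```powershell
# Added example: manage the RODC Filtered Attribute Set (FAS) via searchFlags.
# Assumptions: run as Schema Admin; the AD module is available; the attribute name
# ms-Mcs-AdmPwd is the legacy LAPS password attribute.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster                       # schema changes must go to the schema master
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$RODC_FILTERED = 0x200   # searchFlags bit: never replicated to any RODC
$CONFIDENTIAL  = 0x80    # searchFlags bit: readable only with the Control Access right

function Get-FilteredAttributeSet {
    # LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803) on searchFlags
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$RODC_FILTERED))" `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

function Add-AttributeToFAS {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, schemaFlagsEx
    if (-not $attr) { throw "Attribute $LdapDisplayName not found in the schema" }
    # system-critical attributes (needed by AD DS, LSA, SAM) cannot be added to the FAS
    if (([int]$attr.schemaFlagsEx -band 0x1) -ne 0) { throw "$LdapDisplayName is system-critical and cannot be filtered" }
    $newFlags = [int]$attr.searchFlags -bor $RODC_FILTERED -bor $CONFIDENTIAL
    if ($newFlags -ne [int]$attr.searchFlags) {
        Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $newFlags }
    }
    $newFlags
}

'Attributes already in the FAS:'
Get-FilteredAttributeSet | Format-Table -AutoSize
Add-AttributeToFAS -LdapDisplayName 'ms-Mcs-AdmPwd'
```

Run Get-FilteredAttributeSet again afterwards to confirm the attribute shows up; the change replicates to all DCs, and an attribute that was already replicated to an RODC before it was filtered stays there until the object is rewritten, so add attributes to the FAS before the first RODC is deployed where possible.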

Requirements for deploying a Read-Only Domain Controller:

  • A static IP address has to be assigned to the server;
  • Windows Firewall has to be disabled or, preferably, configured correctly to pass traffic between DCs and clients;
  • The nearest RWDC must be specified as the DNS server;
  • You can install the RODC both on Windows Server with the Desktop Experience (full GUI) and on Windows Server Core;
  • You shouldn't place the RODC in the same AD site as an RWDC.
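The requirements above can be checked on the future RODC host before promotion. This is an added example, not code from the original article; it reuses the article's domain name woshub.com and RWDC name MUN-DC01.woshub.com as assumptions, and uses only the NetTCPIP and DnsClient modules that ship with Windows Server. The port list covers what a DC needs to reach its replication partner; RPC also uses the dynamic port range (49152-65535), which is not probed here.

```powershell
# Added example: pre-flight checks for the RODC requirements (static IP, DNS pointing
# at the RWDC, DC locator record resolvable, firewall path to the RWDC).
# Assumptions: domain woshub.com and RWDC MUN-DC01.woshub.com are taken from the article.
function Test-RodcPrerequisites {
    param(
        [string]$DomainName = 'woshub.com',
        [string]$WritableDC = 'MUN-DC01.woshub.com'
    )
    $results = [ordered]@{}

    # 1. Static IPv4 address: PrefixOrigin 'Manual' means not assigned by DHCP
    $ipv4 = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
    $results['StaticIP'] = @($ipv4 | Where-Object PrefixOrigin -eq 'Manual').Count -gt 0

    # 2. DNS client must point at the RWDC (compare configured resolvers with its A record)
    $dcAddr     = @((Resolve-DnsName -Name $WritableDC -Type A -ErrorAction Stop).IPAddress)
    $dnsServers = @((Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }).ServerAddresses)
    $results['DnsPointsToRWDC'] = @($dnsServers | Where-Object { $dcAddr -contains $_ }).Count -gt 0

    # 3. The DC locator SRV record must resolve, otherwise promotion cannot find a source DC
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $results['DcLocatorSrvRecord'] = [bool]$srv

    # 4. Firewall / WAN path: TCP ports a new DC needs towards its replication source
    $ports = [ordered]@{ Kerberos = 88; RpcEndpointMapper = 135; LDAP = 389; SMB = 445; LDAPS = 636; GlobalCatalog = 3268 }
    foreach ($p in $ports.GetEnumerator()) {
        $results["Port_$($p.Key)_$($p.Value)"] =
            Test-NetConnection -ComputerName $WritableDC -Port $p.Value -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]$results
}

$check = Test-RodcPrerequisites
$check | Format-List
if ($check.PSObject.Properties.Value -contains $false) {
    Write-Warning 'At least one prerequisite failed; fix it before running Install-ADDSDomainController.'
}
```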

Installing RODC Using Server Manager GUI

Open the Server Manager console and add the Active Directory Domain Services role (agree to install all additional components and management tools).

installing Active Directory Domain Services role windows 2016

When you specify the settings for the new DC, check the Add a domain controller to an existing domain option, specify the domain name and, if necessary, the credentials of a user account with domain administrator privileges.

add additional RODC to an existing domain

Specify that the DNS server, global catalog (GC), and Read only domain controller (RODC) capabilities must be installed. Then select the site where the new controller will be located, and set the Directory Services Restore Mode (DSRM) password.

mark DC as RODC

Next, specify the user or group to whom you want to delegate administrative access to the domain controller, and the list of accounts/groups whose passwords are allowed or denied from replicating to the RODC (you can also do this later).

RODC - delegate administrator, password replicate policies

Specify that the AD database can be replicated from any DC:

Replicate from -> Any domain controller

DC replicate settings

Then specify the paths to the NTDS database, logs, and SYSVOL folder (you can move them to another drive later if necessary).

ntds and sysvol paths

After you have reviewed all options, you can install the AD DS role.

review rodc settings

Alternatively, you can deploy the RODC using a staged installation. It consists of pre-creating the RODC computer account in the ADUC console and doing the basic setup there. To do this, right-click the Domain Controllers container and select Pre-create a read-only domain controller account.

pre create read only dc in active directory

When you then install the AD DS role on a server with the same name as the pre-created account, the following message will appear:

A Pre-created RODC account that matches the name of the target server exists in the directory. Choose whether to use this existing RODC account or reinstall this domain controller.

Select the Use existing RODC account option to use the pre-created RODC object.

use existing rodc account when deploying new domain controller

After completing the role installation and restarting the server, you will have a working RODC. You can then check the health of the domain controller.
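The health check mentioned above, as an added example that is not part of the original article. It assumes the RODC is named MUN-RODC01 (the name the article uses for its staged deployment) and that it is run from a host with the RSAT AD DS tools. Besides the usual dcdiag/repadmin output it verifies the two properties that make an RODC an RODC: IsReadOnly is set and there are no outbound replication partners.

```powershell
# Added example: post-installation verification of an RODC.
# Assumptions: RODC name MUN-RODC01 (from the article); RSAT AD DS tools installed locally.
Import-Module ActiveDirectory

function Test-RodcHealth {
    param([string]$Rodc = 'MUN-RODC01')
    $dc = Get-ADDomainController -Identity $Rodc

    $inbound  = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound)
    $outbound = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Outbound)

    [pscustomobject]@{
        Name             = $dc.HostName
        IsReadOnly       = $dc.IsReadOnly          # must be True
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        Site             = $dc.Site
        # each inbound partner with the time of the last successful pull and its failure streak
        InboundPartners  = ($inbound | ForEach-Object {
                               "$($_.PartnerAddress) last=$($_.LastReplicationSuccess) fails=$($_.ConsecutiveReplicationFailures)"
                           }) -join '; '
        # an RODC never replicates outbound, so this must be 0
        OutboundPartners = $outbound.Count
        # number of accounts whose secrets are currently cached on this RODC
        CachedSecrets    = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts).Count
    }
}

$health = Test-RodcHealth
$health | Format-List
if (-not $health.IsReadOnly -or $health.OutboundPartners -ne 0) {
    Write-Warning 'This DC is not behaving as a read-only replica.'
}

# the classic tools work against an RODC as well
dcdiag /s:MUN-RODC01 /q
repadmin /showrepl MUN-RODC01
```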

When the ADUC snap-in (dsa.msc) connects to the RODC, all the buttons for creating new AD objects are greyed out. Also, you cannot change the attributes of AD objects on a read-only domain controller. All other actions in the Active Directory console, including search, work as usual.

greyed out buttons in ADUC

Deploying a Windows Server Read-Only DC with PowerShell

To deploy a new RODC using PowerShell, first install the AD DS role together with the Active Directory PowerShell module and the management tools:

Install-WindowsFeature AD-Domain-Services,RSAT-AD-PowerShell,RSAT-AD-AdminCenter,RSAT-ADDS-Tools

Now you can promote the server to an RODC:

Install-ADDSDomainController -ReadOnlyReplica -DomainName woshub.com -SiteName MUN_Branch1_RO_Site -InstallDns:$true -NoGlobalCatalog:$false -Credential (Get-Credential)

The cmdlet prompts for the DSRM password and asks you to confirm the operation; when the promotion completes, it restarts the server automatically (add -NoRebootOnCompletion if you want to reboot later yourself).

List the DCs in your domain using the Get-ADDomainController cmdlet from the Active Directory PowerShell module:

Get-ADDomainController -Filter * | Select-Object Name,IsReadOnly

The IsReadOnly attribute value for a read-only domain controller must be True.

To list all RODCs in your domain, run:

Get-ADDomainController -Filter { IsReadOnly -eq $true }

If you want to pre-create the RODC computer account first (staged deployment), use this command:

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName MUN-RODC01 -DomainName woshub.com -DelegatedAdministratorAccountName "woshub\mbak" -SiteName MUN_Branch1_RO_Site

Then, when promoting the Windows Server host with that name to a DC, use the command:

Install-ADDSDomainController -DomainName woshub.com -Credential (Get-Credential) -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -ReplicationSourceDC "MUN-DC01.woshub.com" -UseExistingAccount

You cannot use PowerShell to change the attributes of AD objects when connecting to an RODC: the RODC answers write operations with an LDAP referral to a writable DC, and the Active Directory module cmdlets do not follow it. If you want to change the attributes of an object from a site with an RODC, specify the address of the closest RWDC using the -Server parameter available in Set-ADUser, Set-ADComputer, New-ADUser, and the other PowerShell cmdlets.
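Rather than hard-coding the RWDC name, a script running in the branch can ask the DC locator for the nearest writable DC and target it with -Server. This is an added example, not code from the original article; it assumes the branch site name MUN_Branch1_RO_Site from the article, and the user account j.doe is hypothetical.

```powershell
# Added example: perform a write from a site that only has an RODC by discovering
# the closest writable DC and passing it to -Server.
# Assumptions: site name from the article; user 'j.doe' is hypothetical.
Import-Module ActiveDirectory

function Get-NearestWritableDC {
    # default: the site this host is in (on a branch host the locator returns the RODC, whose .Site is the branch site)
    param([string]$SiteName = (Get-ADDomainController -Discover).Site)
    # -Writable excludes RODCs; -NextClosestSite falls back to the closest site that has a
    # writable DC (the RODC site has none); -ForceDiscover bypasses the locator cache
    $dc = Get-ADDomainController -Discover -Writable -SiteName $SiteName -NextClosestSite -ForceDiscover
    ($dc.HostName | Select-Object -First 1)
}

function Set-UserDescriptionViaRwdc {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$Description)
    $rwdc = Get-NearestWritableDC
    # without -Server this call would be sent to the RODC and fail with an LDAP referral
    Set-ADUser -Identity $Identity -Description $Description -Server $rwdc
    # read back from the same DC: the RODC only shows the change after its next inbound replication
    Get-ADUser -Identity $Identity -Properties Description -Server $rwdc | Select-Object Name, Description
}

Set-UserDescriptionViaRwdc -Identity 'j.doe' -Description 'Branch user' -Verbose
```

If the branch needs the change visible on its RODC immediately, Sync-ADObject (shown later in this article for pre-populating passwords) can also be used without -PasswordOnly to replicate a single object from the RWDC to the RODC.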

RODC Password Replication Policy and Credential Caching

On each RODC you can specify a list of users, computers, and servers whose password hashes are allowed to or denied from replicating to this domain controller. This list is the Password Replication Policy (PRP) of the RODC.

All users, computers, and servers whose passwords are stored in the RODC cache will be able to authenticate to this domain controller, even if there is no connection to an RWDC.

By default, two new domain local security groups are created in the domain:

  • Allowed RODC Password Replication Group
  • Denied RODC Password Replication Group

By default, the first group is empty, and the second one contains the privileged security groups and accounts whose passwords must never be replicated to or cached on an RODC, so that they are not exposed if the RODC is compromised. By default, the following are included in the denied set:

  • Group Policy Creator Owners
  • Domain Admins
  • Cert Publishers
  • Enterprise Admins
  • Schema Admins
  • The krbtgt account
  • Account Operators
  • Server Operators
  • Backup Operators

(Account Operators, Server Operators and Backup Operators are listed directly in each RODC's denied list rather than as members of the Denied RODC Password Replication Group.)

Denied RODC Password Replication Group

The Allowed RODC Password Replication Group typically includes the users (and computers) at the branch office where the RODC is located.

If you are deploying multiple RODCs in a domain, it is best to create separate allow groups for each RODC instead of using the domain-wide Allowed group, so that a compromised RODC exposes only the accounts of its own branch. You can bind the groups to an RODC on the Password Replication Policy tab of the RODC computer account properties in the ADUC console.

RODC - configure password replication policy
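The per-RODC group setup just described, as an added example that is not part of the original article. It creates a dedicated allow and deny group for the RODC, fills the allow group with the enabled users and computers of the branch OU, and binds both groups to the RODC's PRP. The RODC name MUN-RODC01 and the branch OU OU=MUN_Branch1,DC=woshub,DC=com come from the article; the group names and the OU the groups are created in are assumptions.

```powershell
# Added example: dedicated Password Replication Policy groups for one RODC.
# Assumptions: RODC MUN-RODC01 and branch OU from the article; group names and
# the OU=RODC-Groups container are this example's own.
Import-Module ActiveDirectory

function New-RodcPrpGroups {
    param(
        [string]$Rodc     = 'MUN-RODC01',
        [string]$GroupOU  = 'OU=RODC-Groups,DC=woshub,DC=com',
        [string]$BranchOU = 'OU=MUN_Branch1,DC=woshub,DC=com'
    )
    $allowed = "PRP-$Rodc-Allowed"
    $denied  = "PRP-$Rodc-Denied"

    foreach ($name in $allowed, $denied) {
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                        -Path $GroupOU -Description "Password replication policy for $Rodc"
        }
    }

    # Branch users AND computers: without the computer secrets, workstations cannot
    # authenticate against the RODC when the WAN link to the RWDC is down.
    $members  = @(Get-ADUser -SearchBase $BranchOU -Filter 'Enabled -eq $true') +
                @(Get-ADComputer -SearchBase $BranchOU -Filter 'Enabled -eq $true')
    $existing = @((Get-ADGroupMember -Identity $allowed).DistinguishedName)
    $new      = @($members | Where-Object { $existing -notcontains $_.DistinguishedName })
    if ($new.Count -gt 0) { Add-ADGroupMember -Identity $allowed -Members $new }

    # Bind the groups to the RODC's PRP (stored in msDS-RevealOnDemandGroup / msDS-NeverRevealGroup
    # on the RODC computer object). Adding a group that is already present would error out.
    $curAllowed = @((Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name)
    $curDenied  = @((Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name)
    if ($curAllowed -notcontains $allowed) { Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $allowed }
    if ($curDenied  -notcontains $denied)  { Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList  $denied }

    [pscustomobject]@{
        RODC    = $Rodc
        Allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name -join ', '
        Denied  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name  -join ', '
    }
}

New-RodcPrpGroups | Format-List
```

Deny always wins over allow in the PRP, so the default Denied RODC Password Replication Group and the built-in operator groups stay in effect even when a branch user is added to the allow group.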

In the Advanced Password Replication Policy for <RODC_name> dialog, you can view:

  • Accounts whose passwords are stored on this Read-Only Domain Controller – a list of users and computers whose passwords are cached on this RODC
  • Accounts that have been authenticated to this Read-Only DC – a list of users and computers that have authenticated through this read-only domain controller, whether or not their passwords were cached

advanced password replication policy for read-only dc

On the Resultant Policy tab, you can select a user or computer account and check whether its password will be cached on the RODC.

You can manage RODC groups using PowerShell. List the members of an AD group:

Get-ADGroupMember -Identity "Denied RODC Password Replication Group" | ft Name, ObjectClass

Add all enabled users from a specific Active Directory Organizational Unit (OU) to the RODC allow group:

Get-ADUser -SearchBase 'OU=MUN_Branch1,DC=woshub,DC=com' -Filter 'Enabled -eq $true' | ForEach-Object { Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $_ -Confirm:$false }

To pre-populate the RODC password cache with the users from that OU (so that they can log on even if the WAN link fails before their first authentication), use the following PowerShell script:

$users = Get-ADUser -SearchBase 'OU=MUN_Branch1,DC=woshub,DC=com' -Filter 'Enabled -eq $true'
foreach ($user in $users) {
    # -PasswordOnly replicates only the secret attributes of the object from the RWDC to the RODC;
    # it fails for any account that the RODC's Password Replication Policy does not allow
    Sync-ADObject -Object $user -Source MUN-DC01 -Destination MUN-RODC01 -PasswordOnly
}

You can list the users and computers whose passwords are in the RODC cache:

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity MUN-RODC01 -RevealedAccounts

You cannot remove the cached password of a specific user from the RODC. However, you can invalidate the cached secret by resetting the user's password via the ADUC snap-in or with the Set-ADAccountPassword PowerShell cmdlet. If the RODC itself is lost or compromised, delete its computer account in ADUC: the deletion wizard offers to reset the passwords of all user and computer accounts that were cached on that RODC.
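A periodic audit should confirm that nothing privileged has ended up in the RODC cache. The following is an added example, not code from the original article: it lists the revealed accounts of the RODC MUN-RODC01 (name from the article) and flags those that are protected by AdminSDHolder (adminCount=1) or that are members of a group in the RODC's denied list, then shows the password-reset step from the paragraph above as a function you call for each flagged account. The Reset-RodcRevealedSecret helper is this example's own.

```powershell
# Added example: audit the secrets cached on an RODC and invalidate privileged ones.
# Assumptions: RODC MUN-RODC01 (from the article); the helper function names are this example's own.
Import-Module ActiveDirectory

function Get-RodcRevealedPrivileged {
    param([string]$Rodc = 'MUN-RODC01')

    # every principal that is (transitively) covered by the RODC's denied list
    $deniedEntries = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    $deniedMembers = @(foreach ($entry in $deniedEntries) {
        if ($entry.ObjectClass -eq 'group') { (Get-ADGroupMember -Identity $entry -Recursive).DistinguishedName }
        else { $entry.DistinguishedName }
    })

    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        ForEach-Object {
            $acct = Get-ADObject -Identity $_.DistinguishedName -Properties adminCount
            [pscustomobject]@{
                Name        = $_.Name
                ObjectClass = $_.ObjectClass
                # adminCount=1: the account is or was a member of a protected (privileged) group
                AdminCount  = [int]$acct.adminCount
                InDeniedSet = $deniedMembers -contains $_.DistinguishedName
            }
        } | Where-Object { $_.AdminCount -eq 1 -or $_.InDeniedSet }
}

function Reset-RodcRevealedSecret {
    # Resetting the password invalidates the cached hash on every RODC; the new secret is
    # only replicated to an RODC again if that RODC's PRP allows the account.
    param([Parameter(Mandatory)][string]$Identity)
    $newPassword = Read-Host -AsSecureString -Prompt "New password for $Identity"
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPassword
}

$flagged = @(Get-RodcRevealedPrivileged)
$flagged | Format-Table -AutoSize
foreach ($f in $flagged) {
    Write-Warning "Privileged account $($f.Name) ($($f.ObjectClass)) has its secret cached on MUN-RODC01; run Reset-RodcRevealedSecret -Identity '$($f.Name)' and find out how it got into the allow list."
}
```

A privileged account showing up here is a policy failure to investigate, not just a cache to flush: either the account was added to an allow group, or it is missing from the denied set, and the reset alone does not fix the policy.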

Source: http://woshub.com/deploying-read-domain-controller-windows-server-2016/
