Tag Archives: RODC

Password Replication in RODC

In the last two posts I explained the benefits of an RODC and how to deploy one. If you haven't read them yet, you can find them at the following links:

Why Read-only domain controllers (RODC) ?
Step-by-Step guide to install Read-Only Domain Controller (RODC)

One of the great features of an RODC environment is password replication. We can decide which account passwords are cached on the RODC and which accounts must still be authenticated by a writable domain controller. Domain administrator accounts, for example, do not need to be cached on the RODC; for security it is always safer to authenticate them against a writable DC. So if a domain administrator logs in at the RODC site, we can have the system forward the authentication request or service ticket request to the writable domain controller.

Microsoft made this easy by introducing the Password Replication Policy (PRP) for RODCs. By default the system creates a domain-wide password replication policy based on two domain local security groups.

Allowed RODC Password Replication Group: Members of this group are allowed to have their passwords cached on the RODC. By default this group has no members.

Denied RODC Password Replication Group: Members of this group are denied password caching on the RODC. Security-critical groups such as Administrators, Server Operators, Backup Operators and Account Operators are members of this group by default.

One of the biggest mistakes administrators make is to only allow/deny user accounts. Computers themselves also send authentication and service ticket requests, so make sure you add the computer accounts to these lists as well.

How to configure the RODC password replication policy (PRP)?

1) Log in to a writable domain controller with a domain administrator account
2) Open the "Active Directory Users and Computers" snap-in via Server Manager > Tools > Active Directory Users and Computers
3) Go to the "Domain Controllers" OU

prp1

4) Select the RODC you need to configure the PRP for, then right-click it and click Properties.

prp2

5) In the properties window click on the "Password Replication Policy" tab

prp3

6) There we can see the two groups I mentioned above.

prp4

7) We can add users and computers to these groups. To do so, double-click the group. Here I will use the "Allowed RODC Password Replication Group".

prp5

8) To add users/computers to the group, click on the Members tab and click Add.

prp6

9) Once the users/computers are added, click "OK" to apply the changes.
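The same PRP change can be made from PowerShell with the ActiveDirectory module, which also makes it easy to add computer accounts alongside user accounts and to review the resulting allow and deny lists. This is an added example, not code from the original post; the RODC name RODC01 and the branch user and computer names are placeholders, and the script is meant to be run on a writable DC as a domain administrator.

```powershell
# Added example (not from the original post): configure the PRP of one RODC with the
# ActiveDirectory module instead of the ADUC GUI. Run on a writable DC as a domain admin.
# Assumptions: the RODC is named RODC01; the branch account names below are placeholders.
Import-Module ActiveDirectory

$Rodc = 'RODC01'   # placeholder RODC name, not from the post

# Accounts that should be cached on this RODC. Note the computer accounts: a branch
# workstation authenticates too, and if its secret is not cached, every logon from it
# still goes over the WAN to a writable DC. Computer SAM account names end in '$'.
$BranchUsers     = @('USERA')                          # placeholder user account
$BranchComputers = @('LONDON-PC01$', 'LONDON-PC02$')   # placeholder computer accounts

# Put them on the allow list of this particular RODC
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList ($BranchUsers + $BranchComputers)

# Review the resulting lists. If an account is on both, the deny list wins, which is why
# the built-in Denied RODC Password Replication Group keeps Administrators, Server
# Operators, Backup Operators and Account Operators off the RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, ObjectClass

# Sanity check: no member of Domain Admins should appear directly on the allow list
$AllowedDns = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).DistinguishedName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $AllowedDns -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Domain Admin $($_.SamAccountName) is on the allow list of $Rodc" }
```

The allow list set here applies only to the RODC named in -Identity; adding accounts to the domain-wide "Allowed RODC Password Replication Group" instead applies to every RODC in the domain.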

Policy Usage Reports and Pre-Populate Credential Caching

Microsoft provides an easy reporting method where we can check the status of password replication. To use it, follow these steps.

1) Log in to a writable domain controller with a domain administrator account
2) Open the "Active Directory Users and Computers" snap-in via Server Manager > Tools > Active Directory Users and Computers
3) Go to the "Domain Controllers" OU
4) Select the RODC you need to configure the PRP for, then right-click it and click Properties.
5) In the properties window click on the "Password Replication Policy" tab
6) Click on the "Advanced" button

prp7

7) The drop-down list there offers two options:

Accounts Whose Passwords Are Stored On This Read-Only Domain Controller: This option lists all the user and computer accounts whose passwords are currently cached on the RODC.

Accounts That Have Been Authenticated To This Read-Only Domain Controller: This option lists the user and computer accounts whose authentication and service ticket requests were forwarded to a writable domain controller. This is a good place to identify the user and computer accounts that still need to be added to the allow list for password caching.

prp8

Let's assume that in the PRP we allowed USER A to have his credentials cached on the RODC. They will not be cached right away; the RODC caches the credentials once the user makes his first authentication request to it. But Microsoft gives us the opportunity to pre-populate the cache, so that when the user logs in for the first time his password is already cached on the RODC.

To use this feature click on the "Pre-Populate Passwords…" button in the same Advanced window.

prp9

It will open a window where you can select the accounts you need. Once they are selected, the following information window pops up. Click Yes to accept the changes.
Before doing this, make sure you have already put that user/computer account on the allow list for password caching.
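Both reports and the pre-population step are also available from PowerShell, which is handy when the RODC is remote and you want to check the cache regularly. This is an added example, not code from the original post; RODC01, DC01 and USERA are placeholder names. The effective-policy helper is my own addition: the ActiveDirectory module only exposes the raw allow and deny lists, so the helper expands group membership itself, mirroring the GUI's "Resultant Policy" check, and applies the rule that deny wins over allow.

```powershell
# Added example (not from the original post): the two "Advanced" reports and the
# "Pre-Populate Passwords" action done with PowerShell. Run on a writable DC as a domain admin.
# Assumptions: RODC01 is the RODC, DC01 is a writable DC, USERA is the account to pre-populate.
Import-Module ActiveDirectory

$Rodc       = 'RODC01'   # placeholder names, not from the post
$WritableDc = 'DC01'
$Account    = 'USERA'

# Report 1: accounts whose passwords are currently stored on the RODC
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# Report 2: accounts that authenticated through this RODC (forwarded to a writable DC).
# Anything here that is missing from Report 1 is either a candidate for the allow list
# or something sensitive logging on at the branch that should stay uncached.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# Helper (own addition): what the RODC's PRP decides for one principal, groups expanded.
function Get-EffectivePrpDecision {
    param([string]$RodcName, $Principal)
    function Expand-PrpList($List) {
        foreach ($p in $List) {
            $p.DistinguishedName
            if ($p.ObjectClass -eq 'group') {
                (Get-ADGroupMember -Identity $p.DistinguishedName -Recursive).DistinguishedName
            }
        }
    }
    $allow = Expand-PrpList (Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed)
    $deny  = Expand-PrpList (Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied)
    if ($deny  -contains $Principal.DistinguishedName) { return 'Deny' }   # deny always wins
    if ($allow -contains $Principal.DistinguishedName) { return 'Allow' }
    return 'Deny'   # listed nowhere: the RODC will not store the secret
}

# Pre-populate only if the PRP allows it, the same caveat as in the GUI procedure
$Target = Get-ADUser -Identity $Account   # use Get-ADComputer for a computer account
if ((Get-EffectivePrpDecision -RodcName $Rodc -Principal $Target) -ne 'Allow') {
    throw "$Account is not allowed by the PRP of $Rodc; add it (or its group) to the allow list first."
}

# Replicate just the password from the writable DC to the RODC, nothing else
Sync-ADObject -Object $Target -Source $WritableDc -Destination $Rodc -PasswordOnly

# Confirm it now shows up in Report 1
$revealed = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts).DistinguishedName
if ($revealed -contains $Target.DistinguishedName) { "Password for $Account is cached on $Rodc" }
```

Running Report 2 periodically and comparing it with Report 1 gives a simple audit of who is actually logging on at the branch, and flags any privileged account that turns up there unexpectedly.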

prp10

If you have any questions please feel free to contact me on rebeladm@live.com

Step-by-Step guide to install Read-Only Domain Controller (RODC)

In the previous post I explained what an RODC is and its benefits. If you have not read it yet, you can find it here.

Before installing an RODC in a domain environment, the following requirements need to be met:

  • The forest functional level must be Windows Server 2003 or higher
  • At least one writable domain controller must be running Windows Server 2008 or higher

If the forest has any DC running Windows Server 2003, we need to adjust the permissions on the DNS application directory partitions to allow them to replicate to the RODC. This is done by running adprep /RODCprep from the \support\adprep folder of the Windows Server 2012 installation disk.

In my demo setup I have a domain called contoso. Before starting, let's check the forest functional level.

  • To do that, log in to the DC as a domain admin and open "Server Manager"
  • Then from Tools click on "Active Directory Domains and Trusts"

rodc1

  • Right-click the domain and select "Properties"

rodc2

As we can see here, it runs at the Windows Server 2012 R2 level, so we do not need to prepare the domain with adprep /RODCprep.

rodc3

To install the RODC I have a freshly installed Windows Server 2012 R2 server that is already joined to the domain. (I am not going to explain how to join it to the domain here, as I have explained how to add a server to a domain in my previous posts.)

rodc4

  • To begin the setup, first make sure you log in to the server as a domain administrator.
  • Open "Server Manager" and from the dashboard window click on "Add roles and features"

rodc5

  • It will open the wizard; click "Next" to continue.

rodc6

  • In the next window select "Role-based or feature-based installation" and click Next

rodc7

  • In the next window the current server is selected by default; click Next to continue

rodc8

  • In the next window tick "Active Directory Domain Services"; a pop-up will list the required features. Click "Add Features" to continue and then "Next"

rodc9

  • In the next window we leave the default features selected; click Next to continue

rodc10

  • The next window gives a brief description of AD DS; click Next to continue

rodc11

  • The next window asks for confirmation; click "Install" to begin the role installation

rodc12

  • Once the installation is done, open "Server Manager" and click on "AD DS"

rodc13

  • Then in the right-hand panel click "More" as shown in the image

rodc14

  • It will open a window; click on the option "Promote this server to a domain controller"

rodc15

  • It will open the configuration wizard. Here we keep the default selection and click Next to continue

rodc16

  • In the next window make sure to select the option "Read only domain controller (RODC)" and also type a Directory Services Restore Mode password. Click Next to continue

rodc17

  • In the next window we can select which groups/users are allowed password caching, which groups/users are denied caching, and the delegated administrator account. For now we keep the default selection.

rodc18

  • In the next window we can define which DC the replication should be done from.

rodc19

  • The next window gives the option to change the folder paths. Here we keep the defaults; click Next to continue.

rodc20

  • The next window lets us review the installation selections; click Next to continue.
  • In the next window the system checks whether all prerequisites for the installation are met. Click Install to begin the installation

rodc21

  • Once the installation is done, the system will reboot automatically.

rodc22

This completes the installation of the RODC in the domain. In the next post we will look into configuring the RODC with different policies.
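The whole procedure above, from checking the prerequisites to promoting the server, can be scripted with the ADDSDeployment module, which is useful when several branch RODCs have to be built the same way. This is an added example and not from the original post. It assumes the domain is contoso.com (the post only names it "contoso"), that DC01 is the writable source DC, that an AD site called London exists, and that the allow, deny and delegated admin group names are placeholders you would replace with your own; it runs on the new, domain-joined member server as a domain administrator.

```powershell
# Added example (not from the original post): unattended RODC deployment with ADDSDeployment.
# Assumptions (placeholders): domain contoso.com, writable DC DC01.contoso.com, AD site London,
# and the CONTOSO\London ... groups used for the PRP and delegated administration.

# Prerequisite checks from the post: forest functional level Windows Server 2003 or higher,
# and at least one writable DC on Windows Server 2008 or higher.
Import-Module ActiveDirectory
$forest = Get-ADForest
"Forest functional level: $($forest.ForestMode)"
Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    Select-Object HostName, OperatingSystem, Site

# Step 1: install the AD DS role binaries ("Add roles and features" in the wizard)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Step 2: promote the server as an RODC. -SiteName and -DomainName are required for an RODC
# promotion; the PRP and the delegated administrator are set here instead of later in ADUC.
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -ReadOnlyReplica `
    -SiteName 'London' `
    -ReplicationSourceDC 'DC01.contoso.com' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -AllowPasswordReplicationAccountName @('CONTOSO\London Branch Users', 'CONTOSO\London Branch Computers') `
    -DenyPasswordReplicationAccountName  @('BUILTIN\Administrators', 'BUILTIN\Server Operators',
                                           'BUILTIN\Backup Operators', 'BUILTIN\Account Operators',
                                           'CONTOSO\Denied RODC Password Replication Group') `
    -DelegatedAdministratorAccountName 'CONTOSO\London IT Staff' `
    -Force
# The server reboots when the promotion finishes, as in the wizard.

# After the reboot, from any DC: confirm the new server shows up as a read-only DC
# Get-ADDomainController -Filter { IsReadOnly -eq $true } | Select-Object HostName, Site, IsReadOnly
```

Keeping the deny list explicit in the script, rather than relying only on the defaults, means the RODC's PRP is the same on every branch server you build and is visible in version control next to the rest of the deployment.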

Why Read-only domain controllers (RODC) ?

In an enterprise-level network it is common to have an HQ (headquarters) and branch office network. These branch offices may need to connect to HQ resources for their operations. Most of the time this kind of setup uses WAN links to connect the branch offices with the HQ network. Let's assume we have a company called ABC whose HQ is located in Toronto, Canada. Due to expansion it needs to open a branch office in London, UK, so the requirement is more complicated as it spans two different countries. The users in the London office still need to authenticate to the company domain and access its resources. Let's look at some of the difficulties and challenges faced with this kind of typical setup.

Lack of Resources

Connecting HQ with a branch site requires a secure, reliable connection. But these connections typically come at a high cost, and even then the links are mostly 128kb, 256kb, 512kb and so on. If users in the branch site authenticate to the company AD, the WAN link carries all the authentication, resource access and similar traffic. As the number of users in the branch site increases, the link utilization just for AD activities increases too. Also, since the sites are in different geographical locations with different ISPs, many factors affect the reliability of the link. What happens if the WAN link goes down on a critical business day? The solution is to deploy AD in the branch site, but that opens up a whole different range of concerns and problems.

Security Risks

Even though a branch office DC speeds up authentication and resource access, it opens up potential security risks to the network. Some companies have fully secure datacenter facilities in their branch sites as well, but the majority cannot afford such investments. As we know, a regular DC keeps critical data about users, resource authentication and so on. What if the branch office DC gets compromised or stolen? It will affect the entire company network's operations, and sometimes this kind of incident can cost the company millions of dollars.

Management

If we host a branch site DC, it will typically require maintenance from time to time: deploying a failover DC, upgrading hardware, site-link changes, user credential changes and so on. So sometimes the company may need to keep an IT department running in the branch office, which increases the company's operating costs. Also, since the branch DC is integrated directly with the main domain environment, any change triggered on the branch office DC directly affects the entire domain environment.

So what is the answer then?

With Windows Server 2008 Microsoft introduced the Read-Only Domain Controller feature specifically to address the difficulties companies face in this kind of branch site scenario.

Read-Only!!!!

As its name says, it is by default a read-only copy of the company's main DC, so changes made on the branch site RODC will not affect DC operations. Basically it keeps a read-only copy of the directory data in the branch DC, and once it receives an authentication request it can be handled at the RODC instead of going over the WAN link.

Password Replication Policy (PRP)

We can also control this "credential caching" at a detailed level using the Password Replication Policy. It lets us define which users and groups need credential caching on that particular RODC. For example, let's assume we have another branch in India. The users in the India office will never log in from the London office, so why should we cache credential information for the India office users on the London office RODC? This also improves the security of the DC: if one branch office RODC is compromised, it only holds a limited part of the DC's data.

In Windows Server 2012 we can configure this using the two security groups created during RODC setup. According to Microsoft they are as follows:

Allowed RODC Password Replication Group: Members of this group are placed in the Allow list of the Password Replication Policies of all RODCs by default. This group has no members when Windows Server 2012 is first installed.

Denied RODC Password Replication Group: Members of this group are placed in the Deny list of the Password Replication Policies of all RODCs by default. Its members include Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group itself.

Local Administrators Group

Sometimes the branch offices need IT support for their users, either from local IT staff or from an outsourced IT company. In a typical DC environment, a user needs domain admin rights or delegated permissions to do this maintenance. But with an RODC we can define local administrator accounts that get full control over the RODC itself while still not affecting the parent DC setup.
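The delegated RODC administrator is recorded in the managedBy attribute of the RODC's computer object, so it can be set or changed after deployment without re-promoting the server. This is an added example and not code from the original post; RODC01 and the group CONTOSO\London IT Staff are placeholders, and it is run on a writable DC by a domain administrator.

```powershell
# Added example (not from the original post): delegate local administration of one RODC to a
# branch IT group without giving that group any rights in the rest of the domain.
# Assumptions (placeholders): the RODC is RODC01 and the branch group is 'London IT Staff'.
Import-Module ActiveDirectory

$Rodc        = 'RODC01'
$BranchAdmin = Get-ADGroup -Identity 'London IT Staff'   # placeholder group

# Before: who (if anyone) is currently the delegated administrator of this RODC
$rodcObject = Get-ADComputer -Identity $Rodc -Properties ManagedBy
"Current delegated admin: $($rodcObject.ManagedBy)"

# Set the delegated administrator. Only the RODC's own local administration is delegated;
# membership of Domain Admins or other domain groups is not changed.
Set-ADComputer -Identity $Rodc -ManagedBy $BranchAdmin.DistinguishedName

# Verify, and check the branch group is not also on the RODC's allow list, so its members'
# passwords are not cached on the very server they administer.
$after   = Get-ADComputer -Identity $Rodc -Properties ManagedBy
$allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).DistinguishedName
"Delegated admin is now: $($after.ManagedBy)"
if ($allowed -contains $BranchAdmin.DistinguishedName) {
    Write-Warning "$($BranchAdmin.Name) is on the PRP allow list of $Rodc as well as being its delegated admin"
}
```

Keeping the delegated admin group off the RODC's allow list means that a stolen RODC does not also yield the credentials of the people who manage it.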

In the next post we will look into the configuration of an RODC.