Last Updated on October 15, 2014 by Dishan M. Francis
In enterprise-level networks it is common to have a head office (HQ) plus one or more branch offices. The branch offices need to reach HQ resources for their day-to-day operations, and most of the time this kind of setup uses WAN links to connect each branch office with the HQ network. Let's assume we have a company called ABC with its HQ in Toronto, Canada. Due to expansion it needs to open a branch office in London, UK. The requirement is more complicated than usual because the two offices are in two different countries.
The users in the London office still need to authenticate against the company domain and access its resources. Let's look at some of the difficulties and challenges a typical setup of this kind faces.
Lack of Resources
To connect HQ with a branch site a secure, reliable connection is required, and such connections typically come at a high cost. Even at that cost the links are mostly low-bandwidth: 128 Kbps, 256 Kbps, 512 Kbps and so on. If users in the branch site authenticate against the company AD, every authentication, resource access and similar request crosses the WAN link, and as the number of users in the branch grows, the link utilization spent purely on AD activity grows with it. Also, since the two sites are in different geographical locations and use different ISPs, many factors affect the reliability of the link. What happens if the WAN link goes down on a critical business day? The obvious answer is to deploy a DC in the branch site, but that opens a whole different set of concerns and problems.
Although a branch office DC speeds up authentication and resource access, it exposes the network to new security risks. Some companies have fully secured datacenter facilities at their branch sites as well, but the majority cannot afford such an investment. A regular (writable) DC keeps critical data about every user and resource in the domain, including the password hashes of every account. What if the branch office DC is compromised or stolen? Whoever holds that database can attack every account in the company, so a single stolen box affects the entire company's network operations, and an incident of this kind can cost a company millions of dollars.
A branch site DC also needs maintenance from time to time: deploying a failover DC, upgrading hardware, site-link changes, user credential changes and so on. So the company may need to keep an IT department running at the branch office, which increases operating cost. And since the branch DC is a fully writable member of the domain, any change made on it, whether accidental or malicious, replicates out and directly affects the entire domain environment.
So what is the answer?
With Windows Server 2008 Microsoft introduced the Read-Only Domain Controller (RODC) feature specifically to address the difficulties companies face in this kind of branch site scenario.
As the name says, an RODC holds a read-only copy of the domain database. It receives all objects and attributes from the writable DCs, but by default it does not store account passwords or other secrets, it accepts no writes of its own, and replication is one-way: nothing that happens on the branch RODC can replicate back and affect the rest of the domain. Write requests from branch users, such as a password change, are referred to a writable DC. Lookups and logons are served locally where possible: when the RODC receives an authentication request for a user whose credentials it is allowed to cache, it authenticates the user itself without touching the WAN link; otherwise it forwards the request to a writable DC at HQ and, if the policy allows, caches the credentials for next time.
Password Replication Policy (PRP)
We can control this credential caching in detail using the Password Replication Policy (PRP), which defines which users and groups are allowed to have their credentials cached on a particular RODC and which are explicitly denied. For example, let's assume we have another branch in India. The users in the India office will never log in from the London office, so why should the London RODC cache credential information for India office users? Restricting the policy this way also improves the security of the directory: if a branch office RODC is compromised it only holds the secrets of the accounts its PRP allowed, and those are the only passwords that have to be reset. Privileged accounts are denied by default and should stay that way.
In Windows Server 2012 the policy is configured with two security groups that are created in the domain when it is prepared for RODCs. According to Microsoft they are as follows:
Allowed RODC Password Replication Group : Members of this group are placed in the Allow list of the Password Replication Policies of all RODCs by default. This group has no members when Windows Server 2012 is first installed.
Denied RODC Password Replication Group: Members of this group are placed in the Deny list of the Password Replication Policies of all RODCs by default. The default Deny list also contains Administrators, Server Operators, Backup Operators and Account Operators, and the Deny list takes precedence when an account appears on both lists.
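Here is an added example (not part of the original post) showing how the PRP is read, changed and audited from PowerShell with the ActiveDirectory module, and what to do with the revealed-accounts list if a branch RODC is ever stolen. The domain name, the RODC name LON-RODC01 and the groups "London Users" and "India Users" are assumed; replace them with your own.

```powershell
# Added example (not from the original post): manage and audit the Password
# Replication Policy of a branch-office RODC with the ActiveDirectory module.
# Assumed names (hypothetical): RODC LON-RODC01, groups "London Users" and
# "India Users". Run from a machine with RSAT as an account that may edit the PRP.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for the random password generator below

$Rodc = 'LON-RODC01'

# 1. Which DCs in the domain are read-only?
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IPv4Address

# 2. Show the current policy. Out of the box the Allow list holds only
#    "Allowed RODC Password Replication Group"; the Deny list holds
#    "Denied RODC Password Replication Group", Administrators, Server Operators,
#    Backup Operators and Account Operators. Deny wins over Allow.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# 3. Cache only London users on the London RODC and explicitly deny India users.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'London Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList  'India Users'

# 4. Audit. "Revealed" = secrets this RODC actually holds right now, i.e. the
#    exposure if the box is stolen. "Authenticated" = accounts that have logged
#    on through it; those that are authenticated but not revealed are still
#    crossing the WAN and are candidates for the Allow list.
$Revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$Authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
"Secrets cached on $Rodc : $($Revealed.Count)"
$Authenticated | Where-Object { $_.DistinguishedName -notin $Revealed.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName

# 5. Sanity check: no Domain Admin should ever be revealable on a branch RODC.
$DomainAdmins = @(Get-ADGroupMember 'Domain Admins' -Recursive)
$Leak = $Revealed | Where-Object { $_.SID -in $DomainAdmins.SID }
if ($Leak) { "WARNING: privileged secrets cached on $Rodc : $($Leak.SamAccountName -join ', ')" }

# 6. Incident response for a stolen/compromised RODC: invalidate every user
#    secret it held by setting a random password and forcing a change at next
#    logon, then remove the RODC computer object from the domain. Computer
#    accounts in $Revealed need their machine password reset from the machine
#    side (Reset-ComputerMachinePassword) or a domain rejoin.
foreach ($acct in ($Revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    $new = [System.Web.Security.Membership]::GeneratePassword(20, 4)
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset `
        -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
    Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
}
# Remove-ADComputer -Identity $Rodc   # uncomment once the box is confirmed gone
```

Step 4 is the one to schedule: the revealed list is the only thing an attacker gains from the stolen hardware, so keep it as short as the branch's logon pattern allows, and treat anything privileged showing up in step 5 as a misconfiguration to fix immediately.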
Local Administrators Group
Sometimes branch offices need local IT support for their users, either from local IT staff or from an outsourced IT company. On a normal DC, doing maintenance requires the user to hold Domain Admin rights or delegated permissions, because a DC has no local accounts of its own: its administrators are the domain's administrators. On an RODC we can instead define local administrators (Microsoft calls this Administrator Role Separation) who get full control over that RODC server, for patching, hardware and backups, while gaining no rights on the writable DCs or anywhere else in the domain.
In the next post we will look at the configuration of an RODC.
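As an added example (not from the original post), this is how the delegation is done and verified from PowerShell. The RODC name LON-RODC01, the domain NetBIOS name ABC and the group LondonIT are assumed; the managedBy approach is the one Microsoft documents for a single principal, and the ntdsutil "local roles" command is shown for the case where several principals or other local roles are needed.

```powershell
# Added example (not from the original post): delegate local administration of
# a branch RODC to the branch IT team without giving them any domain rights.
# Assumed names (hypothetical): RODC LON-RODC01, domain ABC, group LondonIT.
Import-Module ActiveDirectory

$Rodc     = 'LON-RODC01'
$BranchIT = Get-ADGroup 'LondonIT'

# Option A: set managedBy on the RODC computer object. The principal named
# there is treated as a local administrator of that RODC and nothing more.
Set-ADComputer -Identity $Rodc -ManagedBy $BranchIT.DistinguishedName
Get-ADComputer -Identity $Rodc -Properties ManagedBy | Select-Object Name, ManagedBy

# Option B: ntdsutil "local roles" (run on the RODC or connected to it). This
# allows several principals and the other built-in local roles, and "list roles"
# shows what is currently delegated.
ntdsutil "local roles" connections "connect to server $Rodc" quit `
         "add ABC\LondonIT administrators" "list roles" quit quit

# Let the delegated admins log on locally even when the WAN is down: their
# secrets must be cacheable on this RODC, so put the group on its Allow list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchIT

# Verify the group did not pick up domain-wide rights by some other route.
$Members = @(Get-ADGroupMember $BranchIT -Recursive)
foreach ($g in 'Domain Admins', 'Administrators', 'Server Operators', 'Account Operators') {
    $hit = @(Get-ADGroupMember $g -Recursive) | Where-Object { $_.SID -in $Members.SID }
    if ($hit) { "WARNING: $($hit.SamAccountName -join ', ') is also in $g" }
}
```

The last loop matters because the whole point of role separation is lost if the branch group is nested, directly or indirectly, into one of the domain's privileged groups; the Deny list would then keep their passwords off the RODC, but they would still be able to make domain-wide changes from the writable DCs.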