RODC Facts Flashcards
Administrator Role Separation (ARS)
The ARS feature allows RODCs to provide a secure mechanism for granting non-administrative domain users the right to log on to a domain controller without jeopardizing the security of Active Directory Domain Services (AD DS).
This allows the domain user to perform local administrative tasks such as installing drivers or security updates. Keep in mind:
The domain user doesn’t have any user rights for the entire domain or any other domain controllers in the domain. This minimizes the risk to the security of the entire domain and prevents the domain user from accidentally modifying Active Directory.
To initially configure the administrator role separation feature for a RODC, you must be a member of the Domain Admins group.
All local built-in administrator accounts can be configured through ARS, including backup operators and server operators.
Unidirectional replication
An RODC supports only unidirectional replication. This means that it solely performs inbound replication. The benefits of unidirectional replication are:
Writable domain controllers that are replication partners don’t pull changes from the RODC.
No changes originate at the RODC because no changes are written directly by the RODC.
Any changes or corruption that a malicious user might make at branch locations can’t replicate from the RODC to the rest of the forest.
Workload reduction for bridgehead servers in the hub and reduced effort required to monitor replication.
Unidirectional replication has the following limitations:
An RODC can’t act as a bridgehead server because bridgehead servers replicate changes from other sites.
RODCs can’t be a source domain controller for any other domain controller.
Read-only data
Other than account passwords, an RODC contains all of the AD DS objects and attributes that a writable domain controller contains. Lightweight Directory Access Protocol (LDAP) applications can be redirected to a writable domain controller in a hub site when changes need to be made to Active Directory objects.
Password replication
Password replication allows a writable domain controller to replicate user or computer credentials to an RODC. These credentials are then cached so that the RODC can perform authentication without contacting a writable domain controller.
To understand how password replication and credential caching work, it’s helpful to understand the RODC authentication process:
A workstation sends a logon request to the RODC.
The RODC forwards the logon request to a writable Windows Server domain controller, which authenticates the request and returns the result (either positive or negative) to the RODC.
The RODC sends the result to the workstation.
The RODC asks the writable domain controller to replicate the user’s credentials to its replica of the Active Directory database.
The writable domain controller checks the password replication policy to see whether the RODC is permitted to cache the credentials for the user. The following occurs:
When the user’s account is on the allowed list, the writable domain controller allows replication of the account credentials to the RODC.
At the same time that the writable domain controller sends the credentials requested by the RODC, it writes the distinguished name of the user’s account to the msDS-RevealedList attribute of the RODC computer account, creating a record that the user’s credentials are cached on the RODC.
The RODC stores the user’s credentials in the appropriate attributes of the user account in the Active Directory database. The next time this user tries to log on, the RODC won’t have to contact the writable domain controller because it cached the user account credentials. It uses the cached credentials to grant or deny authentication.
An RODC still performs password validation forwarding when a user presents a password that doesn’t match the credentials cached on the RODC.
When the WAN link to a writable domain controller is not available and the password for a computer account is not cached, a user in the branch office can’t log on to the computer because the workstation can’t retrieve the service ticket for that computer account. When the WAN is offline but the credentials are cached, authentication can still be granted locally.