DC Secure Topology Question (2008 functional level)

Posted on 2011-10-12
Last Modified: 2012-05-12
So, I had a thought, relating to security of an AD network.  Particularly to the prevention of malicious people creating backdoor accounts.

What would happen if I had 3 sites (one for each physical building).

Site 1 (primary site):
Full domain controller, private subnet, ONLY reachable by other DCs (layer 2/3/4 ACLs)
RODC, public subnet, reachable by local users

Site 2:
RODC, public subnet, reachable by local users

Site 3:
RODC, public subnet, reachable by local users

The replication would be between each RODC and the RWDC.  The RWDC, of course, is where IT staff would connect to create/modify accounts.

My question comes to bear mostly on my lack of understanding of what you can and cannot do on an RODC.  If a user is completely unable to reach a RWDC, can they still change their passwords on expiry (or anything else that a user may need to do)?  In implementation there would obviously be more than one RWDC for availability, but for simplicity there is one in this example.
Question by: lunanat
    LVL 15

    Assisted Solution

    Hi there,

    From my understanding, if an RWDC is offline/not available to an RODC then password changes fail, as do many other operations, since an RODC can only replicate with an RWDC.

    Link below has more answers.

    Specifically (copied directly from the link above):


    Can an RODC replicate to other RODCs?

    No, an RODC can only replicate from a writable Windows Server 2008 domain controller. In addition, two RODCs for the same domain in the same site do not share cached credentials. You can deploy multiple RODCs for the same domain in the same site, but it can lead to inconsistent logon experiences for users if the WAN to the writeable domain controller in a hub site is offline. This is because the credentials for a user might be cached on one RODC but not the other. If the WAN to a writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user’s credentials cached, then the logon attempt will fail.

    What operations fail if the WAN is offline, but the RODC is online in the branch office?

    If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:

        Password changes

        Attempts to join a computer to a domain

        Computer rename

        Authentication attempts for accounts whose credentials are not cached on the RODC

        Group Policy updates that an administrator might attempt by running the gpupdate /force command

    LVL 24

    Accepted Solution

    RODCs also participate in normal AD DS replication, so connection objects must be created between RODCs and other domain controllers. Because RODCs have read-only copies of the AD DS database, the KCC will only create a single one-way connection object from a domain controller with a writable copy of the database to the RODC. The RODC can only pull changes from other domain controllers; it can never be configured as a replication source.

    RODC replication is also limited by which domain controllers can be direct replication partners. RODCs can replicate all AD DS partitions except the domain partition from Windows Server 2003 domain controllers. RODCs can also replicate all partitions from another Windows Server 2008 domain controller, but they must replicate the domain partition from a domain controller running Windows Server 2008, meaning that each RODC must have a connection object with a Windows Server 2008 domain controller holding a writable copy of the database for the RODC's domain. It also means that when you upgrade a domain from Windows Server 2003, the first Windows Server 2008 domain controller cannot be an RODC.

    From a technical/deployment perspective, there isn't anything stopping you from deploying 2 RODCs from the same domain into the same site.  But there are definitely some important gotchas to remember:

    1.  RODCs don't replicate out to anyone, so that means they don't replicate out to each other either.  Therefore, from a replication perspective, each server will still replicate in from a full, upstream DC.

    2.  Replicated passwords are part of #1. This is important.  If I'm a user in a site, and the site has 2 RODCs from my domain in it, but only one of them has my password cached, then if the WAN link goes offline and I try to log on, Murphy's Law says that DCLocator will find the "other" RODC for me (which does not have my password cached).  In this case, auth will fail, and I will be an unhappy user.  You, as the AD admin, will catch a boatload of flak for this flagrant violation of our SLA.

    Refer this KB article for more details:
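The failure mode both answers describe (a user's credentials cached on one RODC in a site but not on the other, plus the rule that an RODC only ever pulls and never appears as a replication source) can be checked from an admin workstation. The script below is an added example and is not from the thread, the linked KB article, or Microsoft; it assumes the ActiveDirectory RSAT PowerShell module (Get-ADReplicationConnection needs the 2012-era module and AD Web Services on a reachable writable DC), and the site name `Site1` and the `$Prepopulate` switch are placeholders for this illustration.

```powershell
# Added example, not part of the thread. Assumes the ActiveDirectory PowerShell
# module (RSAT; Get-ADReplicationConnection needs the 2012+ module) and that the
# workstation can reach a writable DC running AD Web Services. 'Site1' and the
# $Prepopulate switch are placeholders/assumptions for this illustration.
Import-Module ActiveDirectory

$SiteName    = 'Site1'   # assumption: branch site with more than one RODC
$Prepopulate = $false    # set to $true to actually push passwords to the RODCs

# A writable DC to use as the source for any password prepopulation.
$Rwdc = (Get-ADDomainController -Discover -Writable -Service ADWS).HostName | Select-Object -First 1

# 1. RODCs in the site. IsReadOnly is what distinguishes an RODC object.
$rodcs = Get-ADDomainController -Filter * |
    Where-Object { $_.IsReadOnly -and $_.Site -eq $SiteName }
if (@($rodcs).Count -lt 2) {
    Write-Warning "Fewer than two RODCs in $SiteName; nothing to compare."
}

# 2. Which accounts each RODC has actually cached (the 'revealed' list).
#    This list decides whether a logon succeeds when the WAN is down.
$cached = @{}
foreach ($rodc in $rodcs) {
    $cached[$rodc.Name] = @(
        Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
            Select-Object -ExpandProperty SamAccountName
    )
}

# 3. Accounts cached on one RODC in the site but not on another: these are the
#    users whose offline logon depends on which RODC DCLocator hands them.
$union = $cached.Values | ForEach-Object { $_ } | Sort-Object -Unique
foreach ($rodc in $rodcs) {
    $missing = @($union | Where-Object { $cached[$rodc.Name] -notcontains $_ })
    if ($missing.Count -eq 0) {
        "{0}: all {1} site-cached accounts are present" -f $rodc.Name, @($union).Count
        continue
    }
    Write-Warning ("{0} is missing cached credentials for: {1}" -f $rodc.Name, ($missing -join ', '))

    if ($Prepopulate) {
        foreach ($sam in $missing) {
            # Prepopulation only succeeds for accounts the RODC's Password
            # Replication Policy allows (e.g. members of
            # "Allowed RODC Password Replication Group"); denied accounts throw.
            try {
                Sync-ADObject -Object (Get-ADUser -Identity $sam) -Source $Rwdc `
                              -Destination $rodc.HostName -PasswordOnly -ErrorAction Stop
                "  prepopulated {0} on {1}" -f $sam, $rodc.Name
            } catch {
                Write-Warning ("  could not prepopulate {0} on {1}: {2}" -f $sam, $rodc.Name, $_.Exception.Message)
            }
        }
    }
}

# 4. Topology sanity check: every RODC should have inbound connection objects
#    from writable DCs and must never appear as a replication source itself.
$conns = Get-ADReplicationConnection -Filter *
foreach ($rodc in $rodcs) {
    $ntds     = "CN=NTDS Settings,CN=$($rodc.Name),"   # prefix of the RODC's NTDS Settings DN
    $inbound  = @($conns | Where-Object { $_.ReplicateToDirectoryServer   -like "$ntds*" })
    $outbound = @($conns | Where-Object { $_.ReplicateFromDirectoryServer -like "$ntds*" })

    $sources = $inbound | ForEach-Object {
        # the second RDN of the source NTDS Settings DN is the source DC's name
        (($_.ReplicateFromDirectoryServer -split ',')[1]) -replace '^CN='
    }
    "{0}: {1} inbound connection(s) from {2}" -f $rodc.Name, $inbound.Count, ($sources -join ', ')

    if ($outbound.Count -gt 0) {
        Write-Warning "$($rodc.Name) appears as a replication SOURCE in $($outbound.Count) connection object(s); an RODC should never be one."
    }
}
```

Run it with `$Prepopulate = $false` first to see the gap between the two RODCs; the policy that decides who may be cached at all is visible with `Get-ADDomainControllerPasswordReplicationPolicy -Identity <rodc> -Allowed` and `-Denied`. Note that prepopulating is a deliberate choice: every account cached on an RODC is an account whose secret is exposed if that branch server is stolen, which is the trade-off the original question's topology is trying to manage.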

    LVL 1

    Author Closing Comment

    RODCs forwarding password changes to the RWDCs is exactly what I wanted to know, clearly explained in both comments.
