Solved

PRO/CON Read Only Domain Controller

Posted on 2014-01-03
9
3,711 Views
Last Modified: 2014-01-08
Hello EE,
We currently have an environment setup where we have a parent forest
bergquistcompany.com

and a child domain where we have a domain controller at each of our 6 branch offices.
Each has its own subnet and users log in locally.  All DNS is replicated.

I am wondering rather than having full DCs at each branch if we were to leave corporate as a full DC and the branches all read only what are the pros/cons?  Recommended?  Not Recommended and why?
0
Comment
Question by:bergquistcompany
9 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39754155
What is the physical security like at the branch offices?  RODCs are meant to help with security.  You generally only see them in locations where physical security is not that great.   RODCs really haven't taken off  like some thought they would.



Thanks

Mike
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 250 total points
ID: 39754168
See Answers below...

PROs
- Great for enhancing physical security (read only)
- Easy to Manage
- If Primary DC goes down users will still be able to function within their site
- Group Membership Caching (which allows you to specify users you want to cache passwords to the RODC)

CONs
- You cannot have Exchange hosted in a site with a RODC (needs r/w DC)
- Passwords are still sent back to a writable DC for authentication
- If R/W DC is down users in remote sites will not be able to update passwords
- If you have 2003 DCs in your environment, you require a 2008 DC to be the replicating partner for the RODC

More detail on Authentication process for RODC - http://technet.microsoft.com/en-us/library/cc753459(WS.10).aspx

Will.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 250 total points
ID: 39754531
There are many considerations on whether to deploy an RODC or not.
Personally, I do not recommend RODCs, for the reasons below.

First of all, what is the link speed from your branch locations to the main office?
The reason for asking this question: if the bandwidth is low, you should not put up an RODC, as there is still one replication from the R/W DC to the RODC (one way).

How many users do you have in each branch office?
MS says it is recommended for few users (not sure exactly how many; at one point MS was saying up to 100 users, but now that document cannot be found, please try to find it).
http://technet.microsoft.com/en-us/library/cc732801(v=ws.10).aspx

Are the users accessing all applications in the main office only (Hub and Spoke technology)?
Because in most cases small branch offices do not contain application servers, and a read-only GC will not help in most cases for apps that require GC lookups.
In that case, if the WAN link goes down, there is no use in whether the user is able to log on with RODC cached credentials, as the same functionality can be achieved through enabling cached logon, and it is actually enabled by default (10 for XP and 25 for Win7, hopefully).
If internet is available, the user can still access webmail over the internet.
An RODC requires a 2008 R/W DC in order to receive updates, and for any user \ computer to log on for the first time through the RODC, it must be able to communicate with the R/W DC first for fetching and caching its credentials.
It means that if the WAN link is down, those users cannot log on for the first time directly through the RODC.
There is an option called prepopulating user passwords on the RODC, but this is an extra step.
Also, if you want to cache credentials for users, you must add them to the allowed password replication group on the RODC.
Moreover, you must add the client computer accounts to that group as well; otherwise the computer password is not cached on the RODC and those computers cannot log in in case of link failure.
This will unnecessarily increase administrative overheads.

Now, if a user leaves the organization, you must remove their account from the allowed password replication group and also reset their password so that it gets cleared from the RODC cache.
If a user wants to reset their password, it still requires communicating with the R/W DC through the RODC, meaning that if the link is down the user cannot reset their password.
In the case of computers of resigned employees, they won't get cleared from the RODC cache unless you reset their password in Active Directory with the netdom utility. This is a situation I faced in 2010; I don't know if MS has changed that behaviour now.

There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it—or the new password is prepopulated on the RODC—and if the PRP has not been changed.
http://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx

In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.

Lastly, MS recommends an RODC if you have less security in the branch:
I assume that in branches where physical security is less, no one puts up production servers, since all applications probably remain in the hub location.

Finally, in my opinion one should try to avoid deploying domain controllers at multiple locations as far as possible, unless you have genuine requirements.
Also, in the case of branch offices having few users, you can avoid DCs and allow them to authenticate over the WAN, as a WAN failure is as good as stopping their work anyway.
This will keep your AD environment up to date by avoiding corruption \ latency \ manageability issues.
RODCs have more administrative overheads.

Mahesh
0
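The PRP housekeeping Mahesh describes (who is allowed to be cached, who actually is, off-boarding a leaver, and the full reset after a compromised RODC) as an added PowerShell example; it is not code from the thread. The RODC name BRANCH1-RODC and any account names are placeholders, and it assumes the RSAT ActiveDirectory module run from a workstation with rights to manage the RODC and reset passwords.

```powershell
# Added example, not from the thread. Audit and remediate what an RODC caches.
# Assumes: RSAT ActiveDirectory module; BRANCH1-RODC is a placeholder RODC name.
Import-Module ActiveDirectory

$Rodc = 'BRANCH1-RODC'   # placeholder

# 1. Password Replication Policy: who MAY be cached on this RODC.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# 2. Who actually IS cached ("revealed") right now. This list, not the PRP,
#    is the exposure if the box is stolen, so review it regularly.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# 3. Accounts that authenticated through the RODC but are not cached: candidates
#    for the allowed list. Include the client COMPUTER accounts too, as the thread
#    notes, or those machines cannot log on when the WAN link is down.
$authOnly = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName }

function New-RandomPassword {
    # Throw-away random value; the user will be forced through a proper reset anyway.
    ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
}

# 4. Off-boarding: removing the PRP entry alone leaves the cached hash valid in
#    the branch. A reset at a writable DC nulls it on the next replication cycle.
function Invoke-RodcOffboard {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Remove-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $SamAccountName -Confirm:$false
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (New-RandomPassword)
}

# 5. Compromise response: reset every cached user; list cached computers for a
#    machine-password reset (netdom resetpwd on the host) or a domain rejoin.
function Invoke-RodcCompromiseReset {
    $cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    foreach ($acct in $cached) {
        if ($acct.ObjectClass -eq 'user') {
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword (New-RandomPassword)
            Write-Host "Reset user $($acct.SamAccountName)"
        } else {
            Write-Warning "Cached computer $($acct.SamAccountName): reset its machine password or rejoin it"
        }
    }
}
```

Run step 5 before rebuilding the RODC, and the krbtgt_<RODC> account is already separate per RODC, so it is removed with the RODC object rather than reset here.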
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39755786
0
 

Author Comment

by:bergquistcompany
ID: 39759578
@Mahesh - I like how they say "few" users.  

Can you elaborate on this as I'm unclear on your statement:
Are the users accessing all applications in the main office only (Hub and Spoke technology)?
Because in most cases small branch offices do not contain application servers, and a read-only GC will not help in most cases for apps that require GC lookups.
In that case, if the WAN link goes down, there is no use in whether the user is able to log on with RODC cached credentials, as the same functionality can be achieved through enabling cached logon, and it is actually enabled by default (10 for XP and 25 for Win7, hopefully).

They have a local file server but it may eventually be centralized.  Are you saying if users access the main office only they need a GC domain controller? Or are you saying the RODC is not relevant, as if a line goes down they can't access the data outside their PC anyway?

How about DHCP?  We have a different DHCP subnet at each site so we would need something at the branch to give out DHCP locally as all users get DHCP.  Can this be RODC or does it need a R/W DC?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39759625
You can have the DHCP role installed on the RODC server. There are, however, possible issues after installing the DHCP role and starting the service, as it cannot write back to the DCs. You need to create the domain local groups first and then add the DHCP role to the server. From there you can use RSAT (Remote Server Administration Tools) to manage the RODC in the branch office.

Will.
0
 

Author Comment

by:bergquistcompany
ID: 39759709
Then will the branch offices' DHCP information need to be configured on the R/W DC, as now each site's DHCP is unique to that site, and I'm wondering how that will work for configuring it?

I am assuming once it's in that it will work the same way: DHCP assigned locally, however any changes will need to be done at the R/W side, or can it be kept at the branch?

I.e.
100.100.x.x branch 1
100.200.x.x branch 2
100.300.x.x branch 3
0
 

Author Comment

by:bergquistcompany
ID: 39759730
Also I read somewhere about the limitations of applications that require LDAP, and I'm concerned, if we roll this out, how common is it that 3rd-party apps won't work?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39759920
What I mean to say is: if all applications \ infrastructure servers are centralized at the hub location (main site), then in case the WAN link goes down, branch users will not be able to access those applications, whether you put an RODC at the branches or not.
If you have placed your applications on the internet (web based) and the branch has internet connectivity, then they can access them even if the WAN link goes down.
As pointed out earlier by other experts, AD-integrated applications such as Exchange do frequent GC lookups with AD and require an R/W DC.
You can ask your 3rd-party AD-integrated application vendors about GC requirements.
An RODC will help only in case you have file servers in the branches: if the link is down, users can still access the branch file servers with the help of the RODC, as a Kerberos ticket must be presented to the file server before you access it, and the RODC can issue that ticket to clients since it can authenticate users through cached credentials.
But you can make branch file server data available offline, so in case the link is down they can still work offline, and as the link is restored, the data will get synchronized with the server data.

Lastly, note that an RODC is simply a read-only copy of the AD database (and DNS as well); your DHCP can't modify DNS records on the RODC, and DNS dynamic update through DHCP will also not work unless you set DHCP credentials or use the DNSUpdateProxy group.
Check the article below for more info.
http://msmvps.com/blogs/acefekay/archive/2011/12/07/dns-on-a-read-only-domain-controller-rodc.aspx

Also check the thread below on the same topic:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27321553.html
If you could post the user base per site, it would help, please.

Hope that helps

Mahesh
0
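The "set DHCP credentials" option Mahesh mentions for dynamic DNS updates from a branch DHCP server that sits next to an RODC (and the DHCP-on-RODC setup Will describes), as an added PowerShell example that is not code from the thread. BRANCH1-DHCP and the service account CHILD\svc-dhcp-dns are placeholders; it assumes the Windows Server 2012 or later DhcpServer module and that the service account has already been created as an ordinary, non-privileged domain user.

```powershell
# Added example, not from the thread. Give the branch DHCP server its own
# least-privilege account for dynamic DNS updates instead of DnsUpdateProxy.
# Assumes: DhcpServer module (Server 2012+); BRANCH1-DHCP and CHILD\svc-dhcp-dns
# are placeholders; the account exists and is a plain domain user.
Import-Module DhcpServer

$DhcpServer = 'BRANCH1-DHCP'   # placeholder; may be the RODC itself
$Cred = Get-Credential -UserName 'CHILD\svc-dhcp-dns' -Message 'DHCP dynamic DNS update account'

# With credentials set, DHCP registers records as this account against a writable
# DNS server, and the records are owned by the account, not by the server.
# Putting a DC-hosted DHCP server in DnsUpdateProxy instead would leave every
# record that DC registers (including its own SRV records) without an owner.
Set-DhcpServerDnsCredential -Credential $Cred -ComputerName $DhcpServer

# Register A and PTR on behalf of clients, and clean them up when leases expire,
# so stale branch records do not accumulate on the writable zone.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true `
    -NameProtection $false

# Verify what the server will use from now on.
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer
```

The service account only needs the default right to create and update records in the zone; it should not be a member of DnsAdmins or any DC-related group.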
