Solved

DC replacement with RODC and BranchCache

Posted on 2014-02-10
Medium Priority
981 Views
Last Modified: 2014-02-24
We have many AD sites and, for security reasons, I have to implement an RODC on each site.
There are already existing DCs which I have to decommission and remove, and use an RODC instead.
What could be a good strategy to achieve this?
The same goes for BranchCache: some sites have weak connectivity; I'd like to deploy that for them.
Are there any security concerns about BranchCache which should be taken care of?
Thank you for the help.
Question by:DukewillNukem
6 Comments
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39846768
What is the server OS?

If it's Windows Server 2012:

Hosted cache servers that are running Windows Server 2012 encrypt all data in the cache by default, so the use of additional encryption technologies is not required.

Please go through the link below for more information.
https://social.technet.microsoft.com/wiki/contents/articles/14309.branchcache-frequently-asked-questions.aspx


RODC recommendations:

http://technet.microsoft.com/en-us/library/cc771744(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd734758(v=ws.10).aspx

Author Comment

by:DukewillNukem
ID: 39846772
They're all 2008 R2, luckily.
Would you recommend upgrading to 2012 first?
LVL 38

Expert Comment

by:Mahesh
ID: 39846781
First of all, you need to decommission the existing R/W DC from the branch.
Then you can promote a new RODC with either the prestage method or the normal method.
Once the RODC is promoted, you need to assign a user account as RODC local administrator (Manager) from the RODC server account properties, so that the user account has delegated rights on the RODC for normal server management.

Also, there is an allowed password replication group on the RODC; here you need to add branch users and computers so that their account passwords get cached on the RODC after the first successful logon.
Note that for the first logon of any account, the RODC must connect to the R/W DC.

If you want to remove cached passwords from the RODC, then you must first remove those users/computers from the RODC allowed password replication group and then reset the user/computer password on the R/W DC.

In the event of a link failure, new users cannot log on through the RODC; only users whose passwords were already cached on the RODC can log on through the RODC.

Mahesh
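The password replication policy (PRP) handling described in the comment above, written out as an added PowerShell example. This is not code from the thread or from Microsoft's documentation; it uses the ActiveDirectory module cmdlets (RSAT on Windows 7 / Server 2008 R2 or later), and the RODC name BR01-RODC, the group Branch01-Cached and the user jdoe are assumed placeholders. Beyond the comment's own steps it adds two defender checks: which accounts authenticate through the RODC without being cached (they lose logon when the WAN link fails), and whether any privileged account has ended up cached on a branch server.

```powershell
# Added example (not from the thread). Assumed names: RODC 'BR01-RODC',
# branch cache group 'Branch01-Cached', user 'jdoe'. Writes go to a writable DC.
Import-Module ActiveDirectory
$Rodc = 'BR01-RODC'

# 1. Add branch users and computers to the Allowed list through one group,
#    rather than per account, so membership changes are auditable.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch01-Cached'

# 2. Review the policy and what the RODC has actually cached so far.
$allowed       = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied        = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
$allowed | Select-Object Name, ObjectClass | Format-Table -AutoSize
$denied  | Select-Object Name, ObjectClass | Format-Table -AutoSize

# 3. Accounts that logged on via this RODC but are NOT cached still depend on the
#    link to a writable DC: this is the population that cannot log on if the WAN drops.
$notCached = $authenticated | Where-Object { $revealed.DistinguishedName -notcontains $_.DistinguishedName }
"Authenticated but not cached on ${Rodc}: $($notCached.Count)"
$notCached | Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

# 4. Control check: a branch RODC must never hold the secret of a privileged account
#    (the default Denied list covers these groups; this verifies nothing slipped through).
$privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
}
$leaked = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }
if ($leaked) {
    Write-Warning "Privileged credentials cached on ${Rodc}: $($leaked.SamAccountName -join ', ')"
}

# 5. Evict a cached secret in the order the comment gives: first take the account out
#    of the Allowed list (or out of the group that put it there), then reset its password
#    on a writable DC so the copy held by the RODC becomes worthless.
function Remove-CachedSecret {
    param([string]$Rodc, [string]$Account, [string]$ViaGroup)
    if ($ViaGroup) {
        Remove-ADGroupMember -Identity $ViaGroup -Members $Account -Confirm:$false
    } else {
        Remove-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Account -Confirm:$false
    }
    Set-ADAccountPassword -Identity $Account -Reset -NewPassword (Read-Host -AsSecureString "New password for $Account")
    # Confirm the account no longer appears in the revealed list.
    $still = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $_.SamAccountName -eq $Account }
    return (-not $still)
}
# Remove-CachedSecret -Rodc $Rodc -Account 'jdoe' -ViaGroup 'Branch01-Cached'
```

Run it from an admin workstation with RSAT rather than on the RODC itself: the policy and the password reset are written to a writable DC, and the RODC only reports what it has cached.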

Author Comment

by:DukewillNukem
ID: 39847063
Mahesh
This is not gonna be as easy as you describe. You say: "decommission existing R/W DC from branch.
Then you can promote new RODC with either prestage method or normal method."
What would be the correct steps, and in which order?
LVL 38

Accepted Solution

by: Mahesh (earned 1500 total points)
ID: 39847138
Ok.
You are concerned about downtime after decommissioning the R/W DC, right?

If you are willing to procure extra hardware, then you could install the RODC first in the branch.
Then demote the existing R/W DC from the branch.

My understanding is: simply demote the R/W DC first and promote it as an RODC, to save extra hardware.
Ensure that your AD ports are opened between the main site DC and the server designated as RODC, or this is a major point of failure.
First ensure that your domain and forest functional level is at least Windows 2003; this is a prerequisite for deploying an RODC.
Also, if you have a 2003 DC in the domain, then log on to the 2003 DC with Domain Admins, insert the 2008 R2 DVD and navigate to the folder below on the DVD:
D:\support\adprep and run adprep /rodcprep
Then follow the steps below to prestage the RODC account in Active Directory on the branch R/W DC, followed by RODC installation on a new/separate server.
Also, in order to install an RODC, you have to have at least one 2008 / 2008 R2 / 2012 R/W DC in the main site.
http://mizitechinfo.wordpress.com/2013/08/11/step-by-step-installing-and-configuring-a-rodc-in-windows-server-2012-r2/
Once you have done that and successfully promoted the RODC, configure the necessary password replication policy.
http://sportstoday.us/technology/active-directory-2008----configuring-read-only-domain-controllers-(part-2)---password-replication-policy-,-administering-rodc-credentials-caching,-administrative-role-separation.aspx

Now you can demote your R/W DC from the branch.
Once your demotion is completed, repoint your RODC to another R/W DC in the main site and restart it.
Now it's time to test user login / credential caching.

Note that you cannot test RODC functionality when both the R/W DC and the RODC are alive in the same site.
Hence you must demote the R/W DC prior to starting to use the RODC.

Mahesh
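The sequence in the accepted answer (prerequisite checks, prestage, promote, demote the old R/W DC, repoint and verify) as an added PowerShell run book. It is not code from the thread or from the linked guides. It uses the ADDSDeployment cmdlets that ship with Windows Server 2012 and later; in the asker's 2008 R2 environment the same steps are done with dcpromo and the "Pre-create Read-only Domain Controller account" wizard in Active Directory Users and Computers. The domain corp.example, sites HQ and Branch01, hosts HQ-DC1, BR01-DC1 and BR01-RODC, and groups Branch01-ServerAdmins and Branch01-Cached are all assumed placeholders; the adprep path is the one the answer gives.

```powershell
# Added example (not from the thread). All names below are assumed placeholders.
# Stages are marked with where they run; each stage assumes the previous one finished.
Import-Module ActiveDirectory

$Domain     = 'corp.example'
$HubSite    = 'HQ'
$BranchSite = 'Branch01'
$HubDc      = 'HQ-DC1.corp.example'
$NewRodc    = 'BR01-RODC'
$OldRwDc    = 'BR01-DC1'
$Cred       = Get-Credential -Message "Domain Admins account for $Domain"

# ---- Stage 1 (hub workstation): the prerequisites the answer names --------------------
# Functional levels: Windows Server 2003 is value 2 in the ADForestMode / ADDomainMode enums.
if ([int](Get-ADForest).ForestMode -lt 2 -or [int](Get-ADDomain).DomainMode -lt 2) {
    throw 'Forest and domain functional level must be at least Windows Server 2003.'
}
# At least one 2008 / 2008 R2 / 2012 writable DC must exist in the main site.
$hubRw = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    Where-Object { $_.Site -eq $HubSite -and $_.OperatingSystem -match '2008|2012' }
if (-not $hubRw) { throw "No 2008-or-later writable DC found in site $HubSite." }
# If any 2003 DC remains, run once per forest from the 2008 R2 media on that DC (path from the answer):
#   D:\support\adprep\adprep.exe /rodcprep

# ---- Stage 2 (hub workstation): prestage the RODC account ------------------------------
# One call sets the site, the replication partner, the delegated branch admin (the
# "Manager" in the answer) and the initial Allowed list for password caching.
Import-Module ADDSDeployment
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $NewRodc `
    -DomainName $Domain `
    -SiteName $BranchSite `
    -ReplicationSourceDC $HubDc `
    -DelegatedAdministratorAccountName 'CORP\Branch01-ServerAdmins' `
    -AllowPasswordReplicationAccounts 'CORP\Branch01-Cached' `
    -Credential $Cred

# ---- Stage 3 (on the new branch server): check the AD ports, then promote ---------------
# A blocked port here is the "major point of failure" the answer warns about.
# Test-NetConnection exists on Windows 8.1 / Server 2012 R2 and later.
foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
    $r = Test-NetConnection -ComputerName $HubDc -Port $port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { Write-Warning "TCP $port to $HubDc is blocked; RODC replication or logon will fail." }
}
Install-ADDSDomainController -DomainName $Domain -UseExistingAccount -Credential $Cred `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# ---- Stage 4 (on the old branch R/W DC, once the RODC has replicated): demote ------------
# Uninstall-ADDSDomainController -Credential $Cred -Force `
#     -LocalAdministratorPassword (Read-Host -AsSecureString 'Local Administrator password')

# ---- Stage 5 (hub workstation): repoint the RODC at the hub R/W DC, restart, verify ------
Invoke-Command -ComputerName $NewRodc -ScriptBlock { nltest.exe /sc_reset:corp.example\HQ-DC1 }
repadmin.exe /kcc $NewRodc
Restart-Computer -ComputerName $NewRodc -Wait -For PowerShell -Force
repadmin.exe /showrepl $NewRodc
# After a branch user logs on, the account should appear here (only if it is in the Allowed list):
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $NewRodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
```

The answer's point that caching cannot be tested while a writable DC is still in the site is why Stage 4 precedes Stage 5: until the old DC is demoted, clients in Branch01 keep authenticating against it and the RODC never gets to cache anything.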

Author Comment

by:DukewillNukem
ID: 39847171
Yes, any downtime is not allowed. All our DCs are virtual, however.
We have all 2008 R2 DCs, so no problem, although we still have 2003 functional levels.
OK, thanks for the detailed info. I will do that in our test environment first.