DC replacement with RODC and BranchCache

Posted on 2014-02-10
896 Views
Last Modified: 2014-02-24
We have many AD sites and, for security reasons, I have to implement an RODC at each site.
There are already existing DCs which I have to decommission and remove, using RODCs instead.
What would be a good strategy to achieve this?
The same goes for BranchCache: some sites have weak connectivity, and I'd like to deploy it for them.
Are there any security concerns about BranchCache which should be taken care of?
Thank you for your help.
Question by:DukewillNukem
6 Comments

Expert Comment

by:Manjunath Sullad
ID: 39846768
What is the server OS?

If it's Windows Server 2012:

Hosted cache servers that are running Windows Server 2012 encrypt all data in the cache by default, so the use of additional encryption technologies is not required.

Please go through the link below for more information.
https://social.technet.microsoft.com/wiki/contents/articles/14309.branchcache-frequently-asked-questions.aspx


RODC recommendations:

http://technet.microsoft.com/en-us/library/cc771744(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd734758(v=ws.10).aspx

Author Comment

by:DukewillNukem
ID: 39846772
They're all 2008 R2, luckily.
Would you recommend upgrading to 2012 first?

Expert Comment

by:Mahesh
ID: 39846781
First of all, you need to decommission the existing R/W DC from the branch.
Then you can promote the new RODC with either the prestage method or the normal method.
Once the RODC is promoted, you need to assign a user account as RODC local administrator (Manager) from the RODC server account properties, so that the user account has delegated rights on the RODC for normal server management.

There is also an allowed password replication group on the RODC; here you need to add the branch users and computers so that their account passwords get cached on the RODC after the first successful logon.
Note that for the first logon of any account, the RODC must connect to an R/W DC.

If you want to remove cached passwords from the RODC, then you must first remove those users / computers from the RODC allowed password replication group and then reset the user / computer password on an R/W DC.

In the event of a link failure, new users cannot log on through the RODC; only users whose passwords have already been cached on the RODC can log on through it.

Mahesh
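An added example (not code from Mahesh's comment or from the original page) of the password replication policy handling described above, using the ActiveDirectory module that ships with the Windows Server 2008 R2 RSAT. RODC01 (the branch RODC), HUBDC01 (a writable DC in the main site), the domain corp.example.com and the groups Branch01-Users and Branch01-Computers are placeholder names; the user "alice" and the DN passed to repadmin are constructed sample input.

```powershell
# Added example, not code from the thread. Placeholder names: RODC01 (branch RODC),
# HUBDC01 (writable DC in the main site), groups Branch01-Users / Branch01-Computers.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword

$Rodc  = 'RODC01'
$HubDC = 'HUBDC01'

# 1. Let the RODC cache secrets only for the branch groups. Members of the
#    built-in Denied RODC Password Replication Group (Domain Admins, etc.) are
#    never cached, whatever the allow list says.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch01-Users', 'Branch01-Computers'

# 2. Review the policy and the accounts whose secrets are actually on the RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# 3. Optional: pre-populate the cache from the hub DC so that a user's first
#    logon does not depend on the WAN link (the account must already be allowed).
repadmin /rodcpwdrepl $Rodc $HubDC "CN=Alice Example,OU=Branch01,DC=corp,DC=example,DC=com"

# 4. Purging a cached secret. A secret on the RODC only becomes useless when the
#    account's password changes on a writable DC, so the order is: take the
#    account out of the allow group, then reset its password, then re-check.
function Remove-RodcCachedCredential {
    param(
        [Parameter(Mandatory = $true)] [string] $Rodc,
        [Parameter(Mandatory = $true)] [string] $AllowGroup,
        [Parameter(Mandatory = $true)] [string] $SamAccountName
    )
    $acct = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'"
    if (-not $acct) { throw "Account $SamAccountName not found" }

    Remove-ADGroupMember -Identity $AllowGroup -Members $acct.DistinguishedName -Confirm:$false

    switch ($acct.ObjectClass) {
        'user' {
            # Reset to a random value; the user sets a new one at next logon.
            $new = [System.Web.Security.Membership]::GeneratePassword(24, 4)
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset `
                -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
        }
        'computer' {
            # A machine rotates its own secret, so run the reset on that host
            # (the sAMAccountName of a computer ends in '$').
            $computer = $SamAccountName.TrimEnd('$')
            Invoke-Command -ComputerName $computer -ScriptBlock { Reset-ComputerMachinePassword }
        }
        default { throw "Unsupported object class $($acct.ObjectClass)" }
    }

    # Return the account's current entry (if any) in the RODC's revealed list so
    # the caller can check what the RODC still reports as cached.
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $_.SamAccountName -eq $SamAccountName }
}

# Constructed example: a user who has left the branch.
Remove-RodcCachedCredential -Rodc $Rodc -AllowGroup 'Branch01-Users' -SamAccountName 'alice'
```

The password reset is the step that actually matters: removing the account from the allow group only stops future caching, so an RODC that was physically compromised still carries a valid secret until the account's password is changed on a writable DC.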

Author Comment

by:DukewillNukem
ID: 39847063
Mahesh
This is not going to be as easy as you describe. You say: "decommission existing R/W DC from branch
Then you can promote new RODC with either prestage method or normal method"
What would be the correct steps, and in which order?

Accepted Solution

by:Mahesh (earned 500 total points)
ID: 39847138
OK.
You are concerned about downtime after decommissioning the R/W DC, right?

If you are willing to procure extra hardware, then you could install the RODC first in the branch.
Then demote the existing R/W DC from the branch.

My understanding is that you would simply demote the R/W DC first and promote it as an RODC, to save extra hardware.
Ensure that your AD ports are open between the main site DC and the server designated as RODC, or this is a major point of failure.
First ensure that your domain and forest functional levels are at least Windows 2003; this is a prerequisite for deploying an RODC.
Also, if you have a 2003 DC in the domain, then log on to the 2003 DC as a Domain Admin, insert the 2008 R2 DVD and navigate to the following folder on the DVD:
D:\support\adprep and run adprep /rodcprep
Then follow the steps below to prestage the RODC account in Active Directory on the branch R/W DC, followed by the RODC installation on a new / separate server.
Also, in order to install an RODC, you have to have at least one 2008 / 2008 R2 / 2012 R/W DC in the main site.
http://mizitechinfo.wordpress.com/2013/08/11/step-by-step-installing-and-configuring-a-rodc-in-windows-server-2012-r2/
Once you have done that and successfully promoted the RODC, configure the necessary password replication policy:
http://sportstoday.us/technology/active-directory-2008----configuring-read-only-domain-controllers-(part-2)---password-replication-policy-,-administering-rodc-credentials-caching,-administrative-role-separation.aspx

Now you can demote your R/W DC from the branch.
Once the demotion is completed, repoint your RODC to another R/W DC in the main site and restart it.
Now it's time to test user login / credential caching.

Note that you cannot test RODC functionality when both the R/W DC and the RODC are alive in the same site.
Hence you must demote the R/W DC prior to starting to use the RODC.

Mahesh
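An added example (not code from the accepted answer or from the linked walkthroughs) putting the order of operations above into PowerShell. All names are placeholders: domain corp.example.com, site Branch01, the existing writable DC BRDC01, the new server RODC01, the hub DC HUBDC01 and the delegated group Branch01-RODC-Admins. Steps 3, 4 and 6 use the ADDSDeployment module, which exists only on Windows Server 2012 and later (relevant to the question of upgrading first; on 2008 R2 the same steps are done with dcpromo and an unattend file). Steps 1, 5 and 7 work with the 2008 R2 ActiveDirectory module and repadmin.

```powershell
# Added example, not code from the thread. Placeholder names: domain corp.example.com,
# site Branch01, existing writable DC BRDC01, new server RODC01, hub DC HUBDC01.
# Each step is commented with the host it runs on.
Import-Module ActiveDirectory

$Domain  = 'corp.example.com'
$Site    = 'Branch01'
$OldDC   = 'BRDC01'
$NewRodc = 'RODC01'
$HubDC   = 'HUBDC01.corp.example.com'

# 1. (Any admin workstation) Functional levels must be at least Windows Server 2003.
#    ADForestMode / ADDomainMode enum values: 0 = 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008, ...
$forestMode = [int](Get-ADForest).ForestMode
$domainMode = [int](Get-ADDomain).DomainMode
if ($forestMode -lt 2 -or $domainMode -lt 2) {
    throw "Forest mode $forestMode / domain mode $domainMode: raise both to Windows Server 2003 first"
}
#    The RODC needs a writable 2008-or-later DC in the main site to replicate from.
Get-ADDomainController -Identity $HubDC | Select-Object HostName, OperatingSystem, IsReadOnly

# 2. (On a writable DC, once per forest; 2008 R2 media mounted as D:)
#    D:\support\adprep\adprep.exe /rodcprep

# 3. (On HUBDC01, as a Domain Admin) Prestage the RODC account. The delegated
#    group can then attach the branch server without Domain Admin rights.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $NewRodc `
    -DomainName $Domain `
    -SiteName $Site `
    -DelegatedAdministratorAccountName 'CORP\Branch01-RODC-Admins' `
    -ReplicationSourceDC $HubDC

# 4. (On the new branch server RODC01, as a member of Branch01-RODC-Admins)
#    Attach to the prestaged account. Replicate from the hub, not from BRDC01,
#    so the later demotion does not leave the RODC without a source.
Install-ADDSDomainController `
    -DomainName $Domain `
    -UseExistingAccount `
    -ReplicationSourceDC $HubDC `
    -InstallDns `
    -Credential (Get-Credential 'CORP\rodcadmin') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# 5. (Any admin workstation) Before demoting BRDC01: the RODC must show clean
#    inbound replication, and BRDC01 must not hold any FSMO role.
repadmin /showrepl $NewRodc
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 6. (On BRDC01, as a Domain Admin) Demote the writable DC.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password') `
    -Credential (Get-Credential 'CORP\Administrator') `
    -Force

# 7. (Any admin workstation) Let the KCC rebuild the RODC's connection to the hub,
#    then confirm the branch site now contains only the RODC.
repadmin /kcc $NewRodc
repadmin /showrepl $NewRodc
Get-ADDomainController -Filter "Site -eq '$Site'" | Select-Object HostName, IsReadOnly
```

The point of pointing `-ReplicationSourceDC` at the hub in step 4 is the "repoint your RODC" remark in the answer: if the RODC's only replication partner were BRDC01, demoting it would leave the RODC stale until the KCC found a new source over the WAN.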

Author Comment

by:DukewillNukem
ID: 39847171
Yes, downtime is not allowed at all. All our DCs are virtual, however.
We have all 2008 R2 DCs, so no problem there, although we are still at 2003 functional levels.
OK, thanks for the detailed info. I will do that in our test environment first.