Solved

DC replacement with RODC and BranchCache

Posted on 2014-02-10
6
821 Views
Last Modified: 2014-02-24
We have many AD sites and, because of security reasons, I have to implement RODC on each site.
There are already existing DCs which I have to decommission and remove, and use RODC instead.
What could be a good strategy to achieve this?
Same goes for BranchCache: some sites have weak connectivity; I'd like to deploy that for them.
Are there any security concerns about BranchCache which should be taken care of?
Thank you for help
Question by:DukewillNukem

Expert Comment

by:Manjunath Sullad
ID: 39846768
What is the server OS?

If it's Windows Server 2012:

Hosted cache servers that are running Windows Server 2012 encrypt all data in the cache by default, so the use of additional encryption technologies is not required.

Please go through the link below for more information.
https://social.technet.microsoft.com/wiki/contents/articles/14309.branchcache-frequently-asked-questions.aspx


RODC Recommendations:

http://technet.microsoft.com/en-us/library/cc771744(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd734758(v=ws.10).aspx

Author Comment

by:DukewillNukem
ID: 39846772
They're all 2008 R2, luckily.
Would you recommend upgrading to 2012 first?


Expert Comment

by:Mahesh
ID: 39846781
First of all you need to decommission the existing R/W DC from the branch.
Then you can promote the new RODC with either the prestage method or the normal method.
Once the RODC is promoted, you need to assign a user account as RODC local administrator (Manager) from the RODC server account properties so that the user account has delegated rights on the RODC for normal server management.

Also there is an allowed password replication group on the RODC; here you need to add branch users and computers so that their account passwords get cached on the RODC after the first successful logon.
Note that for the first logon of any account, the RODC must connect to a R/W DC.

If you want to remove cached passwords from the RODC, then you must first remove those users \ computers from the RODC allowed password replication group and then reset the user \ computer password on a R/W DC.

In the event of link failure, new users cannot log on through the RODC; only users whose password already got cached on the RODC can log on through it.

Mahesh

Author Comment

by:DukewillNukem
ID: 39847063
Mahesh,
this is not gonna be as easy as you describe. You say, "decommission existing R/W DC from branch
Then you can promote new RODC with either prestage method or normal method".
What would be the correct steps and in which order?

LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39847138
Ok.
You are concerned about downtime after decommissioning the R/W DC, right?

If you are willing to procure extra hardware, then you could install the RODC first in the branch.
Then demote the existing R/W DC from the branch.

My understanding is that you simply demote the R/W DC first and promote it as RODC to save extra hardware.
Ensure that your AD ports are open between the main site DC and the server designated as RODC, or this is a major point of failure.
First ensure that your domain and forest functional level is at least Windows 2003; this is a prerequisite for deploying RODC.
Also, if you have a 2003 DC in the domain, then log on to the 2003 DC with Domain Admins, insert the 2008 R2 DVD and navigate to the folder below on the DVD:
D:\support\adprep and run adprep /rodcprep
Then follow the steps below to prestage the RODC account in Active Directory on the branch R/W DC, followed by the RODC installation on a new \ separate server.
Also, in order to install an RODC, you have to have at least one 2008 \ 2008 R2 \ 2012 R/W DC in the main site.
http://mizitechinfo.wordpress.com/2013/08/11/step-by-step-installing-and-configuring-a-rodc-in-windows-server-2012-r2/
Once you have done that and successfully promoted the RODC, configure the necessary password replication policy:
http://sportstoday.us/technology/active-directory-2008----configuring-read-only-domain-controllers-(part-2)---password-replication-policy-,-administering-rodc-credentials-caching,-administrative-role-separation.aspx

Now you can demote your R/W DC from the branch.
Once your demotion is completed, repoint your RODC to another R/W DC in the main site and restart it.
Now it's time to test user login \ credential caching.

Note that you cannot test RODC functionality when both the R/W DC and the RODC are alive in the same site.
Hence you must demote the R/W DC prior to starting to use the RODC.

Mahesh
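The Password Replication Policy steps Mahesh describes in both comments (allow only branch users and computers, keep privileged groups denied, check what is cached, and revoke a cached secret by removing the account and resetting its password on a writable DC) can be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the thread; the RODC name BR1-RODC, the groups Branch1-Users and Branch1-Computers and the writable DC HQ-DC01 are hypothetical, and the dcpromo prestage/promotion itself is not included.

```powershell
# Added example (not from the thread): manage an RODC Password Replication Policy
# with the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
# Hypothetical names: RODC "BR1-RODC", groups "Branch1-Users"/"Branch1-Computers",
# writable DC "HQ-DC01".
Import-Module ActiveDirectory

# Prerequisite from the accepted answer: forest and domain functional level >= 2003.
function Test-RodcFunctionalLevel {
    $tooLow = @('Windows2000Forest', 'Windows2003InterimForest',
                'Windows2000Domain', 'Windows2003InterimDomain')
    $forest = "$((Get-ADForest).ForestMode)"
    $domain = "$((Get-ADDomain).DomainMode)"
    return -not (($tooLow -contains $forest) -or ($tooLow -contains $domain))
}

# Allow caching only for branch accounts; warn if a privileged group is not denied.
function Set-BranchPasswordReplicationPolicy {
    param([string]$Rodc, [string[]]$AllowedGroups)
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowedGroups
    $denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        if (-not ($denied.Name -contains $g)) {
            Write-Warning "$g is NOT on the denied list of $Rodc - its secrets could be cached"
        }
    }
}

# Accounts whose secrets the RODC currently holds: this is the exposure if the
# branch box is stolen or compromised.
function Get-CachedBranchAccounts {
    param([string]$Rodc)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Select-Object Name, ObjectClass
}

# Revoke a cached secret as Mahesh describes: drop the account from the allowed
# list, then reset its password on a writable DC so the cached copy is useless.
function Revoke-CachedSecret {
    param([string]$Rodc, [string]$Account, [string]$WritableDc)
    Remove-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Account
    $newPassword = Read-Host -AsSecureString "New password for $Account"
    Set-ADAccountPassword -Identity $Account -Reset -NewPassword $newPassword -Server $WritableDc
}

if (Test-RodcFunctionalLevel) {
    Set-BranchPasswordReplicationPolicy -Rodc 'BR1-RODC' -AllowedGroups 'Branch1-Users', 'Branch1-Computers'
    Get-CachedBranchAccounts -Rodc 'BR1-RODC' | Format-Table -AutoSize
} else {
    Write-Error 'Forest or domain functional level is below Windows Server 2003; RODC cannot be deployed.'
}
```

Run Get-CachedBranchAccounts after the link-failure test in the accepted answer to confirm that only branch accounts were revealed to the RODC.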
Author Comment

by:DukewillNukem
ID: 39847171
Yes, any downtime is not allowed. All our DCs are virtual, however.
We have all 2008 R2 DCs, so no problem. Although we still have 2003 functional levels.
OK, thx for the detailed info. I will do that in our test environment first.