Solved

DC replacement with RODC and BranchCache

Posted on 2014-02-10
Last Modified: 2014-02-24
We have many AD sites and, for security reasons, I have to implement an RODC at each site.
There are already existing DCs which I have to decommission and remove, and use RODCs instead.
What would be a good strategy to achieve this?
The same goes for BranchCache: some sites have weak connectivity; I'd like to deploy that for them.
Are there any security concerns about BranchCache which should be taken care of?
Thank you for your help.
Question by:DukewillNukem
6 Comments
Expert Comment by: Manjunath Sullad (ID: 39846768)
What is the server OS?

If it's Windows Server 2012:

Hosted cache servers that are running Windows Server 2012 encrypt all data in the cache by default, so the use of additional encryption technologies is not required.

Please go through the link below for more information.
https://social.technet.microsoft.com/wiki/contents/articles/14309.branchcache-frequently-asked-questions.aspx

RODC recommendations:

http://technet.microsoft.com/en-us/library/cc771744(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd734758(v=ws.10).aspx
Author Comment by: DukewillNukem (ID: 39846772)
They're all 2008 R2, luckily.
Would you recommend upgrading to 2012 first?
Expert Comment by: Mahesh (ID: 39846781)
First of all, you need to decommission the existing R/W DC from the branch.
Then you can promote the new RODC with either the prestage method or the normal method.
Once the RODC is promoted, you need to assign a user account as RODC local administrator (Manager) from the RODC server account properties so that the user account has delegated rights on the RODC for normal server management.

Also, there is an allowed password replication group on the RODC; here you need to add branch users and computers so that their account passwords get cached on the RODC after the first successful logon.
Note that for the first logon of any account, the RODC must connect to a R/W DC.

If you want to remove cached passwords from the RODC, then you must first remove those users / computers from the RODC allowed password replication group and then reset the user / computer password on the R/W DC.

In the event of link failure, new users cannot log on through the RODC; only users whose password already got cached on the RODC can log on through the RODC.

Mahesh
Author Comment by: DukewillNukem (ID: 39847063)
Mahesh,
this is not going to be as easy as you describe. You say: "decommission existing R/W DC from branch
Then you can promote new RODC with either prestage method or normal method"
What would be the correct steps, and in which order?
Accepted Solution by: Mahesh (earned 1500 total points, ID: 39847138)
OK.
You are concerned about downtime after decommissioning the R/W DC, right?

If you are willing to procure extra hardware, then you could install the RODC first in the branch.
Then demote the existing R/W DC from the branch.

My understanding is simply to demote the R/W DC first and promote it as an RODC to save extra hardware.
Ensure that your AD ports are opened between the main site DC and the server designated as RODC, or this is a major point of failure.
First ensure that your domain and forest functional level is at least Windows 2003; this is a prerequisite for deploying an RODC.
Also, if you have a 2003 DC in the domain, then log on to the 2003 DC as a domain admin, insert the 2008 R2 DVD and navigate to the folder below on the DVD:
D:\support\adprep
and run adprep /rodcprep.
Then follow the steps below to prestage the RODC account in Active Directory on the branch R/W DC, followed by the RODC installation on a new / separate server.
Also, in order to install an RODC, you have to have at least one 2008 / 2008 R2 / 2012 R/W DC in the main site.
http://mizitechinfo.wordpress.com/2013/08/11/step-by-step-installing-and-configuring-a-rodc-in-windows-server-2012-r2/
Once you have done that and successfully promoted the RODC, configure the necessary password replication policy:
http://sportstoday.us/technology/active-directory-2008----configuring-read-only-domain-controllers-(part-2)---password-replication-policy-,-administering-rodc-credentials-caching,-administrative-role-separation.aspx

Now you can demote your R/W DC from the branch.
Once your demotion is completed, repoint your RODC to another R/W DC in the main site and restart it.
Now it's time to test user login / credential caching.

Note that you cannot test RODC functionality when both the R/W DC and the RODC are alive in the same site.
Hence you must demote the R/W DC before you start using the RODC.

Mahesh
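The prerequisite checks, the Password Replication Policy configuration and the cached-password cleanup that Mahesh describes in his two replies, scripted with the ActiveDirectory module (Windows Server 2008 R2 or later with RSAT). This is an added example and not code from the thread; the RODC name RODC01, the groups "Branch Users" and "Branch Admins", and the user jdoe are assumed placeholders.

```powershell
# Added example (not from the thread). Assumed names: RODC01, "Branch Users",
# "Branch Admins", jdoe. Run on a writable DC or an admin workstation with RSAT.
Import-Module ActiveDirectory

# 1. Domain and forest functional level must be at least Windows Server 2003
#    before an RODC can be deployed (adprep /rodcprep is still run separately).
$domain = Get-ADDomain
$forest = Get-ADForest
"Domain mode: $($domain.DomainMode)  Forest mode: $($forest.ForestMode)"

# 2. An RODC replicates only from a writable 2008-or-later DC: list the candidates
#    so the AD ports can be verified between them and the branch.
Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    Select-Object Name, Site, OperatingSystem

# 3. The built-in PRP groups. Membership in the Denied group always wins over
#    the Allowed group, which is why admin accounts are never cached by default.
Get-ADGroup -Identity "Allowed RODC Password Replication Group"
Get-ADGroup -Identity "Denied RODC Password Replication Group"

# 4. After RODC01 is promoted: allow caching for the branch group only (not for
#    all of Domain Users), and delegate local administration of the RODC via the
#    computer object's Managed By attribute (the "Manager" Mahesh refers to).
Add-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -AllowedList "Branch Users"
Set-ADComputer -Identity RODC01 -ManagedBy "Branch Admins"

# 5. Verify the policy: accounts whose secrets are actually stored on the RODC
#    versus accounts that merely authenticated through it (cached after first
#    successful logon, which still requires a link to a writable DC).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity RODC01 -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity RODC01 -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# 6. Evicting a cached secret, e.g. for a user who left the branch: remove the
#    account from the allowed list, then reset its password on a writable DC so
#    the copy held on the RODC is no longer valid.
Remove-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -AllowedList "jdoe"
Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (Read-Host -AsSecureString "New password")
```

Step 5 is the check to repeat after the R/W DC has been demoted and the link to the main site is cut for testing: only accounts listed under -RevealedAccounts will be able to log on at the branch during an outage.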
Author Comment by: DukewillNukem (ID: 39847171)
Yes, any downtime is not allowed. All our DCs are virtual, however.
We have all 2008 R2 DCs, so no problem. Although, we still have 2003 functional levels.
OK, thanks for the detailed info. I will do that in our test environment first.