Configuring RODC

As mentioned earlier, an RODC does not store user credentials by default. However, you can configure it to cache user credentials, and you can also configure it so that specific users' credentials are never cached on the RODC.

Configuring an RODC-Specific Password Replication Policy to Cache the Credentials of Users and Computers

To proceed with the configuration of the Password Replication Policy to cache the
credentials of users and computers, you should:
  1. Create the users Jack Hay, Ed Young and Sam Jones on the domain controller.
  2. Create a group called Branch Office Users on the domain controller.
  3. Add Jack Hay to the Branch Office Users group, as shown in Figure 4-16:
    Figure 4-16
  4. Add the DNSAdmins group to the Denied RODC Password Replication Group,
    as shown in Figure 4-17.

    Figure 4-17
  5. Add the Branch Office Users group to the Allowed RODC Password Replication
    Group.

    The Denied RODC Password Replication Group and the Allowed RODC Password
    Replication Group are the two domain local security groups in the Users
    container of AD DS in Windows Server 2008 that are used to configure the Password
    Replication Policy.

    The Allowed RODC Password Replication group does not contain any members by
    default because RODC does not cache any credentials by default. However, you can add
    members to this group to allow caching of credentials on RODC.

    The Denied RODC password replication group should be configured with users or
    groups whose credentials you want to ensure that RODC should never cache. By default
    this group contains security sensitive accounts that are members of groups such as
    Domain Admins, Enterprise Admins, and Group Policy Creator Owners.

    After performing the above tasks, you need to configure the password replication
    policy so that the credentials of users in the Allowed RODC Password Replication
    Group are automatically replicated to the RODC, allowing those users to log on
    through the RODC as well.

Configuring Password Replication Policy

To configure the password replication policy, you need to:
  1. Select Domain Controllers node under the domain name to view the domain
    controllers running in the domain, as shown in Figure 4-18.

    Figure 4-18
  2. Right-click the Read Only domain controller from the left panel and then select
    Properties from the menu that appears, as shown in Figure 4-19.

    Figure 4-19

    The Properties window of the RODC appears, as shown in Figure 4-20.

  3. Click the Password Replication Policy tab. The tab displays the list of accounts that
    are defined in the Allowed List and the Denied List on the RODC by default. We now need
    to add the Branch Office Users group to the allowed list so that when the users of this
    group log on through the RODC, their credentials are cached.
  4. Click Add.
    Figure 4-20

    The Add Groups, Users and Computers window appears, as shown in Figure 4-21.

  5. Select Allow passwords for the account to replicate to this RODC option and
    click OK.

    Figure 4-21
  6. Provide Branch Office Users group name in the Select Users, Computers, or
    Groups window that appears and click OK, as shown in Figure 4-22.

    Figure 4-22

    The credential caching through password replication policy is successfully configured on
    the RODC. You need to now monitor credential caching to verify that RODC is caching
    the credentials.

Monitor Credential Caching

By default, the RODC caches only the credentials of the krbtgt account and the computer
account of the RODC itself. To monitor RODC for credential caching, you need to:
  1. Log on to the RODC with the Jack Hay account (a member of the Branch Office Users
    group) and then log out.
  2. Log on to the RODC with the Ed Young account (a user on the domain controller but not a
    member of the Branch Office Users group) and then log out.

    You can now check whether the credentials of the Branch Office Users are cached on the
    RODC or not.
  3. Log on to the Domain controller
  4. Click Start-> Settings->Control Panel->Administrative Tools-> Active
    Directory Users and Computers.
  5. Select Domain Controllers node under the domain name and then right-click the
    Read Only domain controller from the left panel
  6. Select Properties from the menu that appears
  7. Click Password Replication Policy tab in the Properties window
  8. Click Advanced. The Advanced Password Replication Policy for the RODC window appears,
    as shown in Figure 14.
  9. Click Accounts whose passwords are stored on this Read-only Domain
    Controller option in the Display users and computers that meet the following
    criteria drop-down list.
  10. Verify that the Jack Hay account appears in the list but not the account of Ed
    Young. This is because Jack Hay is the member of Branch Office Users group,
    which is the group that is configured on RODC for the caching of credentials. The
    credentials of Ed Young are not cached because this user is not the member of
    Branch Office Users group, as shown in Figure 4-23.

    Figure 4-23
  11. Click Accounts that have been authenticated to this Read-only Domain
    Controller option in the Display users and computers that meet the following
    criteria drop-down list, as shown in Figure 4-24.

    Figure 4-24
  12. Verify that the account entries for both Jack Hay and Ed Young appear in the list.
    This is because this list displays the accounts that have been authenticated
    by the RODC, not the accounts whose credentials have been cached.
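The same allowed/denied configuration and the two Advanced views (passwords stored versus accounts authenticated) can be scripted with the ActiveDirectory PowerShell module, which is useful for checking many RODCs. This is an added example, not code from the original text; it assumes the module (Windows Server 2008 R2 or later), a placeholder RODC name BRANCH-RODC1, and the group names used above.

```powershell
# Added example (not from the original text): apply and verify the Password
# Replication Policy described above with the ActiveDirectory module.
# BRANCH-RODC1 is a placeholder RODC computer name.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC1'   # placeholder RODC computer name

# 1. Allow caching for the branch group and deny it for DnsAdmins (steps 4-5 above).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch Office Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList 'DnsAdmins'

# 2. Show the resulting lists (the Password Replication Policy tab).
'--- Allowed list ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object -ExpandProperty Name
'--- Denied list ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object -ExpandProperty Name

# 3. Accounts whose passwords are stored on the RODC versus accounts that only
#    authenticated through it (Advanced dialog, steps 9-12 above). After the
#    logons described above, Jack Hay appears in both lists, Ed Young only in the second.
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
'--- Passwords stored on this RODC ---'
$revealed | Select-Object -ExpandProperty SamAccountName
'--- Authenticated to this RODC ---'
$authenticated | Select-Object -ExpandProperty SamAccountName

# 4. Defender check: no member of a denied group should ever have its password
#    on the RODC. Expand the denied groups recursively and compare.
$deniedMembers = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Where-Object { $_.ObjectClass -eq 'group' } |
    ForEach-Object { Get-ADGroupMember -Identity $_.DistinguishedName -Recursive } |
    Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
$leaked = $revealed | Where-Object { $deniedMembers -contains $_.SamAccountName }
if ($leaked) {
    Write-Warning "Denied accounts found in the RODC cache: $($leaked.SamAccountName -join ', ')"
} else {
    'OK: no account from the denied list has its password stored on the RODC.'
}
```

Run it from a writable domain controller or a management host with RSAT; the denied-list check is the part worth scheduling, because a later change to the allowed list is the usual way a privileged account ends up cached.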

Prepopulate the password cache for the RODC

Prepopulating the password cache on the RODC allows you to configure the RODC to
cache the credentials of user accounts that must be cached but whose users have not yet
logged on through the RODC. Prepopulating the password cache on the RODC ensures that the
user can log on to the network in the branch office even when the WAN link between the
main office and the branch office has failed.

You can prepopulate the cache only for accounts that are configured to be cached in the
Password Replication Policy.

To prepopulate the password cache for an RODC, you need to:
  1. Log on to the Domain controller
  2. Click Start-> Settings->Control Panel->Administrative Tools-> Active
    Directory Users and Computers.
  3. Select Domain Controllers node under the domain name and then right-click the
    Read Only domain controller from the left panel
  4. Select Properties from the menu that appears
  5. Click Password Replication Policy tab in the Properties window
  6. Click Advanced. The Advanced Password Replication Policy for the RODC window appears.
  7. Click Prepopulate Passwords. The Select User and Computers window appears, as shown in Figure 4-25.
  8. Type or browse the name of the user whose credentials you want to prepopulate in
    the cache for the RODC in the Enter the object names to select field, and click
    OK.

    Figure 4-25

    The Prepopulate Passwords window appears displaying the name of the selected user,
    as shown in Figure 4-26.

  9. Click Yes.
    Figure 4-26

    The Prepopulate Passwords window starts displaying the progress of the task, as shown
    in Figure 4-27.

    Figure 4-27

    The Prepopulate Password Success window appears

  10. Click OK.
  11. Click Accounts whose passwords are stored on this Read-only Domain
    Controller option in the Display users and computers that meet the following
    criteria drop-down list, as shown in Figure 4-28:

    Figure 4-28

    Verify that the list shows account for Sam Jones, whose credentials have been
    prepopulated on the RODC.
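The prepopulation above can also be done from the command line with repadmin, which is the usual way to prepare a batch of branch accounts before a WAN outage. This is an added example, not code from the original text; BRANCH-RODC1, HUB-DC1 and the SamAccountName sjones (for Sam Jones) are placeholders, and the ActiveDirectory module is assumed for the verification step.

```powershell
# Added example (not from the original text): prepopulate the RODC password
# cache for Sam Jones with repadmin, then verify the result the same way the
# Advanced dialog does. BRANCH-RODC1, HUB-DC1 and sjones are placeholders.
Import-Module ActiveDirectory

$rodc  = 'BRANCH-RODC1'   # placeholder RODC computer name
$hubDc = 'HUB-DC1'        # placeholder writable DC that holds the account secrets
$users = @('sjones')      # placeholder SamAccountNames to prepopulate (Sam Jones)

foreach ($user in $users) {
    # repadmin expects the account's distinguished name.
    $dn = (Get-ADUser -Identity $user).DistinguishedName
    # repadmin /rodcpwdrepl <RODC> <source DC> <account DN> pushes the secrets to
    # the RODC. It only succeeds for accounts the Password Replication Policy
    # allows to be cached, the same rule the GUI enforces.
    $output = & repadmin /rodcpwdrepl $rodc $hubDc $dn 2>&1
    if ($LASTEXITCODE -eq 0) {
        "Prepopulated $user on $rodc"
    } else {
        Write-Warning "Could not prepopulate $user (is it covered by the allowed list?):`n$output"
    }
}

# Same view as 'Accounts whose passwords are stored on this Read-only Domain
# Controller' (Figure 4-28).
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName
foreach ($user in $users) {
    if ($cached -contains $user) { "OK: $user is now cached on $rodc" }
    else { Write-Warning "$user is not cached on $rodc" }
}
```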

In an Active Directory domain, all domain controllers are equivalent and can perform all functions. However, in a multidomain environment where multimaster replication is used, certain changes cannot be performed on every domain controller. For example, schema changes should not be performed through multimaster replication; they must be performed as a single master operation.

In an Active Directory environment, the domain controllers that hold a single master role are called operations masters. The single master operation roles can be transferred to any domain controller in a domain and are therefore called flexible single master operations (FSMO). At any given time, each role is held and performed by only one domain controller.

There are five FSMO roles in total, of which three are domain-level roles and two are forest-wide roles. All five operations master roles are automatically configured on the first domain controller that is configured in a forest. The domain-level operations master roles are configured in each domain and are also assumed by the first domain controller in each additional domain created in the forest. These roles are:

The forest-wide roles are held by one domain controller per forest. These roles are:

The automatic assignment of all roles to the first domain controller in a forest overburdens that domain controller. To avoid this, you can transfer the operations master roles to other domain controllers in the domain or forest. The placement of each operations master role is important and requires careful planning.

Placing Operations Masters

Identify Operation Masters

To identify the operation masters that are running on a server, you need to:
  1. Open the Active Directory Users and Computers snap-in by clicking Start-> Administrative Tools-> Active Directory Users and Computers.
  2. Right-click the domain name (inscription.com) node and select Operations Masters option from the menu that appears, as shown in Figure 3-26.
Figure 3-26

The Operations Masters dialog box appears displaying the operations masters’ role in each tab of the dialog box, as shown in Figure 3-27.

Figure 3-27

Besides this, you can use the Netdom tool to see which servers hold all five FSMO roles in one go.

You need to type netdom query fsmo at the command prompt to see the results, as shown in Figure 3-28.

Figure 3-28

Transfer an Operation Master Role

To transfer an operation master role, you need to take the operations master offline, transfer the role to another domain controller and then bring it online. To transfer the operations master role, you need to:

  1. Open the Active Directory Users and Computers snap-in by clicking Start-> Administrative Tools-> Active Directory Users and Computers.
  2. Right-click the domain name (inscription.com) node and select the Change Domain Controller option from the menu that appears. The Change Directory Server window appears, as shown in Figure 3-29. The window allows you to select the domain controller to which you want to transfer the role.
  3. Select the domain controller from the list and click OK.
    Figure 3-29
  4. Right-click the domain name (inscription.com) node and select Operations Masters option from the menu that appears.
  5. Click the tab of the role that you want to transfer. For example click on PDC tab.
  6. Click Change. Confirm the transfer by clicking Yes on the confirmation dialog box that appears. The role is successfully transferred.
  7. Click OK and then click Close.
  8. Shut down and Restart the server.
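The identification and transfer steps above can be scripted, which also gives a before/after record of who held each role. This is an added example, not code from the original text; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later), the domain inscription.com named in the text, and a placeholder target domain controller DC2.inscription.com.

```powershell
# Added example (not from the original text): list the five operations master
# holders and transfer the PDC emulator role with the ActiveDirectory module.
# DC2.inscription.com is a placeholder target; inscription.com is the domain
# named in the text.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    param([string]$Domain = 'inscription.com')
    $forest = Get-ADForest -Identity $Domain
    $dom    = Get-ADDomain -Identity $Domain
    # Forest-wide roles are read from the forest object, domain roles from the domain.
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

'Before transfer (compare with the output of: netdom query fsmo)'
Get-FsmoHolders | Format-List

# Transfer the PDC emulator role. A transfer needs the current holder online and
# reachable; only if it is permanently lost would the same cmdlet be run with
# -Force to seize the role, which is a recovery action, not routine maintenance.
$target = 'DC2.inscription.com'   # placeholder target domain controller
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator -Confirm:$false

'After transfer'
$after = Get-FsmoHolders
$after | Format-List
if ($after.PDCEmulator -ieq $target) {
    "OK: $target now holds the PDC emulator role"
} else {
    Write-Warning "PDC emulator role is held by $($after.PDCEmulator), not $target"
}
```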