Showing posts with label Domain Controller. Show all posts

Thursday, May 14, 2020

Read Only Domain Controller (RODC)

What is a Read Only Domain Controller (RODC)?

An RODC improves security
An RODC holds a read-only copy of the AD DS database. If an RODC is compromised, the potential loss of information is much less than with a full read/write domain controller: the RODC accepts no directory writes (replication is one-way, from writable DCs to the RODC), and by default it does not cache any user or computer passwords, because its Password Replication Policy (PRP) ships with an empty allowed list and with privileged groups such as Domain Admins, Enterprise Admins and Schema Admins on the denied list. The exposure from a stolen RODC is therefore limited to the secrets of the accounts the PRP explicitly allows it to cache, so keep that allowed list to the branch's own users and computers.
When should you use a RODC?
There are several reasons to consider an RODC instead of a regular domain controller.
  • Security. A site where there isn't a physically secure facility to house the server, and there are few, if any, local IT staff to support and monitor it.
  • Users and Services. You would like users to be provided services and authentication locally, rather than have to contact a domain controller in the data center.
  • Network Latency. Users typically connect to multiple services during a workday. So, service ticket activity happens regularly. Authentication and service ticket activity over a WAN link between a branch office and a hub site can result in slow or unreliable performance.
What is the most common scenario for an RODC?
The most common scenario for using an RODC is a branch office.

Data Center (hub site)
  • Writable domain controller
  • Specifies the password replication policy
  • Contains all domain objects and all attributes

Branch Office
  • Read-only domain controller
  • Caches passwords only if the password replication policy allows it
  • Has a subset of the object attributes (attributes in the RODC filtered attribute set, such as secrets, are never replicated to it)
  • Authentication is forwarded to a writable DC in the data center when a user's password is not cached locally
  • Has a local Administrator group, so delegated branch staff can administer the server without holding any domain-level rights

Wednesday, March 4, 2020

Windows Server: Active Directory and its Fundamentals

Active Directory
Microsoft developed a directory service for a Microsoft Domain network and this directory service is referred to as Active Directory. It is included in most Windows Server Operating Systems as a set of processes and services.
Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.


To make sense of that definition we first need to understand what a directory service, a Microsoft domain and a domain controller are. Let's look at each in turn.

Directory Service
To administer, manage, locate and organize everyday items and network resources we require a shared information infrastructure. Such items and resources can include files, folders, users, groups, printers, volumes, devices, telephone numbers and other objects.
A directory service is a service, or infrastructure, that maps the names of network resources to their network addresses and attributes. It is a critical component of a network operating system. The service is provided by a server known as a directory server, and each network resource held in it is called an object.
A directory service defines a namespace for the network. The namespace assigns each object a name that serves as its unique identifier. Directories have a set of rules determining how network resources are named and identified; the basic requirement is that identifiers be unique and unambiguous. In AD DS, for example, every object has a unique distinguished name (something like CN=alice,OU=Users,DC=corp,DC=example), and every security principal additionally has a unique security identifier (SID).
When a user uses a directory service there is no need to remember the physical address of a network resource; the user can locate it by name. Directory services also usually include an access control mechanism that limits which users can read or change directory information, which matters because the directory's contents are themselves sensitive: anyone who can read it freely gets a complete map of the accounts, groups and machines on the network.


Microsoft Domain
A Microsoft domain is a computer network in which all user accounts, computers, printers and other security principals are registered with a central database held on one or more central servers known as domain controllers. Authentication takes place on the domain controllers.
Each user who uses computers within the domain receives a single user account that can be granted access to resources anywhere in the domain. Active Directory is the Windows component in charge of maintaining that central database.

Domain Controller
On Windows Server, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, and so on) within a Windows domain.
In other words, a server running Active Directory Domain Services (AD DS) is a domain controller. It authenticates and authorizes all users and computers in the domain, and through Group Policy it also assigns and enforces security policy for all domain computers and can install or update software on them. Because every writable DC holds the credentials of every account in the domain, a DC is the highest-value target on the network and must be protected accordingly.


Example:
When a user logs in to a computer that is part of a Windows domain, the domain controller validates the submitted credentials against Active Directory and builds the user's access token, which determines whether that account is an administrator or a standard user on the machine. Active Directory also stores configuration and administrative information for the domain and provides the authentication and authorization mechanisms that use it.

Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
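The three pieces above (DNS, LDAP and the domain controller) are easiest to see by walking through how a domain member actually finds a DC and then reads the directory. The following PowerShell script is an added example, not code from the original post; it assumes it runs on a domain-joined Windows host, takes the domain name from the environment (or from its parameter) and needs no RSAT tools, because [ADSISearcher] wraps the built-in System.DirectoryServices classes.

```powershell
# Added example (not from the original post): locate domain controllers the way
# a client does (DNS SRV records), then query the directory over LDAP.
# Assumption: runs on a domain-joined host; $Domain defaults to the machine's domain.
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. DNS. AD DS registers SRV records that the DC locator queries:
#    _ldap._tcp.dc._msdcs.<domain> lists every DC, _kerberos._tcp.<domain> every KDC.
$ldapSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$kdcSrv  = Resolve-DnsName -Name "_kerberos._tcp.$Domain"       -Type SRV -ErrorAction Stop

"Domain controllers advertised in DNS:"
$ldapSrv | Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { "  {0}:{1} (priority {2}, weight {3})" -f $_.NameTarget, $_.Port, $_.Priority, $_.Weight }
"Kerberos KDCs advertised in DNS:"
$kdcSrv | Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { "  {0}:{1}" -f $_.NameTarget, $_.Port }

# 2. LDAP. Every object lives at a unique distinguished name in the namespace.
#    A DC's computer account carries userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT);
#    an RODC additionally carries 0x4000000 (PARTIAL_SECRETS_ACCOUNT).
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$searcher = [ADSISearcher]'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'dNSHostName', 'userAccountControl', 'operatingSystem'))
$searcher.PageSize = 200   # paged results, so large domains do not hit the server-side 1000-entry limit

"Domain controllers found over LDAP:"
foreach ($result in $searcher.FindAll()) {
    $uac  = [int]$result.Properties['useraccountcontrol'][0]
    $role = if ($uac -band 0x4000000) { 'RODC' } else { 'writable DC' }
    $line = "  {0}  [{1}]  {2}" -f $result.Properties['dnshostname'][0], $role, $result.Properties['operatingsystem'][0]
    $line + "  " + $result.Properties['distinguishedname'][0]
}
```

The LDAP filter is the same one an attacker runs first after landing on a domain-joined machine, which is the point: the directory answers this question for any authenticated user, so the inventory of DCs (and of which ones are RODCs) should be treated as known to anyone inside the network.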

Sunday, January 19, 2020

What is Domain Controller and Active Directory

What is a Domain Controller?

Each employee in A's office has a key to the building. One weekend A forgets her key. The security officer authenticates her as an employee and lets her in.

You can think of a domain controller as the security officer in that situation. There are many computers in the office, and each requires users to log in with their credentials. If there are hundreds of computers, then from the perspective of an Information Technology (IT) professional it is difficult to manage authentication on each individual machine. To simplify the task, one computer is configured to handle authentication for all the others, and all the office computers are connected to it to form a network. That main computer is the domain controller, and the computers it authenticates are its clients; in such a setup the client computers are said to be on the Windows domain. The IT person no longer has to manage login credentials on each individual computer: the user names and credentials of everyone in the office are managed in one place, the domain controller.

Active Directory

Active Directory is the central database on a domain controller that holds the accounts of all users and computers on the network, along with the groups, printers and other shared resources they can use. When someone tries to log in, the submitted credentials must match the account stored in Active Directory; if they do not, access is denied. All client computers on the domain share this one Active Directory. Adding computers or shared resources to the domain is an administrative action, but note that by default any authenticated user can join up to ten computers to the domain (the ms-DS-MachineAccountQuota attribute); set it to 0 and delegate the join right to a specific group if you want only administrators to be able to do so.


Tuesday, January 8, 2019

Active Directory and Domain Controller

What is Active Directory Domain Services (AD DS)?

Active Directory Domain Services (AD DS) is a scalable, secure, and manageable infrastructure for user and resource management. AD DS is a Windows Server role that's installed and hosted on a server known as a domain controller. AD DS uses the Lightweight Directory Access Protocol (LDAP) to access, search, and change the directory service. LDAP is derived from the X.500 standard and runs over TCP/IP.
AD DS provides a centralized system for managing users, computers, and other resources on the network. AD DS features a centralized directory, single sign-on access, integrated security, scalability, and a common management interface.

What is a domain controller?

A domain controller hosts the AD DS role
A domain controller is a server that has the AD DS role installed and has been promoted to a domain controller. By default, it's configured to store a copy of the AD DS directory database. All domain controllers, except Read Only Domain Controllers (RODCs), store a read/write copy of the AD DS database.

Replication keeps the domain controllers in sync
Domain controllers use a multi-master replication process; for most operations, data can be changed on any domain controller, except on RODCs. The AD DS replication service then synchronizes the changes that are made to the AD DS database to other domain controllers in the domain.  

You should always have at least two domain controllers
As a best practice, an AD DS domain should have at least two domain controllers. This makes the AD DS database more available, and spreads the authentication load during peak sign-in times.

Monday, January 23, 2017

Microsoft INF200.1x, Windows Server 2012 Fundamentals: Infrastructure - Physical Component - Domain Controller


What is Active Directory Domain Services (AD DS)?

Active Directory Domain Services (AD DS) is a scalable, secure, and manageable infrastructure for user and resource management. AD DS is a Windows Server role that's installed and hosted on a server known as a domain controller. AD DS uses the Lightweight Directory Access Protocol (LDAP) to access, search, and change the directory service. LDAP is derived from the X.500 standard and runs over TCP/IP.
AD DS provides a centralized system for managing users, computers, and other resources on the network. AD DS features a centralized directory, single sign-on access, integrated security, scalability, and a common management interface.

What is a domain controller?

A domain controller hosts the AD DS role

A domain controller is a server that has the AD DS role installed and has been promoted to a domain controller. By default, it's configured to store a copy of the AD DS directory database. All domain controllers, except Read Only Domain Controllers (RODCs), store a read/write copy of the AD DS database.

Replication keeps the domain controllers in sync

Domain controllers use a multi-master replication process; for most operations, data can be changed on any domain controller, except on RODCs. The AD DS replication service then synchronizes the changes that are made to the AD DS database to other domain controllers in the domain.

You should always have at least two domain controllers

As a best practice, an AD DS domain should have at least two domain controllers. This makes the AD DS database more available, and spreads the authentication load during peak sign-in times.
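Multi-master replication and the "at least two DCs" rule are only useful if replication is actually working and both DCs are writable, so both need checking. The following PowerShell script is an added example that is not part of the original post (nor of the Microsoft course it summarizes); it assumes the ActiveDirectory RSAT module on a domain-joined host, and the two-hour staleness threshold is an assumed value.

```powershell
# Added example (not from the original post): confirm the domain has at least two
# writable DCs and that every DC's inbound replication links are healthy.
# Assumptions: ActiveDirectory module available; $MaxLagHours is an arbitrary alert threshold.
param([int]$MaxLagHours = 2)
Import-Module ActiveDirectory -ErrorAction Stop

$dcs      = @(Get-ADDomainController -Filter *)
$writable = @($dcs | Where-Object { -not $_.IsReadOnly })
"Domain controllers: {0} total, {1} writable, {2} read-only" -f $dcs.Count, $writable.Count, ($dcs.Count - $writable.Count)
if ($writable.Count -lt 2) {
    Write-Warning "Only $($writable.Count) writable DC(s): one DC is a single point of failure for authentication and for the directory itself."
}

$cutoff = (Get-Date).AddHours(-$MaxLagHours)
foreach ($dc in $dcs) {
    try {
        # One row per (partner, partition) inbound replication link on this DC.
        $links = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop
    } catch {
        Write-Warning "$($dc.HostName): cannot read replication metadata ($($_.Exception.Message))"
        continue
    }
    foreach ($link in $links) {
        # Partner is the DN of the source DC's NTDS Settings object; its second RDN is the DC name.
        $partner = ($link.Partner -split ',')[1] -replace '^CN=', ''
        $stale   = $link.LastReplicationSuccess -lt $cutoff
        $failed  = $link.LastReplicationResult -ne 0
        $flag    = if ($failed -or $stale) { 'PROBLEM' } else { 'ok' }
        "{0,-8} {1,-16} <- {2,-16} {3,-45} last success {4:u} result {5}" -f $flag, $dc.Name, $partner, $link.Partition, $link.LastReplicationSuccess, $link.LastReplicationResult
    }
    # Explicit failure records carry the Win32 error, e.g. 1722 (RPC server unavailable) or 8453 (replication access denied).
    Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Warning ("{0}: {1} consecutive failure(s) from {2}, last error {3}" -f $dc.Name, $_.FailureCount, $_.Partner, $_.LastError) }
}
```

A DC that has stopped replicating is not just an availability problem: it keeps authenticating users against stale data, so a disabled account or a reset password may still work there, and it is exactly the state an attacker wants after tampering with one DC. The same information is available from the command line with repadmin /replsummary and repadmin /showrepl.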

What is a Read Only Domain Controller (RODC)?

An RODC improves security
An RODC holds a read-only copy of the AD DS database. If an RODC is compromised, the potential loss of information is much less than with a full read/write domain controller: the RODC accepts no directory writes (replication is one-way, from writable DCs to the RODC), and by default it does not cache any user or computer passwords, because its Password Replication Policy (PRP) ships with an empty allowed list and with privileged groups such as Domain Admins, Enterprise Admins and Schema Admins on the denied list. The exposure from a stolen RODC is therefore limited to the secrets of the accounts the PRP explicitly allows it to cache, so keep that allowed list to the branch's own users and computers.
When should you use a RODC?
There are several reasons to consider an RODC instead of a regular domain controller.
  • Security. A site where there isn't a physically secure facility to house the server, and there are few, if any, local IT staff to support and monitor it.
  • Users and Services. You would like users to be provided services and authentication locally, rather than have to contact a domain controller in the data center.
  • Network Latency. Users typically connect to multiple services during a workday. So, service ticket activity happens regularly. Authentication and service ticket activity over a WAN link between a branch office and a hub site can result in slow or unreliable performance.

What is the most common scenario for an RODC?
The most common scenario for using an RODC is a branch office.
Data Center (hub site)
  • Writable domain controller
  • Specifies the password replication policy
  • Contains all domain objects and all attributes

Branch Office
  • Read-only domain controller
  • Caches passwords only if the password replication policy allows it
  • Has a subset of the object attributes (attributes in the RODC filtered attribute set, such as secrets, are never replicated to it)
  • Authentication is forwarded to a writable DC in the data center when a user's password is not cached locally
  • Has a local Administrator group, so delegated branch staff can administer the server without holding any domain-level rights
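The branch-office picture above, and the RODC post earlier on this page, both come down to one control: the Password Replication Policy decides what a stolen RODC is worth. The following PowerShell script is an added example, not code from the original post or from Microsoft's course material; every name in it (domain corp.example, site Branch01, groups "Branch01 Users" and "Branch01 Admins", RODC name BR01-RODC) is an assumption, and it requires the ADDSDeployment and ActiveDirectory modules.

```powershell
# Added example (not from the original post): promote a branch RODC with a scoped
# Password Replication Policy and delegated local admin, then audit what it may
# cache and what it has actually cached. All names below are assumptions.
param(
    [string]$Domain   = 'corp.example',
    [string]$Site     = 'Branch01',
    [string]$RodcName = 'BR01-RODC'
)
Import-Module ActiveDirectory -ErrorAction Stop

# --- Step 1: promotion (run on the branch server itself; it reboots, so it is left commented) ---
# -ReadOnlyReplica promotes as an RODC, -SiteName pins it to the branch site,
# -DelegatedAdministratorAccountName gives the branch group admin rights on this box only
# (Administrator Role Separation, no domain-level rights), and
# -AllowPasswordReplicationAccountName restricts which accounts' secrets it may ever cache.
# Install-ADDSDomainController -DomainName $Domain -ReadOnlyReplica -SiteName $Site -InstallDns `
#     -DelegatedAdministratorAccountName "$Domain\Branch01 Admins" `
#     -AllowPasswordReplicationAccountName @("$Domain\Branch01 Users") `
#     -Credential (Get-Credential "$Domain\Administrator")

# --- Step 2: audit the PRP (run from any management host) ---
$rodc = Get-ADDomainController -Identity $RodcName
if (-not $rodc.IsReadOnly) { throw "$RodcName is not an RODC" }

"Allowed to cache on ${RodcName}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | ForEach-Object { "  " + $_.Name }

"Denied from caching on ${RodcName}:"
$denied = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)
$denied | ForEach-Object { "  " + $_.Name }

# The default denied list is Account Operators, Administrators, Backup Operators, Server Operators
# and "Denied RODC Password Replication Group" (which holds Domain Admins, Enterprise Admins,
# Schema Admins, krbtgt and more). If any of these were removed, a stolen RODC could hold
# privileged hashes, which defeats the purpose of deploying an RODC.
foreach ($required in 'Denied RODC Password Replication Group', 'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators') {
    if ($denied.Name -notcontains $required) { Write-Warning "$required is NOT in the denied list of $RodcName" }
}

# What an attacker holding the RODC's disk actually gets: the accounts whose secrets
# have been revealed to it, as opposed to accounts that merely authenticated through it.
"Accounts whose secrets are currently cached on ${RodcName}:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts | ForEach-Object { "  " + $_.SamAccountName }
```

Run the audit part periodically, not just at deployment, because PRP membership is ordinary group membership and drifts. If the RODC is ever lost or stolen, delete its computer object from Active Directory Users and Computers: the deletion dialog offers to reset the passwords of every account in the revealed list, which is what turns the stolen cache into worthless data.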