Read-Only Domain Controller

For this post I would like to talk about one of the new features of Active Directory (AD) that ships as part of Windows Server 2008. While AD may be used for many things, the main job most organizations use it for is authentication. Because AD holds user account information, including password hashes, security is a major concern for any box that is a domain controller. To address that concern when a domain controller has to be deployed to a location outside the main data center, Windows Server 2008 introduces the Read-Only Domain Controller (RODC) role. So why is this important? In the old days you either had to place a Domain Controller (DC) at the remote location or have users authenticate across the WAN to a DC in the data center. Both have problems: bandwidth and logon performance if users authenticate across the WAN, and security and administration concerns if a full, writable DC sits at a remote site where physical security and local administrators are harder to control.

So welcome the RODC. It lets you place a DC at the remote site so users authenticate locally, for better performance and less WAN traffic. So why is this so cool? Because, except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, no changes can be made to the database stored on the RODC. Changes must be made on a writable domain controller and are then replicated to the RODC (replication is one-way, inbound to the RODC). You can also delegate local administrative permissions for an RODC to any domain user without granting that user any rights in the domain or on other domain controllers. If you were paying attention you saw that passwords are not stored on the RODC, so you are asking how it can authenticate a user. The answer is that the RODC forwards the authentication request to a writable DC. If the RODC's Password Replication Policy (PRP) allows that account's secrets to be cached, the RODC then pulls them and can service that user's logon requests directly until the credentials change; by default the PRP allows nothing (the "Allowed RODC Password Replication Group" is empty) and explicitly denies privileged groups such as Domain Admins, so you have to opt accounts in. This limits credential caching to the users who actually authenticate through that RODC and are permitted by its PRP. So if someone were to compromise the RODC, only the cached credentials could be cracked, and when you delete a compromised RODC's computer object AD offers to reset the passwords of every account it had cached.
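The practical check that follows from this is: which DCs are read-only, whose secrets is each RODC allowed to cache, and whose secrets are actually cached right now (the set that would be at risk if that box were stolen). The following script is an added example, not code from the original post. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later), an account permitted to read the RODC's Password Replication Policy, and a placeholder RODC name of RODC01.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and read access to the RODC's Password Replication Policy.
Import-Module ActiveDirectory

$rodc = 'RODC01'   # placeholder: replace with your RODC's name

# 1. Which DCs in the domain are read-only?
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IPv4Address

# 2. Password Replication Policy: whose secrets MAY be cached on this RODC?
#    Default: "Allowed RODC Password Replication Group" (empty) is allowed,
#    the built-in privileged groups are denied.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, DistinguishedName

# 3. Whose secrets ARE cached ("revealed") on this RODC? This is the set an
#    attacker who walks off with the RODC's database could attempt to crack.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass

# 4. Cross-check: a cached user account that sits in a privileged group is a
#    finding, because the RODC is usually the least physically protected DC.
#    (Get-ADPrincipalGroupMembership reports direct membership only; nested
#    membership would need a recursive lookup.)
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                'Schema Admins', 'Account Operators', 'Server Operators',
                'Backup Operators')
foreach ($acct in $revealed) {
    if ($acct.ObjectClass -ne 'user') { continue }   # skip computer/krbtgt entries
    $groups = Get-ADPrincipalGroupMembership -Identity $acct |
              Select-Object -ExpandProperty Name
    $hit = $groups | Where-Object { $privileged -contains $_ }
    if ($hit) {
        Write-Warning ("{0} is cached on {1} and belongs to: {2}" -f
            $acct.Name, $rodc, ($hit -join ', '))
    }
}
```

Run step 3 periodically, not just at deployment: the revealed set grows as users authenticate through the RODC, so an account added to the allowed group months ago may be cached today without anyone having looked.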

So what does this mean for folks who develop software? Maybe nothing. However, if your code authenticates users or makes any AD calls, make sure to test it against an RODC. Applications that request read access to the directory get it just as they would from any DC, but Lightweight Directory Access Protocol (LDAP) applications that attempt a write receive an LDAP referral response that directs them to a writable domain controller; your LDAP client has to either chase the referral or target a writable DC for writes in the first place. A key point to remember is that if you write to the writable DC and then immediately read the new value back from the RODC, the read may fail or return stale data if the change has not yet arrived through replication.
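To see the read-after-write problem for yourself, write an attribute through a writable DC and then poll the RODC for it with a bounded retry. The script below is an added example, not code from the original post. It assumes the ActiveDirectory PowerShell module; the account name jdoe and the RODC name RODC01 are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module; account and RODC names are placeholders.
Import-Module ActiveDirectory

$rodc    = 'RODC01'
$account = 'jdoe'
$stamp   = 'edited ' + (Get-Date -Format o)   # unique value so we can tell old from new

# Writes must go to a writable DC. Targeting the RODC only gets you a referral
# (the AD cmdlets surface it as an error), so discover a writable DC and
# address it explicitly.
$writable = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
Set-ADUser -Identity $account -Description $stamp -Server $writable

# Read-after-write from the RODC is NOT guaranteed: the RODC sees the change
# only after inbound replication. Poll with a bounded retry instead of
# assuming the first read is current.
$seen = $false
for ($i = 1; $i -le 12 -and -not $seen; $i++) {
    $desc = (Get-ADUser -Identity $account -Properties Description -Server $rodc).Description
    if ($desc -eq $stamp) { $seen = $true } else { Start-Sleep -Seconds 5 }
}
if ($seen) {
    "RODC $rodc has the change after $i read(s)"
} else {
    Write-Warning "RODC $rodc still stale after $i reads; replication has not caught up"
}

# The robust pattern for application code: read back from the same writable
# DC you wrote to. (An admin can also pull the change in by hand with
#   repadmin /replicate <rodc> <writable DC> <naming context DN>
# since the RODC is always the replication destination.)
(Get-ADUser -Identity $account -Properties Description -Server $writable).Description
```

The same rule applies to password changes: a user who changes a password on the writable DC and then logs on through the RODC is authenticated by forwarding to a writable DC until the RODC has replicated the new secret, so test that path too.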

For more information on RODC see the following links:

Until next time, enjoy!
