Configuring RODC

As mentioned earlier, RODC does not store user credentials on it by default. However, you can configure it to cache the user credentials. You can also configure RODC to disallow users’ credentials from caching on an RODC.

 

Configuring an RODC-Specific Password Replication Policy to cache the credentials
of Users and computers

To proceed with the configuration of Password Replication Policy to cache the
credentials of Users and computers, you should:

1. Create Users: Jack Hay, Ed Young and Sam Jones on the domain controller.
2. Create a group called Branch office users on the domain controller
3. Add Jack Hay to the Branch Office Users group, as shown in Figure 4-16:
   

   

4. Add the DNSAdmins group to the Denied RODC password replication group,
   as shown in Figure 4-17

   

5. Add Branch Office Users group in the Allowed RODC Password Replication
   groupThe Denied RODC password replication group and Allowed RODC Password
   Replication group are the two domain local security groups in Windows Server 2008
   User’s container of AD DS that helps in configuring Password Replication Policy.

   The Allowed RODC Password Replication group does not contain any members by
   default because RODC does not cache any credentials by default. However, you can add
   members to this group to allow caching of credentials on RODC.

   The Denied RODC password replication group should be configured with users or
   groups whose credentials you want to ensure that RODC should never cache. By default
   this group contains security sensitive accounts that are members of groups such as
   Domain Admins, Enterprise Admins, and Group Policy Creator Owners.

   After performing the above given tasks, you need to configure the password replication
   policy so that the credentials of users logging of the Allowed RODC Password
   Replication group can automatically be replicated to the RODC so that they can log in
   through the RODC also.

Configuring Password Replication Policy

To configure the password replication policy, you need to:

1. Select Domain Controllers node under the domain name to view the domain
   controllers running in the domain, as shown in Figure 4-18.

   

2. Right-click the Read Only domain controller from the left panel and then select
   Properties from the menu that appears, as shown in Figure 4-19.

   

   The Properties window of the RODC appears, as shown in Figure 4-20.

3. Click Password Replication Policy tab.The tab displays the list of accounts that that are defined in the Allowed List and the
   Denied List on the RODC by default. We now need to add Branch office Users group to
   the allowed list so that when the users of this group log on to RODC, their credentials are
   cached.
4. Click Add.
   

   

   The Add Groups, Users and Computers window appears, as shown in Figure 4-21.

5. Select Allow passwords for the account to replicate to this RODC option and
   click OK.

   

6. Provide Branch Office Users group name in the Select Users, Computers, or
   Groups window that appears and click OK, as shown in Figure 4-22.

   

   The credential caching through password replication policy is successfully configured on
   the RODC. You need to now monitor credential caching to verify that RODC is caching
   the credentials.

Monitor Credential Caching

By default, the RODC caches only the credentials of the krbtgt account and the computer
account of the RODC itself. To monitor RODC for credential caching, you need to:

1. Log on to the RODC with Jack Hay account (The member of Branch Office Users
   account) and then Log out.
2. Log on to the RODC with Ed Young account (User on domain controller but not a
   member of Branch Office Users group) and then Log out.You can now check whether the credentials of Branch Office User are cached on the
   RODC or not.
3. Log on to the Domain controller
4. Click Start-> Settings->Control Panel->Administrative Tools-> Active
   Directory Users and Computers.
5. Select Domain Controllers node under the domain name and then right-click the
   Read Only domain controller from the left panel
6. Select Properties from the menu that appears
7. Click Password Replication Policy tab in the Properties window
8. Click Advanced.The Advanced Password Replication Policy for the RODC window appears, as shown
   in Figure 14.
9. Click Accounts whose passwords are stored on this Read-only Domain
   Controller option in the Display users and computers that meet the following
   criteria drop-down list.
10. Verify that the Jack Hay account appears in the list but not the account of Ed
    Young. This is because Jack Hay is the member of Branch Office Users group,
    which is the group that is configured on RODC for the caching of credentials. The
    credentials of Ed Young are not cached because this user is not the member of
    Branch Office Users group, as shown in Figure 4-23.

    

11. Click Accounts that have been authenticated to this Read-only Domain
    Controller option in the Display users and computers that meet the following
    criteria drop-down list, as shown in Figure 4-24.

    

12. Verify that the account entries for both Jack Hay and Ed Young appear in the list.
    This is because; this list displays the list of accounts that have been authenticated
    by the RODC and not the accounts that have been cached.

Prepopulate the password cache for the RODC

The Prepopulating of password cache on the RODC allows you to configure RODC to
cache account credential for user accounts that must be cached but the users have not yet
logged on to the RODC. Prepopulating of password cache on the RODC ensures that the
user is allowed to log in to the network in the branch office, even when the WAN link is
failed between the main office and the branch office.

You can prepopulate the cache only for accounts that are configured to be cached in the
Password Replication Policy.

To prepopulate the password cache for an RODC, you need to:

1. Log on to the Domain controller
2. Click Start-> Settings->Control Panel->Administrative Tools-> Active
   Directory Users and Computers.
3. Select Domain Controllers node under the domain name and then right-click the
   Read Only domain controller from the left panel
4. Select Properties from the menu that appears
5. Click Password Replication Policy tab in the Properties window
6. Click Advanced.The Advanced Password Replication Policy for the RODC window appears.
7. Click Prepopulate PasswordsThe Select User and Computers window appears, as shown in Figure 4-25.
8. Type or browse the name of the user whose credentials you want to prepopulate in
   the cache for the RODC in the Enter the object names to select field, and click
   OK.

   

   The Prepopulate Passwords window appears displaying the name of the selected user,
   as shown in Figure 4-26.

9. Click Yes.
   

   

   The Prepopulate Passwords window starts displaying the progress of the task, as shown
   in Figure 4-27.

   

   The Prepopulate Password Success window appears

10. Click OK.
11. Click Accounts whose passwords are stored on this Read-only Domain
    Controller option in the Display users and computers that meet the following
    criteria drop-down list, as shown in Figure 4-28:

    

    Verify that the list shows account for Sam Jones, whose credentials have been
    prepopulated on the RODC.

In an Active Directory domain all the domain controllers are equivalent and can perform all the functions. However, in a multidomain environment, where multimaster replication needs to be performed, certain changes cannot be performed on all the domain controllers. For example the schema master changes should not be performed as multimaster replication. Rather these changes must be performed as single master operation.

In Active Directory environment where domain controllers play a single master role are called operations masters. The single master operation roles can be transferred on any domain controller in a domain and are therefore called flexible single master operations (FSMO). At any given time only one role can be assigned/ performed to/by a domain controller.

There are total five types of FSMO roles, out of which three are domain level roles and two are forest wide roles. All the five operations master roles are automatically configured on the first domain controller that is configured in a forest. The domain level operations master roles are configured in each domain and are also assumed by the first domain controller in each of the additional domains created in the forest. These roles are:

• PDC (Primary Domain Controller) emulator: It services logon requests and processes all password updates.
• Relative ID (RID): It is responsible for assigning unique RIDs to all the domain controllers and maintaining the global RID pool for the domain.
• Infrastructure: It is responsible for maintaining a list of the security principals. It keeps the group-to-user references updated as group membership changes and then replicate them to other domain controllers.

The forest wide roles can be implemented on one domain controller per forest. These roles are:

• Schema operations: It is responsible to commit all the changes to the schema.
• Domain naming: It is responsible to control the addition and removal of domains to and from the forest.

The automatic assignment of roles on the first domain controller in a forest overburdens the first domain controller. To avoid this overburden, you can transfer the operation master roles to other domain controllers in the domain\forest. The placement of each operation master role is important and requires a careful planning.

Placing Operations Masters

• PDC Emulator: A PDC emulator processes all the logon requests in a domain and it must always be available. There can be only one PDC emulator in a domain. It should be placed at a location where password forwarding operations are most needed to avoid logon failures that may occur due to delays in password replication process. To achieve best performance, it should be placed on a dedicated domain controller that is well connected to other locations and that does not have other FSMO responsibilities.
• Relative ID (RID) Master: The RID master ensures that there is no overlapping in the assignment of RID of a domain because each domain has a unique RID. There can be only one RID master in a domain. The RID master can be placed with any other FSMO role on a domain controller because additional load on an RID master is quite insignificant. It can be placed with PDS Emulator role on a domain controller.
• Infrastructure Master: The Infrastructure master keeps the group-to-user references updated as group membership changes and then replicate them to other domain controllers. The Infrastructure master can be placed with any other FSMO role on a domain controller because additional load on an Infrastructure master is quite insignificant. However, the Infrastructure master role should not be placed on global catalog servers because GC servers can replicate information on any domain.
• Schema Operations Master: Only one schema operations master can exist in a forest. Schema master changes are not performed frequently and therefore the additional load placement on a server containing this role is insignificant. So, schema operations master role can be placed with other FSMO roles on a domain controller. However, this role must be placed in such a way so that it is available to all the administrators who need to make schema changes.
• Domain Naming Master: The Domain Naming Master controls the addition and removal of domains to and from the forest. Only one domain naming master can exist per forest. It should be placed on a global catalog server because the domain naming master needs to contact the global catalog server each time a new domain is created. While placing this role, you also need to ensure that it is accessible from any subnet in your network.

Identify Operation Masters

To identify the operation masters that are running on a server, you need to:

1. Open Active Directory Users and Computers snap-in by clicking Start- >Administrative Tools-> Active Directory Users and Computers.
2. Right-click the domain name (inscription.com) node and select Operations Masters option from the menu that appears, as shown in Figure 3-26.

The Operations Masters dialog box appears displaying the operations masters’ role in each tab of the dialog box, as shown in Figure 3-27.

Beside this, you can use the Netdom tool to see the server on which all the five FSMO server roles are installed in just one go.

You need to type netdom query fsmo on the command prompt to see the results, as shown in Figure 3-28.

Transfer an Operation Master Role

To transfer an operation master role, you need to take the operations master offline, transfer the role to another domain controller and then bring it online. To transfer the operations master role, you need to:

1. Open Active Directory Users and Computers snap-in by clicking Start- >Administrative Tools-> Active Directory Users and Computers.
2. Right-click the domain name (inscription.com) node and select Change Domain Controller option from the menu that appears.The Change Directory Server window appears, as shown in Figure 3-29. The window allows you to select the domain controller on which you want to transfer the role.
3. Select the domain controller from the list and click OK.
   

   

4. Right-click the domain name (inscription.com) node and select Operations Masters option from the menu that appears.
5. Click the tab of the role that you want to transfer. For example click on PDC tab.
6. Click Change. Confirm the transfer by clicking Yes on the confirmation dialog box that appears.The role is successfully transferred.
7. Click OK and then click Close.
8. Shut down and Restart the server.