Read only Domain Controllers in Windows Server 2008

Active Directory, Windows Server Operating Systems

The Domain Controller has been a cornerstone of Windows networking as far back as Windows NT. While the functionality of the Domain Controller has evolved from a primary and backup configuration in NT to the flexible single master of operations model used with Active Directory, the Domain Controller remains the central concept in Windows Server 2008.

Windows Server 2008, however, enhances the Domain Controller concept by allowing read only Domain Controllers. These are Domain Controllers that hold a copy of the Active Directory information but do not allow that information to be changed through the read only DC.

For example, suppose a company has a large corporate office where the network consists of three Domain Controllers, two member servers, and 100 client PCs and users. The company then decides to open a smaller office about thirty miles away where they will move a few staff members to expand the operation of the company. Because of the small size of the branch office, the company elects to place a read only Domain Controller (RODC) in the branch office to allow most of the AD information to be stored in the branch office without allowing changes made in the branch office to propagate back to the other DCs on the network.

Note: Password information cannot be stored on a RODC, which will increase security. When this information is needed for authentication it is requested from a writeable Domain Controller.

To configure a read only Domain Controller, simply check the read-only Domain Controller (RODC) box displayed during the Domain Controller installation wizard.

Note: Updates to the directory partition received by an RODC must be pulled from a Domain Controller running Windows Server 2008 in the same domain. The domain and forest must be at least at the Windows Server 2003 functional level.

To configure a read only Domain Controller to also handle DNS for the remote site, you will also need to run the adprep /rodc command once per forest to allow DNS permissions to be updated across all DNS partitions in the forest.

When using DNS on a read only Domain Controller, be aware that this server cannot register name server resource records for any Integrated DNS zones it hosts. If a resource registration is requested, a referral to another DNS server is returned, allowing the client to request the registration through a writeable Domain Controller.

Note: A read only Domain Controller cannot function as a Global Catalog server because the GC requires a writeable Domain Controller.

There are several restrictions that come into play when deploying read only Domain Controllers; however, they can be deployed with little worry in offices that may not be as physically secure as a completely writeable copy of Active Directory would require.
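
An added PowerShell pre-check (not from the original post) for the prerequisites listed above: domain and forest functional level at least Windows Server 2003, and a writeable Windows Server 2008 DC in the same domain for the RODC to pull updates from. It uses only .NET directory classes, so it assumes nothing more than a domain-joined machine and a domain user; the RID values 516 (Domain Controllers) and 521 (Read-only Domain Controllers) are the well-known primary group RIDs of the respective DC computer accounts.

```powershell
# Added example: RODC prerequisite check, read-only against the current domain.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. Functional levels must be at least Windows Server 2003 (interim levels
#    enumerate below the 2003 level, so an integer comparison is sufficient).
$domainOk = [int]$domain.DomainMode -ge [int][System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain
$forestOk = [int]$forest.ForestMode -ge [int][System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
"Domain functional level : $($domain.DomainMode)  (>= 2003: $domainOk)"
"Forest functional level : $($forest.ForestMode)  (>= 2003: $forestOk)"

# 2. Enumerate DC computer accounts: writeable DCs have primaryGroupID 516,
#    RODCs have primaryGroupID 521. Only a writeable Windows Server 2008 DC
#    in this domain can be the replication source for a new RODC.
function Get-Prop($result, $attr) {
    $v = $result.Properties[$attr]
    if ($v.Count -gt 0) { $v[0] } else { $null }
}
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($domain.Name)")
$searcher.Filter = '(&(objectCategory=computer)(|(primaryGroupID=516)(primaryGroupID=521)))'
[void]$searcher.PropertiesToLoad.AddRange(@('name', 'operatingSystem', 'primaryGroupID'))

$writable2008 = @()
$rodcs = @()
foreach ($r in $searcher.FindAll()) {
    $name = [string](Get-Prop $r 'name')
    $os   = [string](Get-Prop $r 'operatingSystem')
    $rid  = [int](Get-Prop $r 'primaryGroupID')
    if ($rid -eq 521) { $rodcs += $name; continue }
    if ($os -like 'Windows Server 2008*') { $writable2008 += $name }
}
"Writeable Windows Server 2008 DCs : $($writable2008 -join ', ')"
"Existing RODCs                    : $($rodcs -join ', ')"

if ($domainOk -and $forestOk -and $writable2008.Count -gt 0) {
    'Prerequisites met. If the RODC will also host DNS, run adprep /rodc once per forest first.'
} else {
    'Prerequisites NOT met: raise the functional levels and/or add a writeable Windows Server 2008 DC first.'
}
```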

Restartable Active Directory Domain Services

Active Directory, Windows Server Operating Systems

Windows Server 2008 introduces another new feature in this iteration of Active Directory: restartable Active Directory Domain Services. All DCs running Windows Server 2008 support restartable domain services.

Active Directory Domain Services will appear in the services applet on all Windows Server 2008 Domain Controllers in your Active Directory environment. The modes available for Active Directory Domain Services are:

  • Active Directory Started – In this state, the Active Directory services are running and will function similarly to Domain Controllers in Windows 2000 Server and Windows Server 2003. When in the started state, a Windows Server 2008 Domain Controller can provide authentication services for a domain.
  • Active Directory Stopped – In this state the Domain Controller cannot provide authentication and logon services for an Active Directory environment. While in a stopped state the Domain Controller behaves similarly to a Member Server or to a server started in Directory Services Restore Mode (DSRM). The server will accept logins with cached credentials, smart cards, or biometrics like a member server, while also taking its directory services database offline, like DSRM.
  • Directory Services Restore Mode – In this state the Domain Controller is in restore mode and behaves much like a Windows Server 2003 Domain Controller in Restore Mode. The Directory Services database is offline, and maintenance, including an authoritative restore, can be performed.

Stopping the Active Directory services allows maintenance tasks to be performed that previously required the server to be restarted. This can save a great deal of time for administrators and other users in your environment. Other domain controllers within the environment will handle logon requests and other resource needs while a server’s Active Directory services are stopped. If your environment has only one Domain Controller and no other methods of authentication are supported, an administrator can still log on using the Active Directory Restore Mode user account and password.

Other methods of authentication which will work when AD Domain Services are stopped are:

  • Cached Credentials
  • Smart Cards
  • Biometrics

Note that, like any other Windows service, AD DS stops the services that depend on it when it is stopped. These include the File Replication, Intersite Messaging, and Kerberos Key Distribution Center services. If these services are still running when Active Directory restarts, they will be restarted.

Note: When starting a Domain Controller, you cannot start Active Directory Domain Services in a stopped state. To stop this service, the Windows Server 2008 system must be started first, and then the AD DS service can be stopped using the services applet.
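
An added PowerShell maintenance script (not from the original post) that performs the stop/start cycle described above from the command line instead of the services applet. It assumes it runs elevated on a Windows Server 2008 DC, uses the service name NTDS (the service behind "Active Directory Domain Services"), and warns first when this is the only DC in the domain, since then only cached credentials, smart cards, biometrics or the DSRM account can be used while AD DS is stopped.

```powershell
# Added example: take AD DS offline for maintenance and bring it back,
# recording which dependent services were stopped along with it.
$svcName = 'NTDS'

# Safety check: other DCs will answer logons while this one is stopped;
# with a single DC, domain logons are unavailable for the whole window.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$others = @($domain.FindAllDomainControllers() |
    Where-Object { $_.Name.Split('.')[0] -ine $env:COMPUTERNAME })
if ($others.Count -eq 0) {
    Write-Warning 'This is the only DC in the domain; domain logons will fail while AD DS is stopped.'
}

function Stop-DirectoryServices {
    # Capture the running dependents first (Kerberos KDC, File Replication,
    # Intersite Messaging, ...): AD DS takes them down with it.
    $running = @(Get-Service -Name $svcName -DependentServices |
        Where-Object { $_.Status -eq 'Running' })
    'Dependent services that will stop: ' + (($running | ForEach-Object { $_.Name }) -join ', ')
    Stop-Service -Name $svcName -Force   # -Force is required because of the dependents
    (Get-Service -Name $svcName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    return $running
}

function Start-DirectoryServices($dependents) {
    Start-Service -Name $svcName
    (Get-Service -Name $svcName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    # Start any dependent that was running before and did not come back on its own.
    foreach ($s in $dependents) {
        if ((Get-Service -Name $s.Name).Status -ne 'Running') { Start-Service -Name $s.Name }
    }
}

$stopped = Stop-DirectoryServices
# ... offline maintenance on the directory database goes here ...
Start-DirectoryServices $stopped
Get-Service -Name $svcName -DependentServices | Format-Table Name, Status -AutoSize
```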