During the past couple of months many people have asked me a lot of questions regarding the functionality of RODCs. It is a relatively new concept and some of the information is not easily available. So I thought of recording the answers in this post so that the information is available in a single place for everyone. The purpose of this post is to answer the questions whose answers are not readily available out there. Therefore the basic stuff is not covered here, except for a few items such as the first two.
What is a RODC?
A Windows domain controller that holds complete, read-only copies of the partitions of the Active Directory database and a read-only copy of the SYSVOL folder and its contents.
Why a RODC?
By selectively caching credentials, RODCs address some of the challenges that enterprises can encounter in branch office locations where physical security of the domain controllers cannot be guaranteed or where other applications must run on the domain controller and be maintained by a server administrator that is not a domain administrator.
Is RODC DNS different?
Yes. The DNS server on a RODC is also read-only: it refers any write request directed to it to a writable DNS server, and the new information is afterwards replicated back to the RODC.
How does dynamic DNS work with RODC?
When a client attempts a dynamic update, it sends a Start of Authority (SOA) query to its preferred DNS server. Typically, clients are configured to use the DNS server in their branch site as their preferred DNS server. The RODC reads its SOA record and, on a best-effort basis, returns a writable Windows Server 2008 domain controller to the client. The client makes the dynamic update at the writable DNS server it was referred to. The RODC then waits a minimum of 30 seconds and a maximum of 210 seconds and attempts to replicate the updated DNS record object in Active Directory back to itself from the DNS server it referred the client to, using a Replicate Single Object (RSO) operation.
How are the minimum and maximum waiting times calculated?
The SOA query triggers the DNS server on the RODC to put an entry in remotePollList, which is an internal queue on each DNS server. The entry includes the following:
- The object to be replicated
- The source domain controller to replicate from
- A time stamp
The time stamp is set to a time in the future that is equal to the current time plus a replication delay. The replication delay is controlled by a registry setting named DsRemoteReplicationDelay. By default, the value of this setting is 30 seconds. The internal queue (remotePollList) is processed at regular intervals. The queue-processing interval is controlled by a registry setting named DSPollingInterval. By default, the value of the interval is 3 minutes (180 seconds).
When the DNS server processes the queue, it attempts to replicate only objects whose time stamp is less than the current time. Therefore, the delay between the time the RODC refers the client to an authoritative DNS server and the time it attempts to replicate the object in is determined by the following:
- The next time that the DNS server processes the queue
- Whether the remote replication delay that is set on the entry in the queue has elapsed
If the default values for the registry settings are used, the amount of time before the RODC attempts to perform a RSO operation is a minimum of 30 seconds (the DsRemoteReplicationDelay has just elapsed when a polling pass runs) and a maximum of 210 (180 + 30) seconds (the DsRemoteReplicationDelay elapses just after a polling pass, so the entry has to wait for the next one).
Can these values be changed for faster replication?
Yes. You can modify the values of these registry settings to reduce the amount of time before the RODC attempts to replicate the DNS update. The minimum value for the DsRemoteReplicationDelay setting is 5 seconds. The minimum value for the DSPollingInterval setting is 30 seconds. When the minimum values are used the amount of time before the RODC attempts to replicate the DNS update is a minimum of 5 seconds and a maximum of 35 seconds.
Will the changes affect other Active Directory operations of the RODC?
Yes. DsPollingInterval controls all Active Directory polling by the DNS server, not just RODC RSO handling. If you change this value, be aware that the change affects more than RODC RSO operations. For example, it also changes how often the DNS server polls Active Directory for new or updated resource records or DNS zones.
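To make the minimum/maximum figures above concrete, here is a small timing model added for this post (it is not Microsoft's DNS server code). It assumes exactly what the text describes: each queued remotePollList entry is stamped with the query time plus DsRemoteReplicationDelay, a polling pass runs every DSPollingInterval seconds, and a pass replicates only entries whose stamp is strictly less than the current time. It also refuses values below the documented minimums and builds the dnscmd /Config command lines for both settings; the server name is a constructed placeholder.

```python
"""Timing model for the RODC DNS remotePollList (added example, not Microsoft code)."""

# Documented defaults and documented floors, in seconds.
DEFAULT_REMOTE_DELAY = 30     # DsRemoteReplicationDelay
DEFAULT_POLL_INTERVAL = 180   # DSPollingInterval
MIN_REMOTE_DELAY = 5
MIN_POLL_INTERVAL = 30


def validate_settings(remote_delay: int, poll_interval: int) -> None:
    """Refuse values below the documented minimums before they are applied."""
    if remote_delay < MIN_REMOTE_DELAY:
        raise ValueError(f"DsRemoteReplicationDelay must be >= {MIN_REMOTE_DELAY}s")
    if poll_interval < MIN_POLL_INTERVAL:
        raise ValueError(f"DSPollingInterval must be >= {MIN_POLL_INTERVAL}s")


def rso_wait_bounds(remote_delay: int, poll_interval: int) -> tuple[int, int]:
    """Minimum and maximum seconds from the SOA referral to the RSO attempt.

    Best case: a polling pass runs just as the delay elapses.
    Worst case: the delay elapses just after a pass, so a full interval is added.
    """
    validate_settings(remote_delay, poll_interval)
    return remote_delay, remote_delay + poll_interval


def simulate_wait(query_offset: int, remote_delay: int, poll_interval: int) -> int:
    """Wait observed for one SOA query issued query_offset seconds after a polling pass.

    Polling passes happen at t = 0, P, 2P, ...; the entry is picked up by the
    first pass whose time is greater than the entry's stamp.
    """
    stamp = query_offset + remote_delay
    t = 0
    while not stamp < t:          # "time stamp is less than current time"
        t += poll_interval
    return t - query_offset


def observed_wait_range(remote_delay: int, poll_interval: int) -> dict[str, int]:
    """Scan every whole-second offset in one polling period; report best and worst waits."""
    waits = [simulate_wait(q, remote_delay, poll_interval) for q in range(poll_interval)]
    return {"min": min(waits), "max": max(waits)}


def dnscmd_commands(server_fqdn: str, remote_delay: int, poll_interval: int) -> list[str]:
    """Build the dnscmd /Config lines for the two settings (values validated first)."""
    validate_settings(remote_delay, poll_interval)
    return [
        f"dnscmd {server_fqdn} /Config /DsRemoteReplicationDelay {remote_delay}",
        f"dnscmd {server_fqdn} /Config /DsPollingInterval {poll_interval}",
    ]


if __name__ == "__main__":
    for delay, interval in ((DEFAULT_REMOTE_DELAY, DEFAULT_POLL_INTERVAL),
                            (MIN_REMOTE_DELAY, MIN_POLL_INTERVAL)):
        lo, hi = rso_wait_bounds(delay, interval)
        print(f"delay={delay}s poll={interval}s -> RSO attempt after {lo}..{hi}s, "
              f"simulated {observed_wait_range(delay, interval)}")
    # rodc01.corp.example is a constructed placeholder name.
    print("\n".join(dnscmd_commands("rodc01.corp.example", 10, 60)))
```

With whole-second offsets the simulation never quite reaches the 30-second lower bound (a pass at exactly the stamp time skips the entry, so the best observed wait is 31 s), while the 210-second upper bound is hit exactly; both sit inside the bounds the post states.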
What is a RSO operation?
A RSO operation is an LDAP modify operation on the operational attribute replicateSingleObject, which has existed in Active Directory since Windows 2000 and allows a single object to be replicated. In Windows Server 2008, replicateSingleObject was updated to support replication of secrets to RODCs.
Can a large number of RSO operations overload a domain controller?
No. The number of RSO requests per 5-minute cycle is limited to 300 to prevent denial-of-service attacks.
Do RODCs register NS records?
No. RODCs do not register Name Server (NS) records.
What is the SOA selection model for RODCs?
- Try to select a writable domain controller that is running Windows Server 2008 and is published as a Name Server for the zone.
- Pick a random NS from the NS list if there are no Windows Server 2008 writable domain controllers that have published a NS for the zone.
Can a RODC select another RODC as a SOA during the selection process?
No. Since RODCs do not register NS records they are not available for selection.
Are SOAs selected every time a DNS update operation is requested?
No. The current SOA target DC is maintained separately for each zone and re-selected every 20 minutes. This duration is not configurable.
Is the same SOA DC selected during each selection process?
No. The selection algorithm contains a random component to try to spread load between writable domain controllers.
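The selection rules from the last few questions, put together as a runnable model. This is an added example written for this post, not Microsoft's DNS server code; it assumes a per-zone cache keyed on the zone name, a fixed 20-minute re-selection interval, and a seeded random generator as the "random component" so that runs are reproducible. The server names are constructed.

```python
"""Model of the RODC SOA target selection (added example, not Microsoft code)."""
import random
from dataclasses import dataclass, field

RESELECT_INTERVAL = 20 * 60   # seconds; fixed by the DNS server, not configurable


@dataclass(frozen=True)
class DnsServer:
    name: str
    writable: bool        # False for a RODC
    version_year: int     # Windows Server release year, e.g. 2003 or 2008


def build_ns_list(servers: list[DnsServer]) -> list[DnsServer]:
    """The zone's NS set: RODCs never register NS records, so only writable DCs appear."""
    return [s for s in servers if s.writable]


@dataclass
class SoaSelector:
    rng: random.Random
    cache: dict = field(default_factory=dict)   # zone -> (server name, selected_at)

    def pick(self, ns_list: list[DnsServer]) -> str:
        """Prefer a Windows Server 2008 writable DC; otherwise any NS from the list."""
        preferred = [s for s in ns_list if s.version_year >= 2008]
        pool = preferred or ns_list
        if not pool:
            raise LookupError("zone has no name servers to refer the client to")
        return self.rng.choice(pool).name    # random component spreads the load

    def select(self, zone: str, ns_list: list[DnsServer], now: int) -> str:
        """Return the current SOA target for zone, re-selecting every 20 minutes."""
        cached = self.cache.get(zone)
        if cached is not None and now - cached[1] < RESELECT_INTERVAL:
            return cached[0]
        chosen = self.pick(ns_list)
        self.cache[zone] = (chosen, now)
        return chosen


def make_selector(seed: int) -> SoaSelector:
    """Selector with a seeded generator so a demonstration run is reproducible."""
    return SoaSelector(random.Random(seed))


# Constructed sample site: two WS2008 writable DCs, one WS2003 DC and one RODC.
SAMPLE_SERVERS = [
    DnsServer("dc01.corp.example", writable=True, version_year=2008),
    DnsServer("dc02.corp.example", writable=True, version_year=2008),
    DnsServer("dc03.corp.example", writable=True, version_year=2003),
    DnsServer("rodc01.corp.example", writable=False, version_year=2008),
]


def demo(seed: int = 7) -> list[str]:
    """Selections for one zone over an hour, one every 5 minutes.

    The answer is constant inside each 20-minute window and may change between windows.
    """
    selector = make_selector(seed)
    ns_list = build_ns_list(SAMPLE_SERVERS)
    return [selector.select("corp.example", ns_list, t) for t in range(0, 3600, 300)]


if __name__ == "__main__":
    print(demo())
```

Note that the RODC can never be chosen, not because of a special-case check but simply because it never appears in the NS list; and the WS2003 DC is only ever used when no WS2008 writable DC publishes an NS record for the zone.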
Is there a tool to make the DNS related registry modifications in a RODC safely?
Yes. To modify any of the registry entries that are related to the RSO operations for DNS updates on an RODC, use the Dnscmd.exe command-line tool to set the appropriate parameter.
Example: dnscmd <server>.<domain>.<com> /Config /DsRemoteReplicationDelay 10
Can we make changes in the SYSVOL of a RODC?
Yes, but the changes will be overwritten with the SYSVOL content from a writable domain controller during the next replication cycle, so it would be a useless task.
Do RODCs store any credentials at all?
Yes. It stores the credentials for its own computer account and for the krbtgt account that is unique to it, but nothing else.
Do RODCs use the normal krbtgt account of the domain for authentication services?
No. During the promotion of a RODC a separate krbtgt account is created on the domain for the use of that particular RODC only. This account is used for all authentication operations performed at this RODC.
Are RODCs advertised as Key Distribution Centers (KDCs)?
Yes, but only for its own site.
If the credentials are not replicated then how can a user or computer authenticate for the first time with a RODC?
The first time an account attempts to authenticate to an RODC, the RODC sends the request to a writable domain controller. If the authentication is successful, the RODC also requests a copy of the appropriate credentials. The writable domain controller recognizes that the request is coming from an RODC and consults the Password Replication Policy that is in effect for that RODC to check whether the requested credentials are allowed to be cached.
What is a “Password Replication Policy”?
The Password Replication Policy determines whether a set of credentials is allowed to be replicated to and stored on a particular RODC. If allowed, a writable domain controller sends the credentials to the RODC, and the RODC caches them. Once the credentials are cached, the next time that user or computer attempts to log on, the request is serviced directly by the RODC.
Do RODCs cache credentials for eternity?
No. The cached credentials are flushed once they are changed.
Can a non-domain administrator be made an administrator of a RODC?
Yes. This is known as “Administrative Role Separation”. A user can be given administrative access to a single RODC without giving administrative access to any other domain controllers.
What explicit access do the "RODC admins" have on Active Directory?
None.
Do RODCs support DFS-n and DFS-R?
Yes.
How does DFS replication work in a RODC?
As with AD DS replication, DFS replication to a RODC is unidirectional, in the inbound direction only.
A RODC is a domain controller. Can a corruption or a potentially harmful change at a RODC damage the whole domain?
No. No changes at a RODC are replicated outbound.
Can a non-domain administrator promote a RODC?
Yes, but the new RODC's domain controller account must be created by a domain administrator before the promotion. See Steps for Deploying a RODC for more information.
How do RODCs handle password changes?
When a password change is requested by a user or computer in a RODC site, the request is forwarded to a writable domain controller that runs Windows Server 2008 or later. The next steps are the same as would occur if the password change had happened directly on the writable domain controller.
Can a cached password be cleared/flushed from a RODC?
No. There is no mechanism to erase passwords after they have been cached on a RODC. If you want to clear a password that is stored on a RODC, reset the password at a writable domain controller.
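The first-logon forwarding, the Password Replication Policy check and the caching described under "If the credentials are not replicated..." and "What is a Password Replication Policy", together with the password-change forwarding and cache flush described in the last few questions, as one runnable model. This is an added example written for this post, not Microsoft's code, and it simplifies heavily: the PRP is modelled as an Allowed set and a Denied set where an explicit deny wins (an assumption of this model), stored secrets are a toy PBKDF2 derivation rather than anything AD DS actually stores, and an unreachable writable domain controller is modelled as `writable = None`. Account names and passwords are constructed.

```python
"""Model of RODC credential caching under a PRP (added example, not Microsoft code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

SALT = b"constructed-demo-salt"   # constructed; toy stand-in for the real secret store


def derive_secret(password: str) -> bytes:
    """Toy stand-in for a stored secret; not how AD DS stores credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


@dataclass
class WritableDC:
    """Holds every account secret and processes password changes."""
    secrets: dict = field(default_factory=dict)    # account -> secret

    def add(self, account: str, password: str) -> None:
        self.secrets[account] = derive_secret(password)

    def verify(self, account: str, password: str) -> bool:
        stored = self.secrets.get(account)
        return stored is not None and hmac.compare_digest(stored, derive_secret(password))

    def change_password(self, account: str, old: str, new: str) -> bool:
        if not self.verify(account, old):
            return False
        self.secrets[account] = derive_secret(new)
        return True


@dataclass
class Rodc:
    """Caches only the secrets the PRP allows; everything else is forwarded."""
    prp_allowed: set = field(default_factory=set)
    prp_denied: set = field(default_factory=set)
    writable: Optional[WritableDC] = None     # None models an unreachable writable DC
    cache: dict = field(default_factory=dict)  # account -> cached secret

    def prp_allows(self, account: str) -> bool:
        # Assumption of this model: an explicit deny overrides an allow.
        return account in self.prp_allowed and account not in self.prp_denied

    def authenticate(self, account: str, password: str) -> str:
        if account in self.cache:   # serviced locally once the secret is cached
            ok = hmac.compare_digest(self.cache[account], derive_secret(password))
            return "cached-ok" if ok else "cached-bad-password"
        if self.writable is None:   # first-time logon needs a writable DC
            return "failed-no-writable-dc"
        if not self.writable.verify(account, password):
            return "bad-password"
        if self.prp_allows(account):
            # The writable DC consults the PRP and sends the secret to the RODC.
            self.cache[account] = self.writable.secrets[account]
            return "forwarded-and-cached"
        return "forwarded-not-cached"

    def change_password(self, account: str, old: str, new: str) -> str:
        if self.writable is None:   # password changes always need a writable DC
            return "failed-no-writable-dc"
        if not self.writable.change_password(account, old, new):
            return "bad-password"
        self.cache.pop(account, None)   # the cached secret is flushed once changed
        return "changed"


def demo() -> list[str]:
    """Walk a branch user and a hub-only admin through logon, change and a WAN outage."""
    hub = WritableDC()
    hub.add("alice", "Winter2024!")        # constructed sample credentials
    hub.add("admin-bob", "Hub-only-pw")
    rodc = Rodc(prp_allowed={"alice", "admin-bob"}, prp_denied={"admin-bob"}, writable=hub)
    trace = [
        rodc.authenticate("alice", "Winter2024!"),                    # forwarded-and-cached
        rodc.authenticate("alice", "Winter2024!"),                    # cached-ok
        rodc.authenticate("admin-bob", "Hub-only-pw"),                # forwarded-not-cached
        rodc.change_password("alice", "Winter2024!", "Spring2025!"),  # changed, cache flushed
        rodc.authenticate("alice", "Spring2025!"),                    # forwarded-and-cached
    ]
    rodc.writable = None   # WAN link to the hub site goes down
    trace.append(rodc.authenticate("alice", "Spring2025!"))               # cached-ok
    trace.append(rodc.authenticate("admin-bob", "Hub-only-pw"))           # failed-no-writable-dc
    trace.append(rodc.change_password("alice", "Spring2025!", "Summer!"))  # failed-no-writable-dc
    return trace


if __name__ == "__main__":
    print("\n".join(demo()))
```

The last three steps of `demo()` are the practical point: with the hub unreachable, an account whose secret is already cached still logs on, an account the PRP excludes cannot, and no password change succeeds at all, which matches the list of operations that fail at a RODC site without a writable domain controller.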
Are there any advantages of hosting RODCs on Microsoft Azure?
Yes. Microsoft Azure does not charge for inbound network traffic. Since RODCs only perform inbound replication, there is no chargeback for replication network usage. Usage of other resources such as compute and storage is still charged.
What will fail at a RODC site if a writable domain controller is not available?
- Access to Windows Management Instrumentation (WMI) filters by Group Policy.
  - Failure to access WMI filters may prevent affected clients from applying the intended Group Policy or cause those clients to apply Group Policy incorrectly.
- Application of Internet Protocol Security (IPsec) policies by IPsec clients.
- Time synchronization in Windows XP and Windows Server 2003.
  - The Windows Time service (W32time) in Windows XP and Windows Server 2003 does not recognize an RODC.
- Domain joins.
- Password changes.
- Retrieval and creation of public key certificates.
  - The Data Protection Application Programming Interface (DPAPI) on client computers that only have access to an RODC cannot decrypt master keys unless those clients have previously contacted a writable domain controller and retrieved a public key certificate.
- Successful publishing of printers in AD DS.
  - If an RODC services a client request to publish a printer, it forwards the request to a writable domain controller. The spooler attempts to read from the RODC immediately after the write; since the information has not yet been replicated to the RODC, the spooler fails the publish operation. All spooler internal structures are updated and the printer is marked as unpublished.
- Retrieval of printers published in AD DS.
- Active Directory Service Interfaces (ADSI) calls.
Sources:
- https://technet.microsoft.com/en-us/library/cc771030%28v=ws.10%29.aspx
- http://social.technet.microsoft.com/wiki/contents/articles/4031.how-read-only-domain-controllers-and-dns-works.aspx
- https://technet.microsoft.com/en-us/magazine/2006.11.futureofwindows.aspx
- https://technet.microsoft.com/en-us/library/cc754218%28v=ws.10%29.aspx
- https://technet.microsoft.com/en-us/library/cc725669%28WS.10%29.aspx