In this article, we are going to see how to set up a read-only domain controller (RODC).
As its name suggests, this type of controller holds a read-only copy of the Active Directory database: it cannot modify user attributes or create objects. Any write request it receives (a password change, for example) is referred to a writable domain controller.
There are several deployment scenarios for this type of domain controller; here are two that I have already used:
- On remote (branch) sites, to keep logon and directory lookups fast over the WAN while limiting what a stolen or compromised server exposes.
- In a DMZ, for services that require Active Directory authentication.
In addition to Active Directory, the DNS service is installed in read-only mode: the RODC hosts read-only copies of the AD-integrated zones and refers dynamic update requests to a writable DNS server.
Another advantage of the RODC is Administrator Role Separation: during promotion you can delegate local administration of the server to a user or group from the remote site, so someone on site can intervene on the machine (patches, drivers, restarts) without being a Domain Admin. The delegation is stored on the RODC's computer object and grants no rights on any other domain controller.
Prerequisites
- Be in an Active Directory domain whose forest and domain functional levels are Windows Server 2003 or later, with at least one writable domain controller running Windows Server 2008 or later (an RODC can only replicate from such a DC). If the forest was upgraded from Windows Server 2003, adprep /rodcprep must have been run beforehand.
- Configure the Active Directory site (and its subnets) if necessary, so that the RODC and the clients of the remote site are placed in the same site.
- Configure a static IP address on the server and point its DNS client settings to an existing domain controller.
- Open the required ports on software and hardware firewalls so that the RODC can communicate with the other domain controllers (LDAP, Kerberos, RPC, SMB and DNS, plus the RPC dynamic ports used by replication). Replication is one-way: the RODC pulls from writable DCs, and no DC pulls from it.
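The checks above, scripted, as an added example that is not part of the original article. The first part runs on an existing writable DC (or any machine with the AD DS RSAT module); the second part runs on the future RODC before promotion. The site name, IP addresses, interface alias and DC name are assumptions for a lab.

```powershell
# Added example, not from the original article. All names and addresses are assumed lab values.
Import-Module ActiveDirectory

# --- Part 1: run on a writable DC or a workstation with RSAT ---

# 1. Forest and domain functional levels must be Windows Server 2003 or later.
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest mode : $($forest.ForestMode)"
"Domain mode : $($domain.DomainMode)"

# 2. At least one writable DC running Windows Server 2008 or later must exist;
#    the RODC will replicate only from such a DC.
Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsReadOnly } |
    Select-Object Name, Site, OperatingSystem, IPv4Address

# 3. The target AD site must already exist (create it and its subnets first if not).
$siteName = 'Site-B'   # assumed
Get-ADReplicationSite -Identity $siteName -ErrorAction Stop | Select-Object Name

# --- Part 2: run on the future RODC, before installing the role ---

# 4. Static IP and DNS client pointing at an existing domain controller (assumed values).
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.20.0.10' -PrefixLength 24 -DefaultGateway '10.20.0.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.10.0.10'

# 5. Firewall path to the writable DC: the fixed ports an RODC needs to promote and replicate.
$dc = 'DC01.corp.example.com'   # assumed
$ports = [ordered]@{
    'DNS'                  = 53
    'Kerberos'             = 88
    'RPC endpoint mapper'  = 135
    'LDAP'                 = 389
    'SMB'                  = 445
    'LDAPS'                = 636
    'Global Catalog'       = 3268
}
foreach ($p in $ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $dc -Port $p.Value -WarningAction SilentlyContinue
    '{0,-22} {1,5} {2}' -f $p.Key, $p.Value, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}
# Replication over RPC also uses dynamic high ports (49152-65535 by default) that this loop
# does not cover; either allow that range from the RODC to the writable DCs or pin a fixed
# port for NTDS replication on the writable DCs.
```

If any port reports BLOCKED, fix the firewall rule before starting the promotion: the wizard fails part-way through otherwise, and a half-promoted server is tedious to clean up.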
The role installation is identical to that of a standard domain controller; the read-only choice is made during promotion, not when the role is installed.
Configuring the read-only domain controller (RODC)
Now that the AD DS role is installed on the server, it must be promoted to domain controller; it is at this step that we indicate that it is an RODC.

At this point in the configuration you specify the Password Replication Policy (PRP), that is, which accounts are allowed to have their passwords (secrets) replicated to and cached on this controller. By default a group named "Allowed RODC Password Replication Group" exists, and it is empty; you put in it the users whose passwords you want cached. In this lab I left this group as it is. In production, if you have several remote sites and therefore several RODCs, create one allowed group per site: there is no reason to replicate the passwords of site B's users onto the RODC of site C. It is also possible to specify objects (users or groups) whose passwords must never be replicated, such as administrator accounts; the built-in "Denied RODC Password Replication Group" already contains the privileged groups, and a denied entry always takes precedence over an allowed one. This increases security if the RODC is compromised: an attacker who extracts its database obtains only the secrets of the accounts that were actually cached, and those accounts can be identified and reset from the RODC's computer object. Click Next to validate the options.
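The same promotion done from PowerShell rather than the wizard, as an added example that is not part of the original article: one allowed group and one delegated-administrator group are created per site, the privileged groups are denied explicitly, and the resulting policy is verified after the reboot. The domain name, OU path, site, group, account and server names are assumptions for a lab.

```powershell
# Added example, not from the original article. Domain, OU, site, group, account and
# server names below are assumed lab values.

# --- Step 1: on a writable DC, create the per-site groups ---
Import-Module ActiveDirectory
$site        = 'Site-B'
$allowed     = "RODC-${site}-AllowedPasswords"   # accounts whose secrets may be cached on this RODC
$localAdmins = "RODC-${site}-LocalAdmins"        # delegated local administrators of this RODC
foreach ($g in $allowed, $localAdmins) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security `
                    -Path 'OU=RODC,DC=corp,DC=example,DC=com'
    }
}
# Only accounts that log on at Site-B go here. Include the site's computer accounts too:
# a workstation must be able to authenticate against the RODC when the WAN link is down.
Add-ADGroupMember -Identity $allowed -Members 'jdoe', 'asmith', 'SITEB-WS01$'

# --- Step 2: on the future RODC, install the role and promote ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$params = @{
    DomainName                          = 'corp.example.com'
    ReadOnlyReplica                     = $true
    SiteName                            = $site
    InstallDns                          = $true
    ReplicationSourceDC                 = 'DC01.corp.example.com'
    Credential                          = (Get-Credential 'CORP\da-promote')
    SafeModeAdministratorPassword       = (Read-Host -AsSecureString 'DSRM password')
    DelegatedAdministratorAccountName   = "CORP\$localAdmins"
    AllowPasswordReplicationAccountName = @("CORP\$allowed")
    # Deny the privileged groups explicitly, as the wizard does by default; a denied entry
    # wins over an allowed one, so a stolen RODC never holds an administrator's secret.
    DenyPasswordReplicationAccountName  = @(
        'BUILTIN\Administrators', 'BUILTIN\Server Operators', 'BUILTIN\Backup Operators',
        'BUILTIN\Account Operators', 'CORP\Denied RODC Password Replication Group'
    )
}
# Dry run: reports prerequisite failures (functional level, DNS, permissions) without changing anything.
Test-ADDSDomainControllerInstallation @params
# Real promotion; the server reboots when it completes.
Install-ADDSDomainController @params -Force

# --- Step 3: after the reboot, verify the policy from a writable DC ---
$rodc = 'RODC-SITEB'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name
# Accounts whose secrets are actually cached on this RODC; audit this list regularly and
# reset these accounts if the server is lost or compromised.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts | Select-Object Name
```

The dry run with Test-ADDSDomainControllerInstallation is worth keeping in the procedure: it catches a missing rodcprep, an unreachable replication source or a DNS misconfiguration before the server is half-promoted. The revealed-accounts query at the end is the one to run when an RODC goes missing, since it gives the exact list of credentials that need to be reset.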
Domain Controller Administration (RODC)
In this part, we will see how to administer the RODC.