Microsoft Windows Server 2008 Tutorials

Active Directory / Read-Only Domain Controllers

Subtitles of the Movie

Now, in a couple of places in other videos I've mentioned Read-Only Domain Controllers. This is one of the new additions to Windows Server 2008, and I want to talk a little bit about them here, make sure you understand what they're really for, and then cover some intricacies about them that you need to be aware of. First of all, when exactly would we deploy a Read-Only Domain Controller? Microsoft's suggestion is that they designed these to be used when physical server security cannot be guaranteed. Now, this usually goes hand in hand with poor or lower network bandwidth, but generally the bandwidth is not the real reason for doing a Read-Only Domain Controller. Think about a scenario here, where we've got a remote office. They may have poor bandwidth, and that slows down logons and so forth that have to get back to a Writable Domain Controller. So the solution is to put a Fully-Writable Domain Controller out there in that location. The problem is it's away from our normal administrative duties. It's a branch office. We don't have a full-time, for lack of a better term, serious administrator out there; we're using a knowledgeable user that's on-site. So we don't want to put a Writable Domain Controller out there, because of the physical security aspect and the knowledge level of our administrator: somebody might inadvertently cause some problems with Active Directory, because if they go in there and change Active Directory, it is a writable controller and it would replicate those changes throughout our Active Directory structure. So a Read-Only Domain Controller takes that risk away, because it can't be changed. Now, usually you will see these around few users (we'll talk about why in just a minute) and where the local admin has little knowledge of IT. OK? So there's our scenario for when we would use these.

Now, how is this actually different from a Domain Controller? Well, it's more secure in that you can't write, you can't make changes to Active Directory on it, but it is less functional. It stores all of your Active Directory objects and attributes in a read-only state except passwords, and again, since the assumption here is that this thing is not in as physically safe an environment, we don't want to store passwords on there that could possibly be cracked and then used to penetrate the network somewhere else. Also, obviously, this cannot accept changes to AD. For any changes to AD you have to connect to a Writable Domain Controller elsewhere on the network, and then those changes get replicated back down to the Read-Only Domain Controller.

Now, there is a technology employed here called Credential Caching, and this is where the Read-Only Domain Controller can store user or computer credentials locally on the machine. It's only going to hold approximately ten passwords at a time. Again, we don't want to put a bunch of passwords on this thing in a physically insecure location and have someone get into this box, or maybe even just steal the box, and then be able to try to penetrate and learn these passwords. So I'm only going to have about ten at a time on there, and this feature is not enabled by default. You'll have to go in and explicitly allow a Domain Controller to do Credential Caching, and then there will have to be permissions up in your Active Directory network on a Writable Domain Controller to allow this to happen to this Read-Only Domain Controller.

Now, there's something else that's really cool about these Read-Only Domain Controllers, and that is the ability to do Administrator Role Separation. Let me talk about what that is. This is where we're going to delegate, on a Read-Only Domain Controller, someone who has a local administrator role. We're going to let them make changes and do administrative-level type functions on the Read-Only Domain Controller, but they do not have any rights on our other Writable Domain Controllers or the domain. This just gives them rights to the Read-Only Domain Controller. Now, this way they can go in and change device drivers or make minor configuration changes to the box to help everybody get done what they need to get done, but again, it keeps them off of the rest of the network.

Now, we can also install services like Read-Only DNS. So we can install the DNS Server service on the Read-Only Domain Controller, and then it can actually pull down the full zones, read from them, and resolve names. It can't do any updates. Any updates to DNS get sent back to a Writable Domain Controller and then get replicated back down to the Read-Only.

Now, deploying a Read-Only Domain Controller, there are some things you're going to have to do, and I'm going to direct you back out to Microsoft's web site. Do a search on Read-Only Domain Controllers and look at this before you set it up. There's a little bit involved. First of all, you have to have a Domain Controller already in your Active Directory network, and the Domain Controller that holds the PDC, or Primary Domain Controller, Emulator operations master role has to be a Windows Server 2008 box. Then the Read-Only Domain Controller has to forward authentication requests to a Windows Server 2008 Domain Controller, and the Domain Functional Level, which we discussed in a different video, must be Windows Server 2003 or higher. And then you'll have to run the adprep utility with the /rodcprep switch once in the Active Directory forest. This is going to make changes to Active Directory and give permissions for DNS and some other things for the Domain Controller, and let the forest know that there's going to be a Domain Controller in there. You only run that once, anywhere in the Active Directory forest or the domain where the Read-Only Domain Controller is going to reside. So again, I just wanted you to understand this thing. The main thing to remember about a Read-Only Domain Controller is it's not just for poor bandwidth. It's really designed for poor security in remote locations.
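The prerequisite checks, the Credential Caching permissions (the Password Replication Policy) and the Administrator Role Separation delegation described in the video can all be inspected and set from a writable Domain Controller. The script below is an added example and is not part of the VTC course; it assumes the ActiveDirectory PowerShell module (shipped with RSAT and Windows Server 2008 R2 or later, not 2008 RTM), and the names BRANCH-RODC01, Branch-Cached-Users and Branch-RODC-Admins are hypothetical placeholders to replace with your own.

```powershell
# Added example, not from the VTC course. Assumes the ActiveDirectory PowerShell
# module (RSAT / Windows Server 2008 R2 and later) run from a writable DC.
# 'BRANCH-RODC01', 'Branch-Cached-Users' and 'Branch-RODC-Admins' are
# hypothetical names; substitute your own.
Import-Module ActiveDirectory

$RodcName    = 'BRANCH-RODC01'        # hypothetical RODC computer name
$CacheGroup  = 'Branch-Cached-Users'  # hypothetical group whose passwords may be cached
$LocalAdmins = 'Branch-RODC-Admins'   # hypothetical group for administrator role separation

# --- 1. Prerequisites from the video, checked from a writable DC ---
$domain = Get-ADDomain

# The PDC emulator operations master must run Windows Server 2008 or later.
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
"PDC emulator: {0} running {1}" -f $pdc.HostName, $pdc.OperatingSystem
if ($pdc.OperatingSystem -notmatch 'Windows Server (2008|201|202)') {
    Write-Warning 'PDC emulator is not running Windows Server 2008 or later.'
}

# Domain functional level must be Windows Server 2003 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
"Domain functional level: {0}" -f $domain.DomainMode
if ([int]$domain.DomainMode -lt [int]$minMode) {
    Write-Warning 'Raise the domain functional level to Windows Server 2003 or higher.'
}

# adprep /rodcprep is run once per forest from the Windows Server 2008 media;
# it is not a cmdlet, so it is shown as a reminder rather than executed here:
#   <media>\sources\adprep\adprep.exe /rodcprep

# --- 2. Credential Caching (Password Replication Policy) ---
# Nothing is cached by default: only accounts on the Allowed list have their
# secrets replicated to the RODC. Allow the branch users' group, then show
# both lists so you can confirm privileged groups are still denied.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -AllowedList $CacheGroup

"Allowed to cache on {0}:" -f $RodcName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
    Select-Object -ExpandProperty Name
"Denied on {0}:" -f $RodcName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied |
    Select-Object -ExpandProperty Name

# Which secrets are actually stored on the box right now? These are the
# accounts whose passwords you would reset if the RODC were stolen.
"Accounts whose passwords are currently revealed to {0}:" -f $RodcName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName

# --- 3. Administrator Role Separation ---
# Setting ManagedBy on the RODC's computer object delegates local
# administration of that RODC only; the group gets no rights on writable DCs
# or on the domain.
Set-ADComputer -Identity $RodcName -ManagedBy (Get-ADGroup $LocalAdmins)
(Get-ADComputer -Identity $RodcName -Properties ManagedBy).ManagedBy

# --- 4. Inventory: every Read-Only Domain Controller in the domain ---
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, OperatingSystem
```

The -RevealedAccounts list is the one worth reviewing on a schedule: it shows what an attacker with the physical box would actually obtain, which is the whole reason the video says to keep the cached set small and to leave the policy off until a Writable Domain Controller explicitly allows it.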

Tutorial Information

Course: Microsoft Windows Server 2008
Author: Mark Long
SKU: 33911
ISBN: 1-934743-96-8
Release Date: 2008-09-10
Duration: 6.5 hrs / 70 lessons
Captions: Available on CD and Online University
Compatibility: Vista/XP/2000, OS X, Linux
QuickTime 7, Flash 8
