18. In the Summary window, click Next to start the installation. When the installation is completed, click Finish. When you're prompted to restart the computer, click Restart Now.
19. Close any open windows, and stay logged on for the next activity.
If theft of the RODC is a likely risk, you can take further precautions to secure its sensitive data by using BitLocker Drive Encryption, which is installed as a server role in Server Manager. With BitLocker, you can secure data on the volume containing the Windows OS and Active Directory as well as on additional volumes.
RODC Replication
Replication on an RODC is unidirectional, meaning the Active Directory database is replicated from a writeable DC to an RODC, but data is never replicated from an RODC to another DC. RODCs can replicate only with Windows Server 2008 writeable DCs. Unidirectional replication provides an extra level of security for networks with branch office locations. Even if a server is compromised and someone is able to make malicious changes to Active Directory on the RODC, the changes can't be propagated to DCs in the rest of the network.
To increase security of the Active Directory data stored on an RODC, administrators can configure a filtered attribute set, which specifies domain objects that aren't replicated to RODCs. The type of data to filter usually includes credential information that might be used by applications using Active Directory as a data store. Any data that might be considered security sensitive can be filtered, except objects required for system operation. Filtered attribute sets are configured on the schema operations master.
RODC placement in your site topology is important to ensure that replication occurs between an RODC and a Windows Server 2008 DC. A writeable Windows Server 2008 DC is usually placed in the site nearest in the replication topology to the RODC's site. The nearest site is defined as the site with the lowest cost site link. If this placement isn't possible, you must create a site link bridge between the RODC site and a site with a Windows Server 2008 writeable DC.
Credential Caching
By default, neither user nor computer passwords are stored on an RODC. This arrangement makes the RODC more secure, in case an attacker tries to crack locally stored passwords. However, it also negates some advantages of having a domain controller on the local network. If the RODC caches no passwords, each user and computer authentication must be referred to a writeable DC, most likely located across a WAN link. To prevent this problem, credential caching can be enabled for a user account on an RODC. The user's password is retrieved from a writeable DC the first time the user logs on, and thereafter, the password is retrieved from the RODC.
Credential caching is controlled by the Password Replication Policy (PRP), accessed in the Properties dialog box of the RODC computer account. A PRP lists users and groups along with a setting of Allow or Deny (see Figure 12-13). Account Operators, Administrators, Backup Operators, and Server Operators are built-in domain local groups added to the PRP with the Deny setting by default. Passwords of these groups' members aren't stored on the RODC. If a user is a member of a group with the Allow setting and a group with the Deny setting, the Deny setting takes precedence.
The PRP also contains groups named Allowed RODC Password Replication Group and Denied RODC Password Replication Group. These two groups are added to the PRP of all RODCs. These groups have no members initially, but administrators can add users or groups to these groups to control password caching on all RODCs centrally. Generally, groups or users with permission to sensitive information should be added to the Denied RODC Password Replication Group. Users who frequently visit the locations where RODCs are deployed might be candidates for membership in the Allowed RODC Password Replication Group.
Besides the default groups added to the PRP for all RODCs, an administrator can customize each RODC's PRP. For example, a group can be created for all users located at a branch office, and this group can be added to the PRP of the RODC at the branch office with an Allow setting.
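The following is an added example, not part of the textbook and not Windows' own implementation: a simplified model of how a PRP decides whether an account's password may be cached (Deny beats Allow, no matching entry means no caching) and of the first-logon-from-a-writeable-DC, then-served-from-cache behavior described above. The branch office group and the user names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Built-in groups that every RODC's PRP lists with the Deny setting by default.
DEFAULT_DENY = {"Account Operators", "Administrators", "Backup Operators",
                "Server Operators", "Denied RODC Password Replication Group"}
DEFAULT_ALLOW = {"Allowed RODC Password Replication Group"}


@dataclass
class PasswordReplicationPolicy:
    """PRP of one RODC: the principals carrying an Allow or a Deny setting."""
    allow: set = field(default_factory=lambda: set(DEFAULT_ALLOW))
    deny: set = field(default_factory=lambda: set(DEFAULT_DENY))

    def can_cache(self, account, groups):
        """Return (decision, reason) for caching this account's password."""
        principals = {account, *groups}
        denied = sorted(principals & self.deny)
        if denied:  # a Deny entry always takes precedence over any Allow entry
            return False, f"Deny entry matches {denied[0]}"
        allowed = sorted(principals & self.allow)
        if allowed:
            return True, f"Allow entry matches {allowed[0]}"
        return False, "no PRP entry matches"  # default: nothing is cached


@dataclass
class Rodc:
    """Tracks which account passwords this RODC has cached so far."""
    prp: PasswordReplicationPolicy
    cache: set = field(default_factory=set)

    def authenticate(self, account, groups):
        """Return where the password for this logon was obtained."""
        if account in self.cache:
            return "rodc cache"
        cacheable, _ = self.prp.can_cache(account, groups)
        if cacheable:
            self.cache.add(account)  # first logon: fetched from a writeable DC, then kept
            return "writeable dc (now cached)"
        return "writeable dc (not cached)"  # every logon crosses the WAN link


if __name__ == "__main__":
    branch = Rodc(PasswordReplicationPolicy())
    branch.prp.allow.add("Branch Office Users")  # hypothetical per-RODC customization
    print(branch.authenticate("alice", {"Branch Office Users"}))
    print(branch.authenticate("alice", {"Branch Office Users"}))
    print(branch.authenticate("bob", {"Branch Office Users", "Backup Operators"}))
```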