Read Only Domain Controllers in W2K8
royal (Member, Posts: 3,352)
Speaking of Read-Only Domain Controllers, there are several enhancements that they bring in Server 2008.
RODCs do not store user passwords and replication traffic is unidirectional. These two features alone significantly decrease the attack surface of your RODC as well as reducing bridgehead server traffic due to a writable domain controller not having to pull changes from a RODC. There is an exception to storing user passwords, however. A feature called password replication policy allows you to specify what users, groups, and computer accounts are allowed to be cached. This feature is specified in the Domain Controller Properties in Active Directory Users and Computers.
Prior to Windows Server 2008, you would have to grant a user rights which would give that user rights to manage other systems on the domain as well as other Domain Controllers; for example, the Domain Admins security group. With Server 2008, a new feature called Administrator Role Separation allows you to grant a specific user delegated local rights to administer a specified RODC. This allows more granular control over the administrative operations of a network infrastructure.
A RODC will also contain read-only DNS zones which include application partitions which are replicated from other writable domain controllers. Clients who want to register in DNS will get a referral from the RODC for a writable DC. From there, the client will register its records on a writable DC. When the client completes this process, the RODC will then pull the updated record from the writable DC.
All in all, I'd say Server 2008 adds some really nice features.
1. Network Access Protection - A health policy system that enforces clients to meet specific criteria in order to connect to a server.
2. Restartable Active Directory Domain Services - Active Directory is now a service which will allow you to stop the Active Directory service and do a restore.
3. Newest Distributed File System (DFS) replication engine for SYSVOL (Requires Server 2008 DFL)
4. 256-bit Advanced Encryption Standard (AES) used for Kerberos encryption which replaces the previous 128-bit RC4 Standard (Requires Server 2008 DFL)
5. Server core is an installation option that installs Windows Longhorn Server as a barebones Operating System. It includes options to only install essential services such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), File Services, and Domain Controller Roles. All non-essential roles will not be an option in Server Core installations.
Instead of installing all the unneeded software, such as the GUI, the Windows Installer will only install the minimum amount of components needed to make Windows run. From here, users can then administer Windows Server from the command-line. You can then add software components to run your infrastructure. Examples of components could be: Internet Authentication Service (IAS), Routing and Remote Access (RRAS), Active Directory (AD), Domain Name System (DNS), etc.
6. Server 2008 comes with IIS 7.0. When IIS 7.0 is installed, it is installed as a bare component that does nothing. From there, you can install components which will allow you to have only what you need to do the job that you need. This decreases the attack surface of your system.
From playing with Server 2008, I can tell that the entire Operating System was designed in a modular fashion. For things you would normally go to add/remove Windows Components, you are now redirected to a new management tool called the Server Manager. You now manage roles through the Server Manager which gives you a much more granular list of things to install. For example, I installed a CA and was given a lot of checkmarks of things I would or would not need. It is the modular architecture like this that helps decrease the attack surface of a Server 2008 system and helps make Windows a more secure Network Operating System.
“For success, attitude is equally as important as ability.” - Harry F. Banks
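As an added illustration of the password replication policy and cached-credential points above (this is example code, not from the original post), the following PowerShell audits each RODC's Allowed and Denied lists and reports any privileged account whose secret is actually cached on that RODC. It assumes the ActiveDirectory PowerShell module (shipped from Server 2008 R2 onward; on Server 2008 RTM, `repadmin /prp view <RODC> reveal` shows the same revealed-accounts view) and that the privileged group names are the default ones.

```powershell
# Added example (not from the original post): audit the Password Replication
# Policy of every RODC and flag privileged accounts whose secrets are cached.
# Assumes the ActiveDirectory module (Server 2008 R2 and later RSAT).
Import-Module ActiveDirectory

# Privileged groups whose members should never be cached on an RODC.
# Group names are assumed defaults; adjust for your domain.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Resolve the groups to distinguished names once, recursively.
$privilegedMembers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
$privilegedMembers = $privilegedMembers | Sort-Object -Unique

foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    Write-Host "=== RODC: $($rodc.HostName) ==="

    # The Allowed list is the "password replication policy" the post describes:
    # the accounts whose secrets this RODC is permitted to cache.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Host "Allowed entries: $($allowed.Count)  Denied entries: $($denied.Count)"

    # Accounts whose secrets have actually been revealed (cached) on this RODC.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

    # Report any privileged account present in the revealed set.
    $exposed = $revealed | Where-Object { $privilegedMembers -contains $_.DistinguishedName }
    if ($exposed) {
        Write-Warning "Privileged credentials cached on $($rodc.HostName):"
        $exposed | ForEach-Object { Write-Warning "  $($_.SamAccountName)" }
    } else {
        Write-Host "No privileged credentials cached on this RODC."
    }
}
```

If the audit reports a cached privileged account, the remediation is to add that account (or its group) to the RODC's Denied list and then clear the cached secret, rather than only editing the policy, since the policy controls future caching but does not purge what is already on the RODC.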
Comments
BeaverC32 (Member, Posts: 670)

I realize this is an old post, but I think it needed a nice big thumbs-up!
Not being familiar with the new features of Server 2008, I found this to be a great rundown. Thanks for sharing.

MCSE 2003, MCSA 2003, LPIC-1, MCP, MCTS: Vista Config, MCTS: SQL Server 2005, CCNA, A+, Network+, Server+, Security+, Linux+, BSCS (Information Systems)