Read Only Domain Controller forest and domain functional level?

Varez IT, Member, Posts: 32
Good evening everyone!

I am in the process of studying for the MCITP certification, exam 70-640, and I have a question. If I wanted to implement Read Only Domain Controllers (RODC), wouldn't my forest and domain functional levels have to be Windows Server 2008, because RODCs are new to Windows Server 2008?

One of the questions from my exam guide states that the forest and domain functional level can be Windows Server 2003.

Am I wrong or missing some information? Or is this a typo in the exam guide?

Thank you!

Comments

    ptilsen, Member, Posts: 2,835
    The study guide is correct. You simply need to have a Windows Server 2008 domain controller to use RODC. You must also run adprep /rodcprep. Per Technet:
    AD DS: Read-Only Domain Controllers
    Are there any special considerations?

    To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.

    The article does, however, go on to point out a flaw with RODC in a forest functional level of 2003:
    RODC filtered attribute set
    Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is compromised.

    For these types of applications, you can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set. Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest.

    A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request can succeed.

    Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.

    The details in the Technet article are important to know, but out of scope of the 70-640 exam, to my knowledge. You should simply know the server, domain controller, domain functional, and forest functional requirements to do features introduced in Server 2008 and Server 2008 R2 (RODC, online authoritative restores, AD Recycle Bin, NTDS.dit online defrag, etc.).
    cyberguypr, Mod, Posts: 6,928
    The 2003+ requirement is right.

    Prerequisites for Deploying a Read-Only Domain Controller (RODC)

    "Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher."
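    The prerequisites quoted in the two replies above (2003+ functional levels, a writable 2008 DC, adprep /rodcprep) and the TechNet caveat about the RODC filtered attribute set can be audited from PowerShell. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module and a domain-joined account with read access to the configuration and schema partitions.

```powershell
# Added example (not from the thread): audit the forest against the RODC prerequisites
# quoted above and flag the Windows Server 2003 caveat for the RODC filtered attribute set.
# Assumes the ActiveDirectory RSAT module and a domain-joined, read-capable account.
Import-Module ActiveDirectory

function Test-RodcReadiness {
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $rootDse = Get-ADRootDSE
    $dcs     = Get-ADDomainController -Filter * -Server $domain.PDCEmulator

    # Functional levels as integers: 2 = Windows Server 2003, 3 = Windows Server 2008
    $forestLevel = [int]$forest.ForestMode
    $domainLevel = [int]$domain.DomainMode

    # At least one writable DC in the domain must run Windows Server 2008 (NT 6.0) or later.
    # OperatingSystemVersion looks like "6.1 (7601)"; keep only the "major.minor" part.
    $writable2008 = @($dcs | Where-Object {
        -not $_.IsReadOnly -and $_.OperatingSystemVersion -and
        [version]($_.OperatingSystemVersion -split ' ')[0] -ge [version]'6.0'
    })

    # adprep /rodcprep leaves a marker object in the configuration partition (revision 2).
    $rodcPrepDn = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)"
    $rodcPrep   = try { Get-ADObject -Identity $rodcPrepDn -Properties revision } catch { $null }

    # Attributes in the RODC filtered attribute set carry searchFlags bit 0x200 (512).
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) does the bitwise test server-side.
    $filtered = @(Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))' `
        -Properties lDAPDisplayName)

    [pscustomobject]@{
        ForestLevelOk        = $forestLevel -ge 2
        DomainLevelOk        = $domainLevel -ge 2
        Writable2008DcExists = $writable2008.Count -gt 0
        RodcPrepDone         = [bool]($rodcPrep -and $rodcPrep.revision -ge 2)
        FilteredAttributes   = $filtered.lDAPDisplayName
        # The TechNet caveat: a 2003 DC honours replication requests for filtered attributes,
        # so a filtered set is only enforced once the forest level is Windows Server 2008.
        FilteredSetProtected = ($filtered.Count -eq 0) -or ($forestLevel -ge 3)
    }
}

$result = Test-RodcReadiness
$result | Format-List
if (-not $result.FilteredSetProtected) {
    Write-Warning 'RODC filtered attribute set is configured but the forest level is below Windows Server 2008.'
}
```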
    Varez IT, Member, Posts: 32
    Thank you for replying to my question. It has proven to be helpful!