What You Need to Know about Read Only Domain Controllers to Pass the 70-640 Exam
The 70-640 exam is the Technology Specialist exam for configuring Active Directory in a Windows Server 2008 environment. The exam covers Windows Server 2008 Active Directory in advanced detail, including the management of GPOs, integrating a CA infrastructure, management of sites and services, and the more detailed management of the FSMO roles and DNS. It also includes the configuration of a feature new to Windows Server 2008: the Read Only Domain Controller (RODC). Windows NT4 used a single primary, writable domain controller (the PDC) for writing data and additional Backup Domain Controllers (BDCs) as read only boxes that allowed domain logon at additional sites; the RODC is the read only domain controller for Windows Server 2008, but there is a lot more to its functionality than its predecessor offered. As this is a new feature for Windows Server 2008, you are highly likely to be tested on RODCs in the 70-640 exam, so taking a little extra time to learn their features and the role they play in the Server 2008 infrastructure is worth doing.
Before you start
I always mention that getting hands-on experience with any product you are studying is key to learning it properly, and Read Only Domain Controllers are no exception. You will need to build two servers (or virtual machines) within your domain, one of them a writable Windows Server 2008 domain controller and the other, obviously, the RODC; note that the forest functional level must be at least Windows Server 2003 before an RODC can be installed. From here you can test the replication cycle and view the other features of RODCs first hand.
Why use a RODC
The main reason for using an RODC is security, while also providing domain resiliency at remote offices. If a remote office has poor physical security or only serves a small number of very non-IT minded staff, there is no good reason to have a fully writable domain controller onsite. When you take a moment to consider what is held on a domain controller, namely all of your company's user accounts, including your infrastructure accounts, it is clear that compromising one would be a massive security risk to your network. Microsoft obviously realizes that this is a big issue for companies that often have small offices but still have domain requirements. Small sites often come with further downsides, such as poor WAN links. This is where an RODC can play a key role in securing remote offices without putting the company's security at risk if the server is stolen or hacked.
The main fact to remember about an RODC is that it is just that: read only. Although this sounds obvious, take a moment to consider that the DNS zones (as discussed later), SYSVOL, and the Global Catalog (if the RODC is also a GC) are read only too, and only change once the RODC has replicated from a writable DC. It is important to note that replication is one directional: everything written to the RODC arrives by inbound replication from a writable Windows Server 2008 domain controller during the replication cycle, and the RODC never replicates outbound, so nothing changed locally can make its way back into the domain.
Installing a RODC
As with any configuration-themed exam, you are expected to know how to manage a product end-to-end, including the installation. With regards to installing an RODC you will be expected to know the preparation steps, the installation itself, and any further configuration required. Also, you should make sure you know any alternative installation methods; although the exam won’t press you for this information in too much detail, you should be aware of the options available, as this is common testing ground.
One of the main preparation steps to note is the additional Adprep command: adprep /rodcprep. If you have installed any domain-based role in the past, you will be aware of the Active Directory preparation commands you must run to prepare the forest (which extends the schema) and the domain; where the domain was originally created on Windows 2000, the group policy preparation step is also required.
For your exam, you should make sure you understand the following commands and why they should be run prior to installation:
Adprep /forestprep
Adprep /domainprep
Adprep /domainprep /gpprep
Adprep /rodcprep
Adprep /rodcprep is the RODC-specific step. It updates the permissions on the DNS application directory partitions (ForestDnsZones and DomainDnsZones) so that an RODC that is also a DNS server for its location can replicate the DNS data held in them. It is run once per forest by an Enterprise Admin and must be able to contact the infrastructure master of every domain and application partition, so a stale infrastructure master reference is the usual reason for it to fail.
As mentioned previously, the RODC must have a writable Windows Server 2008 domain controller to replicate from, so you specify this as the replication source during the installation. From here you can set up the PRP (password replication policy); if you are following Microsoft best practice (which you always would, of course!) you should also delegate the administration of the RODC to a user or group. This gives the branch administrator local administrative rights on that RODC only, so they never need to be a member of Domain Admins and Domain Admins credentials never need to be used, or cached, at the remote office.
For your exam, you should also be aware that you can set up the RODC via an unattended installation (dcpromo with an answer file) or a staged, delegated installation, where a domain administrator first pre-creates the RODC computer account in the domain and a delegated user later runs the installation on the server itself to attach it to that account, so two different people are responsible for the installation at different times.
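The installation steps above, scripted as an added example (this is not code from the original article or from Microsoft; it is written from the documented dcpromo unattend parameters). Everything named in it is assumed for illustration: the domain corp.example.com with NetBIOS name CORP, the site Branch1, the writable source DC DC01, the groups CORP\Branch-Admins and CORP\Branch1-Users, the account svc-dcpromo and the RODC name BRANCH-RODC. The Allowed and Denied RODC Password Replication Groups are the domain's real built-in groups.

```powershell
# Added example: RODC installation on Windows Server 2008 with dcpromo and an unattend file.
# Prerequisites (run interactively once per forest as an Enterprise Admin from the
# \sources\adprep folder of the Server 2008 media, in this order):
#   adprep /forestprep ; adprep /domainprep ; adprep /domainprep /gpprep ; adprep /rodcprep

# --- Option A: unattended install of a single RODC ---------------------------------
# Hypothetical names: corp.example.com / CORP, site Branch1, source DC DC01.
$unattend = @'
; RODC unattend file (sample; set SafeModeAdminPassword before use)
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
ReplicationSourceDC=DC01.corp.example.com
SiteName=Branch1
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
; Password replication policy. A Deny entry always wins over an Allow entry, so the
; privileged groups below can never be cached on this box even if a branch user is
; later added to one of them.
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="CORP\Denied RODC Password Replication Group"
PasswordReplicationAllowed="CORP\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="CORP\Branch1-Users"
; Administrator role separation: local admin on this RODC only, no domain rights.
DelegatedAdmin="CORP\Branch-Admins"
UserDomain=corp.example.com
UserName=corp.example.com\svc-dcpromo
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=
RebootOnCompletion=Yes
'@

$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'
$unattend | Set-Content -Path $answerFile -Encoding ASCII
# Password=* makes dcpromo prompt for the promotion account's password.
dcpromo.exe /unattend:$answerFile

# --- Option B: staged (delegated) install -----------------------------------------
# Stage 1, run by a Domain Admin on any writable DC: pre-create the RODC account and
# record who is allowed to finish the job. Nothing is installed at the branch yet.
dcpromo.exe /unattend /CreateDCAccount:Yes /DCAccountName:BRANCH-RODC `
    /ReplicaDomainDNSName:corp.example.com /SiteName:Branch1 `
    /ReplicationSourceDC:DC01.corp.example.com /InstallDNS:Yes /ConfirmGc:Yes `
    /DelegatedAdmin:"CORP\Branch-Admins"

# Stage 2, run later on the branch server by a member of CORP\Branch-Admins (no Domain
# Admin rights needed): attach the server to the pre-created account.
dcpromo.exe /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:corp.example.com `
    /UserName:CORP\bsmith /Password:*
```

The server name in stage 2 must match the pre-created account name (BRANCH-RODC here), and the PRP and delegated administrator are taken from that account, which is why stage 2 needs so few parameters.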
Replication and caching
As with any additional domain controller role, replication is the key to the successful transfer of information between servers. One of the best features of RODCs is the way they store user credentials... in as much as they don't! The directory data (user objects, group memberships and so on) is replicated to the RODC, so it can present accounts to users when they need to supply a domain logon; account passwords, however, are not replicated by default. When a user logs on at the branch, the RODC forwards the authentication request to a writable domain controller, and only if that account is permitted by the policy does the RODC then request and cache the user's credentials so that it can service the next logon itself. This is where you should take note of a key term you will come across in your exam: the password replication policy (PRP). The PRP dictates whose passwords may be cached on a given RODC, limiting the amount of sensitive information available at a remote office. By default nothing is cached other than members of the Allowed RODC Password Replication Group (which is empty), while privileged groups such as Domain Admins, Enterprise Admins and Schema Admins are members of the Denied RODC Password Replication Group, and a Deny entry always takes precedence over an Allow entry.
Once you have allowed the accounts that may be cached on the RODC, the users at that remote site can log on to the domain as before. Any additions in terms of users, group membership, or group policy will apply on the next replication cycle. You can also prepopulate the cached passwords on the RODC if you know they are going to be required, so that the account can log on even if the WAN link is down before it has ever authenticated through the RODC; for example, the branch computer accounts, or a service account for an application at the remote office that has an SPN (service principal name) registered. You can disable password caching altogether by leaving the Allowed list empty, which is worth bearing in mind for the exam if this is listed as a requirement.
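Managing the PRP and prepopulating the cache with repadmin, as an added example that is not part of the original article. The names are assumed for illustration: the RODC BRANCH-RODC, the writable DC DC01, the group CORP\Branch1-Users and the OU OU=Branch1,DC=corp,DC=example,DC=com; the repadmin /prp and /rodcpwdrepl switches and the dsquery syntax are the real Windows Server 2008 ones.

```powershell
# Added example: PRP administration for a branch RODC (Windows Server 2008).
# Run from any machine with the AD DS tools, as an account allowed to edit the RODC object.
$rodc     = 'BRANCH-RODC'
$sourceDc = 'DC01'
$branchOu = 'OU=Branch1,DC=corp,DC=example,DC=com'   # hypothetical branch OU

# 1. Allow the branch users' passwords to be cached. Deny always wins over Allow, so any
#    branch user who is also in a denied group (e.g. Domain Admins) is still never cached.
repadmin /prp add $rodc allow 'CORP\Branch1-Users'

# 2. Prepopulate the cache for every user and computer in the branch OU. The secrets are
#    pulled from the writable DC now, so these accounts can log on at the branch even if
#    the WAN is down before they have ever authenticated through the RODC.
#    dsquery * prints each DN in double quotes; repadmin wants the bare DN.
$dns = dsquery * $branchOu -scope subtree -limit 0 `
    -filter '(|(objectCategory=person)(objectCategory=computer))'
foreach ($dn in $dns) {
    repadmin /rodcpwdrepl $rodc $sourceDc $dn.Trim('"')
}

# 3. Review the policy, and more importantly what is actually held on the box.
repadmin /prp view $rodc allow    # security principals the policy permits
repadmin /prp view $rodc deny     # security principals that can never be cached
repadmin /prp view $rodc auth2    # accounts that have authenticated through this RODC
repadmin /prp view $rodc reveal   # accounts whose secrets are currently cached here
```

The auth2 list is a good source for deciding who should be in the Allowed group: accounts that authenticate through the RODC but are not cached still work while the WAN is up, but lose logon when it is down. The reveal list is the one you care about if the RODC is stolen: when you delete the RODC's computer account in Active Directory Users and Computers, the wizard offers to reset the passwords of exactly these accounts.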
There are a couple of things to keep in mind regarding the importance of replication when using an RODC. Firstly, without contact with a writable domain controller the RODC cannot update itself, so password changes, group policy updates, and the authentication of new users (or of any user whose password is not cached) from the remote office will start to fail. Secondly, an RODC will only replicate from a writable Windows Server 2008 domain controller, never from another RODC. Both of these points are likely exam question areas, especially anything related to replication issues between sites that cause logon issues.
Read-only DNS
By the time you get to the 70-640 exam, you will know that DNS is a key part of a domain controller, and an RODC is no exception. However, in the same way that an RODC depends on a writable DC in order to replicate the required information, read only DNS relies on a writable DNS server to update its records: a client that tries a dynamic update against the RODC is referred to a writable DNS server, and the RODC then pulls the changed record back by replication. This is another nice security feature, as it keeps the DNS from being polluted at the remote office, which could otherwise cause name resolution issues throughout the entire estate. This is a point you should take note of in your study material, as any DNS questions related to RODCs will often concern the read only DNS zone not being up to date and therefore causing name resolution and logon issues.
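An added example, not from the original article, of the check a practitioner would run when faced with the replication and read-only DNS symptoms described in the two sections above. It parses the CSV output of repadmin /showrepl for the branch RODC; because an RODC only has inbound links, every row is a source the RODC pulls from, and the DomainDnsZones and ForestDnsZones rows are the ones that carry the read-only DNS data. The RODC name BRANCH-RODC is assumed.

```powershell
# Added example: inbound replication health for a branch RODC (Windows Server 2008).
function Get-RodcReplicationStatus {
    param([string]$Rodc = 'BRANCH-RODC')   # hypothetical RODC name

    # repadmin /showrepl /csv emits one row per inbound partner per naming context, with
    # headers such as 'Naming Context', 'Source DSA', 'Number of Failures',
    # 'Last Success Time' and 'Last Failure Status'.
    $rows = repadmin /showrepl $Rodc /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = [int]$row.'Number of Failures'
        [pscustomobject]@{
            NamingContext = $row.'Naming Context'
            Source        = $row.'Source DSA'
            LastSuccess   = $row.'Last Success Time'
            Failures      = $failures
            LastStatus    = $row.'Last Failure Status'
            Healthy       = ($failures -eq 0)
        }
    }
}

$rodc   = 'BRANCH-RODC'
$status = Get-RodcReplicationStatus -Rodc $rodc
$status | Format-Table -AutoSize

# A failing row explains the classic exam symptoms at the branch: a new user cannot log
# on, a password change is not recognised, a GPO edit made at HQ does not apply, and a
# DNS record created at HQ is missing from the read-only zone (DomainDnsZones row).
$broken = $status | Where-Object { -not $_.Healthy }
if ($broken) {
    Write-Warning ("Inbound replication to {0} is failing for: {1}" -f `
        $rodc, ($broken.NamingContext -join ', '))
} else {
    # Link is healthy; force an immediate pull of all partitions instead of waiting
    # for the next scheduled intersite cycle.
    repadmin /syncall $rodc /A /e /d
}
```

If the only unhealthy rows are the DNS application partitions, suspect that adprep /rodcprep was never run (or ran before a decommissioned infrastructure master was cleaned up), since that is what grants the RODC permission to replicate those partitions.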
Administrator role separation
This is another handy feature of RODCs, aimed at restricting the exposure of administrator rights within a remote office environment. As mentioned above, you can specify a group or user as the local administrator of that RODC so that it can be administered (patched, backed up, have drivers installed) without granting that person any rights in the domain. This is an important part of the installation configuration, because the default administrative groups are denied password caching and their credentials should never be used at the branch at all.
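Delegation can also be granted or inspected after installation, using dsmgmt on the RODC itself. The following is an added example, not code from the original article; the group CORP\Branch-Admins is assumed, and the script relies on dsmgmt accepting its menu commands as successive command-line arguments in the same way ntdsutil does.

```powershell
# Added example: administrator role separation on an existing RODC (Windows Server 2008).
# Run locally on the RODC as a Domain Admin, or as the administrator delegated at install.
$branchAdmins = 'CORP\Branch-Admins'   # hypothetical branch admin group (no spaces, to keep
                                       # dsmgmt's argument parsing simple)

# Add the group to the RODC's local Administrators role. This is stored on the RODC only;
# the group gains no rights on any other DC or in the domain.
dsmgmt 'local roles' "add $branchAdmins administrators" quit quit

# Verify by reading the role back. The output lists the role's members by name.
$members = dsmgmt 'local roles' 'show role administrators' quit quit
if ($members -match [regex]::Escape($branchAdmins)) {
    "Delegated: $branchAdmins is a local administrator of this RODC"
} else {
    Write-Warning "$branchAdmins was not found in this RODC's local Administrators role"
}

# The other delegable local roles (Server Operators, Backup Operators, ...):
dsmgmt 'local roles' 'list roles' quit quit
```

Because these role memberships live on the RODC rather than in the domain, a branch administrator who is removed from CORP\Branch-Admins loses access on the next group refresh, while a stolen RODC gives an attacker nothing about this group beyond the local role assignment.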
When you cover RODCs in the 70-640 exam, keep in mind that their sole purpose is to increase domain security. Whenever a question refers to securing a remote office location that requires domain access, or to a remote office giving you issues because non-IT users are editing Active Directory, you should know that the RODC is the tool for the job. Also bear in mind that when a question about RODC administration mentions a new user having logon issues or an expected group policy change not being applied, this is going to be related to replication.