The Read-only Domain Controller is one of the new and most exciting features of Windows Server 2008. So is Server Core. Combining these two features opens up a whole new world of possibilities for your Active Directory environment.
Server Core Domain Controllers are the high-performance, low-maintenance brothers of Domain Controllers running on full installations of Windows Server 2008. I've already shown you a long time ago how to install Server Core Domain Controllers (the post that started the Server Core frenzy on my blog over a year ago). Now I feel it's time to show you how to add Server Core Read-only Domain Controllers to your existing Windows Server 2008 domain. This blog post contains the following information:
Reasoning
Reasons to install additional Domain Controllers
Joe explains the importance of Active Directory in simple words:
Microsoft advises using at least two Domain Controllers for each domain. When you only use one Domain Controller and this Domain Controller fails, you can't do anything. Although you might be able to restore the Domain Controller, when you use a dedicated backup media server you might have trouble authenticating the Backup Service Account… Using two Domain Controllers might not even be sufficient in some scenarios. These scenarios might include Identity Management solutions (synchronizing with other directory services) and Infrastructure Master / Global Catalog combinations in multi-site situations. Large Microsoft Exchange Server implementations might require multiple Global Catalog servers as well. See the Infrastructure Planning & Design TechCenter for Active Directory for more information.
Reasons to install Read-only Domain Controllers
Windows Server 2008 brings a new kind of Active Directory Domain Controller to the table: the Read-only Domain Controller. It is not aimed at providing additional fault tolerance for your Active Directory forest, but is an additional Domain Controller typically aimed at branch office and DMZ one-way-sync situations. These situations typically include:
Branch offices
The classic dilemma regarding Active Directory Domain Controllers in branch offices was to either place a (writable) Domain Controller in the branch office or increase bandwidth to the central Domain Controllers to facilitate authentication. Branch offices also typically have specific needs. Most of the time central restrictions don't get taken very seriously and the only real restriction seems to be budget. This results in the kitchen cupboard servers most of us will have encountered (along with the coffee machine hooked up to the same UPS?). The Read-only Domain Controller functionality offers branch offices fast authentication while being more secure than writable Domain Controllers, mitigating the risks when the box gets compromised or stolen.
DMZ
A Perimeter Network, also known as a DMZ, is a security measure. It is a highly restricted and heavily monitored piece of network. It is mainly used for Internet-facing servers that in one way or another need information from networks that are considered 'internal'. (To give you an idea: typical servers placed in DMZs are web servers, Exchange 2003 front-end servers, Exchange 2007 Edge Transport servers and ISA servers.) This information might be related to authentication towards your 'internal' Active Directory, and this surely might pose a security threat. The classic dilemma was to create a separate Active Directory forest for your domain (with two Active Directory Domain Controllers, naturally) or to rely on the appliances, configuration and monitoring skills to keep things safe. The Read-only Domain Controller functionality offers a one-way replication method for selected information from your internal network to the DMZ, with limited risk towards your internal network when the box gets compromised.
Reasons to install Server Core RODCs
Read-only Domain Controllers prevent (most) branch office IT personnel from altering Active Directory information while having console access.
One of the benefits of Server Core is that those same people don't have a point-and-click interface. The possibility to wreak havoc is many times smaller compared to a Full Installation of Windows Server 2008. Another benefit might be the additional performance a Server Core Domain Controller offers in comparison to a Full Installation Domain Controller. Offering the same performance while placing slimmer boxes that cost less is appealing in branch office situations (especially when deploying a large number of branch offices).
Preparations
At least one Windows Server 2008 Domain Controller
Read-only Domain Controllers can replicate with Windows Server 2003 Domain Controllers, but updates to the domain partitions won't get replicated. For this reason Microsoft advises replicating Read-only Domain Controllers with Windows Server 2008 Domain Controllers. Let's assume you have already upgraded your Windows Server 2003 Domain Controllers to Windows Server 2008 or have recently implemented an Active Directory forest using Windows Server 2008. Jorge and I have posted information on how to transition your Active Directory forest and how to implement new Windows Server 2008 Domain Controllers, so you shouldn't have any problems creating writable Windows Server 2008 Domain Controllers. More info:
Microsoft states you will need to make at least one Windows Server 2008 Domain Controller a DNS server for your Active Directory Integrated DNS zone if you want your Read-only Domain Controller to act as a DNS server for your Active Directory Integrated DNS zones.
Domain and Forest functional levels
The good news is that, despite having to implement at least one Windows Server 2008 Domain Controller, you do not need to raise the domain functional level or the forest functional level to Windows Server 2008. The forest functional level needs to be at least Windows Server 2003, though.
RODCPrep
Furthermore you should run adprep /rodcprep before you begin implementing Read-only Domain Controllers. This command will update your Active Directory and prepare it for the first Read-only Domain Controller. Perform this action on the Domain Controller holding the Domain Naming Master Flexible Single Master Operations (FSMO) role. Note: Adprep.exe is located on the Windows Server 2008 DVD in the subfolder SOURCES\ADPREP.
RODC Compatibility Pack
While Windows Server 2008 and Windows Vista understand the Read-only Domain Controller functionality out of the box, some Microsoft products do not. For these products Microsoft released the RODC compatibility pack for down-level clients. Typical symptoms for Windows XP and Windows Server 2003 are described in Microsoft Knowledge Base article 944043.
Active Directory sites
When installing Read-only Domain Controllers for new remote locations, prepare Active Directory sites and corresponding IP subnets.
Example
In this blog post I'm using an example environment and an example Read-only Domain Controller implementation. The example is pretty simple. Below are its characteristics:
A new site named "Remote location" has been defined, along with a corresponding IP range. The server that will become the Read-only Domain Controller has been given an IP address in the range of the "Remote location" site. The new Read-only Domain Controller in our example will be the only Domain Controller in the remote location and will become a DNS server and Global Catalog. Our Server Core Read-only Domain Controller comes prepared with a dedicated E:\ partition to place the Active Directory database, transaction logs and system volume (SYSVOL) onto.
Scripting
On both Full Installations and Server Core Installations of Windows Server 2008 you can script the promotion of a (member) server to a Domain Controller using dcpromo.exe. By appending command line switches to dcpromo.exe you can script the command. A full overview of all the dcpromo.exe command line switches can be found on this page on Microsoft TechNet. To script the Read-only Domain Controller (RODC) promotion for our example you could use the following command:
dcpromo.exe /unattend /UserDomain:DOMAIN /UserName:Administrator
Answerfile
As an alternative to installing your Read-only Domain Controller with a script you can use an answerfile. This might certainly be a way to make the promotion process less error-prone, but it shows your password to everyone who has access to the file before execution. Note: To use an answerfile with dcpromo.exe use either of the following two commands:
dcpromo.exe /unattend:C:\dcpromo.txt
or
dcpromo.exe /answer:C:\dcpromo.txt
The contents of the answerfile for our example should look like below:
More examples of answerfiles can be found in Microsoft Knowledge Base article 947034, which shows how to use unattended mode to install and remove Active Directory Domain Services on Windows Server 2008-based Domain Controllers.
Staged Deployment
Although the Graphical User Interface (GUI) for dcpromo.exe is not available on a Server Core installation, you can use it partially to create Server Core Domain Controllers if you prefer. Through the Graphical User Interface on a Domain Controller on a Full Installation of Windows Server 2008 you can perform the first step of a Staged Deployment. A Staged Deployment includes the following two steps:
Preparing the RODC account
To pre-create a Read-only Domain Controller within a Staged Deployment perform the following steps:
Attaching a server to the account
The second step of a Staged Deployment consists of attaching a server to the pre-created Read-only Domain Controller account. In this case I will be using an answer file, which is the most likely way to help your local Server Core admin out.
Tip!
Instruct the local administrator for the site in which you intend to place the Read-only Domain Controller to create an answerfile containing the above text. When necessary, refer to the Getting installation files onto Server Core post for more information. Instruct the administrator to perform the following command:
dcpromo.exe /UseExistingAccount:attach /unattend:C:\dcpromo.txt
where C:\dcpromo.txt represents the location of the answerfile.
Installation from Media
A consideration in multi-site Active Directory environments with little available bandwidth is to use Install from Media (IFM) media when you promote a Domain Controller. Using this kind of media prevents the new Domain Controller from replicating the Active Directory database from another Domain Controller during promotion. Just like a Staged Deployment, Installation from Media is a two-step process:
Preparing the media
To create media for the promotion of a Read-only Domain Controller you can log on to a Windows Server 2008 Domain Controller using an account with administrative permissions and perform the following actions:
Installing the Domain Controller using the media
With the media you created in step 1 you can promote the Read-only Domain Controller. Using the media will considerably reduce the amount of traffic. Traffic will occur, of course, and the amount of replication traffic depends on the amount of changes to the Active Directory in the time between creation of the media and promotion of the Domain Controller. After you have created the media you can ship it or take it to the location of the Read-only Domain Controller and transfer the files onto it. Note: To promote the Domain Controller you can use any of the three methods above on the side of the Read-only Domain Controller. To show you the appropriate switches I chose to use scripting. This resulted in the following command:
dcpromo.exe /adv /unattend /UserDomain:DOMAIN
In my case I transferred the files to the C:\InstallationMedia folder on the Server Core box, but running it from a CD, DVD or memory stick would also suffice.
Concluding
There are four ways to promote your Server Core box to a Read-only Domain Controller. Depending on your needs you can use the most appropriate method:
Further Reading
You lose AD, you can't do anything…
Webcasts
Lazy Admin – Creating a Read Only DC (using an answerfile)