Windows Insider
RODC in the USA
You can use Windows Server 2008 to build a hack-resistant, read-only DC.
- By Greg Shields
- 09/01/2007
If all your Domain Controllers (DCs) reside within the protective confines
of your secured data center, then you probably don't have to think about them
all that much. They perform their daily duties on the speedy local area network
with relatively few problems. You only have to concern yourself when it's time
for their monthly patch installation and those rare times when they stop functioning.
If your DCs are spread across the country, however, you've got a bigger problem.
Managing branch offices with unsecured data centers or no data center at all
means your DCs probably sit under someone's desk. Prior to Windows Server 2008,
those DCs also contained full read/write copies of your Active Directory database.
If some scofflaw walks off with a forgotten DC in a backwater branch office, he
walks off with the password hashes of every account in the domain, including the
administrative and KRBTGT accounts. Your entire AD domain is compromised.
That was the case until Windows Server 2008. Windows Server 2008 introduces
the concept of a Read-Only Domain Controller (RODC). An RODC holds a read-only
copy of your AD, but by default it holds no account passwords at all; only the
secrets of the accounts that its Password Replication Policy explicitly allows
are cached on it. If the RODC is stolen, you're resetting the dozens of cached
passwords instead of every account in the domain.
The improved isolation of the new RODC role combined with the reduced attack
surface of Windows Server 2008 Core further locks down those quasi-secured DCs
all across the country. Without plowing through too much of the basics of Server
Core itself, let's take some time to outline a minimal step-by-step guide to
help you build your own Server 2008 Core RODC.
Serving Up Server Core
Obviously, the first thing that has to happen is installing Server Core itself.
To do this, drop the media CD into the drive of the soon-to-be-DC and boot the
machine. Choose to install the software, enter your product ID and select "Windows
Longhorn SERVER STANDARDCORE" at the prompt.
Although both Core and non-Core versions of the operating system are available
on the same CD, a given installation is one or the other; there is no converting
between them later. You'll be asked to approve the license agreement and to
select the hard drive on which to install the software.
After a few reboots, the installation will complete with the typical "Press
Control + Alt + Delete to Log In" screen. Enter "administrator"
for your initial username and no password to log on.
Once you're logged in, you'll be presented with Server Core's rather spartan
shell. This is little more than a blue screen overlaid with a command prompt.
There's no Start bar. There are no Computer or Network icons. There's nothing
outside of this single command prompt window.
The next few steps involve changing the initial blank administrator password,
naming the machine, connecting it to the network, activating it and finally
promoting it into the domain with dcpromo. All of these configurations happen
at the command line.
Step 1: Once you're logged in, change the initial administrator password
using the command net user administrator {new password}. Using an asterisk in
place of the password (net user administrator *) makes the command prompt for
it twice without echoing it to the screen. You can also hit
Control+Alt+Delete to revert to the Windows Security screen and change the
password there.
Step 2: Next, change the name of the machine to something meaningful.
Use the command netdom renamecomputer %computername% /newname:{new
computer name}. Then, restart the computer with the shutdown
/r command.
Step 3: To change the IP configuration of the machine, use the command
netsh interface ipv4 set address {interface name} static
{ip address} {subnet mask} {default gateway}. To set the primary DNS server, use netsh
interface ipv4 set dnsserver {interface name} static {ip address} primary.
Point it at a DNS server that hosts your domain's zone (typically an existing
DC); dcpromo can't locate the domain otherwise. If you need to get your
interface name, use netsh interface ipv4 show interfaces, and put the name in
quotes if it contains spaces, as the default "Local Area Connection" does.
Step 4: You'll need to activate your installation with the command slmgr
-ato. If you want to change product keys after installation, you can
use the command slmgr -ipk {product key}.
Step 5: You can list the roles installed on the computer with the oclist
command. The list of available, installed and not-yet-installed roles will appear.
To install any of the roles not already installed, enter start
/w ocsetup {role name}. You'll see that you can't install the Active
Directory Domain Services (ADDS) role this way. To install ADDS, we need to
use our old friend dcpromo.
Step 6: To begin the dcpromo process, create an unattended installation
text file with Notepad. You'll find the contents of a sample text file at the
end of this article. To use this text file in the dcpromo configuration, use
the command dcpromo /unattend:{path to text file}. The text file includes a
configuration item ReplicaOrNewDomain, which is set to ReadOnlyReplica. This
tells the dcpromo process to build the DC as an RODC. Note that the file also
carries a domain administrator's password and the Directory Services Restore
Mode password in clear text, so delete it once dcpromo has finished with it.
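The whole Server Core sequence above, gathered into one script, as an added example that is not part of the original article. It runs in two phases because the rename only takes effect on reboot: phase 1 sets the password, network, activation and name; phase 2 (invoked with the argument promote) writes the answer file from the template at the end of this article and runs dcpromo. Every host name, address, site and DN in the set lines is a placeholder for your own environment, and the answer-file keys are the beta 3 ones the article lists, so check them against the dcpromo documentation for the build you install.

```batch
@echo off
rem Added example, not from the original article: phased build of a
rem Server 2008 Core RODC. Run once with no argument, then after the reboot
rem run:  rodc-setup.cmd promote
rem All values in the set lines below are placeholders.
setlocal

set NEWNAME=BR-RODC01
set NIC=Local Area Connection
set IP=10.20.30.10
set MASK=255.255.255.0
set GW=10.20.30.1
set DNS1=10.0.0.10
set DOMAIN=corp.example.com
set NETBIOSDOMAIN=CORP
set SITE=Branch-Boise
set SOURCEDC=dc01.corp.example.com
set ANSWER=%SystemDrive%\rodc-unattend.txt

if /i "%1"=="promote" goto promote

rem Step 1: set the blank Administrator password. The * makes net user
rem prompt for it (twice, no echo) instead of leaving it on the command line.
net user administrator *

rem Step 3 (before the rename): static IP, and a DNS server that hosts the
rem domain zone, otherwise dcpromo cannot locate the domain after the reboot.
netsh interface ipv4 set address name="%NIC%" source=static address=%IP% mask=%MASK% gateway=%GW%
netsh interface ipv4 set dnsserver name="%NIC%" source=static address=%DNS1% primary

rem Step 4: activate.
cscript //nologo %windir%\system32\slmgr.vbs -ato

rem Step 2: rename. Takes effect on reboot, so promotion is a second phase.
netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /force
echo Rebooting. After logon, run: %~nx0 promote
shutdown /r /t 10
goto :eof

:promote
rem Step 6: write the answer file from the article's template. The Password
rem lines land in clear text, so the file is removed as soon as dcpromo
rem has read it. Avoid the characters ^& ^| ^< ^> in these passwords;
rem cmd would interpret them inside the echo lines.
set /p ADMINUSER=Domain admin user name:
set /p ADMINPW=Domain admin password (echoed on screen):
set /p DSRMPW=Directory Services Restore Mode password (echoed):
(
echo [DCInstall]
echo AutoConfigDNS=Yes
echo CriticalReplicationOnly=No
echo DisableCancelForDnsInstall=No
echo UserDomain=%NETBIOSDOMAIN%
echo UserName=%ADMINUSER%
echo Password=%ADMINPW%
echo SafeModeAdminPassword=%DSRMPW%
echo RebootOnCompletion=No
echo SiteName=%SITE%
echo ReplicaDomainDNSName=%DOMAIN%
echo ReplicaOrNewDomain=ReadOnlyReplica
echo ReplicationSourceDC=%SOURCEDC%
) > "%ANSWER%"

dcpromo /unattend:"%ANSWER%"

rem RebootOnCompletion=No so the credentials can be wiped before restarting.
del /q "%ANSWER%"
shutdown /r /t 0
```

The script deliberately configures DNS before the rename and keeps ReplicationSourceDC as a fully qualified name: both are what dcpromo needs to find a writable Windows Server 2008 DC to replicate from, and a wrong DNS server is the most common reason an unattended promotion fails.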
Step 7: Once you've finished dcpromo and rebooted the machine, you now
have a successful RODC installation. The last step in the process is enabling
the users and/or groups that will have their account information stored on this
RODC.
To do this, open Active Directory Users and Computers on Windows Server 2008
and navigate to the newly created RODC's computer object. View the properties
on that object and select the Password Replication Policy tab. Here, you'll
see the default users and groups whose password information is allowed or
denied replication to the RODC; the built-in Denied list already covers the
Domain Admins, Enterprise Admins and other privileged groups, and Deny always
wins over Allow. To add a new user or group, select Add followed by "Allow
passwords for the account to replicate to this RODC." Then, select the user
or group to allow. Similarly, you can choose to deny a user or group from
having their passwords replicated down to the RODC.
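The same policy work, and the audit question the GUI doesn't put in front of you (which passwords are actually sitting on that RODC right now), can be done from a writable DC with repadmin. This is an added example, not part of the original article; the RODC name, source DC and distinguished names are placeholders.

```batch
@echo off
rem Added example, not from the original article: manage and audit an RODC's
rem Password Replication Policy with repadmin from a writable DC.
rem The RODC name, source DC and DNs below are placeholders.
setlocal
set RODC=BR-RODC01
set SOURCEDC=DC01
set BASEDN=DC=corp,DC=example,DC=com

rem Current policy. Deny wins over Allow, and the default Denied list
rem already holds Domain Admins, Enterprise Admins and friends.
repadmin /prp view %RODC% allow
repadmin /prp view %RODC% deny

rem Allow the branch staff group. Put users in the group rather than in the
rem policy itself so the policy stays short and reviewable.
repadmin /prp add %RODC% allow "CN=Boise Branch Staff,OU=Groups,%BASEDN%"

rem Pre-populate one user's secrets from a writable DC so the first logon
rem at the branch works even with the WAN link down.
repadmin /rodcpwdrepl %RODC% %SOURCEDC% "CN=Jane Doe,OU=Boise,%BASEDN%"

rem Audit: accounts whose passwords are actually cached on the RODC now.
rem This is the list you reset if the box walks out the door.
repadmin /prp view %RODC% reveal

rem Accounts that authenticated through this RODC but are not cached:
rem candidates for the Allow list, or a sign of unexpected use.
repadmin /prp view %RODC% auth2
```

The reveal list is the one that matters after a theft: when you delete the stolen RODC's computer object in Active Directory Users and Computers, the deletion dialog offers to reset the passwords of exactly those cached accounts, which is the "dozens instead of thousands" the introduction promises.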
This completes the installation. You can see that Windows Server 2008 Core's
limited attack surface, combined with the replication of only a limited set of
passwords down to that DC, means a much better security posture for DCs at your
branch offices.
Admins with centralized environments and DCs locked away behind closed doors
may not need to worry too much about RODCs. For those of us with far-reaching
networks, however, they can help us breathe a sigh of relief.
[This article was created using the beta 3 version of Windows Server 2008.
Configuration steps for the final version may be somewhat different. --Ed.]
More Information
DCPromo Unattended Installation Text File
Server 2008 Core only installs limited components that allow for
installed roles to interact with the shell. Notepad.exe is one tool available
in the core installation, for example, but the bits aren't available for Wordpad.exe
to function. Those limitations also prevent the dcpromo process from interacting
with the shell. So any dcpromo must be completed with an unattended installation
file.
This file is used as part of Step 6 above to configure the dcpromo process
as it installs Active Directory onto our Server 2008 Core server. Most of the
variables below are self-explanatory, but two deserve attention. The first is
ReplicaOrNewDomain, which is set to ReadOnlyReplica. This tells dcpromo to
install the DC as an RODC.
The second is ReplicationSourceDC, which should contain the fully qualified
domain name of a functioning, writable Windows Server 2008 Domain Controller
from which this server can obtain its copy of the directory.
[DCInstall]
AutoConfigDNS=Yes
CriticalReplicationOnly=No
DisableCancelForDnsInstall=No
UserDomain={domain name}
UserName={domain admin user name}
Password={password}
SafeModeAdminPassword={password}
RebootOnCompletion=Yes
SiteName={ad site name}
ReplicaDomainDNSName={domain name}
ReplicaOrNewDomain=ReadOnlyReplica
ReplicationSourceDC={source DC}
--G.S.
About the Author
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.