RODCs can be implemented on a full or core installation of Windows Server 2008 or Windows Server 2008 R2, and the installation can be performed in a standard or in a staged manner. Because RODCs are tailored toward branch office implementations where physical security and theft are a concern, it is a best practice to heighten security even further by installing an RODC on a Server Core installation. A Server Core installation minimizes the attack surface and provides the maximum amount of protection in the event of a system breach.
The upcoming sections include step-by-step procedures for installing an RODC on a full installation of Windows Server 2008 R2, installing an RODC on a Windows Server 2008 R2 Server Core installation, and performing a staged installation. Before launching into the procedures, however, let us examine the prerequisites for installing RODCs and the limitations associated with using an RODC.
Note
The following steps assume an RODC install is being performed using Windows Server 2008 R2. However, RODC functionality was first introduced in Windows Server 2008 and, as such, the installation can also be completed using that version of Windows Server.
Examining Prerequisite Tasks When Deploying an RODC
The following bullets list the items you should review and complete before installing RODCs:
Active Directory running on Windows Server 2003 or Windows Server 2008 R2 must already exist in the environment.
The Active Directory schema must support the Windows Server 2008 R2 server extensions.
The forest and domain functional level must be running Windows Server 2003 or higher.
At least one domain controller within the domain must be running Windows Server 2008 R2.
The PDC Emulator FSMO role must be running Windows Server 2008 R2.
A regular non-read-only (writable) domain controller must already exist within the Active Directory infrastructure.
The RODC cannot be the first domain controller within the Active Directory infrastructure.
If the DNS service will be configured on a Server Core installation, a non-read-only DNS server must be present within the domain.
Limitations Associated with Windows Server 2008 R2 RODCs
There are situations when RODCs cannot be used. This is the case with bridgehead servers and operations master role holders. For example, a Windows Server 2008 R2 bridgehead server is responsible for managing Active Directory replication from a physical site. Because an RODC can only perform inbound unidirectional replication, it cannot be designated as a bridgehead server, because these servers must support both inbound and outbound replication.
An RODC also cannot function as a Flexible Single Master Operations (FSMO) role holder. Each FSMO role needs to write information to an Active Directory domain controller. As an example, consider extending the Active Directory schema for Microsoft Exchange Server 2007. The new schema extensions would be written on a domain controller to support Exchange 2007. The schema extensions would fail on an RODC because the domain controller is not writable, which, of course, explains why an RODC cannot hold an FSMO role.
To add to its limitations, out-of-the-box RODCs cannot authenticate a smart card logon. This is because the Enterprise Read-Only Domain Controller (ERODC) group is not defined in the domain controller certificate template by default. Because the ERODC group is not among the groups defined in the template, the RODC is not automatically enrolled for the certificate, which is a requirement for authenticating smart card logons. Unlike the limitations of RODCs stated in the previous two paragraphs, there is a way to work around this particular drawback so an RODC can authenticate a smart card logon. The following changes must be made in the certificate templates for an RODC to support smart card logons:
ERODC group permissions for Enroll must be set to Allow on the Domain Controller certificate template.
ERODC group permissions for Enroll and Autoenroll must be set to Allow on the Domain Controller Authentication and Directory E-Mail Replication certificate templates.
The Authenticated Users group permissions must be set to Allow Read on the Domain Controller Authentication and Directory E-Mail Replication certificate templates.
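The three template changes just listed can be verified before the RODC is put into service. The PowerShell below is an added example and is not from the book; it assumes the ActiveDirectory module on Windows Server 2008 R2 (which provides the AD: drive), the well-known template common names DomainController, DomainControllerAuthentication and DirectoryEmailReplication, and the standard extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment. It only reads the template ACLs and changes nothing.

```powershell
# Added example, not the book's own code: audit the certificate template permissions
# the text requires for RODC smart card logon. Read-only; nothing is modified.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$Extended       = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericRead    = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$Erodc      = 'Enterprise Read-only Domain Controllers'

# Requirements as stated in the text: template common name, principal, rights that must be Allowed
$required = @(
    @{ Template = 'DomainController';               Principal = $Erodc;               Rights = @('Enroll') },
    @{ Template = 'DomainControllerAuthentication'; Principal = $Erodc;               Rights = @('Enroll', 'Autoenroll') },
    @{ Template = 'DirectoryEmailReplication';      Principal = $Erodc;               Rights = @('Enroll', 'Autoenroll') },
    @{ Template = 'DomainControllerAuthentication'; Principal = 'Authenticated Users'; Rights = @('Read') },
    @{ Template = 'DirectoryEmailReplication';      Principal = 'Authenticated Users'; Rights = @('Read') }
)

function Test-TemplateRight {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl, [string]$Principal, [string]$Right)
    # Compare on the account name only, so DOMAIN\ and NT AUTHORITY\ prefixes do not matter
    $aces = $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.IdentityReference.Value -split '\\')[-1] -eq $Principal
    }
    $hits = switch ($Right) {
        # An ACE granting all extended rights (empty ObjectType) also satisfies Enroll/Autoenroll
        'Enroll'     { $aces | Where-Object { (($_.ActiveDirectoryRights -band $Extended) -ne 0) -and
                                              ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty) } }
        'Autoenroll' { $aces | Where-Object { (($_.ActiveDirectoryRights -band $Extended) -ne 0) -and
                                              ($_.ObjectType -eq $AutoEnrollGuid -or $_.ObjectType -eq [guid]::Empty) } }
        'Read'       { $aces | Where-Object { ($_.ActiveDirectoryRights -band $GenericRead) -eq $GenericRead } }
    }
    return [bool]$hits
}

$results = foreach ($req in $required) {
    $acl = Get-Acl -Path "AD:\CN=$($req.Template),$templateDN"
    foreach ($right in $req.Rights) {
        New-Object PSObject -Property @{
            Template  = $req.Template; Principal = $req.Principal; Right = $right
            Allowed   = Test-TemplateRight -Acl $acl -Principal $req.Principal -Right $right
        }
    }
}
$results | Format-Table Template, Principal, Right, Allowed -AutoSize
if ($results | Where-Object { -not $_.Allowed }) {
    Write-Warning 'A required template right is missing; smart card logon through the RODC will fail until it is granted.'
}
```

Run it from a writable domain controller or management host with the AD module, as a user allowed to read the Configuration partition; any row reporting Allowed = False identifies the template and right still to be granted.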