1
00:00:01,440 --> 00:00:04,680
Deploy Read‑Only Domain Controllers, RODCs.

2
00:00:04,680 --> 00:00:06,480
What is an RODC?

3
00:00:06,480 --> 00:00:06,760
Well,

4
00:00:06,760 --> 00:00:10,530
it's a domain controller that hosts a read‑only copy of the AD

5
00:00:10,530 --> 00:00:13,920
directory database and also read‑only DNS.

6
00:00:13,920 --> 00:00:15,870
So the idea here is security.

7
00:00:15,870 --> 00:00:20,110
You would consider deploying an RODC to branch offices that may have

8
00:00:20,110 --> 00:00:24,140
limited network connectivity and/or no local IT staff.

9
00:00:24,140 --> 00:00:27,920
So you're concerned that if there is a breach in that branch office,

10
00:00:27,920 --> 00:00:32,480
you may not have the eyeballs inspecting that server or those servers so much,

11
00:00:32,480 --> 00:00:35,010
so how can you harden the machine as much as possible?

12
00:00:35,010 --> 00:00:39,260
Well, if it has a read‑only AD database, then that means a couple things.

13
00:00:39,260 --> 00:00:43,290
One, it still will be able to process logons and it'll have a DNS zone,

14
00:00:43,290 --> 00:00:45,640
so again, name resolution should be fine,

15
00:00:45,640 --> 00:00:48,630
but if there's a new user let's say, how is that new user,

16
00:00:48,630 --> 00:00:51,790
especially if it's a new user to the organization and the branch,

17
00:00:51,790 --> 00:00:53,270
how will that happen, you know?

18
00:00:53,270 --> 00:00:56,590
Or if you make a host addition to the DNS zone,

19
00:00:56,590 --> 00:01:00,250
how in the world can you do that if the RODC cannot do a write?

20
00:01:00,250 --> 00:01:01,710
Well, it's replication.

21
00:01:01,710 --> 00:01:05,350
You're going to need to create the objects on a read‑write domain controller,

22
00:01:05,350 --> 00:01:08,930
and then we have uni‑directional replication to the RODC.
23
00:01:08,930 --> 00:01:11,840
You also can configure something on a read‑write domain

24
00:01:11,840 --> 00:01:14,130
controller called the filtered attribute set.

25
00:01:14,130 --> 00:01:14,750
In other words,

26
00:01:14,750 --> 00:01:19,550
you can specify that certain Active Directory attributes are secure.

27
00:01:19,550 --> 00:01:23,160
Maybe you've extended your schema and added a badge ID, let's say,

28
00:01:23,160 --> 00:01:27,640
and maybe for security reasons a particular branch that has an RODC

29
00:01:27,640 --> 00:01:31,560
should never receive that particular new user property.

30
00:01:31,560 --> 00:01:34,240
The idea is you want to contain the blast radius.

31
00:01:34,240 --> 00:01:38,280
If a bad actor or group were to compromise that RODC,

32
00:01:38,280 --> 00:01:42,190
they're not going to be able to modify AD or DNS because they're read‑only.

33
00:01:42,190 --> 00:01:45,800
We have potentially some attributes coming from the domain or

34
00:01:45,800 --> 00:01:49,730
forest that are not being replicated to the RODC because we've

35
00:01:49,730 --> 00:01:52,060
marked them as the filtered attribute set,

36
00:01:52,060 --> 00:01:55,150
and then we have the ability to selectively cache credentials.

37
00:01:55,150 --> 00:01:57,930
So the idea is that you would allow credential caching on the

38
00:01:57,930 --> 00:02:01,370
RODC only from the users in that branch office.

39
00:02:01,370 --> 00:02:05,240
And again, worst‑case scenario, if the RODC were breached,

40
00:02:05,240 --> 00:02:08,250
the only accounts that would be compromised would be the ones

41
00:02:08,250 --> 00:02:11,250
that have cached credentials on the RODC.

42
00:02:11,250 --> 00:02:16,340
Now riding herd with the RODC, we have the concept of Install from Media, or IFM.

43
00:02:16,340 --> 00:02:19,260
This is where you can deploy a domain controller without

44
00:02:19,260 --> 00:02:21,470
a live connection to a read‑write DC.
45
00:02:21,470 --> 00:02:26,360
Maybe you have an RODC deployed to an offline or secure network.

46
00:02:26,360 --> 00:02:27,120
What you can do,

47
00:02:27,120 --> 00:02:30,910
the process is you create your installation media on a writeable DC,

48
00:02:30,910 --> 00:02:34,880
transfer it to your offline server, what will become your RODC,

49
00:02:34,880 --> 00:02:38,100
install the AD DS role on that target server,

50
00:02:38,100 --> 00:02:42,180
and then when you promote the server to be a domain controller in the domain,

51
00:02:42,180 --> 00:02:45,750
you specify the IFM option and then point to your offline media.

52
00:02:45,750 --> 00:02:49,750
Now, eventually, that server will need to receive updates.

53
00:02:49,750 --> 00:02:50,750
The idea is that,

54
00:02:50,750 --> 00:02:53,970
especially when you're deploying a domain controller in a

55
00:02:53,970 --> 00:02:56,180
spot with limited network connectivity,

56
00:02:56,180 --> 00:03:00,790
that initial replication is going to be potentially a big one if you're

57
00:03:00,790 --> 00:03:03,880
in a mature domain environment with lots of objects,

58
00:03:03,880 --> 00:03:08,920
so you can save on all that replication traffic by doing an offline install

59
00:03:08,920 --> 00:03:12,800
from media to get the bulk of the directory on that machine.

60
00:03:12,800 --> 00:03:15,410
And then when you light up replication to it again,

61
00:03:15,410 --> 00:03:18,140
whether it's uni‑directional if it's an RODC,

62
00:03:18,140 --> 00:03:21,210
or bidirectional if it's a read‑write domain controller,

63
00:03:21,210 --> 00:03:24,740
it'll just be any updates that might have occurred to Active

64
00:03:24,740 --> 00:03:29,000
Directory since you created the media. See the idea?