Windows Server 2008

Released in February 2008, Windows Server 2008 is a Microsoft operating system that shares the same code as Windows Vista. Ask questions about its features and system requirements here.

How many partitions can be active at any given point in time?

Asked by Wiki User

Ultimately, it can be limitless, but most hard drives will restrict you to 10 (being 0-9).

There are alternate methods used to create many more, but the more partitions you have, the more long term damage it can do to your hard drive. I wouldn't recommend doing more than 5 on a 500GB.

Which is the maximum amount of RAM supported by windows server 2008 R2 standard edition?

Asked by Wiki User

32-bit versions of Windows 2000 support up to 4 GB of RAM minus space used by devices in the address space on non-PAE capable systems. On PAE-capable systems, Windows 2000 can support, depending on the version, up to 64 GB of RAM.

How do you create a new application partition?

Asked by Wiki User

When you create an application directory partition, you are creating the first instance of this partition. You can create an application directory partition by using the create nc option in the domain management menu of Ntdsutil. When creating an application directory partition using LDP or ADSI, provide a description in the description attribute of the domain DNS object that indicates the specific application that will use the partition. For example, if the application directory partition will be used to store data for a Microsoft accounting program, the description could be "Microsoft accounting application". Ntdsutil does not facilitate the creation of a description.

To create or delete an application directory partition:

1. Open Command Prompt.
2. Type: ntdsutil
3. At the ntdsutil command prompt, type: domain management
4. At the domain management command prompt, do one of the following:
   · To create an application directory partition, type: create nc ApplicationDirectoryPartition DomainController

Answer:

Start >> Run >> CMD >> type "NTDSUTIL" and press Enter
Ntdsutil: domain management (press Enter)
Domain Management: Create NC dc=, dc=, dc=com <>

Use the DnsCmd command to create an application directory partition. To do this, use the following syntax:

DnsCmd ServerName /CreateDirectoryPartition FQDN of partition

To create an application directory partition named CustomDNSPartition on a domain controller named DC-1, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER: dnscmd DC-1 /createdirectorypartition CustomDNSPartition.contoso.com

When the application directory partition has been successfully created, the following information appears:

DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com
Command completed successfully.

Configure an additional domain controller that is acting as a DNS server to host the new application directory partition that you created. To do this, use the following syntax with the DnsCmd command:

DnsCmd ServerName /EnlistDirectoryPartition FQDN of partition

To configure the example domain controller named DC-2 to host this custom application directory partition, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER: dnscmd DC-2 /enlistdirectorypartition CustomDNSPartition.contoso.com

The following information appears:

DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com
Command completed successfully.
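The same procedure scripted end to end, as an added example that is not part of either answer above: it drives dnscmd.exe (the tool the answers use), stops on the first failure, and then verifies through LDAP which domain controllers are actually permitted to hold the new partition. The names DC-1, DC-2, CustomDNSPartition and contoso.com are taken from the answer; the verification logic and everything else here is assumed.

```powershell
# Added example (not from the original answers): create a custom DNS application
# directory partition with dnscmd, enlist a second DC, then verify via the crossRef
# object which DCs are allowed to replicate it. Requires RSAT-AD-PowerShell.
Import-Module ActiveDirectory

$PartitionFqdn = 'CustomDNSPartition.contoso.com'   # from the answer above
$CreatingDc    = 'DC-1'
$ExtraDcs      = @('DC-2')

function Invoke-DnsCmd {
    # dnscmd.exe is the tool the answer uses; wrap it so a non-zero exit stops the script.
    param([string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    $output
}

# 1. Create the partition; the first instance lives on the DC named here.
Invoke-DnsCmd @($CreatingDc, '/CreateDirectoryPartition', $PartitionFqdn)

# 2. Enlist every additional DNS-hosting DC that should replicate it.
foreach ($dc in $ExtraDcs) {
    Invoke-DnsCmd @($dc, '/EnlistDirectoryPartition', $PartitionFqdn)
}

# 3. Verify through the crossRef object in CN=Partitions. nCName is the partition DN;
#    msDS-NC-Replica-Locations lists the NTDS Settings objects permitted to hold a replica.
$partitionDn = 'DC=' + ($PartitionFqdn.Split('.') -join ',DC=')
$configNc    = (Get-ADRootDSE -Server $CreatingDc).configurationNamingContext
$crossRef    = Get-ADObject -Server $CreatingDc `
                 -SearchBase "CN=Partitions,$configNc" `
                 -LDAPFilter "(&(objectClass=crossRef)(nCName=$partitionDn))" `
                 -Properties nCName, 'msDS-NC-Replica-Locations'

if (-not $crossRef) { throw "No crossRef found for $partitionDn; creation failed or has not replicated yet." }

# Each value looks like CN=NTDS Settings,CN=<DC>,CN=Servers,... ; pull out <DC>.
$replicaDcs = $crossRef.'msDS-NC-Replica-Locations' |
    ForEach-Object { ($_ -split ',')[1] -replace '^CN=', '' }

"Partition $partitionDn is hosted by: $($replicaDcs -join ', ')"
# Any DC in this list that is not an intended DNS server should be removed with
# dnscmd <dc> /UnenlistDirectoryPartition <fqdn>; replica holders receive all zone data.
```

The crossRef check is the part worth keeping: the dnscmd success message only tells you the command was accepted on one server, while msDS-NC-Replica-Locations shows the full set of DCs that will end up holding the partition's data.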

How do you fix your computer which boots up but then displays a black screen with active mouse cursor?

Asked by Janpuncher

Not much information to start with, but this is a start that most people could do.

Start with the basics;

- boot in safemode and run a chkdsk from prompt

- run a virus scan

- if an application was installed before the hang, uninstall in safemode

- try a system restore to a date prior to the problem

- boot from CD and run a recovery

- restore from backup (if you backed up your system)

- if you have an image, revert back to it.

What is the Active Directory component that contains a reference to all objects within Active Directory called?

Asked by Wiki User

The Global Catalog has a reference to all objects within Active Directory. It is known as the GC.

What are the five FSMO roles in Active Directory forest with one parent and two child domains?

Asked by Wiki User

There are five roles:

They are further classified in two groups:

1. Forest Roles
  • Schema Master - As the name suggests, the changes that are made while creating any object in AD, or changes to attributes, will be made by a single domain controller and then replicated to the other domain controllers that are present in your environment. There is no corruption of the AD schema if all the domain controllers try to make changes. This is one of the very important roles in the FSMO roles infrastructure.
  • Domain Naming Master - This role is not used very often, only when you add/remove any domain controllers. This role ensures that there is a unique name for domain controllers in the environment.
2. Domain Roles
  • Infrastructure Master - This role checks the domain for changes to any objects. If any changes are found then it will replicate them to another domain controller.
  • RID Master - This role is responsible for making sure each security principal has a different identifier.
  • PDC Emulator - This role is responsible for account policies such as client password changes and time synchronization in the domain.
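An added example (not part of the answer above) that lists the holder of each role for the forest described in the question: the two forest-wide roles once, and the three domain-wide roles for every domain, so a parent with two children shows three sets of domain roles. It also flags the Infrastructure Master / Global Catalog placement caveat that is raised further down this page. Nothing is hard-coded; domain names come from the forest the session is joined to.

```powershell
# Added example (not from the original answer): enumerate FSMO role holders across
# a whole forest, with the IM-on-GC check. Requires RSAT-AD-PowerShell
# (Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $rows = @()
    $rows += New-Object PSObject -Property @{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster;       Note = '' }
    $rows += New-Object PSObject -Property @{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster; Note = '' }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = Get-ADDomainController -Filter * -Server $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $holder = $domain.$role
            $note   = ''
            # Caveat noted later on this page: in a multi-domain forest the Infrastructure
            # Master should not be a GC unless every DC in the domain is a GC, otherwise
            # cross-domain references stop being updated.
            if ($role -eq 'InfrastructureMaster' -and $forest.Domains.Count -gt 1) {
                $imIsGc = ($dcs | Where-Object { $_.HostName -eq $holder }).IsGlobalCatalog
                $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
                if ($imIsGc -and -not $allGc) { $note = 'IM is a GC while some DCs are not' }
            }
            $rows += New-Object PSObject -Property @{ Scope = $domainName; Role = $role; Holder = $holder; Note = $note }
        }
    }
    $rows
}

Get-FsmoHolders | Format-Table Scope, Role, Holder, Note -AutoSize
```

The holders reported by Get-ADForest and Get-ADDomain come from the fSMORoleOwner attributes, so they are what the directory believes; cross-check with netdom query fsmo if a DC has recently been lost, because a dead holder is still listed until the role is transferred or seized.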

What is a collection of computers that all utilize a central directory service for authentication and authorization and is usually associated with Active Directory?

Asked by Wiki User

It depends on your setup. If all of the computers are networked in a workgroup environment, then you need to have a locally stored profile on each computer that redirects to the master file server. The SAM will be the database in this case.

If you have a domain environment, then just join all of the computers into the domain and they should be able to log on to any computer on the network. AD will take care of security and NTDS.DIT will be the database in this case.

What happens when a domain controller that holds a FSMO role fails and will not returned to the network?

Asked by Wiki User

Yes, and it is recommended that the roles be seized and transferred to a healthy DC.

The way to transfer is as follows:

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

C:\WINDOWS>ntdsutil

ntdsutil:

2. Type roles, and then press ENTER.

ntdsutil: roles

fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

fsmo maintenance: connections

server connections:

4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

server connections: connect to server server100

Binding to server100 ...

Connected to server100 using credentials of locally logged on user.

server connections:

5. At the server connections: prompt, type q, and then press ENTER.

server connections: q

fsmo maintenance:

6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master.

Options are:

seize domain naming master
seize infrastructure master
seize PDC
seize RID master
seize schema master

7. You will receive a warning window asking if you want to perform the seize. Click Yes.

fsmo maintenance: seize infrastructure master

Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.

9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest
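The same seizure done with the Active Directory module instead of ntdsutil, as an added example that is not part of the answer above. Move-ADDirectoryServerOperationMasterRole with -Force behaves like the ntdsutil output shown: it attempts a clean transfer first and seizes only if the current holder cannot be contacted. The server name server100 comes from the answer; treating SERVER200 as the dead DC, the reachability guard and the verification step are assumptions added here.

```powershell
# Added example (not from the original answer): seize only the roles the dead DC still
# holds, refuse if that DC is actually reachable, then verify on the new holder.
# Requires RSAT-AD-PowerShell (Windows Server 2008 R2 and later) and Domain/Enterprise/
# Schema Admin rights for the corresponding roles.
Import-Module ActiveDirectory

$DeadDc   = 'SERVER200'   # assumed: the DC that will not return to the network
$TargetDc = 'server100'   # from the answer: the healthy DC that takes the roles

# Work out which roles the dead DC holds rather than seizing all five blindly.
$forest = Get-ADForest
$domain = Get-ADDomain
$roleHolders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$toSeize = @($roleHolders.Keys | Where-Object { $roleHolders[$_] -like "$DeadDc*" })
if ($toSeize.Count -eq 0) { "$DeadDc holds no roles; nothing to seize."; return }

# Seizing while the old holder is still alive produces two owners of the same role;
# for the RID Master that can mean overlapping RID pools and duplicate SIDs.
if (Test-Connection -ComputerName $DeadDc -Count 1 -Quiet) {
    throw "$DeadDc still responds; transfer the roles gracefully instead of seizing."
}

"Seizing $($toSeize -join ', ') onto $TargetDc"
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $toSeize -Force -Confirm:$false

# Verify by reading from the new holder directly so replication lag cannot mislead.
$forest = Get-ADForest -Server $TargetDc
$domain = Get-ADDomain -Server $TargetDc
foreach ($role in $toSeize) {
    $now = if ('SchemaMaster', 'DomainNamingMaster' -contains $role) { $forest.$role } else { $domain.$role }
    "$role -> $now"
}
# $DeadDc must never come back online as a DC after this: remove its metadata
# (ntdsutil "metadata cleanup") and rebuild it from scratch if the hardware is recovered.
```

The reachability check is deliberately conservative: Test-Connection only proves the host answers ICMP, so a DC that is up but has a broken directory service still passes it and should be handled with a graceful transfer, not a seizure.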

How do you set up a desktop PC as a server?

Asked by Wiki User

If you have Windows XP on your old computer, just use Remote Desktop... then you don't have to spend any money...

(There is a lot more to servers than just Remote Desktop.)

Buy a server OS (the cheapest Standard 'Server 2008' starts at $999.00).

Format the HD in your computer.

Install the new server OS.

Download and install new drivers; you might have to buy a few new parts because some parts weren't designed to be used in servers. No big deal, you can get whatever you need at newegg.com or your local PCWorld.

After about 2 - 3 hours of work you can enjoy your new server... :)

How can you downgrade a computer running Windows Server 2008 to Windows Server 2003 R2?

Asked by Wiki User

Hi, you cannot downgrade an operating system. You will have to nuke the hard drive and reload from the beginning. This is a tough one to do because you have to back up everything you want to keep and make sure you have all the drivers for everything in your computer. Let me know if you have any questions. -Nitin

Answer:

1. What you will receive: one copy of the applicable Windows Server downgrade software and associated product key.
2. The Downgrade Media Kit is not a new license for Windows Server. It may only be run under a valid license per the terms of those license terms. For example, a copy of Windows Server 2003 R2 Enterprise Edition may be run under a Windows Server 2008 license as permitted by the downgrade rights described in that license. Check the applicable license terms for specific information regarding the rights for the license.
3. Transfer rights apply to the original license you purchased.
4. Only 1 downgrade media kit per license.
5. The terms of this offer may be changed at any time without notice including, without limitation, the expiration date.
6. There is a fee for this downgrade to cover materials, shipping, handling, and fulfillment overhead. The fee will vary depending on your location. The amount will be presented to you prior to final submission of your order. At that time, you will have the opportunity to opt out before final order submission. The fee is non-refundable.
7. OEM customers: If you acquired your license with a new server from a server manufacturer, the downgrade software acquired through this program may not be supported by your OEM. Contact your server manufacturer for its support policy for running downgrade software on their server hardware.

Why is dns a requirement for active directory to work?

Asked by Wiki User

DNS is extremely important to all aspects of proper Active Directory operation. Any time a client makes a request for a domain service, it must find a domain controller to service that request, which is where DNS comes in to play.

There are two types of DNS queries: recursive and iterative.

When a DNS client requests DNS information, it uses a recursive query to do so.

In a recursive query, the DNS client sends its query to the first DNS server that it has been configured for in its TCP/IP configuration. It then sits and waits for the server to return an answer. If the server returns a positive response, the client will then go to the IP address returned by the server.

Why does Windows Server 2008 come in different versions?

Asked by Wiki User

Just as with consumer-oriented versions of Windows, Windows Server comes in several different varieties to accommodate features useful to different types of users. Large businesses are willing to pay dearly for operating systems that support dozens of processors and thousands of users, but a small business would be loath to pay the same price when all they want is to run a small-volume web server. By creating multiple versions with different feature sets, Microsoft is able to maximize its profits by gaining both types of customers.

What is the server used to run PHP in Windows?

Asked by Wiki User

One of the Windows Server operating systems.

PHP can be installed with Microsoft's IIS web server as an ISAPI filter, or you can install the WAMP server under Windows, which contains the Apache web server, the PHP interpreter, and MySQL.

There are others as well, such as the Xitami web server, etc., that work equally well with PHP under Windows.

Talk about all the AD-related roles in Windows Server 2008 R2?

Asked by Wiki User

Windows Server 2008 has five Active Directory-related roles. Below is the list:

1. Active Directory Domain Services (Identity): AD DS provides the functionality of an identity and access (IDA) solution for enterprise networks. It also provides the mechanisms to support, manage, and configure resources in distributed network environments.

2. Active Directory Lightweight Directory Services (Applications): AD LDS, formerly known as Active Directory Application Mode (ADAM), provides support for directory-enabled applications.

3. Active Directory Certificate Services (Trust): AD CS sets up a certificate authority for issuing digital certificates as part of a public key infrastructure (PKI) that binds the identity of a person, device or service to a corresponding private key. Certificates can be used to authenticate users and computers, provide web-based authentication, support smart card authentication, and support applications, including secure wireless networks, VPN, IPsec, EFS, and more.

4. Active Directory Rights Management Services (Integrity): AD RMS is an information-protection technology that enables you to implement persistent usage policy templates (for documents) that define allowed and unauthorized use whether online, offline, inside, or outside the firewall.

5. Active Directory Federation Services (Partnership): AD FS enables an organization to extend IDA across multiple platforms, including both Windows and non-Windows environments, and to project identity and access rights across security boundaries to trusted partners.

What are the differences between power user and administrator on Windows XP Pro?

Asked by Wiki User

Members of the Administrators group have total control over the computer and everything on it. The user named Administrator is the default account within this group. The domain account of each faculty or staff member with a Windows 2000 computer is part of the Administrators group on his or her computer. Administrators can:

* Create, modify, and access local user accounts
* Install new hardware and software
* Upgrade the operating system
* Back up the system and files
* Claim ownership of files that have become damaged
* Do anything a Power User can

The Power User class can perform any task except for those reserved for Administrators. They are allowed to carry out functions that will not directly affect the operating system or risk security. All domain accounts are part of the Power Users group on public Windows 2000 computers. Power Users can:

* Create local user accounts
* Modify user accounts which they have created
* Change user permissions on users, power users, and guests
* Install and run applications that do not affect the operating system
* Customize settings and resources on the Control Panel, such as Printers, Date/Time, and Power Options
* Do anything a User can

Power Users cannot:

* Access other users' data without permission
* Delete or modify user accounts they did not create

A provides a two-way transitive trust relationship between all domains within two forest?

Asked by Wiki User

Tree-Root Trust or cross forest trust (windows server 2008 active directory)

What is the active directory clients rely on in dns to locate active directory resources such as domain controllers and global catalog servers?

Asked by Wiki User

SRV Resource Records

When a Windows 2000-based domain controller starts up, the Net Logon service uses dynamic updates to register SRV resource records in the DNS database, as described in "A DNS RR for specifying the location of services (DNS SRV)".

The SRV record is used to map the name of a service (in this case, the LDAP service) to the DNS computer name of a server that offers that service. In a Windows 2000 network, an LDAP resource record locates a domain controller.

A workstation that is logging on to a Windows 2000 domain queries DNS for SRV records in the general form:

_Service._Protocol.DnsDomainName

Active Directory servers offer the LDAP service over the TCP protocol; therefore, clients find an LDAP server by querying DNS for a record of the form:

_ldap._tcp.DnsDomainName

_msdcs Subdomain

There are possible implementations of LDAP servers other than Windows 2000-based domain controllers. There are also possible implementations of LDAP directory services that employ Global Catalog servers but are not servers that are running Windows 2000. To facilitate locating Windows 2000-based domain controllers, in addition to the standard _Service._Protocol.DnsDomainName format, the Net Logon service registers SRV records that identify the well-known server-type pseudonyms "dc" (domain controller), "gc" (Global Catalog), "pdc" (primary domain controller), and "domains" (globally unique identifier, or GUID) as prefixes in the _msdcs subdomain. This Microsoft-specific subdomain allows location of domain controllers that have Windows 2000-specific roles in the domain or forest, as well as location by GUID when a domain has been renamed. To accommodate locating domain controllers by server type or by GUID (abbreviated "dctype"), Windows 2000-based domain controllers register SRV records in the following form:

_Service._Protocol.DcType._msdcs.DnsDomainName

The addition of the _msdcs subdomain means that two sets of DNS names can be used to find an LDAP server: DnsDomainName is used to find an LDAP server or Kerberos server that is running TCP (or, in the case of a Kerberos server, either TCP or the User Datagram Protocol [UDP]), and the subdomain _msdcs.DnsDomainName is used to find an LDAP server that is running TCP and also functioning in a particular Windows 2000 role. The name "_msdcs" is reserved for locating domain controllers. The single keyword "_msdcs" was chosen to avoid cluttering the DNS namespace unnecessarily. Other constant, well-known names (pdc, dc, and gc) were kept short to avoid exceeding the maximum length of DnsDomainName.
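An added example, not part of the answer above, that builds the locator names in the forms just described and resolves them, then checks every SRV target against the DCs the directory knows about. Resolve-DnsName belongs to the DnsClient module (Windows 8 / Server 2012 and later); on Server 2008 the equivalent manual query is nslookup -type=SRV <name>. The domain contoso.com and the site name are assumptions.

```powershell
# Added example (not from the original answer): resolve the DC locator SRV records
# and flag targets that are not known domain controllers. Requires the DnsClient
# module for Resolve-DnsName and RSAT-AD-PowerShell for Get-ADDomainController.
Import-Module ActiveDirectory

$DnsDomainName = 'contoso.com'                 # assumed
$SiteName      = 'Default-First-Site-Name'     # assumed

# The forms from the answer: generic _Service._Protocol.DnsDomainName, and the
# _msdcs variants that only Windows DCs register.
$locatorNames = @(
    "_ldap._tcp.$DnsDomainName",                              # any LDAP server in the domain
    "_kerberos._tcp.$DnsDomainName",                          # KDCs
    "_ldap._tcp.dc._msdcs.$DnsDomainName",                    # dctype dc: Windows DCs only
    "_ldap._tcp.pdc._msdcs.$DnsDomainName",                   # dctype pdc: the PDC emulator
    "_ldap._tcp.gc._msdcs.$DnsDomainName",                    # dctype gc: registered under the forest root name
    "_ldap._tcp.$SiteName._sites.dc._msdcs.$DnsDomainName"    # DCs in one site
)

function Get-DcLocatorRecords {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Resolve-DnsName also returns A records for the targets; keep only the SRV answers.
        $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        if (-not $answers) {
            New-Object PSObject -Property @{ Query = $name; Target = '(no answer)'; Port = $null; Priority = $null; Weight = $null }
            continue
        }
        foreach ($a in $answers) {
            New-Object PSObject -Property @{ Query = $name; Target = $a.NameTarget; Port = $a.Port; Priority = $a.Priority; Weight = $a.Weight }
        }
    }
}

$records = Get-DcLocatorRecords -Names $locatorNames
$records | Format-Table Query, Target, Port, Priority, Weight -AutoSize

# Every SRV target should be a DC the directory knows about. An unexpected hostname is
# either a stale record or evidence that someone else can register SRV records in the
# zone and steer clients' LDAP and Kerberos traffic to a host of their choosing.
$knownDcs = (Get-ADDomainController -Filter * -Server $DnsDomainName).HostName
$records |
    Where-Object { $_.Target -ne '(no answer)' -and $knownDcs -notcontains $_.Target.TrimEnd('.') } |
    ForEach-Object { Write-Warning "SRV target $($_.Target) for $($_.Query) is not a known DC" }
```

The _msdcs names are the ones that matter for authentication: a client that gets a wrong answer for _ldap._tcp.dc._msdcs.<domain> will happily bind to whatever host is returned, so the comparison against Get-ADDomainController is the check to automate.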

Why are the modifications necessary to DNS for accommodating Read Only Domain Controllers?

Asked by Wiki User

"Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a "writable DNS server." When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site.

The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update. The client can then perform its update.

If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.

Suppose that a new client is introduced to a site that has a DNS server running only on an RODC. In this case, the RODC DNS server tries to replicate the DNS record that the client has tried to update on the writable DNS server. This occurs approximately five minutes after the RODC provides a response to the original Find Authoritative Query.

If the DNS client on the RODC attempts a DNS update, a writable domain controller running Windows Server 2008 is returned so that the RODC can perform the update."

thamilselvan@hp.com

AD DS: Read-Only Domain Controllers

A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.

Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.

Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:

* Improved security

* Faster logon times

* More efficient access to resources on the network

What does an RODC do?

Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.

However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.

In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.

An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.

You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.

Who will be interested in this feature?

RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically have the following characteristics:

* Relatively few users

* Poor physical security

* Relatively poor network bandwidth to a hub site

* Little knowledge of information technology (IT)

You should review this section, and the additional supporting documentation about RODC, if you are in any of the following groups:

* IT planners and analysts who are technically evaluating the product

* Enterprise IT planners and designers for organizations

* Those responsible for IT security

* AD DS administrators who deal with small branch offices

Are there any special considerations?

To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.

For more information about prerequisites for deploying an RODC,

What new functionality does this feature provide?

RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it. The following RODC functionality mitigates these problems:

* Read-only AD DS database

* Unidirectional replication

* Credential caching

* Administrator role separation

* Read-only Domain Name System (DNS)

Read-only AD DS database

Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.

Local applications that request Read access to the directory can obtain access. Lightweight Directory Access Protocol (LDAP) applications that request Write access receive an LDAP referral response. This response directs them to a writable domain controller, normally in a hub site.

RODC filtered attribute set

Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is compromised.

For these types of applications, you can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set. Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest.

A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request can succeed.

Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.

You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it is required for AD DS, the Local Security Authority (LSA), the Security Accounts Manager (SAM), and Microsoft-specific Security Service Provider Interfaces (SSPIs), such as Kerberos, to function properly. A system-critical attribute has a schemaFlagsEx attribute value equal to 1 (schemaFlagsEx attribute value & 0x1 = TRUE).

The RODC filtered attribute set is configured on the server that holds the schema operations master role. If you try to add a system-critical attribute to the RODC filtered set while the schema master is running Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema master be a Windows Server 2008 domain controller when you add attributes to RODC filtered attribute set. This ensures that system-critical attributes are not included in the RODC filtered attribute set.

Unidirectional replication

Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and the effort required to monitor replication.

RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes.

Note

Any other shares on an RODC that you configure to replicate using DFS Replication would be bidirectional.

RODCs also perform automatic load balancing of inbound replication connection objects across a set of bridgehead servers in a hub site.

Credential caching

Credential caching is the storage of user or computer credentials. Credentials consist of a small set of approximately 10 passwords that are associated with security principals. By default, an RODC does not store user or computer credentials. The exceptions are the computer account of the RODC and a special krbtgt account that each RODC has. You must explicitly allow any other credential caching on an RODC.

The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts ticket-granting ticket (TGT) requests.

After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes that the request is coming from an RODC and consults the Password Replication Policy in effect for that RODC.

The Password Replication Policy determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the writable domain controller replicates the credentials to the RODC, and the RODC caches them.

After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.)

By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that are cached can potentially be cracked.

Leaving credential caching disabled might further limit exposure, but it results in all authentication requests being forwarded to a writable domain controller. An administrator can modify the default Password Replication Policy to allow users' credentials to be cached at the RODC.

Administrator role separation

You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the branch user can be delegated the ability to effectively manage the RODC in the branch office without compromising the security of the rest of the domain.

Read-only DNS

You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC, clients can query it for name resolution as they query any other DNS server.

However, the DNS server on an RODC is read-only and therefore does not support client updates directly. For more information about how DNS client updates are processed by a DNS server on an RODC,

What settings have been added or changed?

To support the RODC Password Replication Policy, Windows Server 2008 AD DS includes new attributes. The Password Replication Policy is the mechanism for determining whether a user's credentials or a computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.

AD DS attributes that are added in the Windows Server 2008 Active Directory schema to support RODCs include the following:

* msDS-Reveal-OnDemandGroup

* msDS-NeverRevealGroup

* msDS-RevealedList

* msDS-AuthenticatedToAccountList

For more information about these attributes, see the RODC Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993).

How should I prepare to deploy this feature?

The prerequisites for deploying an RODC are as follows:

* The RODC must forward authentication requests to a writable domain controller running Windows Server 2008. The Password Replication Policy is set on this domain controller to determine if credentials are replicated to the branch location for a forwarded request from the RODC.

* The domain functional level must be Windows Server 2003 or higher so that Kerberos constrained delegation is available. Constrained delegation is used for security calls that must be impersonated under the context of the caller.

* The forest functional level must be Windows Server 2003 or higher so that linked-value replication is available. This provides a higher level of replication consistency.

* You must run adprep /rodcprep once in the forest to update the permissions on all the DNS application directory partitions in the forest. This way, all RODCs that are also DNS servers can replicate the permissions successfully.
AD DS: Read-Only Domain Controllers

A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.

Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.

Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:

* Improved security

* Faster logon times

* More efficient access to resources on the network

What does an RODC do?

Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.

However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.

In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.

An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.

You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.

Who will be interested in this feature?

RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically have the following characteristics:

* Relatively few users

* Poor physical security

* Relatively poor network bandwidth to a hub site

* Little knowledge of information technology (IT)

You should review this section, and the additional supporting documentation about RODC, if you are in any of the following groups:

* IT planners and analysts who are technically evaluating the product

* Enterprise IT planners and designers for organizations

* Those responsible for IT security

* AD DS administrators who deal with small branch offices

Are there any special considerations?

To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.

For more information about prerequisites for deploying an RODC,

What new functionality does this feature provide?

RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it. The following RODC functionality mitigates these problems:

* Read-only AD DS database

* Unidirectional replication

* Credential caching

* Administrator role separation

* Read-only Domain Name System (DNS)

Read-only AD DS database

Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.

Local applications that request Read access to the directory can obtain access. Lightweight Directory Application Protocol (LDAP) applications that request Write access receive an LDAP referral response. This response directs them to a writable domain controller, normally in a hub site.

RODC filtered attribute set

Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is compromised.

For these types of applications, you can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set. Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest.

A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request can succeed.

Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.

You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it is required for AD DS, Local Security Authority (LSA), Security Accounts Manager (SAM), and Microsoft-specific Security Service Provider Interfaces (SSPIs), such as Kerberos, to function properly. A system-critical attribute has a schemaFlagsEx attribute value equal to 1 (schemaFlagsEx attribute value & 0x1 = TRUE).

The RODC filtered attribute set is configured on the server that holds the schema operations master role. If you try to add a system-critical attribute to the RODC filtered attribute set while the schema master is running Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema master be a Windows Server 2008 domain controller when you add attributes to the RODC filtered attribute set. This ensures that system-critical attributes are not included in the RODC filtered attribute set.

Unidirectional replication

Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and the effort required to monitor replication.

RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes.

Note

Any other shares on an RODC that you configure to replicate using DFS Replication would be bidirectional.

RODCs also perform automatic load balancing of inbound replication connection objects across a set of bridgehead servers in a hub site.

Credential caching

Credential caching is the storage of user or computer credentials. Credentials consist of a small set of approximately 10 passwords that are associated with security principals. By default, an RODC does not store user or computer credentials. The exceptions are the computer account of the RODC and a special krbtgt account that each RODC has. You must explicitly allow any other credential caching on an RODC.

The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts ticket-granting ticket (TGT) requests.

After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes that the request is coming from an RODC and consults the Password Replication Policy in effect for that RODC.

The Password Replication Policy determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the writable domain controller replicates the credentials to the RODC, and the RODC caches them.

After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.)

By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that are cached can potentially be cracked.

Leaving credential caching disabled might further limit exposure, but it results in all authentication requests being forwarded to a writable domain controller. An administrator can modify the default Password Replication Policy to allow users' credentials to be cached at the RODC.

Administrator role separation

You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the branch user can be delegated the ability to effectively manage the RODC in the branch office without compromising the security of the rest of the domain.

Read-only DNS

You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC, clients can query it for name resolution as they query any other DNS server.

However, the DNS server on an RODC is read-only and therefore does not support client updates directly. For more information about how DNS client updates are processed by a DNS server on an RODC,

What settings have been added or changed?

To support the RODC Password Replication Policy, Windows Server 2008 AD DS includes new attributes. The Password Replication Policy is the mechanism for determining whether a user's credentials or a computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.

AD DS attributes that are added in the Windows Server 2008 Active Directory schema to support RODCs include the following:

* msDS-Reveal-OnDemandGroup

* msDS-NeverRevealGroup

* msDS-RevealedList

* msDS-AuthenticatedToAccountList

For more information about these attributes, see the RODC Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993).

How should I prepare to deploy this feature?

The prerequisites for deploying an RODC are as follows:

* The RODC must forward authentication requests to a writable domain controller running Windows Server 2008. The Password Replication Policy is set on this domain controller to determine if credentials are replicated to the branch location for a forwarded request from the RODC.

* The domain functional level must be Windows Server 2003 or higher so that Kerberos constrained delegation is available. Constrained delegation is used for security calls that must be impersonated under the context of the caller.

* The forest functional level must be Windows Server 2003 or higher so that linked-value replication is available. This provides a higher level of replication consistency.

* You must run adprep /rodcprep once in the forest to update the permissions on all the DNS application directory partitions in the forest. This way, all RODCs that are also DNS servers can replicate the permissions successfully.

Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a "writable DNS server." When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site.

The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update. The client can then perform its update.

If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.

Suppose that a new client is introduced to a site that has a DNS server running only on an RODC. In this case, the RODC DNS server tries to replicate the DNS record that the client has tried to update on the writable DNS server. This occurs approximately five minutes after the RODC provides a response to the original Find Authoritative Query.

If the DNS client on the RODC attempts a DNS update, a writable domain controller running Windows Server 2008 is returned so that the RODC can perform the update.
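The credential-caching flow and the Password Replication Policy attributes described in the answer above, modelled as an added example (not Microsoft code and not part of the original answer). Account and group names are constructed, and the rule that a deny entry overrides an allow entry is standard PRP behaviour that the answer itself does not spell out.

```python
"""Model of the RODC credential-caching flow and Password Replication
Policy (PRP). Added illustration, not Microsoft code: accounts and group
names are constructed sample data, and 'deny wins over allow' is standard
PRP behaviour not stated in the text above."""
from dataclasses import dataclass, field


@dataclass
class Rodc:
    """Constructed stand-in for the PRP attributes on an RODC computer object."""
    name: str
    reveal_on_demand: set        # msDS-Reveal-OnDemandGroup (Allowed list)
    never_reveal: set            # msDS-NeverRevealGroup (Denied list)
    revealed: set = field(default_factory=set)          # msDS-RevealedList
    authenticated_to: set = field(default_factory=set)  # msDS-AuthenticatedToAccountList


def prp_allows(rodc, principal, membership):
    """Decision the writable DC makes when the RODC requests a principal's
    secrets: an explicit deny always wins, otherwise the principal or one of
    its groups must be in the allow list."""
    identities = membership.get(principal, set()) | {principal}
    if identities & rodc.never_reveal:
        return False
    return bool(identities & rodc.reveal_on_demand)


def logon_at_rodc(rodc, principal, membership):
    """Simulate one logon handled by the RODC; return where the credentials
    were served from."""
    rodc.authenticated_to.add(principal)            # always recorded
    if principal in rodc.revealed:
        return "cached-on-rodc"                     # served locally
    if prp_allows(rodc, principal, membership):
        rodc.revealed.add(principal)                # hub DC replicates, RODC caches
        return "replicated-and-cached"
    return "forwarded-to-writable-dc"               # nothing cached on the RODC


def exposure_if_stolen(rodc):
    """Accounts whose secrets are recoverable from a stolen RODC."""
    return sorted(rodc.revealed)


def cache_candidates(rodc):
    """Accounts that logged on through this RODC but are not cached: what an
    admin reviews before widening the allow list."""
    return sorted(rodc.authenticated_to - rodc.revealed)


# Constructed sample directory: group membership per account.
MEMBERSHIP = {
    "alice": {"Branch01-Users"},
    "bob": set(),
    "carol": {"Branch01-Users", "Denied RODC Password Replication Group"},
    "dadmin": {"Domain Admins", "Denied RODC Password Replication Group"},
}


def demo():
    rodc = Rodc("RODC-BRANCH01", reveal_on_demand={"Branch01-Users"},
                never_reveal={"Denied RODC Password Replication Group"})
    results = {u: logon_at_rodc(rodc, u, MEMBERSHIP) for u in MEMBERSHIP}
    results["alice-again"] = logon_at_rodc(rodc, "alice", MEMBERSHIP)
    return results, exposure_if_stolen(rodc), cache_candidates(rodc)
```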
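The DNS-update referral described in the last paragraphs of the answer above (Find Authoritative query, referral to a writable DNS server, and the RODC pulling the record roughly five minutes later), as an added example that is not Microsoft code. Host names, zone data and the 300-second delay are constructed sample values.

```python
"""Model of the DNS-update referral performed by the DNS server on an RODC.
Added illustration, not Microsoft code; names, zone data and timings are
constructed."""


def _norm(name):
    """DNS names are case-insensitive; compare them in canonical form."""
    return name.rstrip(".").lower()


def pick_writable_dns_server(zone_ns_records, closest_site_dcs, forest_dcs):
    """First pass: DCs in the closest site (from the DC Locator) that are
    also NS for the zone. Second pass: any DC in the forest. None if no
    writable server is known."""
    ns_names = {_norm(n) for n in zone_ns_records}
    for candidates in (closest_site_dcs, forest_dcs):
        for dc in candidates:
            if _norm(dc) in ns_names:
                return _norm(dc)
    return None


class RodcDnsServer:
    REPLICATE_DELAY = 300  # seconds; "approximately five minutes" in the text

    def __init__(self, zone_ns_records, records):
        self.zone_ns_records = list(zone_ns_records)
        self.records = dict(records)  # read-only copy of the zone on the RODC
        self.pending = []             # (due_at, fqdn) single-record pulls

    def find_authoritative(self, fqdn, now, closest_site_dcs, forest_dcs):
        """Answer the precursor to an update: refer the client to a writable
        server and schedule a pull of that record."""
        target = pick_writable_dns_server(self.zone_ns_records,
                                          closest_site_dcs, forest_dcs)
        if target is not None:
            self.pending.append((now + self.REPLICATE_DELAY, _norm(fqdn)))
        return target

    def run_pending(self, now, writable_zone):
        """Pull due records from the writable server's zone (constructed dict)."""
        still_due = []
        for due_at, fqdn in self.pending:
            if due_at > now:
                still_due.append((due_at, fqdn))
            elif fqdn in writable_zone:  # client really did update
                self.records[fqdn] = writable_zone[fqdn]
        self.pending = still_due
        return dict(self.records)


def demo():
    rodc = RodcDnsServer(zone_ns_records=["DC1.corp.example.", "dc2.corp.example."],
                         records={"dc1.corp.example": "10.0.0.1"})
    # A new client in the branch asks the RODC who is authoritative for its name.
    target = rodc.find_authoritative("LAPTOP7.corp.example", now=0,
                                     closest_site_dcs=["rodc1.corp.example", "dc2.corp.example"],
                                     forest_dcs=["dc1.corp.example"])
    # The client then updates its record on the writable server (constructed zone).
    writable_zone = {"dc1.corp.example": "10.0.0.1", "laptop7.corp.example": "10.1.0.42"}
    before = rodc.run_pending(now=60, writable_zone=writable_zone).get("laptop7.corp.example")
    after = rodc.run_pending(now=300, writable_zone=writable_zone).get("laptop7.corp.example")
    return target, before, after
```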