Read-Only Domain Controllers (RODCs) and PowerShell
A feature of Active Directory from Windows Server 2008 onwards is the Read-Only Domain Controller (RODC). As the name suggests, an RODC is a Domain Controller that hosts a read-only copy of the AD database and SYSVOL. RODCs only cache the credentials of selected objects, which makes them very useful for branch offices where the level of on-site security may be less than desirable.
The concept is that if an RODC is compromised, you only have to reset the passwords of the accounts whose credentials are cached on that RODC. To take full advantage of this, you should ensure that only the necessary credentials are cached on a branch RODC (i.e. the accounts for computers and users based at the branch).
It is important to note that you must cache both the computer account and the user account for a user to be able to log on to that computer successfully when the RODC cannot communicate with a writeable DC.
Out of the box an RODC will not cache credentials for any object. It's standard practice to create a group, add the objects at the branch site to it, and add the group to the RODC's Password Replication Policy. Typically you will have OUs in your AD structure for each site, but you cannot add an OU to the replication policy, nor can you add a dynamic security group (which is more than a little annoying).
This can be overcome with a PowerShell script that keeps the objects within selected OUs synchronised with security groups, which you can then add to the Password Replication Policies of the RODCs in your environment.
Here's an example PowerShell script that you can use with little modification: RODC Account Sync Script
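As an added illustration of the approach described above (written for this page, not the linked script), the following keeps a security group's membership in step with the user and computer objects beneath a branch OU and then confirms the group is on the RODC's allowed list. The OU, group and RODC names are assumptions.

```powershell
# Added example: sync users AND computers under a branch OU into one group, then ensure
# that group is in the RODC's allowed Password Replication Policy list.
# Requires the ActiveDirectory module (RSAT). All names below are assumed for illustration.
Import-Module ActiveDirectory

$SiteOU    = 'OU=Branch01,OU=Sites,DC=example,DC=com'   # assumed branch OU
$SyncGroup = 'RODC-Branch01-Allowed'                    # assumed group placed on the RODC PRP
$Rodc      = 'RODC-BRANCH01'                            # assumed RODC computer name

# Desired membership: every user and every computer under the OU. Both kinds are needed,
# because an offline logon requires the computer account to be cached as well as the user.
$desired    = @(Get-ADUser     -Filter * -SearchBase $SiteOU -SearchScope Subtree) +
              @(Get-ADComputer -Filter * -SearchBase $SiteOU -SearchScope Subtree)
$desiredDNs = $desired | ForEach-Object { $_.DistinguishedName }

# Current membership of the group.
$current    = @(Get-ADGroupMember -Identity $SyncGroup)
$currentDNs = $current | ForEach-Object { $_.DistinguishedName }

# Apply only the delta (rather than clear-and-readd) so the change log stays small and auditable.
$toAdd    = $desired | Where-Object { $currentDNs -notcontains $_.DistinguishedName }
$toRemove = $current | Where-Object { $desiredDNs -notcontains $_.DistinguishedName }

if ($toAdd)    { Add-ADGroupMember    -Identity $SyncGroup -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $SyncGroup -Members $toRemove -Confirm:$false }

Write-Host ('{0}: +{1} / -{2} members' -f $SyncGroup, @($toAdd).Count, @($toRemove).Count)

# Make sure the group is actually on the RODC's allowed list. Entries on the denied list
# (e.g. Denied RODC Password Replication Group) still take precedence over this allow.
$groupObj = Get-ADGroup -Identity $SyncGroup
$allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
if (-not ($allowed | Where-Object { $_.DistinguishedName -eq $groupObj.DistinguishedName })) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $SyncGroup
    Write-Host ('Added {0} to the allowed list of {1}' -f $SyncGroup, $Rodc)
}
```

Removing an account from the group stops future caching but does not purge a secret already cached on the RODC; resetting that account's password (or clearing it with repadmin /prp delete) is what removes it. Run this on a schedule from a management host, not on the RODC itself.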
See Also:
Technet - Administering the Password Replication Policy