Using a Read-Only Domain Controller to Prevent Disaster

If you have branch offices, you probably have domain controllers located on your branch office networks. The unfortunate thing about branch office networks is that their level of physical security isn’t what you typically find at the main office network. At the main office, the datacenter is protected with two factor authentication, sophisticated alarm systems, and industrial level climate controls. At the branch office, it’s not unusual to find the branch office domain controller under the secretary’s desk or in the lunch room. If someone where to break into the branch office, they could steal the domain controller and perform an offline attack on the AD database.

The problem of physical security is further exacerbated by the fact that often the domain controller is used for other purposes, such as a file server or an Exchange Server. This means that in order for users to perform maintenance on the file or mail server, they need to have domain administrator rights to log on to the domain controller. This gives the inexpert user access to the AD tools, such as Active Directory Users and Computers and Active Directory Sites and Services. The inexpert user can then accidentally delete any object in the AD database.

What’s the solution to this AD problem? The Windows Server 2008 read-only domain controller (RODC). A RODC contains only a read-only copy of the AD, so that users logging onto the RODC can only read information in the AD but cannot change anything. When AD replication takes place, it only take place in one direction — from the writable domain controller to the read-only domain controller.

In addition, the RODC doesn’t contain account information for all the users in the Active Directory. The RODC can be configured to cache or not cache log on credentials for users at the branch office who use that domain controller for log on. In most cases, you will want to enable caching of credentials, so that users can log on when the Internet or WAN link connection goes down. Now, even with cached credentials, if the machine is stolen, an offline attack will only yield the credentials of the users at the branch office, and it’s very unlikely that domain or enterprise administrators will have logged on using the branch office domain controller.

For even further control, should the domain or enterprise admin become aware that the branch office domain controller is stolen, a list of cached accounts is available to him on the writable domain controller at the main office. The domain or enterprise admin can then delete those accounts or reset the passwords from the main office. So even if the offline attack is successful, the results will be of no value to the attacker because the account have changed.

Another nice feature of the RODC is administrative role separation. You can configure the RODC to allow a user to log on using administrator privileges to install drivers, etc., but not allow them to access to any Active Directory components. Also, when you install the DNS service on the RODC, you have a read-only DNS server so the inexpert user can’t make changes in your domain DNS.

I highly recommend the RODC for all branch offices and any other locations where physical security is an issue or you need to enable inexpert users access to a domain controller. For more information about the Windows Server 2008 RODC, check out:



Thomas W Shinder, M.D.

Email: [email protected]
MVP – Microsoft Firewalls (ISA)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top