Prohibit users from authenticating exclusively on RODCs

In my Windows Server 2008 tip on permitting read-only domain controller authentication, I showed some of the additional configuration steps that may be required to use the feature as expected.
For security reasons, you may also want to explicitly prohibit certain accounts from ever having their credentials cached on read-only domain controllers (RODCs).
The default Windows Server 2008 Active Directory domain configuration delivers two groups for this: the Allowed RODC Password Replication Group (which I explained in my previous Windows Server 2008 tip) and the Denied RODC Password Replication Group. The Denied group holds the privileged groups by default (Domain Admins and Enterprise Admins among them), and any account that is a member of it, directly or through nesting, never has its password hash replicated to an RODC. The reason is simple: an RODC usually sits in a branch office with weaker physical security, and whatever secrets it stores are the secrets an attacker who walks off with the box obtains.
Figure A shows the groups that are denied by default and therefore cannot authenticate exclusively against the RODC.
Figure A

Members of these groups can still authenticate at the RODC's site; what they cannot do is authenticate exclusively against the RODC. Because their secrets are never cached, the RODC must forward each of their logon requests to a writable domain controller. Take the case where the RODC cannot reach one, for example because the WAN link to the hub site is down. Every authentication then has to be satisfied locally from the secrets the RODC has cached, and the users (and any computers, if present) covered by the Denied group will be unable to log on to the domain at that site.
You can add to or remove from this group as you see fit, but first decide whether the higher-privileged groups really need to log on at a branch site when the writable domain controller is unavailable; allowing a Domain Admin's secret to be cached hands that secret to whoever steals the RODC. A better practice is to create a separate security group of lower-privileged administrative accounts that are local administrators on the computers at RODC-served sites, and allow caching for that group instead. Keep in mind that Deny takes precedence over Allow, so an account that ends up in both lists is still never cached.
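The following PowerShell is an added example, not code from the original post. It checks that the privileged groups are still in the Denied group, creates the lower-privileged site admin group described above and allows caching for it, then shows the resulting policy on one RODC. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and later RSAT; plain Windows Server 2008 does not have it), an RODC named RODC01 and a group named RODC-Site-Admins; all three names are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# an RODC named RODC01 and a custom group named RODC-Site-Admins (all assumed).
Import-Module ActiveDirectory

$rodc       = 'RODC01'                                  # assumed RODC name
$siteAdmins = 'RODC-Site-Admins'                        # assumed custom group
$deniedGrp  = 'Denied RODC Password Replication Group'
$allowedGrp = 'Allowed RODC Password Replication Group'

# 1. Show what the domain-wide Denied group contains today.
$deniedNames = Get-ADGroupMember -Identity $deniedGrp |
    Select-Object -ExpandProperty SamAccountName
Write-Host "Members of ${deniedGrp}:"
$deniedNames | ForEach-Object { Write-Host "  $_" }

# 2. Verify the privileged groups you care about are still denied. If someone
#    removed Domain Admins from this group, its members' secrets could be cached
#    on every RODC in the domain.
$mustDeny = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
foreach ($g in $mustDeny) {
    if ($deniedNames -notcontains $g) {
        Write-Warning "$g is NOT in $deniedGrp; its members' passwords could be cached on an RODC"
    }
}

# 3. Create the lower-privileged site admin group (local admins on the site's
#    computers, not Domain Admins) and allow caching for it, so the site still
#    has someone who can log on when the link to the writable DC is down.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$siteAdmins'")) {
    New-ADGroup -Name $siteAdmins -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $allowedGrp -Members $siteAdmins

# 4. Confirm the effective policy on the RODC. Deny wins over Allow, so a site
#    admin who is also (directly or via nesting) a Domain Admin is still never cached.
Write-Host "Allowed list on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
Write-Host "Denied list on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
```

Run it from a workstation or hub-site DC with the RSAT AD module as an account that can modify the two built-in groups. The membership check in step 2 is the part worth scheduling: the Denied group is only effective as long as nobody quietly trims it.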
The higher-permission accounts can still authenticate through the RODC as long as a writable domain controller is reachable. You can see which accounts have done so by looking at the RODC's computer object in Active Directory Users And Computers; to do so, follow these steps:
  1. Right-click the RODC (under the Domain Controllers container) and select Properties.
  2. Click the Password Replication Policy tab.
  3. Click Advanced.
The Advanced Password Replication Policy dialog has two views: the accounts whose passwords are stored locally on this RODC, and the accounts (computer and user) that have been authenticated through the RODC (Figure B).

Figure B

In the example, Administrator appears in the authenticated view; however, the account is not listed under the other option (Accounts Whose Passwords Are Stored On This Domain Controller). That is exactly what the Denied group is supposed to produce: the logon was forwarded to a writable domain controller and nothing was cached. The authenticated view is also a convenient worklist for deciding which ordinary accounts at the site belong in the Allowed group so that they keep working during an outage.
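The same audit from the command line, as an added example rather than the post's own procedure: it pulls the "stored" and "authenticated" views for one RODC, cross-checks them against the Denied group's recursive membership, and flags any denied account whose secret is nevertheless cached. It assumes the ActiveDirectory module and an RODC named RODC01 (an assumption); the repadmin commands at the end give the same two views on plain Windows Server 2008, where the module is not available.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and an RODC named RODC01 (assumed name). repadmin.exe ships with the DC tools
# and works on Windows Server 2008 without the PowerShell module.
Import-Module ActiveDirectory
$rodc      = 'RODC01'
$deniedGrp = 'Denied RODC Password Replication Group'

# Accounts whose secrets are physically stored on the RODC (the "stored" view).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# Accounts that have authenticated through the RODC, whether served from cache
# or forwarded to a writable DC (the "authenticated" view). Administrator in the
# post's example appears here but not in the list above.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Resolve Denied group membership recursively so nested privileged users are caught.
$deniedMembers = Get-ADGroupMember -Identity $deniedGrp -Recursive |
    Select-Object -ExpandProperty DistinguishedName

# A denied account with a cached secret means the policy is not doing its job
# (the group was changed, or the account was cached before it was added).
$leaked = $revealed | Where-Object { $deniedMembers -contains $_.DistinguishedName }
if ($leaked) {
    Write-Warning "Denied group members with secrets cached on ${rodc}:"
    $leaked | Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize
} else {
    Write-Host "No Denied group members have cached secrets on $rodc."
}

# Denied accounts that merely authenticated are expected; this list shows who at
# the site depends on the WAN link to a writable DC being up.
$forwarded = $authenticated | Where-Object { $deniedMembers -contains $_.DistinguishedName }
Write-Host "Denied group members that authenticated through $rodc (forwarded to a writable DC):"
$forwarded | Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

# Accounts in the authenticated view that are not cached and not denied are the
# candidates to add to the Allowed list if they must work during an outage.
$candidates = $authenticated | Where-Object {
    ($deniedMembers -notcontains $_.DistinguishedName) -and
    (($revealed | Select-Object -ExpandProperty DistinguishedName) -notcontains $_.DistinguishedName)
}
Write-Host "Authenticated but not cached (Allowed list candidates):"
$candidates | Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

# Same two views without the module:
repadmin /prp view $rodc reveal   # secrets stored on this RODC
repadmin /prp view $rodc auth2    # accounts authenticated through this RODC
```

If the leaked list is ever non-empty, treat those secrets as exposed to anyone with physical access to that RODC and reset them; removing the account from the RODC's reveal list afterwards (repadmin /prp delete <RODC> reveal <account>) clears the cache entry but does not undo the exposure.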