|
For Exchange, there has been a lot around Exchange. At no
point though have I heard that they were even going to start consider supporting
Exchange with RODCs. I have hear a lot of absolutely we will not support
Exchange that way. If Exchange were supported, not to be a pain, but I can't
imagine what a horrible mess that would turn into to support. It isn't my
opinion that the Exchange team has been wonderfully good at writing code to
utilize AD as it is already and it is currently relatively
simple.
I agree on the naming with Guido. Though straw poll now for
the folks who plan on using RODCs, who plans to just tell them to cache all
passwords as necessary (excluding admin accounts of course)? Or to put it
another way, who plans to use RODCs and then actively try to manage where
passwords can be cached? I would not be surprised to hear that RODCs are going
out the door with the dial all the way to the right (or left if you prefer) and
everything but admin passwords are being cached. It still gives a ton of
benefit, i.e. someone screws with it and that can't (allegedly) get back to the
"real" directory and not all password hashes would be on all RODCs, it would be
based on who actually auth'ed at the local DC.
If I could do it dynamically, I would like to do something
like, if the user/computer has attempted to log into RODC(x) more than y times
in the last z days, then cache the password locally. If the user/computer hasn't
authed there in v times in the last w days, then remove them from the
policy for that RODC again.
My theory is that unless this management is extremely
simple and mostly automated, most folks won't use it because the security
concerns probably aren't all that high since most users won't be authenticating
(and therefore caching) their passwords on most RODCs.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, July 31, 2006 4:06 AM To: [email protected] Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core RODCs
do NOT replicate a subset of objects => right now they basically replicate
everything a normal DC has (i.e. the full domain NC, config and schema), less
the password hashes of any users. The OU
vs. group discussion was solely around configuring the so called “Password
Replication Policy” (bad name) for an RODC – and after discussing this here and
offline, doing various tests and elaborating about possible usage scenarios, I
agree that configuring this policy by OU doesn’t really give you enough
flexibility. I would actually love to configure it by an LDAP query
leveraging any appropriate attributes – but this is simply to resource intensive
during the authentication. Leveraging groups gives us the option to
automatically provision the memberships appropriately though. Don’t forget,
you’ll have to do this for users and computers. Why is
“Password Replication Policy” a bad name? Because that’s not what it does –
calling it “Password Caching Policy” would be more appropriate, as an RODC would
never store a users pwd-hash unless he has logged onto that RODC. Once the
pwd is changed, an RODC will NOT update the hash – it will only be updated the
next time a user uses that same RODC. I don’t mind this mechanism – it
provides an automatic “cleanup” mechanism and thus lowers the attack surface if
a policy allowed many RODCs to cache a users PWD. But the name “Replication
Policy” suggests that an RODC would actually replicate the new password when it
is changed on a WDC (writeable DC), which is confusing. Replicating
only parts of a tree (i.e. only specific OUs) would be a totally different
story, which I also hope to see in the future (but won’t be part of this version
of RODC). However, RODCs will also be able to replicate the GC partitions
(making them an ROGC) – but from what I understand this will only be sufficient
for authenticating, but not to be used as a GC for Exchange (I guess since
Exchange simply needs that writeable domain partition). So placing an ROGC in a
remote site will not be sufficient if you also have an Exchange server in that
site. Exchange
2007 edge servers is yet another different story – not sure if they can benefit
from RODCs. /Guido From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Paul Mayes Apologies
as I’m reading in digest. But I just wanted to chip something into this
surrounding OU’s versus groups as it was something that I’ve been thinking about
on my mind-numbing commute.
I
understood that RODC’s could be configured to be a read only subset of objects
(users) from the writeable AD, or that you could set them to cache which would
also be useful to catch user population at a given site if this was unknown. I
remember there being a long discussion at the back of DEC about people wanting
the subset replication to be based around OU’s rather than groups, and lots of
people being quite passionate about it. The thing that struck me was how would
you then deal with group membership where the group was sat in a totally
different part of the tree? Somehow you’ve got to get that closed set to work
with, which is very loosely linked to migration strategies. (Blimey I must have
paid attention on that migration course all of those years ago.). And then
you’ve got constraints on OU structures for if they are now partitions for
replication in some capacity.
How
wrong is this understanding?
If
it’s kind of right, then at some point in the future are we going to see
multiple domain partitions hosted on DC’s? ‘Cos that would be nice as well as
the ability to replicate subsets as read only. Where a GC could hold writeable
copies of domain partitions that weren’t from it’s particular domain in the
forest….. etc… mmm DC consolidation, the possibilities!
Then
going more OT. There were also rumblings about ROGC’s so that didn’t contain
sensitive info and could be used purely for email purposes without the baggage
of a full fat DC. Is this correct and how does this relate to Exchange 2007 and
it’s Edge servers, which from what I can gather are looking to suck bits of the
AD into an ADAM for kind of the same purpose as an ROGC would perform? I may be
totally babbling now.
RE: [ActiveDir] Read-Only Domain Controller and Server
Core
|
- RE: [ActiveDir] Read-Only D... Nathan Muggli
- RE: [ActiveDir] Read-O... joe
- RE: [ActiveDir] Re... Laura A. Robinson
- Re: [ActiveDir] Read-O... Al Mulnick
- RE: [ActiveDir] Read-O... joe
- RE: [ActiveDir] Re... David Adner
- RE: [ActiveDir] Read-O... joe
- Re: [ActiveDir] Read-O... Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
- RE: [ActiveDir] Read-O... Grillenmeier, Guido
- RE: [ActiveDir] Re... Eric Fleischman
