17 December 2013, Tuesday

Microsoft Windows Server: READ ONLY Domain Controllers ?! Nooooo

RODC? That's one of the biggest fallacies in IT I've ever seen. For those who don't know: it's a kind of domain controller meant to be placed in a branch office, i.e. an office where physical security is questionable and servers can easily be stolen.
RODCs don't have a writeable LDAP DB locally, so they forward all login requests to a RWDC. Do you see how super-secure they are?

Here is where the mystification begins: RODCs still have cached passwords locally, so if attackers gain direct access to the local system, those passwords could, theoretically, be compromised.
And the biggest, most terrible security risk: passwords and accounts still CAN BE reset, re-enabled or otherwise modified against an RODC. In this case the RODC stupidly forwards the request to a RWDC, and of course the RWDC will automatically commit and redistribute the changes because of the trust relationship between them.
In short: "When the password is changed or reset against an RODC, the RODC will forward the change to a W2K8 RWDC and after that it will automatically inbound replicate the password using the 'Replicate Single Object' method assuming the account for which the password was reset/changed is still allowed to be cached/stored."
See more info, for example, at http://social.technet.microsoft.com/Forums/windowsserver/en-US/198e7c6a-0541-43cf-803f-1259e66fdd80/how-to-know-readonly-domain-controller
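The practical question raised by the caching behaviour above is: which accounts' secrets actually sit on each RODC right now, and are any of them privileged? The following PowerShell script is an added example written for this post (it is not from the original post or from Microsoft); it assumes the RSAT ActiveDirectory module is installed, the caller has read access to the domain, and the privileged group names are the built-in defaults. It walks every RODC, prints its Password Replication Policy (the allowed and denied lists), lists the accounts whose passwords have been revealed to (cached on) that RODC, and warns about any cached user that is a member of a privileged group.

```powershell
# Added example, not code from the original post. Enumerates each RODC's
# Password Replication Policy and the accounts currently cached on it, and
# flags cached members of privileged groups. Assumes the RSAT ActiveDirectory
# module and default built-in group names.
Import-Module ActiveDirectory

# Groups whose members should never have secrets cached on a branch-office RODC.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                'Schema Admins', 'Account Operators', 'Server Operators',
                'Backup Operators')

foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
    Write-Host "=== RODC: $($rodc.HostName) (site: $($rodc.Site))"

    # Password Replication Policy: who may / may not be cached on this RODC.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Host "Allowed list: $($allowed.Name -join ', ')"
    Write-Host "Denied list : $($denied.Name -join ', ')"

    # Accounts whose password hashes actually live in this RODC's database.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Host "Cached (revealed) accounts: $(@($revealed).Count)"

    foreach ($acct in $revealed) {
        # Skip computer accounts and the RODC's own krbtgt_* account; we only
        # care about user principals here.
        if ($acct.ObjectClass -ne 'user') { continue }

        $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
                  Select-Object -ExpandProperty Name
        $hits = $groups | Where-Object { $privileged -contains $_ }
        if ($hits) {
            Write-Warning ("{0} is cached on {1} and is a member of: {2}" -f
                $acct.SamAccountName, $rodc.HostName, ($hits -join ', '))
        }
    }
}
```

Run it from a management host with the ActiveDirectory module loaded; it only reads. Any account the script warns about has a hash on a machine the post describes as stealable, so the remediation is to add it (or its group) to that RODC's denied list with Set-ADDomainControllerPasswordReplicationPolicy -Identity <RODC> -DeniedList <account>, and then reset the account's password so the copy already cached on the RODC is no longer valid.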