A domain controller holds a copy of the directory partition for the domain. It contains sensitive information such as user and computer accounts and the hash value of those accounts' passwords. Ideally, the servers running Active Directory Domain Services are in a secure location where only authorized users can access the servers. However, it's also necessary to keep the domain controllers close to the users to process logins locally and to process logins if a WAN connection should fail, that means keeping one or more domain controllers at remote locations.

The same physical security advice applies to remote locations. Keep the servers locked up safely where only authorized users can access the hardware. Unfortunately, that's not always possible. I've experienced this first-hand. Sometimes in small branch offices, there's no room with power and cooling to accommodate the hardware running domain services. In those cases, the local support staff may keep it at their desk or maybe a receptionist or office manager will take care of it. This presents a problem, how do we provide the speed and reliability of an on-premises

domain controller without the risk of limited physical security? That's where Read-Only Domain Controllers can help. A Read-Only Domain controller, as the name implies, has a Read-Only copy of the Active Directory Database partition. All Active Directory items are replicated to the Read-Only Domain Controller, with the exception of account passwords. Without the passwords, the database is much less useful for anyone who gains access to the domain controller with malicious intent. Domain controllers use a multi-master database that replicates changes between all domain controllers to keep them in sync.

A Read-Only Domain Controller does not make any changes to its local copy of the database. They use unidirectional replication. Changes are replicated to the database, but not from the Read-Only Domain Controller Database. That prevents any unauthorized changes from replicating back to the domain. Unidirectional replication applies to Active Directory Domain Services and replication of the sysvol folder; the folder that holds scripts, group policy and other files necessary for active directory.

So far, we outlined that changes to active directory replicate to the Read-Only Domain Controller. By default, that does not include password hashes. We also learned that one of the advantages of Read-Only Domain Controllers is it will process logins in the event of a WAN connection failure. But how can we process logins if the WAN connection is down and there are no password hashes? The short answer is it can't, at least not by default. We can set credentials in the domain that are allowed to replicate password hashes to the Read-Only Domain Controller with a Password Replication Policy.

Once the user logs in at the site with a Read-Only Domain Controller, the credentials are cashed and available in the event of a WAN outage. Any user logging into the location with a Read-Only Domain Controller should not have elevated privileges in the domain. The password replication policy should be limited to a small subset of users in the domain, reducing the impact of a breach should the domain controller become compromised.

We can also create Read-Only DNS zones on the Read-Only Domain Controller. A common method for implementing DNS with Windows AD is to integrate the DNS zone into AD. On a read only domain controller, that means the DNS server will have a Read-Only copy of the DNS zone. In this configuration, the clients using the Read-Only Domain Controller will not be able to update DNS directly. DNS entries will have to be manually added from the Read/Write Domain Controller. By default, the domain admin has local administrative rights to a domain controller.

With Read-Only Domain Controllers, it may be undesirable to supply domain admin credentials to users on site to take care of things such as gracefully shutting down or server maintenance. Instead, we delegate local administrative privileges to a user without giving them rights to the domain. This allows local users to perform tasks such as gracefully shutting down servers or updating drivers without granting them administrative access to the domain. Read-Only Domain Controllers give us the flexibility to provide essential active directory services to small and remote offices where it's not possible to physically secure hardware. Please join me in the upcoming demo, where we deploy a Read-Only Domain Controller and update the Password Replication Policy.