Limitations Associated with Windows Server 2008 R2 RODCs

There are situations when RODCs cannot be used. This is the case with bridgehead servers and operations master role holders. For example, a Windows Server 2008 R2 bridgehead server is responsible for managing Active Directory replication from a physical site. Because an RODC can only perform inbound unidirectional replication, it cannot be designated as a bridgehead server because these servers must support both inbound and outbound replication.

An RODC also cannot function as a Flexible Single Master Operations (FSMO) role holder. Each FSMO role needs to write information to an Active Directory domain controller. As an example, consider extending the Active Directory schema for Microsoft Exchange Server 2007. The new schema extensions would be written on a domain controller to support Exchange 2007. The schema extensions would fail on an RODC because the domain controller is not writable, which, of course, explains why an RODC cannot perform the FSMO role.

To add to its limitations, out-of-the-box RODCs cannot authenticate a smart card logon. This is because the Enterprise Read-Only Domain Controller (ERODC) group is not defined in the domain controller certificate template by default. Because the ERODC is not associated with the default group defined in the template, the RODC is not automatically enrolled in the certificate process, which is a requirement for authenticating smart card logons. Unlike the limitations of RODCs stated in the previous two paragraphs, there is a way to work around this particular drawback so an RODC can authenticate a smart card logon. The following changes must be orchestrated in the certificate templates for an RODC to support smart card logons:

. ERODC group permissions for Enroll must be set to Allow on the Domain Controller certificate template.

. ERODC group permissions for Enroll and Autoenroll must be set to Allow on the Domain Controller Authentication and Directory E-Mail Replication certificate template.

. The Authenticated Users group permissions must be set to Allow Read on the Domain Controller Authentication and Directory E-Mail Replication certificate template.

Source of Information : Sams - Windows Server 2008 R2 Unleashed

No comments:

Incremental-only backup

The incremental-only approach to backup makes a single full backup copy and thereafter makes incremental backup copies to capture newly writ...