Branch offices and Longhorn

A few of the longhorn technologies seem great for branch offices which we can assume to lack physical security and the high levels of management required for enterprise class service integrity.  if we string together Secure Startup (lack of security), read-only Domain Controllers (lack of service integrity, but resiliance to network outages) and Lonhorn Core (minimum attack surface and maximum up-time) we start to see the beginings of a good solution.

Here is a bit more on read-only domain controllers:

Read-only

An RODC holds all the Active Directory® directory service objects and attributes that a full domain controller holds, but clients are not able to write changes directly to the RODC. This means that changes that are made at branch locations cannot pollute or corrupt the forest. Local applications requesting Read access to the directory are satisfied, while Lightweight Directory Application Protocol (LDAP) applications requesting Write access are referred to a full domain controller at a hub location.

Unidirectional Replication

Because no changes are written directly to the RODC and therefore do not originate locally, full domain controller replication partners do not have to pull changes from the RODC. This reduces bridgehead load in the hub as well as the effort it takes to monitor replication.

RODC unidirectional replication applies to both Active Directory and File Replication service (FRS) replication. The RODC performs normal inbound replication for Active Directory and FRS changes.

Credential Caching

Credential caching is the storage of user or computer credentials. Credentials consist of a small, well-defined set of approximately 10 encryption keys that are associated with each user or principal.

By default an RODC will not store user or computer credentials except for its own computer account and a special krbtgt account. The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different krbtgt account and password than the KDC on a full domain controller uses when it signs or encrypts ticket-granting ticket (TGT) requests. This makes it possible for the RODC to identify authentication requests and forward them to a full, writable domain controller.

When the RODC processes a successful authentication request, it attempts to contact and pull the user’s credentials from a full domain controller at the hub location. The full domain controller acknowledges the request based on the special krbtgt account of the RODC. The credential-caching policy that is enforced at the full domain controller determines if a user’s or computer’s credentials can be replicated from the full domain controller to the RODC. If the credential-caching policy allows it, the full domain controller replicates down the credentials. After a user’s credentials are cached on the RODC, the RODC can service that user’s logon requests directly until the credentials change.

Credential caching limits the potential exposure of users’ credentials in the branch office because typically only a small subset of the user base will have their credentials cached on any given RODC. Thus, in the event that the RODC is stolen, only those credentials that are cached can potentially be cracked.

Steve Richards

I'm retired from work as a business and IT strategist. now I'm travelling, hiking, cycling, swimming, reading, gardening, learning, writing this blog and generally enjoying good times with friends and family

Leave a Reply

Your email address will not be published. Required fields are marked *