Supporting remote branch offices while securing sensitive information is a difficult balancing act. Now, with the availability of Windows Server 2008, new technologies allow IT managers to deploy domain controllers (DCs) in unsecured locations safely, by encrypting drives, limiting the attack surface and separating server and Active Directory (AD) administrative privileges.
This article will instruct you on how to set up a Read Only Domain Controller (RODC) for a remote location, on Server Core with BitLocker providing extra security. In a production environment there are many factors related to these technologies (which are not discussed here) that you should consider carefully before deployment. For example, Exchange Server can’t as yet utilize RODCs. The instructions here require basic knowledge of AD and command-line administration and should be tried out in a test environment before deployment.
RODCs host a read-only copy of AD, containing all objects and associated attributes except passwords. Applications that require write access to AD are referred by the RODC to a writable DC across a wide area network (WAN), usually located at a central site. RODCs don’t cache passwords locally by default, but Password Replication Policy can be configured so that only users in the branch office have their passwords cached on the appropriate RODC, limiting exposure in case the machine is compromised or stolen.
If DNS is installed on an RODC, zone data is also read-only, and clients are provided with a referral DNS server by the RODC, to which they must make any updates. The updated record is then replicated back to the RODC.
Local server administrator privileges can be delegated to an AD user or group for support and maintenance purposes without granting administrative access to AD. This is known as Administrative Role Separation and contrasts from usual DCs, where users must be added to the Domain Admins group, which poses a security risk to AD.
Server Core is a slim-line version of Windows Server 2008, in which only the required operating system components are installed, reducing resource utilization and improving security by limiting the attack surface. The most important difference between Server Core and the full installation of Server 2008 is that there is no graphical user interface (GUI) in Server Core.
BitLocker is Microsoft’s disk encryption technology and is built in to Vista and Server 2008. Unlike the Encrypted File System (EFS), BitLocker is capable of encrypting the entire Windows partition. BitLocker encryption keys can be stored on a built-in Trusted Platform Module (TPM) chip or on a removable USB device.
The following procedure will prepare the server’s disk for installing Server Core to support BitLocker drive encryption. We’ll use the diskpart command to create a boot partition (s:) that contains unencrypted boot files, and a larger partition (c:) for Windows, which we’ll later encrypt. Save the diskpart.txt file  to a USB key before proceeding.
There must be at least one Windows Server 2008 DC that the RODC can use as a replication partner, and the forest and domain functionality levels should be set to a minimum of Windows Server 2003. In this example, ad.com is a 2008 domain and contains only Server 2008 DCs.
Figure 3 shows the currently unused RODC account in the Domain Controllers Organizational Unit (OU) in AD.
RODC hardware can be shipped to branch offices and AD installed by a nontechnical member of staff if necessary. Install From Media (IFM) has been improved so that passwords are removed for safer transportation.
dcpromo /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:ad.com /UserDomain:ad.com
/UserName:AD\user1 /password:* /safeModeAdminPassword:* /rebootOnCompletion:yes
Now ad.com is the fully qualified domain name for our domain, and user1 is a domain user with no domain administrator privileges. (Replace * with appropriate passwords.)
Now we’ll configure BitLocker to store its encryption key on a removable USB drive. If your server doesn’t support booting from a USB device, the following procedure can still be used, but you’ll have to enter a recovery password every time Server Core is rebooted. In practice, I don’t recommend using BitLocker in remote locations where there’s no technical support on hand without a built-in TPM chip to store the encryption key.
cscript manage-bde.wsf –on c: -rp –sk f: -s
Even if you don’t intend to use a USB key to boot the system, you must specify the –sk (startup key) switch and save a key. The –rp switch creates a recovery password that can be used to boot the server if the USB key is not available.
In your production environment, you should create a separate Group Policy Object for the BitLocker settings and apply it to only the relevant machines.
Using these three new technologies in Windows Server 2008 together provides solid security for domain controllers that cannot be physically secured. However, RODCs and BitLocker add a level of complexity that might require additional training for administrators and special deployment considerations, especially concerning applications that make use of AD, such as Exchange. Server Core requires that administrators be familiar with the command line. Although BitLocker can be configured without any special hardware, it’s more difficult to use and support if the server doesn’t include a Trusted Platform Module.
Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.