Longhorn Server Revealed: Active Directory Enhancements

Computerworld - Longhorn Server, due to be released later this year, is a major revision of Microsoft Corp.'s flagship server operating system. In this article, I’ll take a look at the most significant enhancements to Active Directory in Longhorn Server and how they will impact your business.

Read-Only Domain Controllers

Think back to the days of Windows NT 4.0, where there was one king of the hill, the primary domain controller (PDC), and then any number of subservient princes below that king on the same hill -- the backup domain controllers, or BDCs. It was easy to see the flow of information: Changes were made to the master copy of the domain security information on the PDC, and from there it flowed outward, unidirectionally, to the BDCs.

When Active Directory came around, however, this distinction was eliminated, and in practice a domain controller (DC) was equal to any other domain controller, without any designation of primary, backup, and so on. (Well, in actuality, some DCs are a little more equal than others when you factor operations master roles into the equation, but that’s not relevant to this discussion.)

While this new design increases the fault-tolerance and distributed-deployment capabilities of the operating system, it can be a problem if a domain controller anywhere on the network pushes corrupt or otherwise incorrect data to other DCs. How would you prevent that?

This is a problem particularly in branch-office scenarios. Since the designated administrator in a branch office needs domain administrator credentials to administer the DC in his office; this actually gives him the right to administer any DC, not just the one he’s responsible for looking after. It’s not the best security situation.

While this equality of domain controllers is still the case in Longhorn Server’s Active Directory implementation, there is now the concept of a read-only domain controller. A read-only domain controller (RODC) is just that. It receives information replicated to it from full domain controllers, but it doesn’t permit any changes to be made to its own copy of the directory database, and thus no information can be replicated back to the full DCs in the domain of which it’s a member.

This is a great win for branch offices whose companies are large enough to have a comprehensive Active Directory structure. Now you don’t have to deploy a full-blown domain controller to your remote locations -- you can simply place a RODC there.

The benefits are significant and include:

• You reduce the risk of someone attacking a branch office location and sending poisoned data throughout the entire Active Directory database.
  
• The RODC caches only the credentials of local users, not those of other Active Directory domain accounts, which reduces the possibility that accounts can be cracked from a stolen branch office domain controller.
  
• The RODC never caches administrator credentials, so the keys to the kingdom are more fully protected.
  
• The Kerberos authentication tickets issued by the RODC will be valid only for systems within its scope, so it can’t issue falsified tokens to get nefarious users onto the full network.
  
• The RODC is a Server Core-designated role, which means there’s hardly any need for administration locally. No graphical user interface also means a smaller attack surface. (See my Longhorn Server Beta 2 article on this site for more details.)