Domain-Wide SRV registration for RODC

gabriel/tfi posted this 26 September 2015

Hi All,

Is there a way to change the RODC behavior and "force" it to update domain-wide SRV records instead of just the site-specific ones?

Thank you - Gabriele.

ZJORZ posted this 26 September 2015

RODC site-specific records are registered through an RWDC.

Yes, it is possible to have an RODC update domain-wide SRV records by changing its behavior. From a security perspective that is far from recommended! Don't do it.

It is also not recommended to have a decentralized DC, especially if it is an RODC, register domain-wide SRV records. If you have a central RODC, why is it not an RWDC?

Remember that an RODC can only authenticate users/computers for which the password is stored on the RODC. If not, it will still forward authentication to an RWDC.

Allowing an RODC to register/update domain-wide SRV records......

In other words, many reasons not to do it, not one reason to do it.



Kind regards,

Jorge de Almeida Pinto

E-Mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx

Tel.: +31-(0)6-26.26.62.80

(+++ Sent from my mobile device +++)

(Apologies for any typos)


gabriel/tfi posted this 29 September 2015

I think I found it: RegisterSiteSpecificDnsRecordsOnly

https://support.microsoft.com/en-us/kb/977510
http://blogs.technet.com/b/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx

Although it's reasonably not recommended and I see your point, there might exist specific requirements that can be accommodated by this configuration. Mitigation can be applied by setting up LDAPSrvPriority and group-based PRP to limit "RODC password caching" to certain objects only.

Cheers – Gabriele.
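As an added example that is not part of the thread (my code, not either poster's), the following PowerShell script audits, for one RODC, the three knobs the thread names: the Netlogon RegisterSiteSpecificDnsRecordsOnly and LdapSrvPriority registry values, whether the RODC currently appears in the domain-wide versus the site-specific _ldap SRV record set, and the PRP allowed/denied lists together with the accounts whose passwords are actually cached on it. The RODC name RODC01 and the reading of RegisterSiteSpecificDnsRecordsOnly (absent or 1 = site-specific records only, 0 = domain-wide records too) are assumptions; verify them against KB 977510 before acting on the output.

```powershell
# Added example, not code from the thread. Audits an RODC's SRV-registration
# behaviour and password-caching exposure. Requires the ActiveDirectory and
# DnsClient modules and PowerShell remoting to the RODC.
#Requires -Modules ActiveDirectory, DnsClient

param(
    [string] $RodcName = 'RODC01',               # assumed name, change to yours
    [string] $Domain   = $env:USERDNSDOMAIN
)

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RodcNetlogonSrvSettings {
    param([string] $Computer)
    # Get-ItemProperty has no -ComputerName, so read the key over remoting.
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        $p = Get-ItemProperty -Path $using:netlogonKey -ErrorAction Stop
        [pscustomobject]@{
            # Assumed semantics (check KB 977510):
            #   absent or 1 -> site-specific records only (RODC default)
            #   0           -> RODC also registers domain-wide records
            RegisterSiteSpecificDnsRecordsOnly = $p.RegisterSiteSpecificDnsRecordsOnly
            # 0 is the most preferred SRV priority; raising it makes clients
            # try this DC only after every lower-numbered DC has failed.
            LdapSrvPriority = $p.LdapSrvPriority
            LdapSrvWeight   = $p.LdapSrvWeight
        }
    }
}

function Get-SrvTargets {
    param([string] $Name)
    # Host names the SRV record set points at; empty array if it resolves to nothing.
    $r = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue
    @($r | Where-Object { $_.Type -eq 'SRV' } |
         ForEach-Object { $_.NameTarget.TrimEnd('.') })
}

$rodc = Get-ADDomainController -Identity $RodcName
if (-not $rodc.IsReadOnly) { Write-Warning "$RodcName is not an RODC" }
$fqdn = $rodc.HostName
$site = $rodc.Site

"== Netlogon SRV settings on $fqdn =="
Get-RodcNetlogonSrvSettings -Computer $fqdn | Format-List

# Domain-wide set: every client in the domain may pick a DC from here.
# Site-specific set: only clients that resolve to this site use it.
$domainWide = Get-SrvTargets "_ldap._tcp.dc._msdcs.$Domain"
$siteOnly   = Get-SrvTargets "_ldap._tcp.$site._sites.dc._msdcs.$Domain"

"== SRV presence for $fqdn =="
[pscustomobject]@{
    InDomainWideSet   = ($domainWide -contains $fqdn)   # -contains is case-insensitive
    InSiteSpecificSet = ($siteOnly   -contains $fqdn)
    Site              = $site
} | Format-List

if ($domainWide -contains $fqdn) {
    Write-Warning "$fqdn is advertised domain-wide; any client in $Domain may authenticate against it."
}

# What a compromised RODC would actually yield: the PRP and the cached secrets.
"== Password Replication Policy for $RodcName =="
"Allowed:"; Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
    Select-Object -ExpandProperty Name
"Denied:";  Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied |
    Select-Object -ExpandProperty Name
"Accounts with passwords currently cached on $RodcName :"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName
```

Run it from an admin workstation as an account that can read the RODC's registry and query AD; an RODC that shows InDomainWideSet = True with a long RevealedAccounts list is the combination Jorge warns about, since every domain client can be steered to a DC whose cached secrets are exactly that list.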
