Is there a way to change the RODC behavior and "force" him to update Domain-Wide SRV records vs. just the site-specific ones?
Thank you - Gabriele.
Domain-Wide SRV registration for RODC
- 171 Views
- Last Post 29 September 2015
Rodc site specific records are registered through an Rwdc.
Yes it is possible to have an rodc update domain wide srv records by changing its behavior. From a security perspective that is far from recommended! Don't do it.
It is also not recommended to have a decentralized dc, especially if it is an rodc, register domain wide srv records. If you have a central rodc, why is it not a rwdc?
Remember that an rodc can only authenticate users/computer for which the password is stored on the rodc. If not it will still forward authentication to a rwdc.
Allowing an rodc to register/update domain wide srv records......
In other words, many reasons not to do it, not one reason to do it
Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
(+++Sent from my mobile device +++)
(Apologies for any typos)
I think I found it, RegisterSiteSpecificDnsRecordsOnlyhttps://support.microsoft.com/en-us/kb/977510http://blogs.technet.com/b/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx Although it’s reasonably not recommended and I see your point, there might exist specific requirements that can be accommodated by this configuration.Mitigation can be applied by setting up LDAPSrvPriority and group based PRP to limit “RODC password caching” to certain objects only. Cheers – Gabriele.