Domain-Wide SRV registration for RODC

  • Last Post 29 September 2015
gabriel/tfi posted this 26 September 2015

Hi All,

Is there a way to change the RODC behavior and "force" it to update domain-wide SRV records rather than just the site-specific ones?

Thank you - Gabriele.


ZJORZ posted this 26 September 2015

RODC site-specific records are registered through an RWDC.

Yes, it is possible to have an RODC update domain-wide SRV records by changing its behavior. From a security perspective that is far from recommended! Don't do it.

It is also not recommended to have a decentralized DC, especially if it is an RODC, register domain-wide SRV records. If you have a central RODC, why is it not an RWDC?

Remember that an RODC can only authenticate users/computers for which the password is stored on the RODC. If not, it will still forward authentication to an RWDC.

Allowing an RODC to register/update domain-wide SRV records......

In other words, many reasons not to do it, not one reason to do it.

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto

E-Mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx

Tel.: +31-(0)6-

(+++Sent from my mobile device +++)

(Apologies for any typos)


gabriel/tfi posted this 29 September 2015

I think I found it, RegisterSiteSpecificDnsRecordsOnly Although it’s reasonably not recommended and I see your point, there might exist specific requirements that can be accommodated by this configuration.Mitigation can be applied by setting up LDAPSrvPriority and group based PRP to limit “RODC password caching” to certain objects only. Cheers – Gabriele.