Loading...
 

SysAdmin Blog

hardcoding AD site selection on a member server

Alexander Bochmann Thursday 14 of February, 2013
With Windows Server 2008, Microsoft has introduced a Read-Only Domain Controller (RODC) role that adds an additional layer of security to protect an Active Directory infrastructure from member systems that are located in an not completely trusted environment (say, a DMZ or perimeter network). Configured correctly, using an RODC can prevent unauthorized changes to the ADS from a compromised member.

Microsoft has documented the whole RODC design and all configuration steps extensively in the Read-Only Domain Controller Planning and Deployment Guide.

Let's assume we have done all that, and end up with an RODC living happily in his small firewalled DMZ, waiting for other AD systems to use his services. We move a server from the main network to the same DMZ, assuming everything will just work. And then it doesn't:

Active Directory has the nifty concept of AD sites, which allows clients and member servers to find appropriate Domain Controllers that are assigned to a specific location, using DNS. As detailed in the Planning and Deployment Guide, an RODC will be placed in it's own site, with appropriate AD site links to allow access to specific writable DCs (and the appropriate firewall rules to permit just that communication).
A member server moved to the RODC DMZ will not be able to contact any of the Domain Controllers it knows of from it's old site though, which causes the usual site selection mechanism to fail. With no knowledge of the site membership, our server is unable to find an assigned RODC, and all AD services will fail.

So we need a way to bootstrap site selection without AD, and lo - Microsoft has provided a way to do just that: There's a Registry key to tell an AD member which site it is in. Unfortunately the information is somewhat hidden in a subsection of the Deploying RODCs in the Perimeter Network document...

The Registry entry is:

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\SiteName (string)

The value of that key is the actual site name.

With that information, a DMZ system can create the appropriate DNS requests to find the DCs for it's site, and most things will be ok.
One of the things that needs additional work is DNS registration, though: As an Read-Only DC doesn't have the permission to update DNS entries through Active Directory, systems in an RODC site will need to send DNS updates to a writable Domain Controller. Microsoft has documented that part in DNS updates for clients that are located in an RODC site.