- Active Directory Administration Cookbook
- Sander Berkouwer
- 168 words
- 2021-06-24 14:42:09
How it works...
Read-only domain controllers are different to normal domain controllers in the following ways:
- They allow read-only access to the Active Directory database and SYSVOL. Read-only domain controllers hold a read-only copy of both and refer clients to a writable domain controller for every write operation, including changes to SYSVOL contents.
- They allow read-only access to DNS records. Read-only domain controllers refer clients that send dynamic DNS registration requests to a writable domain controller.
- They allow for scoped replication of secrets, controlled by the Password Replication Policy (PRP): only the password hashes of accounts the PRP allows are cached on the read-only domain controller. Members of the Denied RODC Password Replication Group, which contains the built-in administrative groups by default, are never cached, so privileged and other sensitive credentials stay in the central datacenter. The PRP governs credentials, not objects; the remaining directory objects still replicate to the read-only domain controller.
- They allow for a quick reset of the passwords of synchronized (cached) users and computers when the read-only domain controller is stolen or otherwise compromised: the directory records exactly which secrets were revealed to that read-only domain controller, so only those accounts need a reset.
- They use their own dedicated Kerberos account, krbtgt_<number>, to encrypt the tickets they issue; the domain-wide krbtgt secret is never stored on them.
An attacker who extracts the secrets of a compromised read-only domain controller therefore obtains only that read-only domain controller's krbtgt_<number> key, not the secret of the domain's Kerberos account (krbtgt). Tickets protected by the domain krbtgt key can neither be decrypted nor forged with what the read-only domain controller holds.
Additionally, because no updates originate on read-only domain controllers, replication is one-way: writable domain controllers never replicate from them.
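The following PowerShell ties these properties together as an added example; it is not code from the book. It uses the ActiveDirectory module (run from a writable domain controller or an RSAT-equipped admin workstation) to confirm the RODC role, show the RODC-specific krbtgt account linked from the computer object, list the Password Replication Policy and the accounts whose secrets are currently cached, flag any cached account protected by AdminSDHolder, and reset the cached secrets after a theft. The name 'RODC01' is a placeholder.

```powershell
# Added example (not from the book): audit one RODC's password replication
# state and, if it has been stolen, reset every secret it could have cached.
# Assumes the ActiveDirectory module and a reachable writable DC; 'RODC01'
# below is a placeholder name.
Import-Module ActiveDirectory

function Get-RodcSecurityReport {
    param([Parameter(Mandatory)][string]$RodcName)

    # Only RODCs carry a Password Replication Policy; IsReadOnly confirms the role.
    $rodc = Get-ADDomainController -Identity $RodcName
    if (-not $rodc.IsReadOnly) { throw "$RodcName is a writable domain controller" }

    # Each RODC has its own krbtgt_<number> account, linked from its computer object.
    $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties 'msDS-KrbTgtLink'
    $krbtgt   = Get-ADObject -Identity $computer.'msDS-KrbTgtLink' -Properties sAMAccountName

    # PRP: principals whose secrets may be cached (Allowed) and may never be (Denied).
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

    # Accounts whose secrets are actually present on the RODC right now.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

    # adminCount=1 marks accounts protected by AdminSDHolder; their secrets being
    # cached on a branch-office RODC is a finding, whatever the PRP says.
    $privilegedCached = foreach ($acct in $revealed) {
        $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
        if ($obj.adminCount -eq 1) { $obj }
    }

    [pscustomobject]@{
        Rodc              = $rodc.HostName
        RodcKrbtgt        = $krbtgt.sAMAccountName   # krbtgt_<number>, never plain krbtgt
        AllowedPrincipals = $allowed.Name
        DeniedPrincipals  = $denied.Name
        RevealedAccounts  = $revealed.SamAccountName
        PrivilegedCached  = $privilegedCached.SamAccountName
    }
}

function New-RandomSecurePassword {
    # 32 CSPRNG bytes as base64: ~43 characters of upper, lower, digits and '+' '/'.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-RodcCachedSecrets {
    # Run after the RODC is stolen or compromised. Without -Force it only lists the
    # accounts whose secrets the RODC held; with -Force it resets each of them.
    # Deleting the stolen RODC's own computer object (and with it its krbtgt_<number>
    # account) is a separate step not performed here.
    param([Parameter(Mandatory)][string]$RodcName, [switch]$Force)

    $rodc     = Get-ADDomainController -Identity $RodcName
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

    foreach ($acct in $revealed) {
        if ($Force) {
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword (New-RandomSecurePassword)
            if ($acct.ObjectClass -eq 'user') {
                # Users must choose a new password; the random one is never disclosed.
                Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
            }
            # Computer accounts: the host must re-establish its secure channel afterwards
            # (Test-ComputerSecureChannel -Repair on the machine itself).
        }
        '{0,-8} {1}' -f $acct.ObjectClass, $acct.SamAccountName
    }
}

Get-RodcSecurityReport -RodcName 'RODC01' | Format-List
Reset-RodcCachedSecrets -RodcName 'RODC01'           # dry run: list what would be reset
# Reset-RodcCachedSecrets -RodcName 'RODC01' -Force  # perform the resets after a theft
```

The report's RodcKrbtgt field is what the last bullet above is about: the RODC never holds the domain krbtgt secret, only its own krbtgt_<number> key. The PrivilegedCached field should always be empty; a non-empty value means the PRP has been loosened beyond the default Denied RODC Password Replication Group. The reset covers the same set of accounts that the "reset passwords" option in Active Directory Users and Computers offers when an RODC's computer object is deleted.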