Computer Technos


Tuesday, 21 February 2012

Limitations Associated with Windows Server 2008 R2 RODCs

Posted on 08:27 by Unknown
There are situations in which RODCs cannot be used. This is the case with bridgehead servers and operations master role holders. For example, a Windows Server 2008 R2 bridgehead server is responsible for managing Active Directory replication from a physical site. An RODC can only perform inbound, unidirectional replication, so it cannot be designated as a bridgehead server: these servers must support both inbound and outbound replication.

An RODC also cannot function as a Flexible Single Master Operations (FSMO) role holder. Each FSMO role needs to write information to an Active Directory domain controller. As an example, consider extending the Active Directory schema for Microsoft Exchange Server 2007. The new schema extensions would be written on a domain controller to support Exchange 2007. The schema extensions would fail on an RODC because the domain controller is not writable, which explains why an RODC cannot hold a FSMO role.

In addition, out-of-the-box RODCs cannot authenticate a smart card logon. This is because the Enterprise Read-Only Domain Controller (ERODC) group is not defined in the domain controller certificate template by default. Because the ERODC group is not among the default groups defined in the template, the RODC is not automatically enrolled for a certificate, which is a requirement for authenticating smart card logons. Unlike the limitations described in the previous two paragraphs, this one has a workaround that allows an RODC to authenticate a smart card logon. The following changes must be made to the certificate templates for an RODC to support smart card logons:

  • ERODC group permissions for Enroll must be set to Allow on the Domain Controller certificate template.

  • ERODC group permissions for Enroll and Autoenroll must be set to Allow on the Domain Controller Authentication and Directory E-Mail Replication certificate templates.

  • The Authenticated Users group permissions must be set to Allow Read on the Domain Controller Authentication and Directory E-Mail Replication certificate templates.
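
One way to check the three requirements above is to audit each template's access control entries. This is an added example, not taken from the book or the original post. The `EXAMPLE` domain, the helper names and the sample ACEs are constructed, and the group name is the `Enterprise Read-only Domain Controllers` built-in group. Deny entries are not evaluated.

```powershell
# Added example: audit certificate-template ACEs for the RODC smart card requirements.
# Control-access-right GUIDs used for certificate enrollment in Active Directory.
$RightGuid = @{
    Enroll     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'
    Autoenroll = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
}
$AllRights = '00000000-0000-0000-0000-000000000000'   # empty ObjectType = every extended right
$Erodc = 'Enterprise Read-only Domain Controllers'
$Auth  = 'Authenticated Users'
# The Allow entries the list above says must exist.
$Required = @(
    @{ Template = 'Domain Controller';                Who = $Erodc; Right = 'Enroll' }
    @{ Template = 'Domain Controller Authentication'; Who = $Erodc; Right = 'Enroll' }
    @{ Template = 'Domain Controller Authentication'; Who = $Erodc; Right = 'Autoenroll' }
    @{ Template = 'Domain Controller Authentication'; Who = $Auth;  Right = 'Read' }
    @{ Template = 'Directory E-Mail Replication';     Who = $Erodc; Right = 'Enroll' }
    @{ Template = 'Directory E-Mail Replication';     Who = $Erodc; Right = 'Autoenroll' }
    @{ Template = 'Directory E-Mail Replication';     Who = $Auth;  Right = 'Read' }
)
# Returns $true if any Allow ACE grants $Right to the group named $Who.
function Test-TemplateAce($Aces, [string]$Who, [string]$Right) {
    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        if ("$($ace.IdentityReference)" -notlike "*\$Who") { continue }
        $rights = "$($ace.ActiveDirectoryRights)"
        if ($Right -eq 'Read') {
            if ($rights -match 'GenericRead|ReadProperty|GenericAll') { return $true }
        } elseif ($rights -match 'ExtendedRight|GenericAll' -and
                  ($RightGuid[$Right], $AllRights) -contains "$($ace.ObjectType)") { return $true }
    }
    return $false
}
# Constructed sample ACEs with the same property names as the entries Get-Acl returns.
function New-Ace($Id, $Rights, $Guid = $AllRights) {
    New-Object PSObject -Property @{ IdentityReference = $Id; AccessControlType = 'Allow'
                                     ActiveDirectoryRights = $Rights; ObjectType = $Guid }
}
$SampleAcl = @{
    'Domain Controller' = @(
        New-Ace "EXAMPLE\$Erodc" 'ExtendedRight' $RightGuid.Enroll )
    'Domain Controller Authentication' = @(          # Autoenroll for ERODC is missing
        New-Ace "NT AUTHORITY\$Auth" 'GenericRead'
        New-Ace "EXAMPLE\$Erodc" 'ExtendedRight' $RightGuid.Enroll )
    'Directory E-Mail Replication' = @(              # default-like: no ERODC, no Read
        New-Ace 'EXAMPLE\Domain Controllers' 'ExtendedRight' $RightGuid.Enroll )
}
foreach ($r in $Required) {
    $ok = Test-TemplateAce $SampleAcl[$r.Template] $r.Who $r.Right
    '{0,-8} {1}: {2} -> {3}' -f $(if ($ok) {'OK'} else {'MISSING'}), $r.Template, $r.Who, $r.Right
}
```

Against a live forest, the sample arrays can be replaced with the `.Access` collection returned by `Get-Acl` on the template object through the `AD:` drive of the ActiveDirectory module; templates are stored under `CN=Certificate Templates,CN=Public Key Services,CN=Services` in the configuration naming context.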

Source of Information : Sams - Windows Server 2008 R2 Unleashed