WSFC RODC deployment model

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

Elden has said before that WSFC supports deployment in RODC scenarios. Although the deployment can be completed, the configuration process is quite involved. Today, let's take on the challenge.

So, what is RODC? Put simply, RODC is one working mode of a domain controller. Domain controllers come in two working modes. One is RWDC, the writable DC, which is the traditional DC we commonly use: every RWDC provides the complete Active Directory management and control functions, we can modify content on any RWDC, and the change is replicated to all other DCs.

RODC is different. RODC is a new DC working mode introduced by Microsoft in 2008. With it, a domain controller works in a read-only way. Like other DCs, an RODC holds all objects and attributes in Active Directory. Users, computers and applications can read and query Active Directory data through the RODC, but cannot write to it directly through the RODC. All writes to Active Directory are carried out on an RWDC and then replicated to the RODC after the write completes; the RODC never replicates content back to the RWDC.

Clients can log on through the RODC, and the RODC handles authentication and logon requests, but in fact the RODC forwards every user logon request to an RWDC. The RWDC returns the credentials to the RODC, the client logs on normally, and the credentials are cached on the RODC, so the next time the RODC does not need to go to the RWDC for verification. This mechanism keeps the RODC as secure as possible: the domain controller itself does not store the original credential data, only a cache of credentials. If the RODC server is lost or infected by a virus, the administrator can simply delete the RODC's computer object on the RWDC, so that none of the credentials cached on the RODC can be used any more.

From the above description we can see that the main characteristics of RODC are a read-only Active Directory database, one-way Active Directory replication, and secure, controllable credential cache management. Because of these characteristics, RODC is well suited to certain scenarios, for example branch offices that lack professionals or that carry security risks. Some branches may have no professional technical staff to manage AD, yet the branch still needs to use Active Directory; in that case you can deploy an RODC in the branch, and the RODC needs little management once installed. Because the RODC provides no write function, it also prevents the misoperation of malicious or junior personnel from causing loss of Active Directory data. All writes are completed on the RWDC and replicated to the RODC; nothing can be written on the RODC, and what can be modified there is very limited, so the risk of misoperation is largely solved. With one-way replication, an RODC does not need to write data back to the RWDC; it only needs to accept the data replicated to it by the RWDC, which also saves part of the bandwidth cost.

To sum up, RODC mainly has the following functions:

1. Read-only Active Directory database: the RODC holds the same Active Directory database content as the RWDCs. Users, computers and applications can read and query data from the RODC, but cannot modify it on the RODC. An application that wants to modify Active Directory must be redirected to an RWDC.

2. Read-only DNS zone: a DNS server can be installed on the RODC to answer client DNS queries, but the RODC does not support updating DNS records directly. In effect a forwarder is created on the RODC: all changes to the domain DNS zone are forwarded to the DNS on the RWDC, and the changed data is replicated back to the RODC in the next replication cycle.

3. One-way replication: the RODC only replicates data from the RWDC and never replicates data back to the RWDC, which reduces the risk of misoperation and saves part of the replication bandwidth.

4. Administrator permission delegation: by default, only members of the Domain Admins and Enterprise Admins groups can install and manage an RODC, but RODC supports permission delegation, so you can delegate an ordinary user as RODC administrator. From then on that user can perform installation and management operations on the RODC.

5. Credential caching: by default, a newly installed RODC only stores its own computer credentials and its KRBTGT credentials, where the KRBTGT credentials are used by the RWDC to verify the RODC's identity. Apart from these two accounts, the RODC stores no user or computer account passwords. Normally, when a user logs on through the RODC for the first time, the logon succeeds only if an RWDC is online: the RODC forwards the logon request to the RWDC, the RWDC returns the credentials, the user logs on normally, and the RODC caches a copy at the same time. Under this default behaviour, if the RWDC later becomes unreachable, only users who have previously logged on successfully can log on at the RODC; users who have never logged on successfully get no credentials and cannot log on. Besides this default caching mechanism, RODC also provides a pre-caching mechanism: we can cache the credentials of selected users or computers on the RODC in advance, so that even if the RWDC becomes unreachable, those users and computers can still log on normally. Finally, even if the RODC is compromised or lost, as long as the RODC computer object is deleted on the RWDC, all previously cached credentials are invalidated.

For us on the WSFC side, the core concern is this credential caching feature, because when we create a WSFC cluster we need to write the CNO object to Active Directory and then write the VCO objects. In fact, a WSFC cluster not only creates the CNO and VCO objects but also needs to write many additional attributes during the creation process. In an RODC environment, cluster creation with the defaults is bound to fail.

The reason is that writing AD data directly is not supported in the RODC environment, so we need to pre-stage the CNO/VCO computer objects and their attributes on the RWDC and cache their credentials on the RODC in advance, so that the cluster can be created normally in the RODC environment.

As for the read-only DNS, the DNS forwarder will help create the CNO record, and one-way replication is fine. The CNO and VCO only need to be pre-staged for the cluster to operate in the RODC environment; as long as they are not changed, no further AD attribute writes are needed.

Starting with WSFC 2012, Microsoft supports the RODC deployment model, and it remains available in subsequent versions.

The operation flow is as follows:

1. Cache the cluster creation account on the RODC

2. Pre-stage the CNO computer object and disable it

3. Give the cluster creation account Full Control over the CNO

4. Modify the CNO computer attributes

5. Cache the CNO on the RODC

6. Pre-stage the VCO computer object and disable it

7. Give the CNO computer account Full Control over the VCO

8. Modify the VCO computer attributes

9. Cache the VCO on the RODC

1. Add the cluster creation account to the Allowed RODC Password Replication Group. The credentials of users and computers in this group are cached on the RODC.

2. Pre-stage the CNO computer object and disable it. Note that the CNO object here must be disabled, otherwise cluster creation will fail later!

3. Give the cluster creation account Full Control over the CNO.

4. Modify the CNO computer attributes as follows. If we do not modify them in advance, these are the CNO attributes that would have to be modified during cluster creation to distinguish the CNO from an ordinary computer.

5. Cache the CNO on the RODC: add the CNO computer object to the Allowed RODC Password Replication Group.

The experimental environment is as follows:

DC01 & iSCSI
LAN: 10.0.0.2 255.0.0.0
iSCSI: 30.0.0.2 255.0.0.0

DC02
LAN: 10.0.0.3 255.0.0.0

HV01
MGMT: 10.0.0.12 255.0.0.0, DNS 10.0.0.3
iSCSI: 30.0.0.12 255.0.0.0
CLUS: 18.0.0.12 255.0.0.0

HV02
MGMT: 10.0.0.13 255.0.0.0, DNS 10.0.0.3
iSCSI: 30.0.0.13 255.0.0.0
CLUS: 18.0.0.13 255.0.0.0

DC02 is currently the RODC.

Log on to each cluster node as cluadmin and add the Failover Clustering feature.

Connect the storage on each cluster node.

When creating the cluster, be sure to enter the pre-staged CNO name exactly.

If everything went well during pre-staging, the cluster is created normally in the next step with no error.

The CNO object is enabled normally.

The CNO DNS record is also created.

In fact, you can see that only the RWDC is a name server for the oa.com zone, so update requests for the DNS zone are forwarded to the RWDC by the forwarder, and the record is replicated to the RODC after the update on the RWDC completes.

After the cluster is created, the next step is to run applications on it. Note that in a cluster running under the RODC model, each clustered application must first be handled in the same way, pre-staging the object and pre-caching it, before the cluster can create the upper-level application normally.

6. Pre-stage the VCO computer object and disable it.

7. Give the CNO computer account Full Control over the VCO.

8. Modify the VCO computer attributes as follows; they are the same attributes that the CNO needs modified.

9. Cache the VCO on the RODC: add the VCO computer object to the Allowed RODC Password Replication Group.
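The nine pre-staging steps (1 to 5 for the CNO, 6 to 9 for the VCO) scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original article. cluadmin, DC02 and the oa.com domain come from the article; the OU path, the CNO name HVCLUSTER and the VCO name HVDTC are assumptions for this lab, and the attribute edits of steps 4 and 8, which the article shows only in its screenshots, are not reproduced.

```powershell
# Added example (not the article's own code). Run on an RWDC or a management host
# as a domain admin; the RODC only receives the result through replication.
Import-Module ActiveDirectory

$Rodc        = 'DC02'                       # read-only DC in the branch (from the article)
$ClusterAcct = 'cluadmin'                   # account that runs Create Cluster (from the article)
$CnoName     = 'HVCLUSTER'                  # cluster name object (assumed name)
$VcoName     = 'HVDTC'                      # VCO for the DTC role (assumed name)
$Ou          = 'OU=Clusters,DC=oa,DC=com'   # target OU (assumed)
$PrpGroup    = 'Allowed RODC Password Replication Group'   # built-in group name

function Grant-FullControl {
    # Adds a GenericAll (Full Control) ACE for $TrusteeSid on the object at $Dn.
    param([string]$Dn, [System.Security.Principal.SecurityIdentifier]$TrusteeSid)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $TrusteeSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Step 1: let the RODC cache the cluster creation account's credentials.
Add-ADGroupMember -Identity $PrpGroup -Members $ClusterAcct

# Step 2: pre-stage the CNO and leave it disabled (Create Cluster fails on an enabled CNO).
New-ADComputer -Name $CnoName -Path $Ou -Enabled $false
$cno = Get-ADComputer -Identity $CnoName

# Step 3: the cluster creation account gets Full Control over the CNO.
Grant-FullControl -Dn $cno.DistinguishedName -TrusteeSid (Get-ADUser -Identity $ClusterAcct).SID

# Step 4 (attribute edits from the article's screenshots) is intentionally omitted here.

# Step 5: cache the CNO on the RODC.
Add-ADGroupMember -Identity $PrpGroup -Members $cno

# Steps 6 to 9: same pattern for the VCO; the trustee is now the CNO computer account.
New-ADComputer -Name $VcoName -Path $Ou -Enabled $false
$vco = Get-ADComputer -Identity $VcoName
Grant-FullControl -Dn $vco.DistinguishedName -TrusteeSid $cno.SID
Add-ADGroupMember -Identity $PrpGroup -Members $vco

# Check: accounts the RODC is allowed to cache, and those it has actually cached so far.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts | Select-Object Name
```

The final two queries are the defender's view of the credential cache described earlier: the first lists the policy, the second lists which of those credentials the RODC has really revealed and would therefore be exposed if the RODC were lost.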

Add the DTC application to the cluster as usual, entering the pre-staged VCO name exactly.

The application is added successfully.

The VCO object is enabled normally.

The VCO DNS record is added.

At this point we have completed creating the cluster under RODC and building the upper-level application, and the challenge succeeded. In fact, it is not very complicated once you understand it.

So far, Lao Wang has covered the traditional AD-dependent model, how the traditional AD-dependent model handles CNO/VCO pre-staging, how to restore deleted CNO/VCO objects, the WSFC 2016 workgroup deployment model, the WSFC 2016 multi-domain deployment model, the WSFC 2012 AD-free deployment model, and the WSFC 2012 RODC deployment model, almost all of the common deployment types; we have also migrated from MSCS 2003 to WSFC 2016. In fact, many Microsoft solutions are not as simple as they seem, and there are many scenarios and functions inside to explore, the cluster deployment model being one example. Now that there are so many models to choose from, know more and think more, so that when the scenario arrives we can choose the better solution. That is all; I hope it brings something useful to the friends reading this!
