Read-Only Domain Controllers (RODCs) and the Primary Read-Only Zone
When you promote a Read-Only Domain Controller (RODC) and also select it to be a DNS server, it performs inbound replication of the DNS zones (whether stored in the application or domain NCs) just like any writable domain controller. But if you're familiar with RODC basics you know they never perform outbound replication and the database is mostly read-only (including the DNS records). Windows Server 2008 DNS therefore introduces a new zone type called the Primary Read-Only Zone. The administrator of an RODC can view the contents of DNS but is unable to change them from the RODC.
Read-Only Domain Controllers (RODCs) do not point the SOA to themselves, unlike writable domain controllers
Writable domain controllers always point the SOA to themselves, because they all host writable copies of Active Directory-integrated zones. RODCs, however, don't host writable copies of those zones and therefore point the SOA to a writable domain controller using the following SOA selection model:
- [1] Try to select a writable domain controller that is running Windows Server 2008 and is published as an NS for the zone
- [2] If there are no Windows Server 2008 writable domain controllers that publish an NS for the zone, a random NS server is picked from the NS list. (Note: it doesn't have to be a DC, just an NS server for the particular zone.)
Note: The current SOA target DC is maintained separately for each zone and re-selected every 20 minutes (not configurable). The selection algorithm contains a random component to try to spread load between writable domain controllers.
[2] needs a clarification regarding another difference: RODCs don't register NS records, so [2] is safe from picking any RODC.
DNS updates for clients having a Read-Only Domain Controller (RODC) as preferred DNS server
When a client attempts a dynamic update, it sends an SOA query to its preferred DNS server. Typically, clients are configured to use the DNS server in their branch site as their preferred DNS server. The RODC reads its SOA record and, on a best-effort basis, returns a writable Windows Server 2008 domain controller to the client (using the SOA selection model above). The RODC then waits a certain amount of time, as explained below, and attempts to replicate the updated DNS record object in Active Directory from the DNS server that it referred the client to, back to the RODC, through an RSO operation. An RSO operation uses an operational attribute named replicateSingleObject that has existed in Active Directory since Windows 2000 and allows replication of a single object by means of an LDAP modify operation on the replicateSingleObject attribute. replicateSingleObject has been updated in Windows Server 2008 to support replication of secrets to RODCs. More information about the attribute and its syntax can be found here:
http://msdn.microsoft.com/en-us/library/cc223306(PROT.13).aspx
How Read-Only Domain Controllers perform RSO operations for DNS record updates
For the DNS server on the RODC to perform an RSO operation for the DNS record update, a DNS server that runs Windows Server 2008 must host writable copies of the zone that contains the record. That Windows Server 2008 DNS server must register a name server (NS) resource record for the zone; in other words, [1] of the SOA selection model above must be used.
Note: The Windows Server 2003 Branch Office Guide recommended restricting name server (NS) record registration to a subset of the available DNS servers. If you followed those guidelines and you do not register at least one writable Windows Server 2008 DNS server as a name server for the zone, the DNS server on the RODC attempts to perform the RSO operation with a DNS server that runs Windows Server 2003, using [2] in the SOA selection model. That operation fails and generates a 4015 error in the DNS event log of the RODC, and replication of the DNS record update is delayed until the next scheduled replication cycle, because the RODC DNS server cannot perform an RSO operation against a Windows Server 2003 domain controller.
More specifically, this is how the RSO operation really works: the SOA query triggers the DNS server on the RODC to put an entry in remotePollList, which is an internal queue on each DNS server. The entry includes the following:
- The object to be replicated
- The source domain controller to replicate from
- A time stamp
The time stamp is set to a time in the future that is equal to the current time plus a replication delay. The replication delay is controlled by a registry setting named DsRemoteReplicationDelay. By default, the value of this setting is 30 seconds.
The internal queue (remotePollList) is processed at regular intervals. The queue-processing interval is controlled by a registry setting named DsPollingInterval. By default, the value of the interval is three minutes.
When the DNS server processes the queue, it attempts to replicate only objects whose time stamp is less than the current time. Therefore, the delay between the time that the RODC refers the client to an authoritative DNS server and the time that it attempts to replicate the update in is determined by the following:
- The next time that the DNS server processes the queue
- Whether the remote replication delay that is set on the entry in the queue has elapsed
If you use the default values for the registry settings, the amount of time before the RODC attempts to replicate the DNS update is a minimum of 30 seconds and a maximum of 210 seconds.
You can modify the values of these registry settings to reduce the amount of time before the RODC attempts to replicate the DNS update. The minimum value for the DsRemoteReplicationDelay setting is 5 seconds. The minimum value for the DsPollingInterval setting is 30 seconds. If you use the minimum values, the amount of time before the RODC attempts to replicate the DNS update is a minimum of 5 seconds and a maximum of 35 seconds.
Note: The maximum number of RSO requests per 5-minute cycle is 300, to prevent denial-of-service attacks.
Note: DsPollingInterval controls all Active Directory polling, not just RODC RSO handling. If you change this value, be aware that this change will affect more than just RODC RSO operations. For example, this setting will affect how often the DNS server polls Active Directory for new or updated resource records or DNS zones.
The following table lists some additional registry entries that are related to the RSO operations that are performed for DNS updates on an RODC. These registry entries are stored in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Registry entry                   Minimum value          Maximum value    Default value
EnableRSOForRODC                 Either True or False                    True
MaximumRodcRsoQueueLength        1                      1000000          300
MaximumRodcRsoAttemptsPerCycle   1                      1000000          100
DsRemoteReplicationDelay         5                      3600             30
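The following PowerShell script is an added example, not code from the original post: run on an RODC, it reads the RSO-related values under the DNS\Parameters key and flags any outside the bounds listed above, computes the resulting RSO attempt window from DsRemoteReplicationDelay and DsPollingInterval, checks that at least one writable domain controller is published as a name server for the zone (rule [1] of the SOA selection model), and lists recent 4015 events. It assumes the ActiveDirectory and DnsClient modules are available, and the zone name is a constructed placeholder.

```powershell
# Added example: audit RODC DNS RSO settings. Assumes an elevated session on the RODC
# with the ActiveDirectory and DnsClient modules; $Zone is a placeholder to replace.
param([string]$Zone = 'corp.example.com')

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Documented bounds and defaults from the text above; $null means no bound is documented.
# A value that is absent from the registry means the default applies.
$settings = @(
    @{ Name='EnableRSOForRODC';               Min=$null; Max=$null;    Default='True (1)' },
    @{ Name='DsRemoteReplicationDelay';       Min=5;     Max=3600;     Default=30  },
    @{ Name='DsPollingInterval';              Min=30;    Max=$null;    Default=180 },
    @{ Name='MaximumRodcRsoQueueLength';      Min=1;     Max=1000000;  Default=300 },
    @{ Name='MaximumRodcRsoAttemptsPerCycle'; Min=1;     Max=1000000;  Default=100 }
)
foreach ($s in $settings) {
    $v = $props.($s.Name)
    if ($null -eq $v) { "{0,-32} not set (default {1})" -f $s.Name, $s.Default; continue }
    $flag = ''
    if ($null -ne $s.Min -and $v -lt $s.Min) { $flag = ' <- below documented minimum' }
    if ($null -ne $s.Max -and $v -gt $s.Max) { $flag = ' <- above documented maximum' }
    "{0,-32} {1}{2}" -f $s.Name, $v, $flag
}

# Window before the RODC attempts the RSO: best case the delay itself, worst case the
# delay plus one polling interval (30..210 s with defaults, 5..35 s with the minimums).
$delay = if ($props.DsRemoteReplicationDelay) { $props.DsRemoteReplicationDelay } else { 30 }
$poll  = if ($props.DsPollingInterval)        { $props.DsPollingInterval }        else { 180 }
"RSO attempt window for this RODC: {0}s to {1}s" -f $delay, ($delay + $poll)

# Rule [1]: a writable DC must be published as NS for the zone, otherwise RSO cannot work.
$ns = (Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop |
       Where-Object Type -eq 'NS').NameHost
$writable = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
            Where-Object { $ns -contains $_.HostName }
if ($writable) {
    $writable | ForEach-Object { "Writable DC published as NS: {0} ({1})" -f $_.HostName, $_.OperatingSystem }
} else {
    "WARNING: no writable DC is registered as NS for $Zone; expect Event ID 4015 and delayed updates"
}

# Recent RSO failures recorded in the DNS Server log of this RODC.
Get-WinEvent -FilterHashtable @{ LogName='DNS Server'; Id=4015 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The NS check reports the operating system of each writable DC so you can confirm one of them is Windows Server 2008 or later, which rule [1] requires.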
Published By
S.G.Godwin Dinesh.MCA
Sr.System Administrator