Time
1 hour 40 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

Managing Read Only Domain Controller Credentials

This lesson covers managing read-only domain controller (RODC) credentials. Read-only domain controllers replicate only by communicating with a writable domain controller. A read-only domain controller has limited capabilities because it is read-only. To make sure users can authenticate, we need to manage information via the writable domain controller. In this lab-based lesson, participants learn step-by-step instructions on how to manage read-only domain controller credentials and can follow along with the instructor as he goes through the steps on the screen.

Video Transcription

00:04
Read-only domain controllers are managed a little bit differently than our standard domain controllers. Remember, our standard writable domain controllers have replication amongst themselves, and they do this automatically. Read-only domain controllers, on the other hand, actually only replicate by communicating with a writable domain controller at or above the level of the operating system that is on the read-only domain controller.
00:24
So, in other words,
00:26
a read-only domain controller
00:27
has limited capabilities that we actually need to deal with. So, hence the term read-only.
00:33
Remember that the database that it's gonna work off of for Active Directory is a read-only copy. Now that it's read-only, we want to make sure that our users
00:41
can successfully authenticate against the read-only domain controller.
00:45
To do that, we actually need to manage information through our writable domain controller. So here we are on our
00:51
master domain controller, or just say, one of our domain controllers, so outside.
00:55
We need to
00:56
go through a few steps to actually get set up for this. First thing we need to do is get our
01:00
Active Directory Users and Computers, so go ahead, open up
01:03
Active Directory Users and Computers console
01:06
off of our Server Manager.
01:07
You can create your own environment here. If you want that, have your own embassies
01:11
and we need to actually
01:14
drill down in our infrastructure. Here, take a look at a few things.
01:18
First thing we want to do is make sure that
01:19
we actually are properly set up here. So we actually have Domain Controllers information here, and Users. We'll go look at
01:26
So first thing we're gonna do here is look at our Users, and we have
01:30
an Allowed RODC Password Replication Group.
01:34
If you double-click on that, by default it will have no members.
01:38
So that's the way it's supposed to be.
01:41
And remember, when we actually installed the RODC, there were
01:44
certain groups that were actually made members of
01:47
the Deny group. So without Willis will be here includes things like administrators, domain controllers, RODCs, et cetera.
01:55
So go ahead,
01:56
close out of that. We know that's set up. So
01:59
now we actually want to, say,
02:00
take a look at creating a group, a security group, to put into the Allowed. So we basically want to populate this with security groups. So let's start with, for example,
02:08
let's say Research is off site. It's a really campus is gonna open up Research here,
02:14
and first thing we'll do is create a security group for this purpose. So we're gonna right-click on Research there,
02:21
like I do
02:22
a quick God
02:23
group
02:24
and we'll give it a name. Let's call it, say, uh, how about
02:30
Research
02:31
RODC?
02:34
So we're gonna do Research RODC,
02:37
and
02:38
notice the group name (pre-Windows 2000) is prepopulated for us. And we want to go ahead and keep that
02:43
scope as Global. We could do domain local or we could do universal. But for the purpose of what we're doing here, we're just gonna go ahead and leave it as Global. And obviously it's a security group, not a distribution group.
02:53
You go ahead, click on OK.
02:54
So now we've actually created a security group. So if we have a security group
02:59
that we're going to allow the passwords to replicate to the RODC from, well, first we need to populate that security group. Just go ahead, open up the security group here. Double-click on that.
03:08
OK, we want to go ahead,
03:09
add some members in here. So it's right
03:12
on the Members tab.
03:14
Open that up.
03:15
Oh, God!
03:15
Add.
03:17
And we could click on Advanced here, go down a list to choose who we want, or we could start typing in names. Doesn't matter, whatever order you want to do it in. Um, let's go ahead, we'll put in, say,
03:30
Chris,
03:30
Check Names. So there's
03:32
Chris, and we want to be sure we get the right one. So if we take a look at it says what the What did research here? That's what.
03:38
Let's take this Chris here.
03:42
Yeah, let's go ahead and put in
03:45
Louise.
03:47
There's another name.
03:50
Add.
03:51
We'll go ahead,
03:52
put in
03:53
Frieda.
03:54
So
03:57
put in these three users,
03:59
but it is Benny's Wanna refuse? What? Remember, we could have just one user of this. We use a security group. So if we need to add more people to the RODC, we could do it as we go.
04:09
So we go ahead, get those in here, and then we're gonna click on OK. And now we have members that are part of our RODC security group, our Research RODC security group, which is then going to be added to the allowed security groups on the RODC. We're gonna click on OK.
04:25
So we now have users in a security group. Now we need to get this,
04:29
uh, actually
04:30
associated properly with our environment. So
04:33
on our Domain Controllers OU, right,
04:35
take a look here. We'll go to our actual RODC and go ahead, open it up,
04:42
and we have
04:43
under there, we actually have a tab that says Password Replication Policy. So we're going to click on that tab
04:47
and notice we actually have a list here already of Denied and Allowed. Notice there's the Allowed RODC Password Replication Group, right?
04:57
So we have that. So, ah, we have Allowed there. And we can actually
05:00
add another group in here
05:02
so we can actually add another group in here. We could add a group to a group. Either way we want to do it, it's strictly up to us.
05:09
And we could actually
05:10
go ahead, put a
05:12
obviously we want to. We could actually put the
05:15
Allowed RODC Password security group,
05:17
put a security group inside of a security group. That's certainly one approach we could take.
05:24
And we actually
05:25
want to deal with that in terms of
05:28
how it actually functions as an environment. So we have the Password Replication group. We actually have our
05:33
Research RODC group, and now we want to go ahead
05:38
and
05:39
go ahead in this Password Replication Policy. We're gonna go click on Add here. We're gonna add the new security group
05:44
and that says allow passwords for the account.
05:47
It'll actually be accounts, obviously, because of security
05:49
account to replicate to this RODC. So click
05:54
OK there, click
05:56
OK.
05:57
It says Users, Computers, Service Accounts, or Groups, so security groups, security principals. This one we'd put in Research, right? So,
06:04
David, Research, Check Names. We want that Research
06:09
RODC
06:10
group here, so we go ahead, select that one.
06:14
Click on OK,
06:16
click on OK.
06:17
And we're allowing
06:19
the Research RODC group
06:23
to replicate here.
06:24
So at that stage, we've now actually allowed the replication. So the next thing to do is actually take a look here at our Advanced tab,
06:32
and it shows
06:33
who's replicated. So we have, ah, one user that's already replicated here from a different group. But that's OK.
06:40
And we also have a constant of it. Authenticated the street a little bit controller decisional e d See, a counsellor replicated ST LL. It'd really to make a troller.
06:48
And obviously we want to see if anyone has people is going to be allowed. So we have a resultant set of policy, Resultant Policy tab here.
06:57
If we click on Add,
06:58
right,
07:00
yeah, let's go ahead, type in Louise, right, and click on Check Names.
07:04
OK.
07:06
It tells us
07:09
Louise
07:10
has a deny.
07:12
So
07:13
what we have is the implicit deny.
07:15
If we go ahead and type in another member of that group,
07:18
we'll type in, in this case,
07:21
Frieda.
07:24
Guys,
07:25
Check Names.
07:27
Click on OK. So we have an implicit deny on these people. So we actually have to take into account what we have in terms of the implicit deny. We actually have to
07:34
fix that problem. So the problem that we actually have to fix is
07:40
the deny problem.
07:41
Remember, what we did was we actually added a few things here, but did we actually put the security group
07:46
into the security group?
07:48
No. If you want to say if you come back down to our
07:53
actual Users group here
07:55
and actually let me go ahead,
07:58
close out of the windows we have opened here
08:03
as it
08:05
go back to our security group.
08:05
So we have
08:07
our
08:09
security groups, right?
08:11
Our Allowed RODC Password Replication.
08:13
Do we, eh, actually
08:16
add our security group for the Research
08:20
RODC in here.
08:22
So you do Research, do Check Names. There's our Research RODC. Click on OK.
08:26
So if I added them to the
08:28
Allowed
08:31
RODC Password Replication
08:33
versus the Deny one.
08:35
So I would come back to our RODC
08:37
and
08:39
go back to our Password Replication Policy,
08:41
and we'll go back to our Advanced tab here.
08:45
We'll check our resultant set of policy here,
08:46
click on Add.
08:48
Go ahead, do
08:50
Frieda,
08:52
Check Names,
08:54
click on OK.
08:56
And now we have Allowed.
08:56
So remember, it's implicit deny. So Alicia should put them in the actual Allowed group. Even though we added a group,
09:05
they're actually a member of the Allowed group also.
09:07
So there's a Policy Usage. So you go ahead,
09:09
look at the Policy Usage tab, and we can actually now, for example,
09:15
take and prepopulate the password for,
09:18
for example, our IT person that might actually be doing it. But in this particular case, we're gonna go ahead and let
09:24
Chris
09:26
be the one that actually initially installs our environment. So there's Chris. We want the one in Research. That's the one right here,
09:33
and click on OK.
09:39
It says, do you wish to set the current password accounts? We say,
09:43
obviously,
09:43
we want that, to actually have their passwords
09:46
prepopulated on the RODC. So when we actually bring it up and running initially in their environment, somebody actually is capable of doing that. So we go ahead, Yes.
09:54
It says
09:54
they were prepopulated. OK. And now you should notice that Chris is actually on our list.
10:00
Good.
10:01
I think you're right. Close out of this
10:03
and
10:03
click OK here. And we could close out of Active Directory Users and Computers.
10:07
That's what we need to do to actually get our RODC
10:11
credential caching configured. We obviously would do multiple steps if we needed to
10:16
for each individual RODC environment that we're working with. So that gives us our
10:22
users
10:22
get assigned to a security group. That security group gets assigned to the
10:26
Allowed RODC
10:28
security group.
10:30
Uh, actually, it's Allowed RODC Password Replication. Boss is secure
10:33
so that they get assigned to that. And then we could prepopulate passwords for
10:37
the users that we need to prepopulate on that RODC, so that when they initially go to log on, they don't get
10:43
a rejection message in terms of their authentication of the credentials.

Up Next

Microsoft Active Directory Domain Services

Module 2 explains how to implement virtualized domain controllers and read-only domain controller (RODCs)

Instructed By

Michael Boberg
CEO of Broadline Enterprises, LLC
Instructor