What a mouthful. Starting with the notion of the Read-Only Domain Controller (RODC). There's a new tool for prepping a machine to be an RODC. If no accounts are cached on the RODC (which is the default) the machine is very secure; the RODC never replicates out to other DCs, since replication is one-way and the RODC is only ever the recipient. It does not require that a domain admin ever log on to the machine, so it sounds like this is a great machine to put in a branch location where there is no IT admin staff… hmmmm… wonder if there are applications for us at the University.
Fine-grained password policy can be applied to global security groups or to individual users, so we no longer need the same password policy for the whole domain. Where there is overlap and multiple policies would apply to the same person, a precedence algorithm decides which one wins. Password settings cannot be applied to OUs.
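As an added illustration (not from the session or the original post), here is how two overlapping fine-grained password policies and their precedence look in practice, using the ActiveDirectory PowerShell module (which assumes a Server 2008 R2 or later management host; the group and account names are assumptions):

```powershell
Import-Module ActiveDirectory

# Strict policy for privileged accounts. When several PSOs apply to one user,
# the PSO with the LOWEST Precedence value wins (a PSO linked directly to the
# user beats any group-linked PSO).
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedAccounts" -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge "60.00:00:00" -MinPasswordAge "1.00:00:00" `
    -LockoutThreshold 5 -LockoutObservationWindow "00:30:00" -LockoutDuration "00:30:00" `
    -ReversibleEncryptionEnabled $false

# Looser baseline for ordinary staff; higher Precedence number, so it loses to
# the privileged PSO wherever both apply.
New-ADFineGrainedPasswordPolicy -Name "PSO-Staff" -Precedence 100 `
    -MinPasswordLength 12 -PasswordHistoryCount 12 -ComplexityEnabled $true `
    -MaxPasswordAge "180.00:00:00" -MinPasswordAge "1.00:00:00" `
    -LockoutThreshold 10 -LockoutObservationWindow "00:30:00" -LockoutDuration "00:30:00" `
    -ReversibleEncryptionEnabled $false

# PSOs link only to users and global security groups, never to OUs.
# "Domain Admins" is built in; "All-Staff" is an assumed group name.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedAccounts" -Subjects "Domain Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Staff" -Subjects "All-Staff"

# Check which policy actually wins for someone who is in both groups ("jdoe" is an assumed account).
Get-ADUserResultantPasswordPolicy -Identity "jdoe" | Select-Object Name, Precedence, MinPasswordLength
```

Fine-grained policies require the domain functional level to be Windows Server 2008 or higher; the resultant-policy query is the quickest way to confirm the precedence outcome rather than guessing at it.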
Apparently we really ought to regularly back up our DCs…