dsccommunity / ActiveDirectoryDsc

This module contains DSC resources for deployment and configuration of Active Directory Domain Services.
MIT License

ADReadOnlyDomainControllerAccount: New resource proposal #711

Closed Borgquite closed 1 month ago

Borgquite commented 3 months ago

Resource proposal

Continuing the discussion from #40 - I can let you know of a need for support for Add-ADDSReadOnlyDomainControllerAccount to implement a pre-staged account for an RODC.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller--rodc---level-200-

The situation would be to reduce the exposure of Domain Admin level privileges on DSC configurations stored on an RODC. Consider:

  1. Configuration on an RWDC (in a secure location) - prestaging ADReadOnlyDomainControllerAccount resource in advance, including specifying the DelegatedAdministratorAccountName parameter to allow delegation. Running this resource requires Domain Admin privileges in the configuration.
  2. Configuration on an RODC (in a less secure location) - joining the domain via DSC configuration, using an ADDomainController resource with the account pre-created by ADReadOnlyDomainControllerAccount. Running this resource can be done with a less privileged account, and therefore there is no longer a need to store Domain Admin privileged credentials in a configuration on an RODC. This is more secure for initial configuration, and also allows the same configuration to be left on the RODC to check for drift.

If such a resource would be accepted, I am happy to implement. Originally I thought it would be best to include in the ADComputer resource. However, I can now see that the basic code is going to look much more like ADDomainController - since Install-ADDSDomainController and Add-ADDSReadOnlyDomainControllerAccount are within the same PowerShell module and have extremely similar syntax, including the need for code to update SiteName/AllowPasswordReplicationAccountName, DelegatedAdministratorAccountName, DenyPasswordReplicationAccountName attributes. It should be fairly simple for me to duplicate the ADDomainController syntax / tests etc. to stand up the new ADReadOnlyDomainControllerAccount resource.

I'm very happy to get on and do this, provided I can count on the relevant people's support to get it merged in the end - @johlju?

Proposed properties

The same attributes as ADDomainController, without any unsupported by Add-ADDSReadOnlyDomainControllerAccount.

https://learn.microsoft.com/en-us/powershell/module/addsdeployment/add-addsreadonlydomaincontrolleraccount?view=windowsserver2022-ps

Special considerations or limitations

Should work as described.
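The two-stage flow the proposal describes, written out against the underlying ADDSDeployment cmdlets rather than the proposed DSC resource. This is an added example, not code from the issue or from ActiveDirectoryDsc; the domain name, RODC name, site name and group names are constructed placeholders.

```powershell
# Added example (not from the issue or the module). Stage 1 runs on a writable DC
# in the secure location with Domain Admin rights; stage 2 runs on the branch
# server with only the delegated account, so no Domain Admin credential ever
# has to live in a configuration stored on the RODC.
# Constructed names: corp.example, RODC01, Branch-Site, CORP\rodc-admins, CORP\Branch-Users.

Import-Module ADDSDeployment
Import-Module ActiveDirectory

# --- Stage 1 (RWDC, Domain Admin): pre-stage the RODC account ---
# DelegatedAdministratorAccountName is what later lets a non-Domain-Admin
# attach a server to this account.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'RODC01' `
    -DomainName 'corp.example' `
    -SiteName 'Branch-Site' `
    -DelegatedAdministratorAccountName 'CORP\rodc-admins' `
    -AllowPasswordReplicationAccountName @('CORP\Branch-Users') `
    -Credential (Get-Credential -Message 'Domain Admin for pre-staging')

# Verify the delegation landed where expected before handing off: the delegated
# administrator is stored in the computer object's managedBy attribute, and a
# pre-staged RODC account carries primaryGroupID 521 (Read-only Domain Controllers).
Get-ADComputer -Identity 'RODC01' -Properties managedBy, primaryGroupID |
    Select-Object Name, managedBy, primaryGroupID

# --- Stage 2 (branch server, member of CORP\rodc-admins): attach to the account ---
# -UseExistingAccount tells the promotion to bind to the pre-staged RODC01
# object instead of creating a new DC account, which is why Domain Admin
# rights are not needed here.
Install-ADDSDomainController `
    -DomainName 'corp.example' `
    -UseExistingAccount `
    -Credential (Get-Credential -Message 'Delegated RODC admin (CORP\rodc-admins member)') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password') `
    -InstallDns `
    -Force
```

The Stage 2 credential is the only one that would need to be present on the branch server, which is the exposure reduction the proposal is after; the DSC resource would wrap Stage 1 so it can be declared and drift-checked from the secure side.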

johlju commented 3 months ago

I'm good with it. Since it is a new resource, there is nothing breaking, and you concluded that it must be its own resource; it cannot be implemented in an existing resource.

So if you send in a PR with the corresponding unit test I will review and merge.

johlju commented 3 months ago

@Borgquite ping me in the PR if I forget to review.