Read Only Domain Controllers – What are they?


Read Only Domain Controllers, or RODCs, are a new type of domain controller introduced with Windows Server 2008. One of the main applications of an RODC is serving the remote or satellite offices of an organization.

Example: imagine this scenario. Main site: Atlanta (main DC); Toronto (2nd DC); Mexico City (3rd DC). You now open a branch office in Miami with a few users. An RODC is a great candidate for the Miami office: you don't need an IT expert in Miami, and with an RODC, user authentication, GPO resources and other AD database functions will be accessible much more quickly and with more security.

In terms of security, here are 4 advantages of an RODC:
* Unidirectional replication (RODCs can replicate changes inbound but outbound replication does not occur)
* Special krbtgt account. Each RODC has a special krbtgt account that also helps to restrict malicious updates from affecting the rest of the forest
* Password Replication Policy (PRP). Each RODC has a PRP that, by default, does not allow any passwords to be cached on the RODC
* RODC filtered attribute set (FAS). You can also restrict which application data can replicate to RODCs in your forest by adding attributes to the RODC FAS and marking them as confidential

An RODC can be implemented in a Windows Server 2003 domain infrastructure, but you must have a writable Windows Server 2008 domain controller installed, because an RODC must replicate domain data from a domain controller running Windows Server 2008.

Replication is the most important consideration for determining where to place RODCs.

More details here…

Read this segment extracted from the TechNet site:

***
Writable domain controllers running Windows Server 2008 and domain controllers running Windows Server 2003 can perform inbound and outbound replication of all available partitions. Therefore, they do not require the same placement considerations that RODCs require.

Because an RODC can replicate the domain partition only from a writable domain controller running Windows Server 2008, the placement of each becomes important and requires careful planning. The placement of an RODC and writable domain controllers running Windows Server 2008 might be affected by the site topology and network constraints.

Each RODC requires a writable domain controller running Windows Server 2008 for the same domain from which the RODC can directly replicate. Typically, this requires that a writable domain controller running Windows Server 2008 be placed in the nearest site in the topology. The nearest site in this sense is defined as the site that has the lowest-cost site link for the site that includes the RODC.

For example, suppose you have Sites A, B, and C with site links A – B and B – C and the Bridge all site links option is disabled, as shown in the following figure. In order to put an RODC in Site C, a domain controller running Windows Server 2008 for the same domain should be placed in Site B to replicate the domain partition to the RODC. Placing only a domain controller running Windows Server 2003 in Site B would permit the RODC in Site C to replicate the schema, configuration, and application directory partitions, but not the domain partition.
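The placement rule in the excerpt above, worked through in code. This is an added example, not from the original post or from TechNet: the site names A, B and C and the link costs are constructed, the DC inventory is assumed, and the bridged (transitive) case goes beyond the excerpt, which only describes bridging disabled.

```python
import heapq

# Constructed topology matching the TechNet example: site links A-B and B-C.
# The excerpt gives no costs, so equal assumed costs are used.
SITE_LINKS = [("A", "B", 100), ("B", "C", 100)]

# Assumed DC inventory: (site, OS, is_writable). "2008" stands for a writable
# Windows Server 2008 DC of the same domain as the planned RODC.
DCS = [("A", "2008", True), ("B", "2003", True)]


def reachable_sites(site, links, bridge_all):
    """Return {site: cost} of sites an RODC in `site` may replicate from.
    With 'Bridge all site links' disabled only directly linked sites count;
    with it enabled, links are transitive and cost is the cheapest path."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    if not bridge_all:
        return dict(adj.get(site, {}))
    dist = {site: 0}
    heap = [(0, site)]
    while heap:  # Dijkstra over site-link costs
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adj.get(u, {}).items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (dist[v], v))
    dist.pop(site)
    return dist


def domain_replication_source(rodc_site, links, dcs, bridge_all=False):
    """Nearest (lowest-cost) site holding a writable Windows Server 2008 DC.
    Returns None when no such site is reachable: the RODC would still get
    schema, configuration and application partitions from a 2003 DC, but
    not the domain partition, which is exactly the failure the text warns about."""
    eligible = {s for s, os_ver, writable in dcs if os_ver == "2008" and writable}
    candidates = [(cost, s) for s, cost in
                  reachable_sites(rodc_site, links, bridge_all).items() if s in eligible]
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    print(domain_replication_source("C", SITE_LINKS, DCS))  # None: B is only 2003
```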

There is so much more to read about RODCs; you can continue reading on this RODC TechNet link.
