One of the most touted features of Windows Server 2008 is the Read-Only Domain Controller (RODC). An RODC is a domain controller deployed after a traditional (writable) domain controller already exists; it holds read-only copies of the schema, configuration, domain and application directory partitions of the Active Directory database, along with the partial attribute set.

The intended uses of the RODC include processing log-on requests for remote sites, sites where the physical environment is insecure, sites with poor network connections to the main offices, and any other scenario where a domain controller would be required but a writable one is undesirable.

Planning to implement the RODC

There are two critical planning points around deciding to implement the RODC. The first is whether the core installation will be used for the RODC operating system; the second is the password caching replication policy for the RODC. The policy defines which users and computer objects can cache their password locally on the domain controller.

The intended design of the RODC is that a branch office with unreliable network connectivity permits only the users and computers local to that facility to cache their passwords on the RODC.

Another configuration is to explicitly prohibit certain groups (such as the domain admins group) or accounts with elevated permissions from caching their passwords on the RODC. Check out TechNet for additional information about the password policies specific to the RODC.

Setting up the RODC

The set-up process for the RODC is very easy and hardly distinguishable from the normal dcpromo process to add a domain controller -- except for the single option to enable the RODC, as shown below.

Once the set-up of the newly added RODC is complete, you need to reboot and then the system is ready to go with the configured role. Within Active Directory Users And Computers, the RODC type is shown below to designate its difference from other domain controllers.
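The password caching replication policy described in the planning section above, and the check that a newly promoted server really is an RODC, can both be handled from PowerShell. The following is an added example, not code from the original article or from Microsoft; it assumes the ActiveDirectory PowerShell module is available (shipped with Windows Server 2008 R2 and RSAT, not with the original Windows Server 2008 release), and the RODC name `RODC01` and the group name `Branch-Sydney-Users` are placeholders for the reader's own environment.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module; RODC01 and Branch-Sydney-Users are placeholder names.
Import-Module ActiveDirectory

$Rodc        = 'RODC01'               # placeholder: name of the read-only domain controller
$BranchGroup = 'Branch-Sydney-Users'  # placeholder: group holding the branch's own users and computers

# 1. Confirm the server really is an RODC before touching its policy.
$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) { throw "$Rodc is not a read-only domain controller" }

# 2. Allow only the branch's own users and computers to have their secrets cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# 3. Explicitly deny privileged groups. A deny entry wins over an allow entry
#    when an account matches both, so this is safe even if a privileged user
#    is accidentally added to the branch group.
$Privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $Privileged

# 4. Review the resulting policy on the RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, ObjectClass

# 5. Audit which accounts' secrets are actually stored on the RODC, and warn
#    about any that belong to a privileged group. This is what would be exposed
#    if the RODC itself were stolen or compromised.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
foreach ($acct in $revealed) {
    $groups = (Get-ADPrincipalGroupMembership -Identity $acct).Name
    $hit = $groups | Where-Object { $Privileged -contains $_ }
    if ($hit) {
        Write-Warning "$($acct.SamAccountName) is cached on $Rodc but belongs to: $($hit -join ', ')"
    }
}
```

Active Directory also creates the built-in groups "Allowed RODC Password Replication Group" and "Denied RODC Password Replication Group" when the first RODC is prepared; the steps above add a site-specific allow group and an explicit deny list on top of those defaults, and step 5 is worth scheduling periodically so that cached privileged credentials are noticed rather than assumed absent.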

Replication and DNS integration

The RODC has unique behaviour that deserves some consideration in the areas of replication and DNS integration. Replication involving an RODC is always one way, up the hierarchy from the RODC to a writable domain controller, which means one RODC can never replicate to or from another RODC. Likewise, Active Directory integrated DNS zones hosted on an RODC must be able to register entries upward to a traditional domain controller running DNS in an Active Directory integrated zone.

Overall, the RODC is a welcome addition to the Windows Server line. It optimises bandwidth in situations where frequent log-on requests are processed over slow or unreliable connections.

This was published in Serverside.
