One of the most touted features of Windows Server 2008 is the Read-Only Domain Controller (RODC). An RODC is a domain controller added to an existing domain (the domain must already contain at least one writable Windows Server 2008 domain controller) that holds a read-only copy of the schema, configuration, domain and application directory partitions. Two things are deliberately left out of that copy: account secrets such as passwords, which are stored only for the accounts its Password Replication Policy permits, and any attributes an administrator has placed in the RODC filtered attribute set.

Intended uses of the RODC include servicing logon requests for remote sites, sites whose physical security cannot be guaranteed, sites with poor network connections to the main data centre, and any other scenario where a local domain controller is needed but a writable copy of the directory should not leave the data centre.

Planning to implement the RODC

There are two critical planning points when deciding to implement an RODC. The first is whether the RODC will run on a Server Core installation, which removes the GUI and much of the attack surface from a server that may sit unattended in a branch office; the second is the Password Replication Policy (PRP). The PRP defines which user and computer accounts may have their passwords (and other secrets) cached on that RODC; every other account is authenticated by forwarding the request to a writable domain controller.

The intended design is that a branch office with unreliable connectivity permits only the users and computers local to that facility to cache passwords on its RODC. That keeps the branch working through a WAN outage while limiting what an attacker learns if the server is stolen: only the cached accounts are exposed, and if the server is lost, deleting its computer object in Active Directory Users and Computers offers to reset every password it had cached.

Another configuration is to explicitly prohibit groups with elevated permissions from caching their passwords on the RODC. By default the Denied RODC Password Replication Group already contains Domain Admins, Enterprise Admins, Schema Admins and similar groups, and a deny entry always overrides an allow entry, so the rule to enforce is that no account with rights beyond the branch is ever added to the allowed list. Check out TechNet for additional information about the password replication policy specific to the RODC.
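The following PowerShell is an added example and not code from the original article. It assumes the RSAT ActiveDirectory module (shipped with Windows Server 2008 R2 and the Windows 7 RSAT, which can manage a Windows Server 2008 RODC), an RODC named RODC01, and hypothetical branch groups "Branch01 Users" and "Branch01 Workstations". It sets the allowed list, prints the effective policy, and then audits which accounts have actually had their secrets revealed to the RODC against a list of privileged groups.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module and an RODC named RODC01; the group names "Branch01 Users" and
# "Branch01 Workstations" are hypothetical.
Import-Module ActiveDirectory

$rodc = 'RODC01'

# 1. Allow only the branch's own users and workstations to have their secrets cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch01 Users', 'Branch01 Workstations'

# 2. Show the effective policy. Domain Admins, Enterprise Admins, Schema Admins,
#    krbtgt and similar accounts are already in the Denied RODC Password
#    Replication Group by default, and deny overrides allow.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# 3. Audit: which accounts have actually had their secrets revealed to this RODC,
#    and do any of them sit in a privileged group? Those are the credentials an
#    attacker gets if the branch server is stolen or compromised.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

foreach ($account in $revealed) {
    # Direct group membership only; nested membership needs a recursive lookup.
    $groups = Get-ADPrincipalGroupMembership -Identity $account | Select-Object -ExpandProperty Name
    $hits   = $groups | Where-Object { $privileged -contains $_ }
    if ($hits) {
        Write-Warning ("{0} is cached on {1} but is a member of: {2}" -f
            $account.SamAccountName, $rodc, ($hits -join ', '))
    }
}
```

Run the audit periodically rather than once: the revealed list grows every time a newly allowed account authenticates at the branch, and a warning here means that account's password should be reset and the allowed list corrected.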

Setting up the RODC

The set-up process for the RODC is very easy and hardly distinguishable from the normal dcpromo process for adding a domain controller, except for the single "Read-only domain controller (RODC)" option on the additional domain controller options page (the screenshot from the original article is not reproduced here).

Once the set-up of the newly added RODC is complete, you need to reboot, and then the system is ready to go with the configured role. Within Active Directory Users and Computers, the Domain Controllers container shows the RODC as a read-only domain controller, designating its difference from writable domain controllers (the screenshot from the original article is not reproduced here).
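The same promotion can be scripted with a dcpromo answer file, which is how a branch server would typically be built without an administrator walking through the wizard. The PowerShell below is an added example, not code from the original article; it assumes the domain corp.example.com (NetBIOS name CORP), a site named Branch01, and hypothetical groups "Branch01 Users" and "Branch01 Server Admins", and it is run on the future RODC by an account allowed to add domain controllers.

```powershell
# Added example, not from the original article. Assumes domain corp.example.com
# (NetBIOS CORP), site Branch01, and the hypothetical groups named below.
# Alternative: pre-create the RODC account in ADUC and run
#   dcpromo /UseExistingAccount:Attach /unattend:<file>
# so that a delegated branch admin can finish the promotion without domain admin rights.

$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'

# The DSRM password must be in the answer file, so prompt for it instead of
# embedding it in the script, and delete the file as soon as dcpromo has finished.
$dsrm = Read-Host 'Directory Services Restore Mode password'

@"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch01
InstallDNS=Yes
ConfirmGc=Yes
; Cache secrets only for branch accounts; deny privileged groups explicitly,
; even though the default Denied RODC Password Replication Group already covers them.
PasswordReplicationAllowed="CORP\Branch01 Users"
PasswordReplicationDenied="CORP\Domain Admins"
; Branch staff who may administer this server without being domain admins.
DelegatedAdmin="CORP\Branch01 Server Admins"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
UserDomain=corp.example.com
UserName=Administrator
; "*" makes dcpromo prompt for the credential instead of storing it on disk.
Password=*
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

# dcpromo is a GUI-subsystem executable, so wait for it explicitly.
Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:$answerFile" -Wait

# Remove the file (it held the DSRM password) before the reboot that completes the role.
Remove-Item -Path $answerFile -Force
Restart-Computer
```

RebootOnCompletion=No is deliberate: it lets the script destroy the answer file before the restart. The UserName value is an assumption; use whichever account is permitted to add domain controllers in your domain.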

Replication and DNS integration

The RODC has unique behaviour that deserves some consideration in the areas of replication and DNS integration. Replication is one way, inbound only: the RODC pulls changes from a writable Windows Server 2008 domain controller and never sources outbound replication, so nothing written locally, including anything an attacker changes on a compromised RODC, propagates back into the forest. A consequence is that an RODC cannot replicate from another RODC; each one needs a writable partner it can reach. Active Directory-integrated DNS zones hosted on an RODC are likewise read-only. Branch clients can resolve names against the RODC, but a dynamic update is referred, through the zone's SOA record, to a writable domain controller running DNS, which the client must be able to reach; the RODC then requests that single updated record so the branch sees it promptly. If the WAN is down, name resolution continues but dynamic registrations fail until the link returns.
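A few checks confirm that an RODC behaves the way the paragraph above describes. The PowerShell below is an added example, not code from the original article; it assumes RODC01 is the RODC, DC01 a writable domain controller, corp.example.com the AD-integrated zone, and that the RSAT ActiveDirectory module and repadmin are available.

```powershell
# Added example, not from the original article. Assumes RODC01 (read-only),
# DC01 (writable) and the zone corp.example.com; names are placeholders.
Import-Module ActiveDirectory

$rodc     = 'RODC01'
$writable = 'DC01'
$zone     = 'corp.example.com'

# 1. The directory itself should flag the server as read-only.
Get-ADDomainController -Identity $rodc | Select-Object Name, IsReadOnly, Site

# 2. Inbound-only replication: the RODC has inbound neighbours, but no writable DC
#    should ever list the RODC as one of its own inbound sources.
repadmin /showrepl $rodc
$asSource = repadmin /showrepl $writable | Select-String -SimpleMatch $rodc
if ($asSource) {
    Write-Warning "$writable reports $rodc as an inbound replication source; an RODC must never be one."
} else {
    "$writable has no inbound connection from $rodc (expected)."
}

# 3. DNS referral: the SOA returned by the RODC names a writable DC as primary
#    master, which is where branch clients are sent for dynamic updates.
$soa = nslookup -type=SOA $zone $rodc 2>$null | Select-String -SimpleMatch 'primary name server'
$soa
if ($soa -and ($soa.ToString() -match $rodc)) {
    Write-Warning "$rodc names itself as primary master; dynamic updates would have nowhere to go."
}

# 4. Dynamic updates need a path to that writable DC, so check the link the
#    referral depends on. Resolution keeps working on the RODC even if this fails.
if (-not (Test-Connection -ComputerName $writable -Count 1 -Quiet)) {
    Write-Warning "$writable unreachable: branch DNS registrations will fail until the WAN returns."
}
```

Step 2 is the one worth automating: an RODC that shows up as a replication source on a writable DC means the server is not actually an RODC, and the isolation the design promises is gone.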

Overall, the RODC is a welcome addition to the Windows Server line. It reduces WAN traffic where frequent logon requests would otherwise cross slow or unreliable connections, and it limits the damage a lost or compromised branch domain controller can do.

This was published in Serverside; check every Tuesday for more stories.
