Read only Domain Controllers in Windows Server 2008
May 13, 2008 8:00 am | Active Directory, Windows Server Operating Systems
The Domain Controller has been a cornerstone of Windows networking as far back as Windows NT. While the functionality of the Domain Controller has evolved from the primary and backup configuration in NT to the flexible single master of operations model used with Active Directory, the Domain Controller remains the central concept in Windows Server 2008.
In Windows Server 2008, however, the Domain Controller concept has been extended to allow read only Domain Controllers. These are Domain Controllers that hold a copy of the Active Directory information but do not allow that information to be changed through the read only DC.
For example, suppose a company has a large corporate office where the network consists of three Domain Controllers, two member servers, and 100 client PCs and users. The company then decides to open a smaller office about thirty miles away where they will move a few staff members to expand the operation of the company. Because of the small size of the branch office, the company elects to place a read only Domain Controller (RODC) in the branch office to allow most of the AD information to be stored in the branch office without allowing changes made in the branch office to propagate back to the other DCs on the network.
Note: Password information cannot be stored on an RODC, which increases security. When this information is needed for authentication, it is requested from a writeable Domain Controller.
To configure a read only Domain Controller, simply check the read-only Domain Controller box displayed during the Domain Controller installation wizard.
Note: Updates to the directory partition received by an RODC must be pulled from a Domain Controller running Windows Server 2008 in the same domain. The domain and forest must be at least at the Windows Server 2003 functional level.
To configure a read only Domain Controller to also handle DNS for the remote site, you will also need to run the adprep /rodcprep command once per forest so that DNS permissions are updated across all DNS application partitions in the forest.
When using DNS on a read only Domain Controller, be aware that this server cannot register name server resource records for any Active Directory Integrated DNS zones it hosts. When a resource record registration is requested, a referral to another DNS server is returned, allowing the client to complete the registration through a writeable Domain Controller.
Note: A read only Domain Controller cannot function as a Global Catalog server because the GC requires a writeable Domain Controller.
There are several restrictions that come into play when deploying read only Domain Controllers; however, they can be deployed with little worry in offices that may not be as physically secure as required for a fully writeable copy of Active Directory.
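The notes above list the prerequisites an RODC deployment depends on: domain and forest functional level of at least Windows Server 2003, and a writeable Windows Server 2008 DC in the same domain to pull updates from. The following script is an added example, not part of the original article, that checks those prerequisites and lists the RODCs already in the domain; it assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2008 R2 and later) is available, and the function name Test-RodcPrerequisites is made up for this example.

```powershell
# Added example: pre-deployment checks for a read only Domain Controller.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest

    # Functional levels must be at least Windows Server 2003 (compare the enum values).
    $minDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    $minForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $domainOk = [int]$domain.DomainMode -ge [int]$minDomain
    $forestOk = [int]$forest.ForestMode -ge [int]$minForest

    # An RODC pulls directory updates only from a writeable Windows Server 2008
    # (or later) DC in its own domain, so at least one must exist.
    $dcs = Get-ADDomainController -Filter * -Server $DomainName
    $writable2008 = @($dcs | Where-Object {
        -not $_.IsReadOnly -and $_.OperatingSystem -match 'Windows Server (2008|201\d|202\d)'
    })

    # Inventory of existing RODCs: host, site and whether it is flagged as a GC.
    $rodcs = @($dcs | Where-Object { $_.IsReadOnly } | ForEach-Object {
        '{0} (site {1}, GC={2})' -f $_.HostName, $_.Site, $_.IsGlobalCatalog
    })

    [pscustomobject]@{
        Domain                = $domain.DNSRoot
        DomainFunctionalLevel = $domain.DomainMode
        DomainLevelOk         = $domainOk
        ForestFunctionalLevel = $forest.ForestMode
        ForestLevelOk         = $forestOk
        Writable2008PlusDCs   = $writable2008.Count
        ReplicationSourceOk   = $writable2008.Count -gt 0
        ExistingRODCs         = $rodcs
        ReadyForRODC          = $domainOk -and $forestOk -and ($writable2008.Count -gt 0)
    }
}

# Run against the current domain and show the result.
Test-RodcPrerequisites | Format-List
```

Run it from an account that can read the domain before starting the Domain Controller installation wizard; ReadyForRODC is false whenever one of the article's stated prerequisites is not met.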