I was designing AD recently for a project that has approximately 6 remote sites, and someone actually asked me why I do not use one of the new features in Windows 2008 that targets branch offices, the Read Only Domain Controller (RODC), instead of a normal Domain Controller on Windows 2008 Core.
Before we discuss further, let's check out what features RODC provides and see what Microsoft proposes on when to use it.
Features of RODC
- Read-only copy of the Active Directory database (no changes originate on the RODC)
- Only the passwords of users permitted by its Password Replication Policy are cached on the RODC
- Unidirectional replication (from writable DCs to the RODC, never back)
- Administrator role separation (a local admin of the RODC is not a domain admin)
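The second feature above, that only allowed user passwords end up on the RODC, is the one worth checking after deployment, because the Password Replication Policy (PRP) decides whose secrets will actually sit on the branch box. The following script is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2008 R2 and later) and a domain-joined account with read access. For every RODC it lists the PRP allow and deny entries, the accounts whose secrets are currently cached, and flags any Domain Admins member among them.

```powershell
# Added example (not from the original post): audit each RODC's Password
# Replication Policy and report which accounts actually have secrets cached.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Members of Domain Admins, used to flag privileged accounts that should never
# be cached on a branch-office RODC (the default Denied group prevents this).
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# IsReadOnly separates RODCs from writable domain controllers.
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

foreach ($rodc in $rodcs) {
    Write-Host "=== $($rodc.HostName) (site: $($rodc.Site)) ==="

    # Principals the PRP allows to have their passwords cached on this RODC.
    Write-Host '-- Allowed by PRP:'
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
        Select-Object -ExpandProperty Name

    # Principals the PRP explicitly denies; deny always wins over allow.
    Write-Host '-- Denied by PRP:'
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
        Select-Object -ExpandProperty Name

    # Accounts whose password hashes are physically stored on this RODC today.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Host "-- Accounts currently cached: $(@($revealed).Count)"
    $revealed | Select-Object -ExpandProperty SamAccountName

    # Any Domain Admin whose secret is cached here means the PRP was loosened.
    $leaked = $revealed | Where-Object { $domainAdmins -contains $_.SamAccountName }
    if ($leaked) {
        Write-Warning "Privileged accounts cached on $($rodc.HostName): $($leaked.SamAccountName -join ', ')"
    }
}
```

Run it from any domain-joined admin workstation. The Denied list is what keeps Domain Admins, Enterprise Admins and similar accounts off a box whose physical security is in doubt, so a non-empty warning line is the first thing to chase after a branch RODC has been in service for a while.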
Benefits of RODC
Increases security for remote Domain Controllers where physical security cannot be guaranteed
Roles and Services Supported by RODC
ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
After getting to know RODC better, are you able to determine when to use one? Something more for you all to know and consider is that configuring an RODC properly is not as simple as setting one up.
The key point to note when deciding whether to deploy an RODC is the level of SECURITY.
If your remote branch office has a server room that is locked at all times and only authorized personnel are able to access it (physically secured), my advice is not to use an RODC, as it will complicate your future administration. As the key benefit of RODC stated above… an RODC is meant for branch offices which require a local DC for authentication but where physical security cannot be guaranteed.
So.. RODC is a feature for branch offices, but Microsoft never said you must use it for all branch offices! Know the features… know what you need.. and find the right technology to fit! And it must be cost-effective! LOL~