When to use Read-Only Domain Controller (RODC)?

I was recently designing AD for a project with approximately 6 remote sites, and someone asked me why I did not use one of the new Windows Server 2008 features aimed at branch offices, the Read-Only Domain Controller (RODC), instead of a normal Domain Controller on Windows Server 2008 Core.

Before we discuss further, let's check what features an RODC provides and see when Microsoft proposes using it.

Features of RODC

  1. Read Only Active Directory Database
  2. Only the passwords of explicitly allowed users are stored (cached) on the RODC
  3. Unidirectional Replication
  4. Role Separation
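
Feature 2 is the one that decides how much a stolen RODC can leak, so it is worth auditing. The following is an added example (not from the original post) that lists, for every RODC in the domain, its Password Replication Policy allow and deny entries, the accounts whose secrets it has actually cached, and any of those that sit in privileged groups. It assumes the ActiveDirectory PowerShell module (RSAT) and an account permitted to read the RODC computer objects.

```powershell
# Added example: audit each RODC's Password Replication Policy (PRP) and the
# account secrets it has actually cached. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RodcPasswordExposure {
    # Enumerate every read-only DC in the current domain
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

    foreach ($rodc in $rodcs) {
        # Principals the PRP explicitly allows to be cached on this RODC
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
        # Principals the PRP explicitly denies (a Deny entry wins over Allow)
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
        # Accounts whose secrets have actually been revealed to (cached on) this RODC
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

        # Cached accounts that belong to privileged groups are the ones that matter
        # most if the branch-office box is physically compromised.
        $privileged = $revealed | Where-Object {
            $groups = Get-ADPrincipalGroupMembership -Identity $_.DistinguishedName |
                      Select-Object -ExpandProperty Name
            $groups -match '^(Domain Admins|Enterprise Admins|Administrators|Schema Admins)$'
        }

        [pscustomobject]@{
            RODC             = $rodc.HostName
            AllowedEntries   = ($allowed  | Measure-Object).Count
            DeniedEntries    = ($denied   | Measure-Object).Count
            RevealedAccounts = ($revealed | Measure-Object).Count
            PrivilegedCached = $privileged | Select-Object -ExpandProperty SamAccountName
        }
    }
}

Get-RodcPasswordExposure | Format-List
```

A non-empty PrivilegedCached list means the PRP is looser than the "only allowed user passwords" feature was meant to give you; tighten the Allowed group or add those accounts to the Denied list.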

Benefits of RODC

Increased security for remote Domain Controllers where physical security cannot be guaranteed.

Roles and Services Supported by RODC

ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM

After getting to know RODC better, can you determine when to use one? Something more for you all to know and consider: the ongoing configuration of an RODC is not as easy as setting one up.

The key point to note when deciding whether to deploy an RODC is the level of SECURITY.

If your remote branch office has a server room that is locked at all times and only authorized personnel can access it (physically secured), my advice is not to use an RODC, as it will complicate your future administration. As the key benefit of RODC stated above says, an RODC is meant for a branch office that requires a local DC for authentication but where physical security cannot be guaranteed.

So, RODC is a feature for branch offices, but Microsoft never said you must use it for every branch office! Know the features, know what you need, and find the right technology to fit! And it must be cost-effective! LOL~

This entry was posted in Windows Server.
