A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in branch offices. In this post, I summarize the functionality of RODCs.

In branch offices, it is often not easy to provide sufficient physical security for servers, and it is not a big deal to manipulate a Windows system once you have physical access to it. Since domain controllers store security-sensitive data, they are particularly exposed. RODCs can help with this problem in four ways:

RODC essentials

  • Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
  • DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
  • Password protection: A malicious user won’t be able to access passwords using a brute-force attack. This applies only if password caching is disabled on the RODC.
  • Administrator Role Separation: You can delegate a local Administrator role to a domain user.

Read-only Domain Controller

  • An RODC holds all Active Directory objects and attributes.
  • RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
  • If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.

DNS Protection

  • A DNS server running on an RODC doesn’t support dynamic updates.
  • If a client wants to update its DNS record, the RODC will send a referral to a writable DNS server.
  • The client can then update its record against this DNS server.
  • This single record will then be replicated from the writable DNS server to the DNS server on the RODC.

Password Protection

  • By default, an RODC doesn’t store user or computer credentials. (The only exception is the computer account of the RODC itself and a special krbtgt account.)
  • However, an RODC can cache passwords.
  • If a password isn’t cached, the RODC will forward the authentication request to a writable DC.
  • The Password Replication Policy determines the user groups for which password caching will be allowed (more about this in my next post).
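Because caching is decided per account by the Password Replication Policy, the practical question for a branch server is which secrets are actually sitting on it right now. The following script is an added example, not part of the original post: it lists the accounts whose passwords have been revealed to (cached on) an RODC, the accounts that have authenticated through it, and flags any member of the built-in privileged groups that appears in the cached set. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and RSAT; on the original 2008 release the same data is shown on the RODC computer object’s Password Replication Policy tab in Active Directory Users and Computers). The RODC name is a placeholder.

```powershell
# Added example (not from the original post): audit what an RODC has actually cached.
# Assumes the ActiveDirectory module; 'BRANCH-RODC01' is a placeholder RODC name.
Import-Module ActiveDirectory

$Rodc = 'BRANCH-RODC01'   # placeholder: your RODC's computer name

# Accounts whose secrets are currently stored on the RODC. If the server is stolen,
# these are the hashes an attacker could try to crack offline.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Accounts that have authenticated through this RODC (whether cached or forwarded to a writable DC).
$Authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

# Effective members of the built-in groups whose passwords should never be cached on a branch DC.
# Some of these groups may not exist in a child domain, hence SilentlyContinue.
$Privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                'Account Operators', 'Server Operators', 'Backup Operators') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty DistinguishedName -Unique

# Any privileged account in the revealed set is a finding: caching has exposed it to the branch.
$Exposed = $Revealed | Where-Object { $Privileged -contains $_.DistinguishedName }

"{0}: {1} account(s) cached, {2} authenticated via this RODC, {3} privileged account(s) exposed" -f `
    $Rodc, @($Revealed).Count, @($Authenticated).Count, @($Exposed).Count
$Exposed | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```

The revealed list is the one that matters for the threat model on this page: it is the set of credentials that no longer depend on the RODC’s physical security. Comparing it against the authenticated list also shows which branch users are still being forwarded to a writable DC on every logon, which is the usual trade-off when deciding what to allow into the policy.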

Administrator Role Separation

  • A domain user who holds the local Administrator role on an RODC doesn’t have to be a domain admin.
  • A domain user with this role can do maintenance work on the RODC, such as installing software.
  • If an intruder gains access to the credentials of this local administrator account, they will not be able to make changes on other domain controllers.
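Administrator Role Separation is configured by designating a delegated administrator on the RODC’s computer object. The script below is an added example, not from the original post: it sets the delegation through the managedBy attribute (the same setting the Managed By tab exposes), then verifies that the delegated principal does not overlap with Domain Admins, since delegating to an account that is already a domain admin defeats the purpose. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT); the RODC name and group DN are placeholders.

```powershell
# Added example (not from the original post): delegate local administration of an RODC
# to a branch group and confirm the delegation keeps the role separate from Domain Admins.
# Assumes the ActiveDirectory module; all names below are placeholders.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH-RODC01'                                        # placeholder RODC name
$BranchAdmin = 'CN=Branch Site Admins,OU=Groups,DC=corp,DC=example'   # placeholder group DN

# The managedBy attribute of an RODC's computer object names the delegated local administrator.
# A group is preferable to a single user: membership can be reviewed and revoked centrally.
Set-ADComputer -Identity $Rodc -ManagedBy $BranchAdmin

# Read the delegation back and expand it to individual accounts if it is a group.
$Delegate = (Get-ADComputer -Identity $Rodc -Properties ManagedBy).ManagedBy
$Members  = if ((Get-ADObject -Identity $Delegate).ObjectClass -eq 'group') {
    Get-ADGroupMember -Identity $Delegate -Recursive | Select-Object -ExpandProperty DistinguishedName
} else {
    @($Delegate)
}

# Role separation only helps if none of the delegated accounts are domain admins anyway.
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$Overlap = $Members | Where-Object { $DomainAdmins -contains $_ }

if ($Overlap) {
    Write-Warning ("Delegated admin(s) of {0} are also Domain Admins: {1}" -f $Rodc, ($Overlap -join ', '))
} else {
    "RODC {0} is delegated to {1}; none of its {2} member(s) are Domain Admins." -f $Rodc, $Delegate, @($Members).Count
}
```

Keep in mind that this delegation is local to the RODC: it grants the group administrative rights on that one server only, which is exactly what limits the damage if the branch administrator’s credentials are compromised.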

In my next post, I will explain how to install and configure an RODC.
