- If you add RODCs to your network, you certainly increase the complexity. RODCs simply work differently than DCs, which means that new kind of problems might come up.
- Administrators need to invest time to learn how to manage RODCs.
- Some third party products will not work together with RODCs.
- An RODC usually needs a writeable domain controller to work properly. For example, users can’t change passwords, computers can’t join the domain, accounts whose passwords haven’t been cached can’t logon, and Group Policy doesn’t work properly if no writable RODC is available. This means that an RODC doesn’t provide the same failure safety like a writeable DC.
Don’t underestimate the first two points. At first, I thought, it can’t be too difficult installing an RODC. After all, it is just a DC with reduced functionality, i.e. with only unidirectional replication. However, it took me more time than expected to set up a test environment.
My RODC had two network cards, one was in the same sub network as the writeable DC, and the other network card was connected to the same sub network as my clients. Most things worked fine. However, I wasn’t able to authenticate against the RODC if the writeable DC was offline. In theory, this should work if the user’s password is cached on the RODC. Even though I could see that the password was cached, I always got this error message: The trust relationship between this workstation and the primary domain failed. However, if the writeable DC was online, I had no problems logging on to the RODC.
Maybe my configuration was not correct or maybe there was a bug involved. I didn’t try too long to solve this problem, since Windows Server 2008 is still beta. But this example shows how new kind of problems can arise. With two writable DCs I wouldn’t have to invest extra time. Time is money. Maybe it makes more sense to invest this money in a better physical protection of the servers in your branch offices.
There are certainly environments where it makes sense to work with RODCs. Big companies with Active Directory specialists probably won’t be afraid of the increased complexity. However, since bandwidth gets cheaper almost every day, it is probably only a matter of time until domain controllers in branch offices will not be necessary anymore. So maybe it is a bit late for this new technology.
But wait! Is this really new technology? Do you remember the BDCs (backup domain controllers) in Windows NT? When Windows 2000 came out most admins were quite happy that they didn’t need these DCs with limited capabilities anymore.