Windows Server 2008: Read-Only Domain Controller (RODC)

A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in office branches. In this post, I summarize the functionality of RODC.

Profile photo of Michael Pietroforte

Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.
Profile photo of Michael Pietroforte

In office branches, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since Domain controllers store security sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials

  • Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
  • DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.
  • Password protection: A malicious user won’t be able to access passwords using a brute-force-attack. This applies only if password caching is disabled on the RODC.
  • Administrator Role Separation: You can delegate a local Administrator role to a domain user.

Read-only Domain Controller

  • An RODC holds all Active Directory objects and attributes.
  • RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC).
  • If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.

DNS Protection

  • A DNS server running on an RODC doesn’t support dynamic updates.
  • If a client wants to update its DNS record, the RODC will send a referral for a writeable DNS server.
  • The client can then update against this DNS server.
  • This single record will then be replicated from the writable DNS server to the RODC DNS server.

Password Protection

  • By default, an RODC doesn’t store user or computer credentials. (The only exception is the computer account of the RODC itself and a special krbtgt account.)
  • However, an RODC can cache passwords.
  • If a password isn’t cached, the RODC will forward the authentication request to a writeable DC.
  • The Password Replication Policy determines the user groups for which passwords caching will be allowed (more about this in my next post).

Administrator Role Separation:

  • A domain user having the Administrator role on an RODC doesn’t have to be a domain admin.
  • A domain user having the Administrator role can do maintenance work on the RODC such as installing software.
  • If an intruder gains access to the credentials of this local administrator account, he will not be able to make changes on other domain controllers.

In my next post, I will explain how to install and configure an RODC.

Share
-1+1 (No Ratings Yet)
Articles in series

Read-Only Domain Controller (RODC)

15 Comments
  1. avatar
    Lukas Beeler 9 years ago

    Yeah, this is one of the features i’m really looking forward to. (And restartable AD:DS)

    It makes branch office management so much easier.

  2. Profile photo of Michael Pietroforte
    Michael Pietroforte 9 years ago

    I am not yet 100% convinced of this new feature. Am going to write about my doubts soon. A post about restartable AD DS is in preparation, too.

  3. avatar
    Lukas Beeler 9 years ago

    What makes you doubt this feature?

    Of course it’s usefulness will depend on your company structure, but it makes deploying DCs on small sites possible.

  4. Profile photo of Michael Pietroforte
    Michael Pietroforte 9 years ago

    It increases the complexity of your network. I am not sure yet if the advantages of an RODC are enough compensation for that. I have to play more with it to make up my mind, though.

  5. avatar
    Malte 9 years ago

    Sounds great but there is one problem: It windows, so there will be enough loopholes and bugs to abuse ­čśÇ

  6. […] Server 2008 – Read-Only Domain Controller 3 07 2007 Michael has a very nice post on the RODC role available in Windows Server 2008. The post provides usefull information on the […]

  7. avatar
    Mohit Bharatwal 7 years ago

    Is that true that to install RODC server we should have Data center server 2008 as main DC?

    Can we use Enterprise Server 2008 for deploying RODC?

    TIA

    Mo

  8. Profile photo of Michael Pietroforte
    Michael Pietroforte 7 years ago

    Mohit, no you only require at least one writable Windows Server 2008 domain controller. You can use the enterprise edition but it also works with the standard edition.

  9. avatar
    Aaron 6 years ago

    Can you have multiple RODC servers (all at diferent sites) and have the writable DC as Small Business Server 2008?

  10. avatar
    Mohit Bharatwal 6 years ago

    Hi Michael Pietroforte,

    Thanks for adivce Mate.

    A quick one for you can you also suggest which remote session is best and stable among HP ILO2 and Dell DRAC6?

    would appreciate your adivce on it.

  11. avatar
    Vivek 6 years ago

    I just wanted to share that when I log on the RODC with enterprise admin credentials, it no more works as an RODC, rather it starts working as R/W DC. Is it normal?

    Or I am making some mistake in configuring RODC??

  12. avatar
    suchi 4 years ago

    can u just tell me in brief what is the new 10 features in 2008 & elaborate it please which could make me easy to explain to others?

  13. avatar
    suchi 4 years ago

    Hi Vicky,

    I want to know about the ESX & its version,differece in old & new version of ESX server also want to know about the cluster & slots…..please help me on it.

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
┬ę 4sysops 2006 - 2016

Log in with your credentials

or    

Forgot your details?

Create Account