Another exciting new feature of Windows Server 2008 is the Read-Only Domain Controller (RODC). The RODC can greatly improve the security of a domain controller that’s deployed in a branch office or another hard-to-secure location.
In Windows 2000 and Windows Server 2003, all domain controllers participated in Active Directory’s multimaster replication scheme, which meant that an administrator could make a change on any domain controller and it would be replicated throughout the rest of Active Directory. This created issues for businesses that needed to deploy domain controllers in offices with limited physical security, such as a remote branch office with only a few employees. As the name suggests, a Read-Only Domain Controller now allows you to deploy a domain controller that hosts a read-only copy of the Active Directory database. This means that an administrator will need to connect to a writable domain controller to make any changes to Active Directory.
What is Read-Only Domain Controller (RODC) in Active Directory?
One of the key features of RODCs is that they do not perform any outbound replication whatsoever. They only accept inbound replication connections from writable domain controllers. To deploy an RODC, you need at least one writable domain controller, and the domain and forest functional levels must be at least Windows Server 2003.
Another key feature of an RODC is that each RODC can be configured with its own Password Replication Policy. On writable domain controllers, information about every Active Directory password is stored locally within the ntds.dit file. If a writable domain controller is compromised or stolen, all username and password information in your environment is at risk. By contrast, you can specify a particular list of user or group accounts whose password information should be stored on a particular RODC. Conversely, you can also configure specific users or groups whose password information should not be cached on an RODC. For example, high-level administrative accounts, such as Domain Admins and Enterprise Admins, are configured by default so that their password information cannot be cached on any RODCs within an environment.
It is recommended that you do not change these settings. To allow enterprise-wide configuration of the RODC Password Replication Policy, Windows Server 2008 creates the following security groups:
- Denied RODC Password Replication Group: Members of this group will be placed in the Deny list of the Password Replication Policies of all RODCs by default. This group contains the following members when Windows Server 2008 is first installed: Cert Publishers, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, Read-only Domain Controllers, Schema Admins, and krbtgt.
- Allowed RODC Password Replication Group: Members of this group will be placed in the Allow list of the Password Replication Policies of all RODCs by default. This group has no members when Windows Server 2008 is first installed.
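The following audit script is an added example, not code from the article: for every RODC in the domain it reads the Allow and Deny lists of the Password Replication Policy, lists the accounts whose secrets have actually been revealed (cached) on that RODC, and flags any of them that are also members of the default Denied RODC Password Replication Group. It goes slightly beyond the text in relying on the rule that a Deny entry takes precedence over an Allow entry, so a hit means the default deny list was edited away. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller has read access to the domain.

```powershell
# Added audit example (not from the article). Assumes the ActiveDirectory module
# and a domain-joined session with rights to read the RODC policy attributes.
Import-Module ActiveDirectory

function Get-RodcPrpAudit {
    [CmdletBinding()]
    param(
        # Default group that Windows Server 2008 places in every RODC's Deny list.
        [string]$DeniedGroup = 'Denied RODC Password Replication Group'
    )

    # Distinguished names of every principal that should never be cached on an RODC
    # (recursive, so members of Domain Admins, Enterprise Admins etc. are included).
    $deniedDns = Get-ADGroupMember -Identity $DeniedGroup -Recursive |
        Select-Object -ExpandProperty DistinguishedName

    foreach ($rodc in (Get-ADDomainController -Filter * | Where-Object { $_.IsReadOnly })) {
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

        # Accounts whose password secrets are really stored in this RODC's ntds.dit.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

        # Deny wins over Allow, so a denied-group member showing up here means the
        # Deny list no longer covers the defaults (or the group was emptied).
        $leaked = $revealed | Where-Object { $deniedDns -contains $_.DistinguishedName }

        [pscustomobject]@{
            RODC              = $rodc.HostName
            AllowedEntries    = ($allowed  | Select-Object -ExpandProperty SamAccountName) -join ', '
            DeniedEntries     = ($denied   | Select-Object -ExpandProperty SamAccountName) -join ', '
            RevealedCount     = @($revealed).Count
            DeniedButRevealed = ($leaked   | Select-Object -ExpandProperty SamAccountName) -join ', '
        }
    }
}

# Run the audit; any non-empty DeniedButRevealed value deserves an investigation.
Get-RodcPrpAudit | Format-List
```

A non-empty DeniedButRevealed column is the condition to alert on, because a stolen RODC would then expose the very accounts the default policy was meant to keep off it.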