

Server 2008 Read Only Domain Controller (RODC)

Posted on 2010-01-07
Medium Priority
Last Modified: 2012-05-08
Okay, will try to explain as best as I can.

Currently have 5 sites connected through MPLS, all different locations. We will call these sites A-E.

At site A we have 2 DCs, Win 2003 Server, the only DCs on the domain.

Currently at site B we need to add an application server, for the apps on this server will not cross the T1 line; they have to be run locally.

What I want accomplished is to have users log in at site B on the domain without having to cross the T1 constantly for user password authentication.

Question: is it better to set up that server as a member server or an RODC? If so, why? What are the advantages or disadvantages of both, and is there a better alternative to accomplish the same thing?
Question by:westhelpdesk
LVL 33

Expert Comment

ID: 26203504
"have users login at site B on the domain without having to cross the T1 constantly for user password authentication...."

In site B you need a domain controller and you have to logically place this DC in the Site B Active Directory Site in AD Sites and Services (based on the subnet). You should also make this server a DNS server to isolate the DNS traffic (update clients to point to the site B AD DC/DNS server too). Also make this server a global catalog server.

Adding a member server to the domain in site B will do nothing for authentication of domain credentials.


Expert Comment

ID: 26205967
If you want to reduce the authentication traffic, I think you have to choose between a DC and an RODC, because a member server will itself go across for authentication.
Now, a DC is a full-fledged resource to manage your domain, whereas an RODC is a read-only replica of a DC. The first time some authentication comes to the RODC, it has to ask a DC to get the ticket issued to the user/client, and thereafter it starts authenticating that user.
You can also control what attributes should replicate to the RODC.

See this:


Hope this answers your queries. If you need any further clarifications, please feel free to revert.



Author Comment

ID: 26276073
From my understanding an RODC is a domain controller, but you cannot make any changes on it. Why would I want to go with a DC rather than an RODC? My thinking is to go with an RODC rather than a DC, for if I have a user that needs to access this server they cannot make changes to AD.

Why would I want to make this DC or RODC (which I don't think you can) a Global Catalog Server?

I guess overall, what are the benefits of making this a DC or RODC?

LVL 33

Accepted Solution

NJComputerNetworks earned 2000 total points
ID: 26282740
The biggest benefit of making the remote site server a Read Only DC is for security: the DC located in the remote site (if it is an RODC) will not be able to make changes to Active Directory. Therefore, you could make someone responsible for managing the server (full local admin rights) without having rights to AD (changing user accounts, resetting passwords, etc.).
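As an added example that is not part of this thread and not code posted by any participant, here is the whole procedure the answers above describe in PowerShell: a site and subnet for site B so clients find the local DC, an RODC pre-staged with a delegated local administrator who has no rights in AD (the accepted answer's point), a password replication policy that limits which credentials get cached at the remote site, and the promotion with local DNS and global catalog. It assumes the ActiveDirectory and ADDSDeployment cmdlets that ship with Windows Server 2012 or later RSAT (they did not exist in the Server 2008 era of this thread, where dcpromo with an answer file was the equivalent), and every domain, site, subnet, host, group and account name is a constructed placeholder.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory and
# ADDSDeployment modules (Windows Server 2012+ / RSAT). All names below
# (corp.example.com, SiteB, 10.20.0.0/24, SITEB-RODC01, the CORP\ groups)
# are constructed placeholders; substitute your own.
Import-Module ActiveDirectory

$domain   = 'corp.example.com'
$siteName = 'SiteB'
$subnet   = '10.20.0.0/24'        # client subnet at site B
$rodcName = 'SITEB-RODC01'

# 1. Give site B its own AD site and map its subnet to it. DC locator then
#    sends site B clients to the DC in their own site instead of across the
#    T1 to the site A DCs.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
    New-ADReplicationSubnet -Name $subnet -Site $siteName
}

# 2. Run on a writable DC at site A as a Domain Admin: pre-stage the RODC
#    account. The delegated administrator group gets local admin on the RODC
#    box only and no rights to change AD. Only accounts in the allow group
#    get their password hashes cached on the RODC; members of the built-in
#    'Denied RODC Password Replication Group' (Domain Admins and other
#    privileged groups) are never cached there.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domain `
    -SiteName $siteName `
    -DelegatedAdministratorAccountName 'CORP\SiteB-ServerAdmins' `
    -AllowPasswordReplicationAccountName 'CORP\SiteB-Users' `
    -InstallDns:$true

# 3. Run on the site B server itself, as a member of the delegated admin
#    group: promote it into the pre-staged account. The read-only role and
#    the site come from that account; -InstallDns makes it the local DNS
#    server the answer asks for, and it is a global catalog by default.
Install-ADDSDomainController `
    -DomainName $domain `
    -UseExistingAccount `
    -InstallDns `
    -Credential (Get-Credential -Message 'Delegated RODC admin credentials') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# 4. Afterwards, confirm placement and review which accounts may be cached.
Get-ADDomainController -Identity $rodcName |
    Select-Object Name, Site, IsReadOnly, IsGlobalCatalog
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName
```

The password replication policy is the part worth getting right from a defender's view: if the site B box is stolen or compromised, the only credential material exposed is what the allow list let the RODC cache, and the delegated admin's local rights cannot be turned into changes to accounts or passwords in the writable directory. Keep the allow group to the users who actually work at site B, and point site B clients' DNS at the new server once it is up so that lookups stay local too.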

Author Closing Comment

ID: 31674192
Thanks a lot for all your help! Much appreciated.
