Server 2008 Read Only Domain Controller (RODC)

Posted on 2010-01-07
Last Modified: 2012-05-08
okay, will try to explain as best as I can.....

currently have 5 sites connected through MPLS.....all different locations..we will call these sites A-E

At site A we have 2 DCs, Win 2003 Server...only DCs on the domain....

Currently at site B we need to add an application server, for the apps on this server will not cross the T1 line....they have to be run locally...

what I want is to have users log in at site B on the domain without having to cross the T1 constantly for user password authentication....

question is, is it better to set up that server as a member server or a RODC, and why....what are the advantages or disadvantages of both....and is there a better alternative to accomplish the same thing....
Question by: westhelpdesk
    LVL 33

    Expert Comment

    "have users login at site B on the domain without having to cross the T1 constantly for user password authentication...."

    In site B you need a domain controller and you have to logically place this DC in the Site B Active Directory Site - in AD Sites and Services (based on the subnet).  You should also make this server a DNS server to isolate the DNS traffic (update clients to point to the site B AD DC/DNS server too).  Also make this server a global catalog server.

    Adding a member server to the domain in site B will do nothing for authentication of domain credentials.
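    The placement the comment above describes (site object, subnet binding, site link, then a DC in that site that also serves DNS and the global catalog) can be scripted. The following is an added example, not part of this thread; it assumes an existing site "SiteA", a new site "SiteB" with client subnet 10.2.0.0/24, and the domain corp.example.com. The ADDSDeployment cmdlets used in step 3 shipped with Windows Server 2012, so on the Server 2008-era systems discussed here the equivalent step is dcpromo with an answer file.

```powershell
# Added example (not from the thread). Assumed names: domain corp.example.com,
# existing site "SiteA", new site "SiteB" with client subnet 10.2.0.0/24.
# Steps 1-2 run on an existing DC (or RSAT box) as a Domain Admin.
Import-Module ActiveDirectory

# 1. Create the site and bind the remote subnet to it. The DC locator uses the
#    client's subnet to pick a DC in SiteB instead of crossing the WAN to SiteA.
New-ADReplicationSite -Name "SiteB"
New-ADReplicationSubnet -Name "10.2.0.0/24" -Site "SiteB" -Location "Site B office"

# 2. Link the sites so AD replication over the MPLS link is scheduled and
#    compressed rather than treated as intra-site traffic.
New-ADReplicationSiteLink -Name "SiteA-SiteB" -SitesIncluded "SiteA","SiteB" `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 3. On the new server at site B: promote it into SiteB, with DNS and the
#    global catalog, so logons, DNS lookups and GC queries stay local.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName "corp.example.com" `
    -SiteName "SiteB" `
    -InstallDns `
    -NoGlobalCatalog:$false `
    -Credential (Get-Credential "CORP\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password")

# 4. Verify from a site B machine: a GC-capable DC must be discoverable for
#    SiteB, and the site-specific SRV record must exist in DNS.
Get-ADDomainController -Discover -SiteName "SiteB" -Service GlobalCatalog
Resolve-DnsName -Type SRV "_ldap._tcp.SiteB._sites.dc._msdcs.corp.example.com"
```

    Site B clients still need their DNS client settings (DHCP option 006 or static) pointed at the new server first, otherwise they keep resolving and locating DCs across the T1 regardless of the site topology.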

    LVL 7

    Expert Comment

    If you want to reduce the authentication traffic, I think you have to choose between a DC and an RODC because a member server will itself go across for authentication...
    Now, a DC is a full-fledged resource to manage your domain. Whereas, an RODC is a read-only replica of a DC. The first time some authentication comes to the RODC, it has to ask a DC to get the ticket issued to the user/client and thereafter, it starts authenticating that user.
    You can also control what attributes should replicate to the RODC.

    See this:

    Hope this answers your queries. If you need any further clarifications, please feel free to revert.



    Author Comment

    from my understanding a RODC is a domain controller, but you cannot make any changes on it....why would I want to go with a DC rather than a RODC? My thinking is to go with a RODC rather than a DC, for if I have a user that needs to access this server they cannot make changes to AD........

    Why would I want to make this DC or RODC (which I don't think you can) a Global Catalog Server?

    I guess overall, what are the benefits of making this a DC or RODC????
    LVL 33

    Accepted Solution

    The biggest benefit of making the remote site server a Read only DC is for security... the DC located in the remote site (if it is a RODC) will not be able to make changes to Active Directory.  Therefore, you could make someone responsible for managing the server (full local admin rights) without having rights to AD (changing user accounts, resetting passwords, etc.).
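    The delegation the accepted solution describes, together with the credential-caching behaviour mentioned in the earlier comment, maps onto two RODC features: the delegated administrator (local admin on the RODC with no rights in AD) and the Password Replication Policy (which accounts' secrets the RODC may cache). The following is an added example, not from this thread; it assumes the domain corp.example.com, AD site "SiteB", groups "SiteB-Server-Admins" and "SiteB-Users", and an RODC named SITEB-RODC01. Like the previous snippet it relies on the Windows Server 2012 ADDSDeployment cmdlets (dcpromo on 2008). Note that an RODC can host the global catalog; with these cmdlets it does so by default unless -NoGlobalCatalog is given.

```powershell
# Added example (not from the thread). Assumed names: domain corp.example.com,
# site "SiteB", groups "SiteB-Server-Admins"/"SiteB-Users", RODC SITEB-RODC01.

# 1. On the site B server: promote as a read-only DC (DNS + GC) and delegate
#    local administration to a group that holds NO rights in AD. The group is
#    stored in the RODC's managedBy attribute and is local admin on this box only.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName "corp.example.com" `
    -ReadOnlyReplica `
    -SiteName "SiteB" `
    -InstallDns `
    -DelegatedAdministratorAccountName "CORP\SiteB-Server-Admins" `
    -Credential (Get-Credential "CORP\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password")

# 2. From any writable DC: set the Password Replication Policy. Only accounts in
#    the Allowed list get their password secrets cached on the RODC after their
#    first logon; everyone else is forwarded to a writable DC every time. Keep
#    privileged accounts in the Denied list so their secrets never reach site B.
Import-Module ActiveDirectory
Add-ADDomainControllerPasswordReplicationPolicy -Identity "SITEB-RODC01" `
    -AllowedList "SiteB-Users"
Add-ADDomainControllerPasswordReplicationPolicy -Identity "SITEB-RODC01" `
    -DeniedList "Domain Admins","Enterprise Admins","Schema Admins"

# 3. Audit: which accounts' secrets are actually held on the RODC now? If the
#    site B box is stolen or compromised, these are the credentials to reset.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "SITEB-RODC01" -RevealedAccounts |
    Select-Object Name, SamAccountName

# 4. Confirm role and delegation: read-only, GC, correct site, and the
#    delegated group recorded in managedBy.
Get-ADDomainController -Identity "SITEB-RODC01" |
    Select-Object Name, IsReadOnly, IsGlobalCatalog, Site
Get-ADComputer -Identity "SITEB-RODC01" -Properties ManagedBy |
    Select-Object -ExpandProperty ManagedBy
```

    The Allowed list is the trade-off to think through: the wider it is, the more logons work locally when the T1 is down, but the more accounts are exposed if the remote server is physically compromised. Checking -RevealedAccounts periodically keeps that exposure visible.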

    Author Closing Comment

    thanks a lot for all your help! much appreciated....
