Asked by synergiq

SBS 2008 With Read Only Domain Controller

We are looking to quote a business for a solution and just want to check that what I think is right.

If we have a SBS 2008 Premium server at one site, have a VPN link (provided by 2 DrayTeks) at the other site and then use the Server 2008 license that comes with Premium to install a second server at the other site. This will then be set up as a Read Only Domain Controller so the users at that site will authenticate locally and all profiles will be stored locally to reduce network traffic.
Why does the remote site have to be RODC?
The remote site does not have to be a RODC. Placing a RODC at a remote site reduces network load.
Normally, a user authenticates at logon. Tickets are continuously exchanged even after login (security).

When a RODC is placed at the remote site, users authenticate once to a DC. All subsequent ticketing occurs between the RODC and client.

This is great for locations with bandwidth issues, network latency, etc. "i.e. those remote locations in or through the deep woods"... I have several.
Users will authenticate to the closest DC if the domain is configured correctly. The only traffic on the WAN is replication - which has to occur anyway.
I've had numerous home office/remote site networks and managed to survive without RODC. My understanding is this is more for security than efficiency. If your DC is in a non-secure area, you don't have to worry about anyone being able to make changes - such as create an admin account on the domain...