DC Secure Topology Question (2008 functional level)

Posted on 2011-10-12
Medium Priority
Last Modified: 2012-05-12
So, I had a thought relating to the security of an AD network, particularly the prevention of malicious people creating backdoor accounts.

What would happen if I had 3 sites (one for each physical building).

Site 1 (primary site):
Full domain controller, private subnet, ONLY reachable by other DCs (layer 2/3/4 ACLs)
RODC, public subnet, reachable by local users

Site 2:
RODC, public subnet, reachable by local users

Site 3:
RODC, public subnet, reachable by local users

The replication would be between each RODC and the RWDC.  The RWDC of course being where IT staff would connect to, to create/modify accounts.

My question comes to bear mostly on my lack of understanding of what you can and cannot do on an RODC.  If a user is completely unable to reach a RWDC, can they still change their passwords on expiry (or anything else that a user may need to do)?  In implementation there would obviously be more than one RWDC for availability, but for simplicity there is one in this example.
Question by:lunanat

Assisted Solution

alienvoice earned 800 total points
ID: 36959357
Hi there,

From my understanding, if a RWDC is offline/not available to an RODC then password changes fail, as do many other operations, as an RODC can only replicate with a RWDC.

Link below has more answers.


Specifically: (Direct C&P from above link)


Can an RODC replicate to other RODCs?

No, an RODC can only replicate from a writable Windows Server 2008 domain controller. In addition, two RODCs for the same domain in the same site do not share cached credentials. You can deploy multiple RODCs for the same domain in the same site, but it can lead to inconsistent logon experiences for users if the WAN to the writeable domain controller in a hub site is offline. This is because the credentials for a user might be cached on one RODC but not the other. If the WAN to a writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user’s credentials cached, then the logon attempt will fail.

What operations fail if the WAN is offline, but the RODC is online in the branch office?

If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:

    Password changes

    Attempts to join a computer to a domain

    Computer rename

    Authentication attempts for accounts whose credentials are not cached on the RODC

    Group Policy updates that an administrator might attempt by running the gpupdate /force command
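The failure mode the quoted FAQ describes (an account whose credentials are not cached on the RODC cannot log on while the WAN is down) can be checked for in advance. The script below is an added example for this thread, not code from the original posts or from Microsoft; it uses the ActiveDirectory RSAT module cmdlets and, for each RODC in the domain, compares the users the Password Replication Policy allows to be cached with the accounts whose secrets are actually cached ("revealed") on that RODC. The `-RodcName` parameter and the `Get-RodcCacheGap` function name are this example's own.

```powershell
# Added example (not from the original thread): report, per RODC, which users the
# PRP allows to be cached but whose secrets are not yet cached on that RODC. Those
# users would fail to authenticate at that RODC while the link to the RWDC is down.
# Requires the ActiveDirectory module and read access to the RODC objects.
Import-Module ActiveDirectory

function Get-RodcCacheGap {
    param(
        # Assumed parameter: restrict the check to one RODC; default is every RODC in the domain.
        [string]$RodcName
    )

    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
    if ($RodcName) { $rodcs = $rodcs | Where-Object { $_.Name -eq $RodcName } }

    foreach ($rodc in $rodcs) {
        # Principals the PRP allows this RODC to cache; usually groups such as the
        # built-in "Allowed RODC Password Replication Group", so expand them to users.
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed
        $allowedUsers = foreach ($p in $allowed) {
            if ($p.ObjectClass -eq 'group') {
                Get-ADGroupMember -Identity $p.DistinguishedName -Recursive |
                    Where-Object { $_.objectClass -eq 'user' }
            } else {
                $p
            }
        }

        # Accounts whose secrets this RODC has actually cached (revealed to it).
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts
        $revealedNames = @($revealed | ForEach-Object { $_.SamAccountName })

        # Allowed but not cached: these logons depend on the WAN to the RWDC.
        $missing = @($allowedUsers |
            Where-Object { $revealedNames -notcontains $_.SamAccountName } |
            Sort-Object SamAccountName -Unique)

        [PSCustomObject]@{
            RODC         = $rodc.HostName
            Site         = $rodc.Site
            AllowedUsers = @($allowedUsers).Count
            Cached       = $revealedNames.Count
            NotCached    = $missing | ForEach-Object { $_.SamAccountName }
        }
    }
}

Get-RodcCacheGap | Format-List
```

Run it from a management host with the RSAT AD tools while the WAN is up. Accounts listed under `NotCached` are the ones an administrator would normally pre-populate on that RODC (`repadmin /rodcpwdrepl` does this from a writable DC) so that a branch outage does not turn into the logon failures described above. Note that `Get-ADDomainController -Filter` only sees the current domain, so run it once per domain in a multi-domain forest.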


Accepted Solution

Sandeshdubey earned 1200 total points
ID: 36960465
RODCs also participate in normal AD DS replication, so connection objects must be created between RODCs and other domain controllers. Because RODCs have read-only copies of the AD DS database, the KCC will only create a single one-way connection object from a domain controller with a writable copy of the database to the RODC. The RODC can only pull changes from other domain controllers; it can never be configured as a replication source.

RODC replication is also limited by which domain controllers can be direct replication partners. RODCs can replicate all AD DS partitions except the domain partition from Windows Server 2003 domain controllers. RODCs can also replicate all partitions from another Windows Server 2008 domain controller, but they must replicate the domain partition from a domain controller running Windows Server 2008, meaning that each RODC must have a connection object with a Windows Server 2008 domain controller with a writable copy of the database for the RODC's domain. It also means that when you upgrade a domain from Windows Server 2003, the first Windows Server 2008 domain controller cannot be an RODC.

From a technical/deployment perspective, there isn’t anything stopping you from deploying 2 RODCs from the same domain into the same site.  But there are definitely some important gotchas to remember:

1.  RODCs don’t replicate out to anyone – so that means they don’t replicate out to each other either.  Therefore, from a replication perspective, each server will still replicate in from a full, upstream DC.

2.  Replicated passwords are part of #1 – This is important.  If I’m a user in a site, and the site has 2 RODCs from my domain in it, but only one of them has my password cached, then if the WAN link goes offline and I try to log on, Murphy’s Law says that DCLocator will find the “other” RODC for me (which does not have my password cached).  In this case, auth will fail, and I will be an unhappy user.  You, as the AD admin, will cache a boatload of flak for this flagrant violation of our SLA.

Refer to this KB article for more details:


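The replication rules in the accepted solution (an RODC only pulls, never acts as a source, and must have a connection object from a writable Windows Server 2008 or later DC) can be verified against the connection objects the KCC actually created. The script below is an added example for this thread, not code from the original post; it reads the `nTDSConnection` objects under `CN=Sites` in the configuration partition, resolves each one's destination (its parent NTDS Settings object) and source (its `fromServer` attribute) to domain controllers, and flags any connection that breaks those rules. The function name `Test-RodcReplicationTopology` is this example's own.

```powershell
# Added example (not from the original thread): audit replication connection
# objects so that no RODC is ever a replication source and every RODC has its
# inbound connections from writable DCs, as the accepted solution describes.
Import-Module ActiveDirectory

function Test-RodcReplicationTopology {
    $config  = (Get-ADRootDSE).configurationNamingContext
    $sitesDn = "CN=Sites,$config"

    # Map each DC's NTDS Settings DN to the DC object so connection endpoints
    # can be resolved. Only the current domain's DCs are returned here, so in a
    # multi-domain forest run this once per domain.
    $dcByNtds = @{}
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dcByNtds[$dc.NTDSSettingsObjectDN] = $dc
    }

    # Every connection object lives under the destination DC's NTDS Settings
    # object and names its replication source in the fromServer attribute.
    $conns = Get-ADObject -SearchBase $sitesDn -SearchScope Subtree `
        -Filter { objectClass -eq 'nTDSConnection' } -Properties fromServer

    foreach ($conn in $conns) {
        # Strip the leading RDN to get the parent (destination) NTDS Settings DN.
        # Connection names created by the KCC are GUIDs, so they contain no commas.
        $destNtds = $conn.DistinguishedName -replace '^CN=[^,]+,', ''
        $dest = $dcByNtds[$destNtds]
        $src  = $dcByNtds[$conn.fromServer]
        if (-not $dest -or -not $src) { continue }   # other domain or stale object

        $problem = $null
        if ($src.IsReadOnly) {
            # Should never happen: the KCC does not make RODCs a source.
            $problem = 'RODC named as replication source'
        } elseif ($dest.IsReadOnly -and $src.OperatingSystem -match '2003') {
            # An RODC cannot get its domain partition from a 2003 DC.
            $problem = 'RODC pulling from a Windows Server 2003 DC'
        }

        [PSCustomObject]@{
            Destination = $dest.HostName
            DestIsRODC  = $dest.IsReadOnly
            Source      = $src.HostName
            SourceOS    = $src.OperatingSystem
            Connection  = $conn.Name
            Problem     = $problem
        }
    }
}

# Show only the connections that violate the RODC rules; drop the filter to see all.
Test-RodcReplicationTopology | Where-Object { $_.Problem } | Format-Table -AutoSize
```

For the topology proposed in the question, a healthy result is a row for each RODC whose `Source` is the hub RWDC and no row at all where an RODC appears as the source. Manually created connection objects are the usual way the first rule gets broken, which is why this is worth checking after any hand edits in Sites and Services.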
Author Closing Comment

ID: 36962523
RODCs forwarding password changes to the RWDCs is exactly what I wanted to know, clearly explained in both comments.
