Hello EE,
We currently have an environment set up with a parent forest,
bergquistcompany.com,
and a child domain with a domain controller at each of our 6 branch offices.
Each has its own subnet and users log in locally. All DNS is replicated.
I am wondering, rather than having full DCs at each branch, if we were to leave corporate as a full DC and make the branches all read-only, what are the pros/cons? Recommended? Not recommended, and why?
DNS, Active Directory, Windows Server 2012
Last comment: Mahesh, 8/22/2022 (Mon)
Mike Kline
What is the physical security like at the branch offices? RODCs are meant to help with security. You generally only see them in locations where physical security is not that great. RODCs really haven't taken off like some thought they would.
Can you elaborate on this as I'm unclear on your statement:
Are the users accessing all applications in the main office only (hub-and-spoke technology)?
Because in most cases small branch offices do not contain application servers, and a read-only GC will not help in most cases for apps that require GC lookups.
In that case, if the WAN link goes down, there is no use whether the user is able to log on with RODC cached credentials, as the same functionality can be achieved by enabling cached logon, and it is actually enabled by default (10 for XP and 25 for Win7, hopefully).
They have a local file server but it may eventually be centralized. Are you saying if users access the main office only they need a GC domain controller? Or are you saying the RODC is not relevant, as if a line goes down they can't access the data outside their PC anyway?
How about DHCP? We have a different DHCP subnet at each site, so we would need something at the branch to give out DHCP locally, as all users get DHCP. Can this be an RODC or does it need a R/W DC?
You can have the DHCP role installed on the RODC server. There are, however, possible issues after installing the DHCP role and starting the service, as it cannot write back to the DCs. You need to create the domain local groups first and then add the DHCP role to the server. From there you can use RSAT (Remote Server Administration Tools) to manage the RODC in the branch office.
Will.
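The sequence Will describes (domain local groups on a writable DC first, then the DHCP role on the RODC, then remote management with RSAT), worked through as an added PowerShell example. This is not code from the thread. The names HUBDC01, BR1-RODC, the child domain DN, the scope ranges and the "dhcp-dns-svc" account are all assumptions for illustration; the registry flag in step 3 is the one the DHCP post-install wizard sets.

```powershell
# Added example, not part of the original thread.
# Assumed names:
#   HUBDC01   - writable DC at corporate
#   BR1-RODC  - read-only DC at branch 1 that will also hand out DHCP
#   10.1.0.0/24 - branch 1 client subnet
Import-Module ActiveDirectory
Import-Module DhcpServer

$hubDc    = 'HUBDC01.child.bergquistcompany.com'   # assumed FQDN
$rodc     = 'BR1-RODC.child.bergquistcompany.com'  # assumed FQDN
$rodcIp   = '10.1.0.10'                            # assumed
$domainDn = 'DC=child,DC=bergquistcompany,DC=com'  # assumed

# 1. Create the DHCP security groups against a WRITABLE DC first.
#    On a DC the DHCP role expects the domain-local groups
#    "DHCP Administrators" and "DHCP Users"; an RODC cannot create them
#    itself because it cannot write to the directory.
foreach ($g in 'DHCP Administrators', 'DHCP Users') {
    if (-not (Get-ADGroup -Server $hubDc -Filter "Name -eq '$g'")) {
        New-ADGroup -Server $hubDc -Name $g -GroupScope DomainLocal `
                    -GroupCategory Security -Path "CN=Users,$domainDn"
    }
    # Push the new object to the branch RODC instead of waiting for the
    # replication schedule.
    $grp = Get-ADGroup -Server $hubDc -Identity $g
    Sync-ADObject -Object $grp.DistinguishedName -Source $hubDc -Destination $rodc
}

# 2. Install the role on the RODC (run remotely from the RSAT host).
Invoke-Command -ComputerName $rodc -ScriptBlock {
    Install-WindowsFeature DHCP -IncludeManagementTools
    # 3. Mark the post-install configuration as done so Server Manager
    #    stops prompting for the wizard that would try to create the
    #    groups again on the read-only directory.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
                     -Name ConfigurationState -Value 2
    Restart-Service DHCPServer
}

# 4. Authorization lives in the configuration partition of AD, so this
#    write goes to a writable DC; run it from the RSAT host, not the RODC.
Add-DhcpServerInDC -DnsName $rodc -IPAddress $rodcIp

# 5. The scope itself is stored in the DHCP server's local database on the
#    branch server, not in AD, so it is created and changed on the RODC.
Add-DhcpServerv4Scope -ComputerName $rodc -Name 'Branch 1' `
    -StartRange 10.1.0.50 -EndRange 10.1.0.200 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ComputerName $rodc -ScopeId 10.1.0.0 `
    -Router 10.1.0.1 -DnsServer $rodcIp, '10.0.0.10'   # RODC first, hub DC second (assumed IPs)

# 6. Security caveat: DHCP running on a DC registers client DNS records
#    under the DC's own account unless told otherwise. Use a dedicated
#    low-privilege account for dynamic DNS updates.
$dnsCred = Get-Credential -UserName 'child\dhcp-dns-svc' -Message 'DHCP DNS update account'
Set-DhcpServerDnsCredential -ComputerName $rodc -Credential $dnsCred

# 7. Verify from the hub side.
Get-DhcpServerInDC
Get-DhcpServerv4Scope -ComputerName $rodc
```

Two points this makes explicit for the later DHCP questions in the thread: only the authorization record is kept in AD (and therefore has to be written through a writable DC), while each site's scope and options stay in that branch server's own DHCP database, so the branch scope can be kept and edited at the branch, either locally or through RSAT.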
bergquistcompany
ASKER
Then will the branch offices' DHCP information need to be configured on the R/W DC? Right now each site's DHCP is unique to that site, and I'm wondering how that will work for configuring it.
I am assuming once it's in that it will work the same way: DHCP assigned locally, however any changes will need to be done at the R/W side, or can it be kept at the branch?
Also, I read somewhere about the limitations of applications that require LDAP, and I'm concerned, if we roll this out, how common it is that 3rd-party apps won't work.
What I mean to say is, if all application/infrastructure servers are centralized at the hub location (main site), then in case the WAN link goes down, branch users will not be able to access those applications, whether you put an RODC at the branches or not.
If you have placed your applications on the internet (web based) and the branch has internet connectivity, then they can access them even if the WAN link goes down.
As pointed out earlier by other experts, AD-integrated applications such as Exchange do frequent GC lookups with AD, and that requires a R/W DC.
You can query 3rd-party AD-integrated application vendors about GC requirements.
An RODC will help only in case you have file servers in branches: if the link is down, they can still access branch file servers with the help of the RODC, as a Kerberos ticket must be presented to the file server before you access it, and the RODC can issue the same to clients to access the file server since it can authenticate users through cached credentials.
But you can make branch file server data available offline, so in case the link is down they can still work offline, and as the link is restored, the data will get synchronized with the server data.
Thanks
Mike
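The "authenticate users through cached credentials" part of the earlier reply only works if the RODC has actually been allowed to cache those users, which is not the default. The following is an added PowerShell example (not from the thread) showing how the Password Replication Policy (PRP) is inspected, populated and audited; it also bears on Mike Kline's physical-security point, since the "revealed" list is exactly what an attacker gets from a stolen RODC. HUBDC01, BR1-RODC and the groups "Branch1 Users" and "Branch1 Computers" are assumed names.

```powershell
# Added example, not part of the original thread. Assumed names:
#   HUBDC01           - writable DC at corporate
#   BR1-RODC          - branch RODC
#   Branch1 Users     - global group of branch 1 staff (assumed to exist)
#   Branch1 Computers - global group of branch 1 workstations (assumed to exist)
Import-Module ActiveDirectory
$hubDc = 'HUBDC01'
$rodc  = 'BR1-RODC'

# 1. Which DCs in the domain are read-only, and where do they sit?
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IPv4Address

# 2. Out of the box an RODC caches NO user or computer passwords: the
#    "Allowed RODC Password Replication Group" is empty and the "Denied"
#    group holds the administrative groups. With the WAN down, a user whose
#    password is not cached cannot be authenticated by the RODC at all, so
#    the logon falls back to the workstation's own cached-logon entries.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# 3. Allow only the branch's own staff and workstations to be cached on
#    this RODC. Admin accounts stay in the Denied list, so their secrets
#    never leave the writable DCs at corporate.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch1 Users', 'Branch1 Computers'

# 4. Pre-populate the cache while the link is up. Without this, a user's
#    password is only cached after their first successful logon through
#    the RODC, which itself needs the WAN to reach a writable DC.
$users = Get-ADGroupMember -Identity 'Branch1 Users' -Recursive |
         Where-Object objectClass -eq 'user'
foreach ($u in $users) {
    Sync-ADObject -Object $u.DistinguishedName -Source $hubDc `
                  -Destination $rodc -PasswordOnly
}

# 5. Audit. "Revealed" accounts are those whose password hashes are
#    physically on this RODC; if the box is stolen, that is the set of
#    passwords to reset. "Authenticated" shows who has actually logged on
#    through it, which tells you whether the PRP matches real usage.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Run this from a management host with RSAT while the WAN is up; steps 3 and 4 are directory writes and go to the writable DC. If a branch RODC is ever lost, deleting its computer object from Active Directory Users and Computers offers to reset the passwords of the revealed accounts, which is the recovery the Allowed/Denied split is designed to keep small.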