Questions on RODC and DC

Dear Wizards, we already have a DC for the domain environment in our company. Now we have a branch office and intend to set up a second DC. Which one is better, an additional DC or a read-only DC, in terms of:
- Security
- Ease of management, fixing errors, troubleshooting replication problems
- Ease of backup and restore

And is there any potential risk if we set up an ADC or RODC?
Many thanks!
Asked by L0k1, Network Administrator.
btan, Exec Consultant, commented:
Since there is a VPN, ensure that the RODC/ADC has the IPsec policy in place before it is exposed in the perimeter network. I suggest an RODC instead, as the use case is specific and easier to achieve; you just need to make sure caching is done. Another consideration is that, to avoid issues with a single point of failure, you may consider deploying multiple RODCs for each domain in the perimeter network. Also, an RODC has the same port and protocol requirements as writeable DCs.

The following lists the ports that you must open on the firewall to allow communication from a writeable domain controller (Main DC) in the corporate network to the RODC (Second DC) in the perimeter network, along with the type of traffic that is used on these ports.
Port                  Type of traffic
TCP 135               EPM
TCP Static 53248      FrsRpc
TCP 389               LDAP

The following lists the ports that you must open on the firewall to allow communication from the RODC (Second DC) in the perimeter network to a writeable domain controller (Main DC) in the corporate network, along with the type of traffic that is used on these ports.
Port                  Type of traffic
TCP 49152-65535       LSASS
TCP 135               EPM
TCP 389               LDAP
TCP 3268              GC, LDAP
TCP 445               DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP 53                DNS
TCP 88                Kerberos
UDP 123               NTP
UDP 389               C-LDAP
UDP 53                DNS
TCP 5722              DFS-R
TCP and UDP 464       Kerberos Change/Set Password

For the client (LAN user), consider the ports required as below. See the references on services and ports:
  • The client computer can communicate with the RODC in the perimeter network but not with domain controllers in the internal network.
  • The RODC can communicate with a domain controller in the internal network at the time of the domain join.
  • If NetBIOS name resolution is required in the perimeter network, ensure Windows Internet Name Service (WINS) is enabled.
  • Take care of the ephemeral ports, which depend on the OS version.
- Deployment of RODC
- Service overview and network port requirements for Windows
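The RODC-to-writable-DC port list above can be verified from the RODC side once the firewall rule exists. This is an added example, not code from btan's answer; HUBDC01.corp.example is an assumed name for the writable hub DC. Test-NetConnection only performs a TCP connect, so the UDP entries and the LSASS dynamic RPC range are printed for manual verification against the firewall rule rather than probed.

```powershell
# Added example (not from the original answer). Run on the RODC after the firewall
# rule toward the writable DC has been created.
param(
    [string]$WritableDC = 'HUBDC01.corp.example'   # assumed hub DC FQDN
)

# Fixed TCP ports from the "RODC -> writable DC" table
$tcpChecks = @(
    [pscustomobject]@{ Port = 135;  Service = 'EPM (RPC endpoint mapper)' }
    [pscustomobject]@{ Port = 389;  Service = 'LDAP' }
    [pscustomobject]@{ Port = 3268; Service = 'Global Catalog LDAP' }
    [pscustomobject]@{ Port = 445;  Service = 'SMB, NetLogon, SamR, LsaRpc, DFS' }
    [pscustomobject]@{ Port = 53;   Service = 'DNS' }
    [pscustomobject]@{ Port = 88;   Service = 'Kerberos' }
    [pscustomobject]@{ Port = 5722; Service = 'DFS-R (SYSVOL replication)' }
    [pscustomobject]@{ Port = 464;  Service = 'Kerberos change/set password' }
)

# Entries a TCP connect cannot prove; confirm these in the firewall rule itself
$manualChecks = @(
    'TCP 49152-65535  LSASS (dynamic RPC range handed out via the endpoint mapper on 135)'
    'UDP 123          NTP'
    'UDP 389          C-LDAP (DC locator pings)'
    'UDP 53           DNS'
    'UDP 464          Kerberos change/set password'
)

$results = foreach ($c in $tcpChecks) {
    $t = Test-NetConnection -ComputerName $WritableDC -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = "TCP $($c.Port)"
        Service   = $c.Service
        Reachable = [bool]$t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Anything blocked here means replication or logons through the RODC will degrade
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("Blocked toward {0}: {1}" -f $WritableDC, ($blocked.Port -join ', '))
}

Write-Host "`nNot covered by a TCP connect; confirm on the firewall:"
$manualChecks | ForEach-Object { Write-Host "  $_" }
```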
Muhammad Burhan, Manager I.T., commented:
If you're looking PURELY from a risk standpoint, then an RODC would be more the direction to go, solely because an attacker couldn't make permanent changes to AD from it. However, on the other side of that, if something came up where you need to make changes to AD and the link to the "main" DC was down, then you're sort of SOL for a while. Just as long as you understand the tradeoffs.
Jeff Glover, Sr. Systems Administrator, commented:
We use RODCs for remote sites; however, we have failover paths between sites (MPLS main and VPN over local Internet backup), so it will work. But the main reason for an RODC is security. If you don't have an admin there at the remote site, then an RODC is good. If there is an admin there, and security is good, then a normal DC is just as good. Replication traffic is not that bad now with AD. I would caution that you should have at least 2 DCs at the main site so if one is down, then the other is active.
Also, if you are using RODCs, you should take advantage of caching just the users and computers at the site. This is the best way to use the security features of an RODC. If the remote site has its own Internet, be sure to install RoDNS on the server also.
btan, Exec Consultant, commented:
Since the second DC is for the branch office, I would say that the master is still at the HQ (as hub) and the branch office is at the (so-called) slave level (as spoke). In other words, the slave follows the master, hence the branch will mostly replicate from HQ. The RODC can replicate from the writable AD. That can be the final state.

But if you are thinking of always having the branch office have an RODC, this is alright and more secure, since it cannot easily be tampered with, being read-only, and the focus can be on protecting the hub. If you are thinking of more such replicas, that is, more RODCs in the same domain, there is a potential issue.

E.g.  it can lead to inconsistent logon experiences for users if the WAN to the writeable domain controller in a hub site is offline. This is because the credentials for a user might be cached on one RODC but not the other. If the WAN to a writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user’s credentials cached, then the logon attempt will fail.

Two more considerations:
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:

- Password changes
- Attempts to join a computer to a domain
- Computer rename
- Authentication attempts for accounts whose credentials are not cached on the RODC
- Group Policy updates that an administrator might attempt by running the gpupdate /force command

Some password-change operations, such as a user initiating a password-change request by pressing Ctrl+Alt+Del, specifically require a writable domain controller. When the client computer detects that the RODC is not writable, it locates a writable domain controller instead. Other password-change operations, such as a user's password expiring and when the user is prompted to change it at logon, do not specifically require a writable domain controller.
So being restrictive has its challenges. But if you know it is one-to-one, then the branch having the RODC is preferred. Otherwise, multiple branches can still have RODCs, but to avoid the issues mentioned earlier, caching is required to function well while WAN connectivity takes time to recover. If the connection is resilient and robust, the risk is low and an RODC is still a way forward, with the hub as the master reference. Having too many writable DCs can also lead to inconsistency, especially when changes are not managed centrally; you will have a hard time tracing them, and doing federation across identities will take a longer "cleaning up", per se, for extended AD and domains. Going simple makes the design secure too, since you have one master reliable source and it is the main one with much protection invested.
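The cached-credential failure mode that Jeff and btan describe above (a branch user whose secret is not on the RODC fails logon while the WAN to the hub is down) can be checked from the hub before an outage. This is an added example, not code from either answer; RODC01, HUBDC01 and the group Branch-Accounts are assumed names, and the group is assumed to be in the RODC's allowed password replication policy.

```powershell
# Added example (not from the original answers). Reports branch accounts whose secrets are
# not yet cached on the RODC, and optionally prepopulates them via repadmin /rodcpwdrep.
param(
    [string]$Rodc        = 'RODC01',          # assumed branch RODC
    [string]$HubDC       = 'HUBDC01',         # assumed writable hub DC
    [string]$BranchGroup = 'Branch-Accounts', # assumed group of branch users and computers
    [switch]$Prepopulate
)
Import-Module ActiveDirectory

# Accounts whose passwords are already stored on the RODC
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
          ForEach-Object { $_.DistinguishedName }

# Accounts that have authenticated through this RODC (cached only if the PRP allows them)
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
                 ForEach-Object { $_.DistinguishedName }

# Branch users and computers from the assumed group
$branch = Get-ADGroupMember -Identity $BranchGroup -Recursive |
          Where-Object { $_.objectClass -in 'user', 'computer' }

$report = foreach ($acct in $branch) {
    [pscustomobject]@{
        Account    = $acct.SamAccountName
        Type       = $acct.objectClass
        Cached     = $cached -contains $acct.DistinguishedName
        SeenOnRodc = $authenticated -contains $acct.DistinguishedName
    }
}
$report | Sort-Object Cached, Account | Format-Table -AutoSize

# Not cached: these accounts fail logon at the branch if the WAN to the hub is down
$missing = @($report | Where-Object { -not $_.Cached })
Write-Host ("{0} of {1} branch accounts are not cached on {2}" -f $missing.Count, @($report).Count, $Rodc)

if ($Prepopulate -and $missing.Count -gt 0) {
    foreach ($m in $missing) {
        $dn = ($branch | Where-Object SamAccountName -eq $m.Account).DistinguishedName
        # Pushes the secret from the hub DC to the RODC; the account must be allowed by the PRP
        & repadmin.exe /rodcpwdrep $Rodc $HubDC $dn
    }
}
```

An account that shows SeenOnRodc but not Cached has authenticated through the branch yet is denied by the PRP, which is the case btan's inconsistent-logon warning refers to.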
Shaun Vermaak, Technical Specialist/Developer, commented:
Will the server be in a secure server room?
L0k1, Network Administrator (Author), commented:
Hi, let me clarify some things:
- The first DC is a VM (vSphere 6.5)
- We want to set up the second DC so that it can authorize users from branches (via IPsec VPN); this second DC is physical, located in our secured server room (same location as the first DC)

We are installing it as Additional DC or Read-only DC based on these requirements:
- Error-less authentication between remote users
- Less risk to main DC when the second DC is failed
- Easy to manage, troubleshoot the replication
- Easy to backup (which Software should be used to backup the second DC?)

Besides, I would like to know, in this diagram, which services or ports I have to open on the second DC. Which rule should I create in the Sophos firewall?

Can you help?
Jeff Glover, Sr. Systems Administrator, commented:
Your diagram clarifies things. Set up an additional DC, not an RODC. There is absolutely no advantage in your physical setup to putting an RODC in the same datacenter as a full DC. Putting in a second full DC allows for fault tolerance. Originally, your post looked like you wanted to put the DC in the remote office, but your diagram says otherwise. For ports, btan's post is pretty thorough.
Question has a verified solution.