One of the most touted features of Windows Server 2008 is the Read-Only Domain Controller (RODC). The RODC is a domain controller deployed after a traditional domain controller that contains the schema, configuration, domain, application directory partitions, and partial attribute set schemas of an Active Directory database in a read-only fashion.
Some of the intended uses of the RODC include: processing logon requests for remote sites, any situation where you may have an unsecure environment, poor network connections to the main sites, or other scenarios where a domain controller would be required.
Planning to implement the RODC
There are two critical planning points around deciding to implement the RODC. The first is whether the core installation will be used for the RODC operating system; the second is the password caching replication policy for the RODC. The policy defines which users and computer objects can cache their password locally on the domain controller.
The intended design of the RODC is that a branch office with unreliable network connectivity could have only the local users and computers to that facility permitted to cache passwords on the RODC.
Another configuration is to explicitly prohibit certain groups (such as the domain admins group) or accounts with elevated permissions from caching their passwords on the RODC. Check out TechNet for additional information about the password policies specific to the RODC.
Setting up the RODC
The setup process for the RODC is very easy and hardly distinguishable from the normal dcpromo process to add a domain controller — except for the single option to enable the RODC, as shown in Figure A.
Once the setup of the newly added RODC is complete, you need to reboot and then the system is ready to go with the configured role. Within Active Directory Users And Computers, the RODC type is shown in Figure B to designate its difference from other domain controllers.
Replication and DNS integration
The RODC has unique behavior that deserves some consideration in the areas of replication and DNS integration. The replication pattern is always one way up from the RODC, meaning that another RODC cannot replicate to or from another RODC. And DNS zones that are Active Directory integrated must be able to register entries upward to a traditional domain controller running DNS in an Active Directory integrated zone.
Overall, the RODC is a welcome addition to the Windows Server line. It optimizes bandwidth in situations where frequent logon requests are processed over slow or unreliable connections.