
Saturday, June 13, 2009

Deploy Read Only Domain Controller


To reduce the attack surface and tighten security in the branch environment, Microsoft has introduced the Read-Only Domain Controller (RODC). To deploy an RODC, the forest functional level must be at least Windows Server 2003 (Win2k3).

An RODC is suitable when the branch does not need application-aware directory services (applications that must write to the directory).

Only certain accounts are pre-populated on the RODC, and the Delegation of Control Wizard can be used to give a local administrator the rights to manage the RODC.

Besides the RODC itself, read-only DNS and a read-only global catalog (GC) can also be deployed.

In my environment, I have tested Windows Server 2008 and Windows Server 2008 R2 RC; both work fine as an RODC. If your schema is at the Win2k8 level, you need to run Adprep32 to prepare the forest and domain before deploying Win2k8 R2 as a new domain.

Finally, bear in mind that an RODC only supports one-way replication (from writable DCs to the RODC). The Password Replication Policy defines which accounts are allowed or denied to have their passwords replicated to the RODC.
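The following is an added example, not code from the original post, showing how the Password Replication Policy and the delegated RODC administration described above are configured and audited with the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and the RSAT tools). All names are assumptions: RODC01 is the branch RODC, HUBDC01 a writable hub DC, and "Branch01 Users", "Branch01 Computers", "Branch01 Admins" and "Tier0 Service Accounts" are groups created for the example.

```powershell
# Added example (not from the original post): configure and audit the
# Password Replication Policy (PRP) of a branch-office RODC.
# Assumed names: RODC01, HUBDC01, "Branch01 Users", "Branch01 Computers",
# "Branch01 Admins", "Tier0 Service Accounts".
#
# Prerequisite, run once per forest before the first RODC is promoted:
#   adprep /rodcprep   (Adprep32 on a 32-bit DC, as the post notes for R2)
Import-Module ActiveDirectory

$Rodc  = 'RODC01'
$HubDc = 'HUBDC01'

# 1. Show the current policy. A freshly promoted RODC allows only the
#    "Allowed RODC Password Replication Group" and denies privileged groups
#    (Domain Admins, Enterprise Admins, Account Operators, ...) through the
#    "Denied RODC Password Replication Group".
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, DistinguishedName

# 2. Allow caching for branch users AND branch workstations. If the computer
#    accounts are not cached, logons still fail when the WAN link is down,
#    because the workstation itself cannot authenticate to the RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch01 Users', 'Branch01 Computers'

# 3. Explicitly deny a high-value group the default denied list does not
#    cover (assumed group). Deny takes precedence over allow, so an account
#    in both lists is never cached on the RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -DeniedList 'Tier0 Service Accounts'

# 4. Delegate local administration of the RODC without granting any domain
#    rights: the managedBy attribute of an RODC computer object gives the
#    named group the RODC's local Administrators role.
Set-ADComputer -Identity ($Rodc + '$') -ManagedBy 'Branch01 Admins'

# 5. Audit. "Revealed" accounts have their secrets stored on the RODC; this
#    is the set to reset if the RODC is lost or stolen. "Authenticated"
#    accounts have logged on through the RODC but are not necessarily cached.
$revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

$cached = @{}
foreach ($r in $revealed) { $cached[$r.DistinguishedName] = $true }

"$($revealed.Count) accounts currently cached on $Rodc"
# Accounts that used the RODC but are NOT cached: these are the ones that
# will fail to log on once the WAN link drops.
$authenticated |
    Where-Object { -not $cached.ContainsKey($_.DistinguishedName) } |
    Select-Object Name, ObjectClass |
    Format-Table -AutoSize

# 6. Pre-populate credentials now instead of waiting for each account's first
#    logon, so the branch keeps working the first time the link goes down.
#    repadmin /rodcpwdrepl <RODC> <source DC> <account DN>
foreach ($acct in (Get-ADGroupMember 'Branch01 Users' -Recursive)) {
    repadmin /rodcpwdrepl $Rodc $HubDc $acct.DistinguishedName
}
```

Run the audit in step 5 from a writable DC after the branch has been in use for a while: anything listed as authenticated but not cached is an account that the allowed list has missed, and the computer accounts of branch workstations are the usual omission.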

So far, I have deployed multiple branch offices using Active Directory, and having the RODC concept really improves security in the branch environment.

Cheers to Microsoft for the hard work on improving security!


  1. Hi,

    Good to see you with a positive comment about the RODC concept, because we have enabled RODC on Hyper-V in one of our remote sites. As you said, everything works fine, but the moment the WAN link goes down users were not able to access their network resources and shared folders in the local site itself.

    Did you ever encounter this issue on your remote sites? Because all our password replication policies for users and computers and the MS-recommended support pack are also applied, still the same issue.

    I would like to seek your support in this regard.

