Search This Blog

Saturday, June 13, 2009

Deploy Read Only Domain Controller


To reduce the attack and tighten the security on the branch environment, Microsoft has introduce RODC.In order to deploy RODC, the forest functional level must at least Win2k3.

It is suitable to deploy RODC if you do not need application aware directory services at the branch.

Only certain accounts are pre-populate to the RODC and we can use Delegation Control Wizard to assign right to local administrator for managing the RODC.

Not only RODC, we can also deploy read only DNS and GC.

In my environment, i have tested Windows Server 2008 and Windows Server 2008 R2 RC. Both OS work fine for RODC. If your schema is in Win2k8, you need to use Adprep32 to upgrade the forest and domain before deploy Win2k8 R2 as a new domain.

Finally, bear in mind that RODC only support one way replication. We can use Password Replication Policy to define which account to allow or deny replicate to the RODC.

So far, i've deployed multiple Branch office deployment by using Active Directory and the having the concept RODC really improve the security in the branch environment.

Cheer for Microsoft hardwork to improve the security !