Read-Only Domain Controllers (RODC) are another type of domain controller that can be used in a Windows 2008 Active Directory (AD) Domain. These RODCs host a read-only version of the AD database. They provide the same authentication and authorization as other domain controllers in the domain. Those network professionals that have been supporting networks since the 1990s would find these RODCs as the closest equivalent to a Windows NT 4.0 Backup Domain Controller (BDC).
RODCs were designed to be deployed in locations such as small branch offices where the physical security of the domain controller cannot be guaranteed. Keep in mind that the domain controllers keep a local copy of the user accounts and their associated passwords, so if someone were to walk out of the office with a DC, they would have access to the local database. With the help of some cracking tools, the timer begins. Hopefully, your domain had a complex password policy in place to ensure users weren’t storing blank passwords. For tighter security, an RODC can be deployed on a Server Core installation.
Before you consider deploying these types of domain controllers, you should understand how they are managed and what their limitations are. For instance, here are some of the limitations:
- The domain controller is holding a read-only copy (hence Read-Only Domain Controller)
- An RODC cannot hold a Flexible Single Operations Master (FSMO) role.
- An RODC cannot be a bridgehead server for a site.
Recommended Books & Training Resources