
What is a Read Only Domain Controller (RODC)

Introduction

A read-only domain controller (RODC) is a type of domain controller that hosts read-only partitions of the Active Directory Domain Services (AD DS) database. RODCs are available in Windows Server 2008 and its succeeding versions. Enterprises tend to deploy an RODC under two conditions, viz.,

Further, an RODC enhances security for the domain, especially in the case of remote access to AD DS. For instance, if an enterprise needs to deploy a business-critical application (such as an attendance tracker) that can be installed only on a DC, then security is at stake every time a remote user accesses the application. The RODC comes to the rescue in such scenarios. Since the RODC holds a read-only copy of the AD DS database, your AD and DC are safe from accidental or intentional modifications.

However, there is one constraint on deployment: when you want to deploy an RODC, at least one of the DCs in the forest must run Windows Server 2008 or a later version of the OS, and the forest functional level must be Windows Server 2003 or later.

Prominent features of the RODC

In short, an RODC enhances the security of the DC, provides faster logon, and gives better access to resources from a remote location. In order to leverage the full functionality of an RODC, it is recommended that the forest functional level (FFL) be set to Windows Server 2008 or later.

Installing a Read-Only Domain Controller

An RODC must replicate domain updates from a writable domain controller running Windows Server 2008. It is critical that an RODC is able to establish a replication connection with a writable Windows Server 2008 domain controller. Ideally, that writable domain controller should be in the site closest to the main site. In the following lesson, we will create an RODC called Branchrodc attached to the Es-net domain. We will create a branch office security group and users, then configure a Password Replication Policy (PRP).

1. Type dcpromo in the Run box and click OK. The Active Directory Domain Services binaries are installed if they are not already present, and the Active Directory installation wizard starts.
2. Click Next to continue. On the Operating System Compatibility page, click Next.
3. Ensure that "Add a domain controller to an existing domain" is selected and click Next.
4. Enter the domain you wish to join, specify credentials, and click Next. Select the domain and click Next.
5. Select the site for the new domain controller and click Next.
6. Ensure that Global Catalog and Read-only domain controller (RODC) are both checked and click Next. Click Next again.
7. Type in and confirm the Directory Services Restore Mode password and click Next.
8. Review your selections and click Next. Installation of Active Directory begins.
9. When the installation completes, click Finish. To complete the install, click Restart Now.
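The same promotion, plus the Password Replication Policy the lesson mentions, done with the AD DS PowerShell cmdlets instead of dcpromo. This is an added example, not from the original page; the domain FQDN es-net.example, the site name BranchSite, and the group name Branch-Users are assumptions, since the page names only the Es-net domain and the Branchrodc RODC.

```powershell
# Added example: promote this server to the RODC "Branchrodc" in the Es-net domain
# and configure its Password Replication Policy (PRP).
# Assumptions (not given on the page): domain FQDN es-net.example, AD site
# "BranchSite", and "Branch-Users" as the branch office security group.
# Run in an elevated session on the server that is already named Branchrodc.

$DomainName = 'es-net.example'    # assumed FQDN of the Es-net domain
$SiteName   = 'BranchSite'        # assumed AD site for the branch office
$BranchGrp  = 'Branch-Users'      # assumed branch office security group

# 1. Install the AD DS binaries and management tools (the wizard's first step).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Promote as a Global Catalog + RODC in the branch site with a DSRM password.
#    Global Catalog is enabled by default; -Credential prompts for an account
#    that is allowed to add a domain controller to the existing domain.
Install-ADDSDomainController `
    -DomainName $DomainName `
    -ReadOnlyReplica `
    -SiteName $SiteName `
    -InstallDns `
    -Credential (Get-Credential "$DomainName\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -AllowedPasswordReplicationAccountName @($BranchGrp) `
    -DeniedPasswordReplicationAccountName @('Domain Admins', 'Enterprise Admins', 'Schema Admins') `
    -Force
# The server restarts when promotion finishes; run steps 3 and 4 afterwards
# from a writable DC (or any host with the AD PowerShell module).

# 3. Adjust the PRP later: allow the branch group, keep privileged groups denied
#    so their password hashes are never cached on the branch RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'Branchrodc' -AllowedList $BranchGrp
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'Branchrodc' -DeniedList 'Domain Admins'

# 4. Verify the policy and, more importantly, which secrets the RODC actually holds.
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'Branchrodc' -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'Branchrodc' -Denied
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'Branchrodc' -RevealedAccounts
```

Review the RevealedAccounts output periodically: a privileged account listed there means the PRP lets the RODC cache a password it should not, and the account's password should be reset after the policy is corrected.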

How to deploy a read only domain controller
