RODC as a "backup" DC
Hi All,
I've recently received two relatively beefy servers to replace all four of our current servers. I'm using Windows Server 2008 R2 and I've added the Hyper-V role to both servers. One of the host machines is now our domain controller and I was planning on having a virtual machine on the second new server as a backup domain controller.
I know times have changed and the roles of "primary" and "backup" DCs are (apparently) not really relevant. Even though all our international sites are connected via a private MPLS, each site is on a different subnet on the same domain. Since we're the newest site, I've only ever had one DC on site. I had the idea of setting up the second (low resource VM) DC as an RODC. The idea is, if the first DC is down for any reason, users would still be able to log on by querying the RODC VM.
Is there any merit in doing this? I understand the concept of RODCs tackling the "branch office" setup, but would an RODC work as a backup domain controller on the same site as well?
September 5th, 2012 6:11am
No. The RODC by default does not authenticate anyone; it forwards the request to a writable DC. You have to manually define those user and computer accounts on the RODC that it *can* authenticate without contacting a writable DC. In the branch office scenario, if someone stole your DC you would know which accounts need to be reset because only a small number were "cached" or defined to authenticate users. I would deploy an RODC in a scenario where you have a physical security risk. Sounds like you need to deploy a standard DC in your site. In this way, if DC#1 goes down, clients will contact DC#2 since it will be defined that way in Sites and Services.
Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog
September 5th, 2012 6:21am
Hi,
No, I would not recommend an RODC as a backup DC. RODC still has lots of limitations. Instead you can promote it as an additional domain controller. There are lots of applications that still do not work with RODC. If you feel that you have adequate security in the new site you can go for an additional domain controller instead of an RODC.
RODC enhances the authentication locally where it has been placed, but again it should not be considered a replacement for a writable DC. You can configure the RODC as a GC and DNS server too for enhancing authentication locally. If you have deployed an Exchange server in the site, or want to deploy one, you can't utilize an RODC in that site; you need to have RWDCs only.
An RODC usually needs a writeable domain controller to work properly. For example, users can't change passwords, computers can't join the domain, accounts whose passwords haven't been cached can't log on, and Group Policy doesn't work properly if no writable DC is available. This means that an RODC doesn't provide the same failure safety as a writeable DC.
http://www.trainsignal.com/blog/windows-server-2008-rodc-2
http://blogs.msdn.com/b/douggowans/archive/2009/01/06/windows-2008-read-only-domain-controllers-and-exchange-2007.aspx
All About RODC (Read Only Domain Controllers)
http://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/
Applications That Are Known to Work with RODCs
http://technet.microsoft.com/en-us/library/cc732790.aspx
Regards,
Rafic
If you found this post helpful, please give it a "Helpful" vote.
If it answered your question, remember to mark it as an "Answer".
This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
September 5th, 2012 6:21am
OK, thanks to both of you. These are the answers I was looking for. I wasn't really aware of the limitations, I just kept coming across the branch scenarios in my research.
Standard DC seems to be the answer then!
September 5th, 2012 6:38am
Hello,
"I'm using Windows Server 2008 R2 and I've added the Hyper-V role to both servers. One of the host machines is now our domain controller"
This is NOT a recommended configuration; a Hyper-V host should NEVER run anything else, especially NOT a DC role. This is for security and performance reasons. Hyper-V hosts should always be workgroup servers to have them separated from the domain, or be domain MEMBERS only.
An RODC on the same site as an RWDC is not recommended. In your case use at least 2 RWDC/DNS/GC and configure all clients to use both DNS servers on the NIC; without domain DNS no one is able to log on, as the DCs cannot be found.
An RODC needs PRP configured and must also be DNS/GC for the best working option. BUT this DNS is NOT able to write records, so a referral is made to an RWDC if required.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
September 5th, 2012 7:27am
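Dave's point that only a small, defined set of accounts is cached on an RODC (so you know which passwords to reset if the box is stolen) and Meinolf's point that an RODC needs its PRP configured can both be checked from the domain. The following is an added example, not code from any of the posters: it uses the ActiveDirectory PowerShell module and assumes the account running it can read the RODC's Password Replication Policy.

```powershell
# Added example (not from the thread): audit every RODC in the domain and report
# which accounts it is allowed/denied to cache and which passwords are actually
# cached on it. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-RodcCacheReport {
    param(
        # Optional hostname of one RODC; default is every RODC in the domain
        [string]$Identity
    )

    if ($Identity) {
        $rodcs = @(Get-ADDomainController -Identity $Identity)
    } else {
        # IsReadOnly distinguishes RODCs from writable DCs
        $rodcs = @(Get-ADDomainController -Filter * | Where-Object { $_.IsReadOnly })
    }

    foreach ($rodc in $rodcs) {
        if (-not $rodc.IsReadOnly) {
            Write-Warning "$($rodc.HostName) is a writable DC; PRP does not apply."
            continue
        }
        $dc = $rodc.HostName
        # Password Replication Policy: who may / may never have secrets cached here
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Allowed
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Denied
        # Accounts whose secrets have actually been replicated to this RODC
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts
        # Accounts that have authenticated through this RODC (cached or forwarded)
        $authed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -AuthenticatedAccounts

        [PSCustomObject]@{
            RODC                 = $dc
            Site                 = $rodc.Site
            AllowedToCache       = @($allowed  | ForEach-Object { $_.SamAccountName })
            DeniedFromCaching    = @($denied   | ForEach-Object { $_.SamAccountName })
            CachedAccounts       = @($revealed | ForEach-Object { $_.SamAccountName })
            AuthenticatedViaRodc = @($authed   | ForEach-Object { $_.SamAccountName })
        }
    }
}

# List, per RODC, the accounts whose passwords would need a reset if that RODC
# were lost or stolen (the "cached" set Dave refers to).
Get-RodcCacheReport | ForEach-Object {
    "{0} ({1}): {2} cached account(s)" -f $_.RODC, $_.Site, $_.CachedAccounts.Count
    $_.CachedAccounts
}
```

An RODC with an empty AllowedToCache list is the default state Dave describes: every logon is forwarded to a writable DC, so it provides no offline logon at all when that DC is down.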