RODC vs BDC
In the old days, we used BDCs in a branch office. We couldn't change a thing on the BDCs, couldn't add a user/PDC and so on. Now the BDC is back as an RODC. Can someone tell me if they use RODCs, and if so why and where (branch office?). What problems is an RODC causing in daily administration tasks? And is the RODC installed as a global catalogue?
June 22nd, 2011 11:22am
Hello,
RODC means Read-Only Domain Controller.
Since all DCs are now RW, Microsoft added a new DC technology, which is RODCs.
Using RODCs you can benefit from:
Reducing replication traffic, as it is based on one-way AD replication.
More security for AD environments: as it is a read-only DC, you cannot perform modify operations on it that then get replicated to other DCs. That is why you can add it in a branch office where physical security is not well ensured. Also, it is more secure to use RODCs due to filtered attributes and password replication policies.
...
Note that to add an RODC you need to have at least one RWDC in your domain with the 2008 Server OS or higher installed.
If you are planning to add a RODC in a branch office, I recommend installing DNS on it and configuring the password replication policy.
More here: http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
June 22nd, 2011 11:28am
You really want to research this more. I wouldn't recommend adding any additional complexity to any network design unless there is an actual business need that drives it. To answer your question with regard to the situations where an RODC is used, yes, the RODC is mainly deployed in situations like a remote office where physical security may be of concern. It also addresses the concerns where you may have a location with one server, the RODC, that requires additional software to be installed where the "admin" at the local site is not a domain admin, but more of a server admin. In this scenario, AD is protected and the admin can manage the server.
There are pre-reqs that have to be put in place, as Mr X described. If you proceed, I would suggest that you work with this in a lab prior to deploying on your production infrastructure.
Visit: anITKB.com, an IT Knowledge Base.
June 22nd, 2011 1:27pm
Hello,
RODCs should be placed in branch offices with reduced physical security, for example, and if there are no admins in the site that you trust to manage the domain but who should be able to reboot the server or install some updates.
There is no problem for daily tasks, as the AD tasks must be done on RWDCs, so not in the remote location.
An RODC can become a GC and also a DNS server without any problem. You also have to configure the PRP, password replication policy, for users and computers so they are able to log on even if the main site is not available.
You will find more details in:
http://technet.microsoft.com/en-us/library/cc754956(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd734758(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc725669(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc732632(WS.10).aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
June 23rd, 2011 2:57am
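An added example, not part of any reply in this thread: one way to review the password replication policy (PRP) mentioned above and to see which account passwords a branch-office RODC has actually cached. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT); the RODC name `BRANCH-RODC01` is a hypothetical placeholder.

```powershell
# Added example: audit the PRP and the cached (revealed) credentials of one RODC.
Import-Module ActiveDirectory

$rodcName = 'BRANCH-RODC01'   # hypothetical name, replace with your RODC

# Groups whose members should never have a password cached on an RODC.
# These five exist in every domain; add forest-root groups as needed.
$privilegedGroups = 'Domain Admins', 'Administrators', 'Account Operators',
                    'Server Operators', 'Backup Operators'

# Resolve nested membership to a unique list of distinguished names.
$privilegedDns = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty distinguishedName
}
$privilegedDns = @($privilegedDns | Sort-Object -Unique)

# 1. What the policy says: principals on the Allowed and Denied lists.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Denied

# 2. What has happened: accounts whose passwords are stored on the RODC,
#    and accounts that have authenticated through it.
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -AuthenticatedAccounts

# 3. Findings: privileged accounts that are cached, or that logged on via the RODC.
$cachedPrivileged = @($revealed      | Where-Object { $privilegedDns -contains $_.DistinguishedName })
$seenPrivileged   = @($authenticated | Where-Object { $privilegedDns -contains $_.DistinguishedName })

"Allowed list ({0}):" -f @($allowed).Count
$allowed | Select-Object Name, ObjectClass | Format-Table -AutoSize
"Denied list ({0}):" -f @($denied).Count
$denied | Select-Object Name, ObjectClass | Format-Table -AutoSize
"Accounts cached on {0}: {1}" -f $rodcName, @($revealed).Count

if ($cachedPrivileged.Count -gt 0) {
    Write-Warning "Privileged accounts with passwords cached on ${rodcName}:"
    $cachedPrivileged | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}
if ($seenPrivileged.Count -gt 0) {
    Write-Warning "Privileged accounts that authenticated through ${rodcName}:"
    $seenPrivileged | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}
```

If the RODC is lost or stolen, the revealed list is the set of accounts whose passwords need to be reset, so keeping the Allowed list limited to the branch's own users and computers keeps that set small.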
Many thanks for the replies. Is anyone using an RODC, and what are the daily (dis)advantages you're encountering?
July 3rd, 2011 3:45am
There are solutions, like Exchange, that cannot use it as a GC.
July 3rd, 2011 5:06am