Hello Guys
Hope you are doing well and enjoying our all posts.
Today we are going to explain about RODC-Read Only Domain Controller.
What is a Read Only Domain Controller (RODC)
RODC is a read-only domain controller that contains read-only Active Directory database copy and responds to security authentication requests.
Before installing RODCs, Microsoft recommends that organizations meet some prerequisites to ensure they work properly, including having a functional AD forest level set at Windows Server 2003 or higher and at least one writable domain controller deployed on Windows Server 2008 or higher.
The main reason to introduce RODCs is to allow a Domain Controller to exist in a remote office that may have few users or less physical security as well network security requirements while not sacrificing performance for the remote location.
The main features of an RODC are as below:
Read-only AD database– RODC host read only database where we cannot make any changes directly. , any database changes must be made to a writable DC, and then replicated back to the RODC. Applications or tools that need read only access of database can use the RODC.
Read-only DNS—RODC also host a read only dns database and RODC DNS doesn’t allow client updates, nor does it register name-service resource records.
Credential caching–An RODC doesn’t store user or computer credentials except for the RODC’s computer account. When the RODC receives an authentication request, it forwards it to an RODC. The RODC then requests a copy of the credential so that it can service the request itself in the future.
If the password-replication policy allows credential caching, the credential details will be cached and the RODC can service logon requests (until the credentials change).
Unidirectional replication– RODC support unidirectional replication that means replication happens only from writable domain controller to RODC. The RODC can’t spread misinformation to the rest of the domain, even if a change is made on the RODC.
Filtered attribute set configuration–A filtered attribute set isn’t replicated to any RODC in the forest. If an RODC is compromised and the set modified, a Server 2008 RWDC won’t replicate the values. It’s also important to note that you can’t add system-critical attributes to the RODC filtered attribute set
Separation of administrator capabilities–An RODC can designate users as server administrators without granting any domain or other DC permissions.
The main benefits of an RODC are as below:
- Reduced security risk to a writable copy of Active Directory.
- Better logon times compared to authenticating across a WAN link.
- Better access to the authentication resource on the network.
- Better performance of directory-enabled applications.
So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day !!!
Recommended content
RODC Installation Guide- Step by step guide to install read only domain controller
RODC Filtered Attribute Set
Installing and configuring a RODC in Windows Server-2012
How to find the GUID of Domain Controller
Group Policy Understanding Group Policy Preferences
Group Policy Verification Tool GPOTool Exe
Group Policy Health Check on Specific Domain Controller
What is Netlogon Folder in Active Directory
How to Create Custom Attributes in Active Directory
How Can I Check the Tombstone Lifetime of My Active Directory Forest
How to Determine a Computers AD Site From the Command Line
How to Check the Active Directory Database Integrity
How to Check the Active Directory Database Integrity
Disabling and Enabling the Outbound Replication
DFS Replication Service Stopped Replication
What is Strict Replication Consistency
The replication operation failed because of a schema mismatch between the servers involved
Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers
How to export replication information in txt file
Repadmin Replsummary
Enabling the outbound replication
Guys please don’t forget to like and share the post. You can also share the feedback on below windows techno email id.
If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.
