A read only domain controller (RODC) is a type of domain controller that has read-only partitions of Active Directory Domain Services (AD DS) database. RODC is available in Windows server 2008 OS and in its succeeding versions. Enterprises tend to deploy RODC under two conditions viz.,
- When there is not enough physical security to the datacenter.
- When there isn’t enough bandwidth for establishing network connections.
Further, RODC enhances security for the domain especially in the case of AD DS remote accesses. For instance, if an enterprise need to deploy a business critical application (such as an attendance tracker) that can be installed only on a DC, then every time when a remote user is trying to access the application, the security is at stake. The RODC comes to the rescue in such scenarios. Since the AD DS has read-only permission, your AD and DC is safe from accidental or intentional modifications.
However, there’s one constraint for the deployment-when you want to deploy RODC, at least one of the DCs in the forest must run on Windows Server 2008 or later versions of OS and the forest functional level should be Windows Server 2003 or later.
Prominent features of the RODC
- Read-only AD DS database: The RODC can hold all the objects and attributes that are present in DC except the user account credentials. The user credentials gets cached only when you authenticate from RODC.
- Administrator role separation: A user in the RODC can be granted with administrator privileges for carrying out maintainance operations such as server upgrade. However, this administrator privilege will not have permission to make any changes in the DC. This helps in managing the RODC efficiently without risking the safety of the domain.
- RODC Filtered Attribute Set (FAS): Enterprises wouldn’t want certain critical application’s schema to be replicated to RODC, since it would reduce the security of the application. For such cases, RODC comes with the FAS. If you configure certain attributes of application to RODC FAS, then the attributes are never replicated to any RODC.However, in case of manual replication of RODC, if the target DC is running on Windows Server 2003 functional level, then the attributes can also be replicated irrespective of being a FAS. Thus it is important to use Windows Server 2003 and above as the FFL for any RODC.
- Unidirectional replication: In case of a compromise (there’s a high chance for this since the RODC is accessible from remote locations) proper measures have to be taken for the unwanted changes not to get reflected in the other domains. That’s where unidirectional replication plays a major role. No changes or replications from RODC gets reflected in any of the DCs in the forest. This eventually reduces the work load of monitoring replications.
- Credential caching: By default the user, computer, or application credentials are not cached in the RODC. If the RODC requests for a copy of such credentials for quicker login, then the corresponding DC refers to the Password Replication Policy (PRP) of that particular RODC. The credentials can be cached only when PRP allows the replication.
- Read-only Domain Name System (DNS): RODC allows users to query name resolution. RODC’s read-only DNS can replicate all application directory partitions that a DNS would use. But the only limitation is that the DNS is read-only and hence does not support client updates directly. So, every time there is a client update it has to go through a DNS in a DC.
In short, RODC enhances the security of the DC, provides faster logon, and better access to the resources from remote location. In order to leverage the functionalities of RODC, it is recommended that the FFL be set at Windows Server 2008 or later.