ManageEngine x Forrester | Workforce Identity Platforms Landscape Report

Active Directory Fundamentals

What is a Read Only Domain Controller (RODC)


A read only domain controller (RODC) is a type of domain controller that has read-only partitions of Active Directory Domain Services (AD DS) database. RODC is available in Windows server 2008 OS and in its succeeding versions. Enterprises tend to deploy RODC under two conditions viz., 

  • When there is not enough physical security to the datacenter. 
  • When there isn’t enough bandwidth for establishing network connections.

Further, RODC enhances security for the domain especially in the case of AD DS remote accesses. For instance, if an enterprise need to deploy a business critical application (such as an attendance tracker) that can be installed only on a DC, then every time when a remote user is trying to access the application, the security is at stake. The RODC comes to the rescue in such scenarios. Since the AD DS has read-only permission, your AD and DC is safe from accidental or intentional modifications. 

However, there’s one constraint for the deployment-when you want to deploy RODC, at least one of the DCs in the forest must run on Windows Server 2008 or later versions of OS and the forest functional level should be Windows Server 2003 or later. 

Prominent features of the RODC

  • Read-only AD DS database: The RODC can hold all the objects and attributes that are present in DC except the user account credentials. The user credentials  gets cached only when you authenticate from RODC. 
  • Administrator role separation: A user in the RODC can be granted with administrator privileges for carrying out maintainance operations such as server upgrade. However, this administrator privilege will not have permission to make any changes in the DC. This helps in managing the RODC efficiently without risking the safety of the domain.
  • RODC Filtered Attribute Set (FAS): Enterprises wouldn’t want certain critical application’s schema to be replicated to RODC, since it would reduce the security of the application. For such cases, RODC comes with the FAS. If you configure certain attributes of application to RODC FAS, then the attributes are never replicated to any RODC.However, in case of manual replication of RODC, if the target DC is running on Windows Server 2003 functional level, then the attributes can also be replicated irrespective of being a FAS. Thus it is important to use Windows Server 2003 and above as the FFL for any RODC.
  • Unidirectional replication: In case of a compromise (there’s a high chance for this since the RODC is accessible from remote locations) proper measures have to be taken for the unwanted changes not to get reflected in the other domains. That’s where unidirectional replication plays a major role. No changes or replications from RODC gets reflected in any of the DCs in the forest. This eventually reduces the work load of monitoring replications. 
  • Credential caching: By default the user, computer, or application credentials are not cached in the RODC. If the RODC requests for a copy of such credentials for quicker login, then the corresponding DC refers to the Password Replication Policy (PRP) of that particular RODC. The credentials can be cached only when PRP allows the replication.
  • Read-only Domain Name System (DNS): RODC allows users to query name resolution. RODC’s read-only DNS can replicate all application directory partitions that a DNS would use. But the only limitation is that the DNS is read-only and hence does not support client updates directly. So, every time there is a client update it has to go through a DNS in a DC. You can read more about DNS from here.

In short, RODC enhances the security of the DC, provides faster logon, and better access to the resources from a remote location.  In order to leverage the functionalities of RODC, it is recommended that the FFL be set at Windows Server 2008 or later.

Installing an Read-only Domain Controller

An RODC must replicate domain updates from a writable domain controller running Windows Server 2008. It is critical that an RODC is able to establish a replication connection with a writable Windows Server 2008 domain controller. Ideally, the writable Windows Server 2008 domain controller should be in the closest site to the main site. In the following lesson, we will create an RODC called Branchrodc attached to the Es-net domain. We will create a branch office security group and users, then configure a Password Replication Policy (PRP)

Type dcpromo in the run box and click OK. Check if Active Directory binaries are installed. The Active Directory installation wizard starts. Click Next to continue. Operating System compatibility page click Next. Ensure add a domain controller to an existing domain is checked and click Next.

Enter domain you wish to join and specify credentials, then click Next. Select domain then click Next. Select site for new domain controller and click Next. Ensure Global Catalog and Read-only domain controller (RODC) are checked and click Next. Click Next. Type in and confirm restore mode password and click Next. Review selections and click Next. Installation of Active Directory begins. Installation completed. Click Finish. To complete the install click Restart Now.

 How to deploy a read only domain controller 

  • Open the Server Manager dashboard and click Add Roles and Features.
  • Click on the Role-based or Feature-based installation radio button and click Next.
  • Pick the desired server that is to be configured as a Read-Only Domain Controller and click Next.
  • Check the Active Directory Domain Services radio button and click on Add Features.
  • Keep clicking on Next until the installation begins. This installation process will take a few minutes to complete and your system may restart several times.
  • Once the installation is complete, click on Promote this server to a domain.
  • You’ll be prompted to enter the domain credentials to add a domain controller.
  • Click on the Read-only domain controller (RODC) radio button and provide a Directory Services Restore Mode (DSRM) password.
  • Keep clicking on Next until you reach the installation screen. Click on Install and wait for the configuration to complete.
Related posts
Active Directory FundamentalsTop Read Articles

How to raise AD forest functional level

Active Directory Fundamentals

How to schedule a process remotely via WMI

Active Directory Fundamentals

How to create a process via WMI remotely

Active Directory Fundamentals

How to create a task via WMI


There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.