Saturday, July 27, 2013

Read-Only Domain Controllers (RODC)

Read-Only Domain Controllers (RODC):-
  • RODCs address some of the problems that are commonly found in branch offices.
  • These locations might not have a DC, or they might have a writable DC but no physical security for that DC, low network bandwidth, or inadequate expertise to support that DC.

Functionality of RODCs:-
  • Read-Only DC database
  • Uni-directional replication
  • Credential caching
  • Administrator role separation
Read-only AD DS Database:-
  • Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds.
  • However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.
Uni-Directional Replication:-
  • Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable DCs do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest.
Credential Caching:-
  • By default, an RODC does not store any user credentials.
  • You must explicitly allow any credential to be cached on an RODC, using the Password Replication Policy (PRP) of that RODC.
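The following PowerShell is an added example and is not part of the original post. It assumes the RSAT ActiveDirectory module is available, and that an RODC named BRANCH-RODC01 and the groups Branch-Users, Branch-Workstations and Tier0-ServiceAccounts exist; all of these names are constructed placeholders. It shows the three things an administrator does with credential caching: read the Password Replication Policy, explicitly allow caching for the branch's own principals, and audit which passwords the RODC has actually cached.

```powershell
# Added example (not from the original post). Assumes the RSAT
# ActiveDirectory module; RODC and group names are constructed placeholders.
Import-Module ActiveDirectory

$Rodc = 'BRANCH-RODC01'

# 0. Confirm the target really is an RODC before touching its policy.
Get-ADDomainController -Identity $Rodc | Select-Object Name, IsReadOnly, Site

# 1. Inspect the Password Replication Policy (PRP) as it stands.
#    The Denied list (Domain Admins, Enterprise Admins, Account Operators, ...)
#    takes precedence over the Allowed list, so privileged accounts never cache.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, DistinguishedName

# 2. Explicitly allow caching only for the branch's own users and workstations,
#    and explicitly deny the branch's sensitive service accounts.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch-Users', 'Branch-Workstations'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -DeniedList 'Tier0-ServiceAccounts'

# 3. Audit what is actually cached on the RODC. If the RODC is ever stolen,
#    these are the accounts whose passwords must be reset.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize

# 4. Flag any cached user that sits in a privileged group; that would mean
#    the PRP is misconfigured and needs to be corrected.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
foreach ($acct in ($revealed | Where-Object ObjectClass -eq 'user')) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
              Select-Object -ExpandProperty Name
    $hit = $groups | Where-Object { $privileged -contains $_ }
    if ($hit) {
        Write-Warning "$($acct.Name) is cached on $Rodc but belongs to: $($hit -join ', ')"
    }
}
```

Step 3 is the one worth scheduling: the Allowed list says who may be cached, but only the revealed-accounts list says who has been cached, and that is the list that matters when the branch server goes missing.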
Administrator Role Separation:-
  • You can delegate local administrative permissions for an RODC to any domain user or group without granting that user rights for the domain or for other domain controllers.
  • In this way, the branch user can be delegated the ability to manage and perform maintenance work on the server, such as upgrading a driver on the branch office RODC only, without compromising the security of the rest of the domain.
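The following PowerShell is an added example, not code from the original post. It assumes the RSAT ActiveDirectory and ADDSDeployment modules, a domain corp.example.com with a site named Branch-Site, and a group Branch-Admins that will administer the RODC; all of these names are constructed placeholders. It shows the two ways the delegation is set (at staging time, or later through the managedBy attribute of the RODC's computer object) and then checks that the delegated group holds no domain-wide privilege, since role separation only has value if the branch administrator is not also a domain administrator.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# and ADDSDeployment modules; all names below are constructed placeholders.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$Rodc  = 'BRANCH-RODC01'
$Group = 'Branch-Admins'

# Option A: delegate while pre-creating (staging) the RODC account, before the
# branch server is promoted. The delegate becomes local administrator of this
# RODC only; it gains no rights on the domain or on other DCs.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $Rodc `
    -DomainName 'corp.example.com' -SiteName 'Branch-Site' `
    -DelegatedAdministratorAccountName $Group

# Option B: delegate (or change the delegate) on an RODC that already exists
# by setting the managedBy attribute of its computer object.
$groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
Set-ADComputer -Identity $Rodc -ManagedBy $groupDn

# Verify 1: the delegate is recorded on the RODC's computer object.
(Get-ADComputer -Identity $Rodc -Properties ManagedBy).ManagedBy

# Verify 2: no member of the delegated group holds domain-wide privilege.
# If one does, the "branch only" boundary that role separation provides is gone.
$domainWide = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators', 'Server Operators')
foreach ($member in (Get-ADGroupMember -Identity $Group -Recursive)) {
    $names = Get-ADPrincipalGroupMembership -Identity $member |
             Select-Object -ExpandProperty Name
    $bad = $names | Where-Object { $domainWide -contains $_ }
    if ($bad) {
        Write-Warning "$($member.SamAccountName) is delegated on $Rodc and also in: $($bad -join ', ')"
    }
}
```

Options A and B are alternatives; use A when the RODC is being staged centrally and B when the delegate changes after the fact. The verification loop is what to keep in a recurring audit, because group membership drifts long after the delegation was set up correctly.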
