Sunday, November 18, 2007

Active Directory in Windows 2008: Read-Only Domain Controllers (RODC)

Security is becoming more and more integrated into Windows 2008 servers. If we examine the new features in Active Directory, we quickly notice the security focus around most of the directory and DNS services. The read-only DC concept is brand new; it reminds me of the UNIX concept. Out of the box, the Windows servers seem more robust and offer more granular delegation of tasks to administrators.

Below are some of the highlights I have observed and wanted to share with you all.

Administrator role separation

  • Read-only domain controllers (RODC) in Windows 2008 allow a more secure deployment.
  • This is great for sites that do not have IT support (providing local services: print service, logon service).

With an RODC we are not exposing a full writable domain controller in the remote site.

  • The RODC stores a copy of the DIT database with no security principal secrets (no passwords). If the RODC is compromised, the DIT database it holds contains no passwords.
  • If changes are made at the site, they won't affect the corporate site, since the DIT is read-only.


  • Great improvements to DCPROMO, ADUC and Distributed File System Replication (DFSR)
  • Administrative role separation
  • Delegation of DCPROMO and RODC installation (more granular control)

DNS Improvements

  • The backbone of AD is still DNS, and DNS has many improvements in Windows 2008 AD.
  • DNS has a new locator flag (based on site cost).
  • Read-only Active Directory integrated zones for RODC

RODC (Read Only Domain Controller)

The DIT database is read-only. Changes, such as password changes, must be made on a writable DC. The RODC is primarily targeted at remote sites and edge offices. On the security side, each RODC has its own Kerberos ticketing system.

Deploying RODC Requirements

The forest functional level must be Windows 2003 or later, and at least one DC must be running Windows 2008 Server. The domain functional level must also be raised to Windows 2003 or later.

  • The RODC needs to forward logon requests to a Windows 2008 server.
  • One RODC per site is recommended.
  • No RODC-to-RODC replication.
  • No plans for Exchange to support RODC / GC (Global Catalog).
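The following script is an added example, not part of the original post: it checks the deployment requirements listed above (forest and domain functional level, at least one writable Windows 2008 DC, one RODC per site) and then audits what each existing RODC is actually allowed to cache through its Password Replication Policy, since the "no passwords on the RODC" property only holds for accounts the policy does not allow. It assumes the ActiveDirectory PowerShell module (shipped with the RSAT tools from Windows Server 2008 R2 onward, so newer than this post) and a domain-joined administrative session; the function name `Test-RodcPrerequisites` and the list of privileged groups are my own choices.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module from RSAT (Windows Server 2008 R2 or later) and a domain-joined session.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Both functional levels must be Windows 2003 or later. The enum values
    # are ordered, so compare them numerically to accept 2008 and higher too.
    $forestOk = [int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $domainOk = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    Write-Output ("Forest functional level {0}: {1}" -f $forest.ForestMode, $(if ($forestOk) { 'OK' } else { 'TOO LOW' }))
    Write-Output ("Domain functional level {0}: {1}" -f $domain.DomainMode, $(if ($domainOk) { 'OK' } else { 'TOO LOW' }))

    # At least one writable DC on Windows Server 2008 or later must exist,
    # because the RODC forwards logon requests and all writes to it.
    $dcs = Get-ADDomainController -Filter *
    $writable2008 = $dcs | Where-Object {
        (-not $_.IsReadOnly) -and ($_.OperatingSystem -match 'Windows Server (2008|201|202)')
    }
    if ($writable2008) {
        $names = ($writable2008 | Select-Object -ExpandProperty HostName) -join ', '
        Write-Output ("Writable Windows 2008+ DCs: {0}" -f $names)
    } else {
        Write-Warning 'No writable Windows Server 2008 (or later) DC found; an RODC cannot be deployed.'
    }

    # Recommendation from the post: one RODC per site.
    $rodcs = @($dcs | Where-Object { $_.IsReadOnly })
    $rodcs | Group-Object -Property Site | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ("Site {0} has {1} RODCs; one per site is the recommendation." -f $_.Name, $_.Count)
    }

    # Password Replication Policy audit. An RODC holds no secrets unless the PRP
    # allows them, so privileged groups must never appear in the Allowed list,
    # and the revealed-accounts list shows what a compromised RODC would expose.
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    foreach ($rodc in $rodcs) {
        $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.HostName -Allowed)
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.HostName -RevealedAccounts)
        Write-Output ("{0} (site {1}): {2} principals allowed to cache, {3} passwords currently cached" -f
            $rodc.HostName, $rodc.Site, $allowed.Count, $revealed.Count)
        $allowed | Where-Object { $privileged -contains $_.Name } | ForEach-Object {
            Write-Warning ("{0}: privileged group '{1}' is in the PRP Allowed list" -f $rodc.HostName, $_.Name)
        }
    }
}

Test-RodcPrerequisites
```

Run it from a workstation with RSAT installed before promoting the RODC, and again afterwards: the first run confirms the functional levels and the presence of a writable Windows 2008 DC, the second shows whether the Password Replication Policy keeps the RODC's copy of the DIT free of the credentials that matter most.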


Oz Ozugurlu

1 comment:

oracleR12 said...

It is a very good article that you have cleanly presented on Active Directory Windows 2008 and read-only domain controllers. The way you explained it is too good; any user can understand this kind of presentation.
Thank you.
oracle EBS training