Windows Server 2008 introduced read-only domain controllers, which receive a full replica of the domain database but can't modify it, just like a good old Windows NT BDC.
I know all the technical ins and outs of how to run those semi-DCs (I just passed 70-646 and 70-647), but still I don't have a clear answer to the most important question of all: why should you use them?
This comment from TheCleaner really sums it up for me:
@Massimo - yes, you are correct. You are looking for a compelling reason for an RODC and there isn't one. It has a few additional security features to help alleviate branch office security and really only needs to be deployed there if you don't have a DC there already and are anal about its security.
That was the same I was thinking... a little increase in security, yes, sure, but definitely not so much to be worth the hassle.
I'll give you a real-world scenario:
We use it because there isn't an IT dept there, we handle all requests for AD accounts, etc. here in the USA. By having a RODC there we know:
By having AD/DNS read-only we don't have to worry about attempts to manipulate the data on the DC there.
This is because of features found here: http://technet.microsoft.com/en-us/library/cc732801%28WS.10%29.aspx
It's more of "peace of mind" than anything else for us... plus it allowed for a very minimal server install since it was just Server Core with the RODC role installed. We put it on an older 1U server with 2 RAID-1 18GB drives. We actually put 2 of them in... same exact configuration using older non-warrantied hardware we had in the racks.
Simple, does what it needs to do, and we don't have to worry about it. If one of the boxes fails, we would simply replace it again.
I have a whole chapter on this feature in my book (www.briandesmond.com/ad4/). The long and short of it is that this is a security feature and for distributed organizations it is a huge deal.
There are two really big scenarios here:
--> RODCs store no passwords by default. This means that if someone physically gets the disks from the server, they don't get all your user (and computer) passwords.
The correct response if someone steals an RWDC is to reset ALL passwords in the domain as you can consider them all compromised. This is a major undertaking.
With an RODC you can specify that it only cache the passwords for subset X of users and computers. When the RODC actually caches a password, it stores that information in AD. If the RODC is stolen you now have a small list of passwords which need to be reset.
--> RODCs replicate one-way. If someone stole your RWDC, made some changes to it, and plugged it back in, those changes would replicate back into the environment. For example they might add themselves to the Domain Admins group or reset all the admin passwords or something. With an RODC this is simply not possible.
There's no speed improvement unless you're placing an RODC in a location which didn't have a DC there before, and then there is likely to be a speed improvement in some scenarios.
TheCleaner's reply is really incorrect. There are A LOT of compelling scenarios for RODCs and I can think of several deployments of them at scale offhand. This is simple security stuff, not the "anal about security" stuff.
Thanks,
Brian Desmond
Active Directory MVP
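The two points above (only a chosen subset of credentials is cached, and replication is one-way) can be checked and acted on from the ActiveDirectory PowerShell module. The script below is an added example and is not code from any of the answers or from Brian's book; it assumes RSAT/the ActiveDirectory module is installed, and "BRANCH-RODC01" and "Branch-Users" are placeholder names for the RODC and for the group you want cached on it.

```powershell
# Added example: inspect an RODC's Password Replication Policy (PRP), list what it
# has actually cached, and scope the password resets after a suspected theft to
# exactly that list instead of the whole domain.
# Placeholders: $rodc and $branchGroup are assumed names, not from the original page.
Import-Module ActiveDirectory

$rodc        = 'BRANCH-RODC01'
$branchGroup = 'Branch-Users'

# 1. Policy: who may be cached on this RODC and who never will be.
#    By default only "Allowed RODC Password Replication Group" (empty) is allowed;
#    Domain Admins, Enterprise Admins, etc. sit in the denied list.
Write-Host "== Allowed to be cached on $rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
Write-Host "== Denied (never cached) =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 2. Scope caching to the branch: allow one group rather than touching the default lists.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $branchGroup

# 3. What is really cached right now (the RODC's msDS-RevealedUsers). This, not the
#    domain, is the exposure if the box or its disks walk out the door.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
Write-Host "== $($revealed.Count) account(s) currently cached on $rodc =="
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize

# 4. Stolen-RODC response: reset every cached user password to a random value and force
#    a change at next logon. Cached computer accounts need their machine secret reset
#    from the host (Reset-ComputerMachinePassword) or a domain rejoin, so they are only
#    reported here.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($acct in $revealed) {
    switch ($acct.ObjectClass) {
        'user' {
            $bytes = New-Object byte[] 24
            $rng.GetBytes($bytes)
            $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPwd
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
            Write-Host "Reset password for user $($acct.Name)"
        }
        'computer' {
            Write-Warning "Computer $($acct.Name) was cached on $rodc; reset its machine password or rejoin it."
        }
        default {
            Write-Warning "Unexpected cached object $($acct.Name) ($($acct.ObjectClass)); review manually."
        }
    }
}

# 5. One-way replication check: no writable DC should have a connection object that
#    pulls from the RODC. An empty result is the expected (healthy) outcome.
$inboundFromRodc = Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateFromDirectoryServer -like "*$rodc*" }
if ($inboundFromRodc) {
    Write-Warning "Found connection objects sourcing from $rodc:"
    $inboundFromRodc | Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
} else {
    Write-Host "No DC replicates from $rodc (one-way replication confirmed)."
}
```

Run steps 1 and 3 read-only first (they change nothing) and add -WhatIf to the Add-ADDomainControllerPasswordReplicationPolicy and Set-ADAccountPassword calls on a first pass. Note that a stolen RODC also carries its own krbtgt_NNNNN key, not the domain krbtgt; deleting the RODC's computer account from the domain removes that account as well, and the Active Directory Users and Computers deletion dialog offers to reset the revealed passwords for you, which is the GUI equivalent of step 4.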
You need RODCs when you have lots of branch offices with poor physical security and/or slow or unreliable network connectivity. Examples:
Most organizations have physical security standards for remote equipment. If you cannot meet those requirements, RODCs allow you to provide high-speed authentication for access to local applications and file shares. They also allow you to limit the number of credentials stored on the server. A compromised server only compromises users at the remote location. A full DC with 75,000 users exposes all of those users in the event of a local compromise.
If you work in a smaller company, it's no big deal at all. I'm pumped to roll them out with BitLocker because RODCs substantially reduce security risk.
We are going to use an RODC in a DMZ based off of this TechNet article: setting up a new forest for web services with an RODC in the DMZ.
Primarily for security, but also for speed as well.
See the short write up here
A RODC contains a read-only copy of your AD and you use one in a branch office where you don't have IT staff present and therefore can't guarantee security or integrity of your server room. In the event of the RODC being compromised you are safe in the knowledge that whoever compromises it will only have access to your AD in the state it was in at the time of discovery. No changes made to it will be replicated back to your main DCs. That means that whoever compromises it can't do nasty things like elevate themselves to Domain Admin, lock out your own admins, and have their wicked way with your entire network.
RODCs are useful for large enterprise organisations, competing enterprise Directory services like Novell eDirectory have had Read-Only replicas for years.
Another advantage of RODCs is that they will allow you to have working domain controllers while you do some disaster recovery that involves taking down all normal domain controllers to rebuild Active Directory. You don't have to turn off RODCs in those situations.