RODC Placement Considerations

Applies To: Windows Server 2008, Windows Server 2012

With respect to placement of a read-only ___domain controller (RODC) in a site, consider how the RODC will replicate scheduled updates. An RODC can replicate updates of the ___domain partition only from a writable ___domain controller running Windows Server 2008 in the same ___domain. The RODC can replicate other partitions, including application directory partitions and global catalog partitions, from any writable ___domain controller that runs either Windows Server 2003 or Windows Server 2008. An RODC cannot be a source ___domain controller for any other ___domain controller because it cannot perform outbound replication.

An RODC must replicate the ___domain partition from a writable ___domain controller running Windows Server 2008 because only a writable ___domain controller that runs Windows Server 2008 can enforce the Password Replication Policy (PRP) for an RODC.

To replicate the ___domain partition to the RODC, you typically place a writable ___domain controller running Windows Server 2008 in the nearest site in your network topology to the site that contains the RODC. The nearest site in this sense is defined as the site that has the lowest-cost site link for the site that contains the RODC.

Security Note
An RODC that is placed in the same site as a writable ___domain controller does not provide security benefits. Some RODC features, such as Administrator Role Separation, still provide an administrative benefit, but RODCs deliver security benefits only when they are placed in sites that are less trustworthy than the sites that hold writable ___domain controllers.

If you cannot place a writable Windows Server 2008 ___domain controller in the nearest site to the RODC, RODC replication depends on a site link bridge between the site links that contain the site of the RODC and the site of the writable Windows Server 2008 ___domain controller.

By default, a new Windows Server 2008 forest has the Bridge all site links option enabled, which means that all site links are bridged. You can configure this setting in the properties of the Inter-Site transport in the Active Directory Sites and Services snap-in.

For most existing branch office deployments that use Windows Server 2003 ___domain controllers, however, the Bridge all site links option is disabled. If you are adding RODCs to an existing deployment where the Bridge all site links option is disabled, consider how RODC replication will work if you cannot place a writable Windows Server 2008 ___domain controller in the nearest site.

The following sections in this topic explain how ___domain partition replication works in scenarios in which the Bridge all site links option is either enabled or disabled. For more information about how RODC placement affects other operations, see the following topics:

If the Bridge all site links option is enabled, as shown in the following illustration, a writable ___domain controller running Windows Server 2008 can be placed in Site A rather than Site B. This is because physical connectivity between Site A and Site C is available implicitly. If the site link schedules overlap and the wide area network (WAN) links are available for a time that is sufficient to complete replication, the RODC in Site C can replicate from the writable ___domain controller running Windows Server 2008 in Site A.

In the following illustration, Sites A, B, and C have site links A–B and B–C and the Bridge all site links option is disabled. In this example, there are Windows Server 2003 ___domain controllers in Site A and Site B, and there is an RODC in Site C.

So that an RODC can be placed in Site C, a writable ___domain controller running Windows Server 2008 for the same ___domain should be placed in Site B to replicate the ___domain partition to the RODC. Otherwise, the RODC in Site C can replicate the schema, configuration, and application directory partitions, but not the ___domain partition.

In general, the introduction of an RODC should require minimal, if any, replication topology changes. For example, consider a multitier replication topology in which:

  • The Bridge all site links option is disabled.

  • RODCs are placed in edge (or spoke) sites (Site C and Site D).

  • A writable ___domain controller running Windows Server 2008 is placed in a hub site (Site A).

  • A ___domain controller running Windows Server 2003 is placed in an intermediary site (Site B).

This topology is shown in the following figure.

In this scenario, you can use any of the following options to provide the direct replication path that the RODC needs to the writable ___domain controller running Windows Server 2008.

  • Create an additional site link between Site A and Site C and between Site A and Site D.

  • Create a site link bridge that includes site link A-B, site link B-C, and site link B-D.

  • Add a writable ___domain controller running Windows Server 2008 in the intermediary site (Site B).
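The placement rules above (the Site A/B/C example and the hub-and-spoke topology with RODCs in Sites C and D) can be checked against a model of the site topology. The following is an added example, not part of this topic or of any Microsoft tool; the site names, link costs, and the placement of ___domain controllers are constructed, and it generalizes the "nearest site" rule to the cheapest path within a bridge. Schedule overlap and WAN availability are not modelled.

```python
import heapq

# Constructed topology from the multitier example above (not a real forest):
# hub Site A has a writable Windows Server 2008 DC, intermediary Site B has a
# Windows Server 2003 DC, and spoke Sites C and D each hold an RODC.
SITES = {
    "A": [("2008", True)],   # (OS version, writable)
    "B": [("2003", True)],
    "C": [("2008", False)],  # RODC
    "D": [("2008", False)],  # RODC
}
LINKS = {"A-B": ("A", "B", 100), "B-C": ("B", "C", 100), "B-D": ("B", "D", 100)}

def _cheapest(start, link_names, links):
    """Dijkstra over the site links of one bridge; returns {site: summed cost}."""
    adj = {}
    for name in link_names:
        a, b, cost = links[name]
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best, heap = {}, [(0, start)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site in best:
            continue
        best[site] = cost
        for nxt, c in adj.get(site, []):
            if nxt not in best:
                heapq.heappush(heap, (cost + c, nxt))
    return best

def domain_partition_sources(rodc_site, sites, links, bridges=(), bridge_all=False):
    """Sites with a writable Windows Server 2008 DC that the RODC can use as a
    direct replication partner for the ___domain partition, mapped to path cost."""
    # Bridge all site links on: every link is in one implicit bridge.
    # Off: only explicit bridges, plus each single link on its own.
    groups = [set(links)] if bridge_all else [set(b) for b in bridges] + [{n} for n in links]
    reach = {}
    for group in groups:
        for site, cost in _cheapest(rodc_site, group, links).items():
            if site != rodc_site and cost < reach.get(site, float("inf")):
                reach[site] = cost
    return {s: c for s, c in reach.items()
            if any(os == "2008" and w for os, w in sites.get(s, []))}

def nearest_source(rodc_site, sites, links, bridges=(), bridge_all=False):
    """Lowest-cost eligible source site, or None if the RODC has no source."""
    srcs = domain_partition_sources(rodc_site, sites, links, bridges, bridge_all)
    return min(srcs, key=srcs.get) if srcs else None
```

With bridging disabled and no explicit bridge, the RODC in Site C finds no ___domain-partition source; enabling Bridge all site links, adding a bridge over A-B, B-C and B-D, or placing a writable Windows Server 2008 DC in Site B each resolves it.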