

Application Compatibility: Read Only Domain Controllers (RODC)

Read-Only Domain Controllers (RODC)

Feature Impact

Moderate

Brief Description

A Read-Only Domain Controller (RODC) is a new type of ___domain controller under the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a ___domain controller in locations where physical security cannot be guaranteed. An RODC hosts a read-only replica of the database in Active Directory® Domain Services (AD DS) for a given ___domain.

Before the release of Windows Server 2008, if users had to authenticate with a ___domain controller over a wide area network (WAN), there was no real alternative. In many cases, this solution was not efficient. Branch offices often cannot provide adequate physical security that is required for a writable ___domain controller. Furthermore, branch offices often have poor network bandwidth when connected to a hub site. This limitation can increase the amount of time required to log on; it can also hamper access to network resources.

Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can benefit from:

  • Improved security.

  • Faster logon times.

  • More efficient access to resources on the network.

Manifestation

Any application that writes to the Active Directory is potentially impacted by RODCs and might see compatibility issues involving failed writes or failed reads of newly written data.

Remedies

Applications that write data might locate a ___domain controller using methods that do not differentiate between writable and read-only ___domain controllers.

There are two methods that applications typically use to request the nearest ___domain controller:

In Windows Server 2008, a ___domain controller Locator call can return any ___domain controller, including a ___domain controller running Windows 2000 Server or Windows Server 2003 or a writable or read-only ___domain controller running Windows Server 2008.

Problems can occur if an application needs to write to directory objects and it gets an RODC from calling a serverless bind. In that case, the write operations are referred to a writable ___domain controller running Windows Server 2008 at the hub site. Depending on the WAN connection to the hub site at that time, the application can fail to connect to the hub and can report errors. The application must also correctly handle these referrals. Even if the write operation succeeds, any subsequent reading of the data that was just written might fail because of inherent latency that is required to replicate this data back to the RODC.

Applications that must run on a ___domain controller should be aware of RODCs. These applications must determine if the ___domain controller is writable or if it is an RODC. Checking the registry or using OSVERSIONINFOEX, as discussed in OSVERSIONINFOEX Structure, does not distinguish an RODC from a writable ___domain controller. An RODC still advertises itself as a ___domain controller.

To make this determination, check the supportedCapabilities attribute on the rootDSE object. For more information, see Serverless Binding and RootDSE. The presence of the object identifier value 1.2.840.113556.1.4.1920 indicates that the specified ___domain controller is an RODC.

You can also use the DsRoleGetPrimaryDomainInformation function to determine if the ___domain controller is an RODC. A new flag has been added to the DSROLE_PRIMARY_DOMAIN_INFO_BASIC structure.
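The two determinations just described (the rootDSE supportedCapabilities OID check and the Flags field of DSROLE_PRIMARY_DOMAIN_INFO_BASIC returned by DsRoleGetPrimaryDomainInformation) as one added Python example; this is not code from the original page or from Microsoft. The page only says that "a new flag has been added"; the bit values and the DSROLE_MACHINE_ROLE names used here are taken from DsRole.h in the Windows SDK (DSROLE_PRIMARY_DS_READONLY = 0x8 is the RODC indicator), the rootDSE attribute values are constructed for illustration, and the ctypes wrapper around netapi32 runs only on Windows.

```python
"""Determine whether a ___domain controller is an RODC.
Added example; not code from the page or from Microsoft."""
import ctypes
import sys
from typing import Dict, Iterable, Optional, Union

# OID advertised in rootDSE supportedCapabilities by an RODC (value from the page).
RODC_CAPABILITY_OID = "1.2.840.113556.1.4.1920"

# Bits of DSROLE_PRIMARY_DOMAIN_INFO_BASIC.Flags. Values are from DsRole.h in the
# Windows SDK; the page itself only says that "a new flag has been added".
DSROLE_PRIMARY_DS_RUNNING = 0x00000001
DSROLE_PRIMARY_DS_MIXED_MODE = 0x00000002
DSROLE_UPGRADE_IN_PROGRESS = 0x00000004
DSROLE_PRIMARY_DS_READONLY = 0x00000008      # set on an RODC
DSROLE_PRIMARY_DOMAIN_GUID_PRESENT = 0x01000000

# DSROLE_MACHINE_ROLE enumeration (also from DsRole.h). Note that an RODC still
# reports itself as a ___domain controller here; only the Flags bit distinguishes it.
MACHINE_ROLES = {
    0: "StandaloneWorkstation", 1: "MemberWorkstation", 2: "StandaloneServer",
    3: "MemberServer", 4: "BackupDomainController", 5: "PrimaryDomainController",
}


def is_rodc_from_capabilities(supported_capabilities: Iterable[Union[str, bytes]]) -> bool:
    """Method 1: rootDSE check. Accepts str or bytes values because LDAP client
    libraries differ in how they return attribute values."""
    for cap in supported_capabilities:
        if isinstance(cap, bytes):
            cap = cap.decode("ascii", errors="replace")
        if cap.strip() == RODC_CAPABILITY_OID:
            return True
    return False


def decode_dsrole_flags(flags: int) -> Dict[str, bool]:
    """Method 2: interpret the Flags field of DSROLE_PRIMARY_DOMAIN_INFO_BASIC."""
    return {
        "ds_running": bool(flags & DSROLE_PRIMARY_DS_RUNNING),
        "mixed_mode": bool(flags & DSROLE_PRIMARY_DS_MIXED_MODE),
        "upgrade_in_progress": bool(flags & DSROLE_UPGRADE_IN_PROGRESS),
        "read_only": bool(flags & DSROLE_PRIMARY_DS_READONLY),
        "___domain_guid_present": bool(flags & DSROLE_PRIMARY_DOMAIN_GUID_PRESENT),
    }


def is_rodc_from_flags(flags: int) -> bool:
    return decode_dsrole_flags(flags)["read_only"]


class _GUID(ctypes.Structure):
    _fields_ = [("Data1", ctypes.c_ulong), ("Data2", ctypes.c_ushort),
                ("Data3", ctypes.c_ushort), ("Data4", ctypes.c_ubyte * 8)]


class _DSROLE_PRIMARY_DOMAIN_INFO_BASIC(ctypes.Structure):
    _fields_ = [("MachineRole", ctypes.c_int), ("Flags", ctypes.c_ulong),
                ("DomainNameFlat", ctypes.c_wchar_p), ("DomainNameDns", ctypes.c_wchar_p),
                ("DomainForestName", ctypes.c_wchar_p), ("DomainGuid", _GUID)]


def query_dsrole_info(server: Optional[str] = None) -> dict:
    """Call DsRoleGetPrimaryDomainInformation (netapi32.dll) for the local machine
    or for `server`, and return the basic ___domain info. Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("DsRoleGetPrimaryDomainInformation is only available on Windows")
    netapi32 = ctypes.WinDLL("netapi32")
    fn = netapi32.DsRoleGetPrimaryDomainInformation
    fn.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    fn.restype = ctypes.c_ulong
    netapi32.DsRoleFreeMemory.argtypes = [ctypes.c_void_p]
    buf = ctypes.c_void_p()
    rc = fn(server, 1, ctypes.byref(buf))   # 1 == DsRolePrimaryDomainInfoBasic
    if rc != 0:
        raise ctypes.WinError(rc)
    try:
        info = ctypes.cast(buf, ctypes.POINTER(_DSROLE_PRIMARY_DOMAIN_INFO_BASIC)).contents
        return {
            "machine_role": MACHINE_ROLES.get(info.MachineRole, info.MachineRole),
            "flags": decode_dsrole_flags(info.Flags),
            "___domain_dns": info.DomainNameDns,
            "___domain_flat": info.DomainNameFlat,
            "forest": info.DomainForestName,
        }
    finally:
        netapi32.DsRoleFreeMemory(buf)   # the buffer is allocated by the API


# Constructed sample rootDSE attribute values, as an LDAP client might return them
# after a serverless bind that happened to land on an RODC.
SAMPLE_RODC_ROOTDSE = {
    "supportedCapabilities": [b"1.2.840.113556.1.4.800", b"1.2.840.113556.1.4.1670",
                              b"1.2.840.113556.1.4.1791", b"1.2.840.113556.1.4.1920"],
}

if __name__ == "__main__":
    caps = SAMPLE_RODC_ROOTDSE["supportedCapabilities"]
    print("sample rootDSE belongs to an RODC:", is_rodc_from_capabilities(caps))
    if sys.platform == "win32":
        info = query_dsrole_info()
        kind = "RODC" if info["flags"]["read_only"] else "not an RODC"
        print("local machine:", info["machine_role"], kind, info["___domain_dns"])
```

The rootDSE path works with any LDAP client: read `supportedCapabilities` from the server the bind landed on (python-ldap returns bytes, ldap3 returns str; the function accepts both) before issuing writes, and fall back to locating a writable ___domain controller if the OID is present. The DsRole path is the right one for code that runs on the ___domain controller itself; `query_dsrole_info("hostname")` can also be pointed at a remote server, since the API takes an optional server name.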

Application Compatibility with RODCs

The Future of Active Directory (February 22, 2006) chat

The Future of Windows: Directory Services in Windows Server 2008

See Also

Concepts

Application Compatibility