What Is an RODC?

Updated: May 1, 2009

Applies To: Windows Server 2008

An RODC is an additional domain controller for a domain that hosts read-only partitions of the Active Directory database. An RODC is designed primarily to be deployed in a branch office environment. Branch offices typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and little local IT knowledge.

The following figure illustrates the RODC branch office environment.

RODC Placement Considerations for Windows Server 2003 Domains

Updated: May 1, 2009

Applies To: Windows Server 2008

An RODC must replicate domain data from a domain controller running Windows Server 2008. Therefore, replication is among the most important considerations for determining where to place RODCs. This section provides guidance for placing RODCs in sites where they can maintain necessary replication connections.

It then discusses other points to keep in mind regarding RODC placement, in addition to considerations pertaining to the client operating system.

Active Directory Replication Considerations

Updated: May 1, 2009

Applies To: Windows Server 2008

Domain controllers running Windows Server 2008 can replicate Active Directory database partitions as listed in the following table. Although an RODC can replicate data from domain controllers running Windows Server 2003, it can replicate updates of the domain partition only from a domain controller running Windows Server 2008 from the same domain. RODCs cannot be a source domain controller for any other domain controller because they cannot perform outbound replication. Application directory partitions include ForestDNSZones and DomainDNSZones.

| Destination domain controller | Windows Server 2003 source domain controller | Writable Windows Server 2008 source domain controller |
| --- | --- | --- |
| Windows Server 2003 | Schema; Configuration; Domain; Application directory partitions; Partial attribute set of the other domain partitions in the forest (global catalog) | Schema; Configuration; Domain; Application directory partitions; Partial attribute set of the other domain partitions in the forest (global catalog) |
| Writable Windows Server 2008 | Schema; Configuration; Domain; Application directory partitions; Partial attribute set of the other domain partitions in the forest (global catalog) | Schema; Configuration; Domain; Application directory partitions; Partial attribute set of the other domain partitions in the forest (global catalog) |
| RODC | Schema; Configuration; Application directory partitions; Partial attribute set of the other domain partitions in the forest (global catalog) | Schema; Configuration; Domain; Application directory partitions; Partial attribute set of the other domain partitions in the forest (global catalog) |

Writable domain controllers running Windows Server 2008 and domain controllers running Windows Server 2003 can perform inbound and outbound replication of all available partitions. Therefore, they do not require the same placement considerations that RODCs require.

Because an RODC can replicate the domain partition only from a writable domain controller running Windows Server 2008, the placement of each becomes important and requires careful planning. The placement of an RODC and writable domain controllers running Windows Server 2008 might be affected by the site topology and network constraints.

Each RODC requires a writable domain controller running Windows Server 2008 for the same domain from which the RODC can directly replicate. Typically, this requires that a writable domain controller running Windows Server 2008 be placed in the nearest site in the topology. The nearest site in this sense is defined as the site that has the lowest-cost site link for the site that includes the RODC.

For example, suppose you have Sites A, B, and C with site links A – B and B – C and the Bridge all site links option is disabled, as shown in the following figure. In order to put an RODC in Site C, a domain controller running Windows Server 2008 for the same domain should be placed in Site B to replicate the domain partition to the RODC. Placing only a domain controller running Windows Server 2003 in Site B would permit the RODC in Site C to replicate the schema, configuration, and application directory partitions, but not the domain partition.


If the Bridge all site links option is enabled, as shown in the next figure, a domain controller running Windows Server 2008 could be placed in Site A rather than Site B. This is because physical connectivity between Site A and Site C is now implicitly available.


Generally, the introduction of an RODC should require minimal, if any, replication topology changes. For example, consider a multitier replication topology where:

The Bridge all site links option is disabled.

RODCs are placed in tail sites. Writable domain controllers running Windows Server 2008 are placed in the hub site.

This is shown in the following figure. In this case, you might create additional site links between the hub site and the tail sites to accommodate the need for direct replication between the RODC and the writable domain controller running Windows Server 2008.
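The placement rule described above, modelled as a small planning check. This is an added example, not code from the page or from Microsoft: sites are nodes, site links are weighted edges, the site-link costs and the domain name "corp" are assumed values, and the model assumes every DC hosts the application partitions and is a global catalog. It answers, for a proposed RODC site, which partitions the RODC could source and which DCs could supply the domain partition, with Bridge all site links either disabled (only directly linked sites count, nearest first) or enabled (transitive connectivity).

```python
from collections import deque

# Partitions any Windows Server 2003 or writable Windows Server 2008 source can supply
# (assumption: every DC hosts the application partitions and is a global catalog).
FOREST_WIDE = {"schema", "configuration", "application directory partitions",
               "partial attribute set (global catalog)"}

# Constructed topology from the page's example: Sites A, B and C, site links A-B and B-C.
# Link costs are assumed values.
SITE_LINKS = [("A", "B", 100), ("B", "C", 100)]


def direct_partner_sites(rodc_site, site_links, bridge_all):
    """Sites an RODC can replicate from directly, excluding its own site.
    Bridging disabled: only sites sharing a site link with rodc_site, lowest link cost first.
    Bridging enabled: every site reachable through the site-link graph is implicitly connected."""
    adjacent = {}
    for a, b, cost in site_links:
        adjacent.setdefault(a, []).append((b, cost))
        adjacent.setdefault(b, []).append((a, cost))
    if not bridge_all:
        return [site for site, _ in sorted(adjacent.get(rodc_site, []), key=lambda e: e[1])]
    seen, queue, order = {rodc_site}, deque([rodc_site]), []
    while queue:
        for nxt, _ in adjacent.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                order.append(nxt)
    return order


def replicable_partitions(rodc_site, rodc_domain, site_links, dcs, bridge_all):
    """Return (partitions the RODC can source, names of DCs able to supply the domain partition).
    Each dc is a dict with keys: name, site, os (2003 or 2008), domain, rodc (bool)."""
    sites = {rodc_site} | set(direct_partner_sites(rodc_site, site_links, bridge_all))
    partitions, domain_sources = set(), []
    for dc in dcs:
        if dc["site"] not in sites or dc["rodc"]:
            continue  # unreachable, or itself an RODC: RODCs never perform outbound replication
        partitions |= FOREST_WIDE
        # The domain partition comes only from a writable Windows Server 2008 DC of the same domain.
        if dc["os"] >= 2008 and dc["domain"] == rodc_domain:
            partitions.add("domain")
            domain_sources.append(dc["name"])
    return partitions, domain_sources


if __name__ == "__main__":
    # RODC planned for Site C, only a Windows Server 2003 DC in Site B: no domain partition.
    only_2003 = [{"name": "DC-B", "site": "B", "os": 2003, "domain": "corp", "rodc": False}]
    print(replicable_partitions("C", "corp", SITE_LINKS, only_2003, bridge_all=False))
```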


For more information about the Active Directory replication topology and Bridge all site links option, see How Active Directory Replication Topology Works (http://go.microsoft.com/fwlink/?LinkId=67499).

Additional RODC Placement Considerations

Updated: May 1, 2009

Applies To: Windows Server 2008

The information in this topic has been updated and republished as part of Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkID=120840). For the most up-to-date information about placement considerations for read-only domain controllers (RODCs), see RODC Placement Considerations.

For more information about how password changes are processed on an RODC, see Password changes on an RODC.

For more information about how DNS updates are performed on an RODC, see DNS updates for clients that are located in an RODC site.


Prerequisites for Deploying an RODC

Updated: May 1, 2009

Applies To: Windows Server 2008

Your system must meet the following prerequisites for deployment of an RODC:

The forest functional level must be Windows Server 2003, so that linked-value replication is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003, so that Kerberos constrained delegation is available. Constrained delegation supports security calls that must be impersonated under the context of the caller.

You must deploy at least one writable domain controller running Windows Server 2008 for the same domain as the RODC. This provides the RODC with a replication partner. To deploy a domain controller that runs Windows Server 2008, you must copy the contents of the \sources\adprep folder on the Windows Server 2008 installation DVD to the schema master and then run adprep /forestprep and adprep /domainprep /gpprep. For more information, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 at http://go.microsoft.com/fwlink/?LinkId=109019.

You must then run the adprep /rodcprep command before you install the first RODC. This step is not required if you are creating a new forest with only domain controllers that run Windows Server 2008. For more information, see Prepare a Forest for a Read-Only Domain Controller at http://go.microsoft.com/fwlink/?LinkId=109020.

Known Issues for Deploying an RODC

Updated: May 1, 2009

Applies To: Windows Server 2008

This section describes some of the known issues for deploying an RODC running Windows Server 2008. Some of the problems are avoided or mitigated by following the guidelines (described earlier) for placing RODCs. For more information, see RODC Placement Considerations for Windows Server 2003 Domains.

Note: Some of the known issues from preliminary releases of Windows Server 2008 are no longer valid. For example, an RODC advertises as a time source without needing to configure a Windows Server 2008 domain controller as GTIMESERV. It can take from 10 to 15 minutes after the RODC restarts following the AD DS installation before it begins to advertise as a time source.