An RODC (read-only domain controller) is an additional domain controller for a domain. It hosts a read-only copy of the AD database: it accepts only replicated changes to AD and never originates changes or outbound replication. Replication uses a one-way connection from a domain controller that holds a writable copy of the database to the RODC. It is designed mainly for branch office environments where the physical security of the server cannot be guaranteed, so the design goal is that a stolen or compromised RODC exposes as little as possible and cannot be used to push changes into the rest of the domain. An RODC cannot hold any of the operations master (FSMO) roles. It requires Windows Server 2008 or later and can be installed on a Server Core installation to reduce the attack surface further. The following RODC features address these concerns:
- Credential caching
- Admin role separation
- Read only: Active Directory Domain Services database
- Unidirectional replication
- Read only: DNS
Credential caching:
By default an RODC stores no user or computer credentials. The only exceptions are the computer account of the RODC itself and a special krbtgt account that each RODC has (named krbtgt_<number>). Caching of any other credentials must be allowed explicitly. The RODC advertises itself as a KDC (Key Distribution Center) for the branch office, but when it signs or encrypts ticket-granting tickets it uses its own krbtgt account and password rather than the domain krbtgt that the KDC on a writable domain controller uses, so the domain-wide krbtgt secret never leaves the writable domain controllers. When a user logs on at the branch office, the RODC forwards the authentication request to a writable domain controller at the hub site. If the account authenticates successfully, the RODC asks that writable domain controller for a copy of the account's credentials. The writable domain controller recognizes that the request comes from an RODC and consults the Password Replication Policy (PRP) in effect for that RODC; the PRP decides whether the user's or computer's credentials may be replicated from the writable domain controller to the RODC. If they may, the RODC caches them and can service that account's subsequent logon requests on its own (for example while the WAN link to the hub is down) until the credentials change.
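The PRP described above is what decides which secrets end up on the branch server, so it is also the thing an auditor checks first. The following PowerShell is an added example, not code from the original article: it sets the per-RODC allow and deny lists with the ActiveDirectory module and then lists the accounts whose credentials have actually been cached on the RODC, flagging any that are members of a privileged group. The RODC name RODC01 and the group name "Branch Office Users" are assumptions; the ActiveDirectory cmdlets and the built-in "Allowed/Denied RODC Password Replication Group" groups are real.

```powershell
# Added example (not from the original article). Assumes an RODC named RODC01 and a
# domain group "Branch Office Users"; run from a machine with RSAT and rights to edit
# the RODC's PRP.
Import-Module ActiveDirectory

$Rodc = 'RODC01'
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Allow caching only for the branch users and explicitly deny the privileged groups.
#    These per-RODC lists are evaluated together with the built-in
#    "Allowed RODC Password Replication Group" / "Denied RODC Password Replication Group";
#    a Deny entry always wins over an Allow entry.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch Office Users' `
    -DeniedList  $PrivilegedGroups

# 2. Show the effective policy (allowed and denied principals).
"--- Allowed on $Rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
"--- Denied on $Rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, ObjectClass

# 3. Audit: which credentials have actually been revealed (cached) on this RODC?
#    This is the list of secrets an attacker obtains if the RODC is stolen.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# 4. Flag any cached account that is (directly or through nesting) a member of a
#    privileged group. A hit here is a finding: the whole point of the RODC is that
#    these accounts never have credentials in the branch office.
$PrivilegedMembers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
}
$Findings = $Revealed | Where-Object { $PrivilegedMembers -contains $_.DistinguishedName }

if ($Findings) {
    Write-Warning "Privileged credentials are cached on $Rodc :"
    $Findings | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
} else {
    "No privileged account credentials are cached on $Rodc."
}
```

Removing an account from the allowed list after its password has already been cached does not purge the cached secret from the RODC; reset the account's password so that the copy on the RODC becomes stale. The same cmdlet with `-AuthenticatedAccounts` instead of `-RevealedAccounts` lists accounts that have authenticated through the RODC without being cached, which is a good starting point for deciding which branch accounts belong in the allowed list.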
Admin role separation:
Local administration of an RODC can be delegated to any domain user or group. That principal can perform administrative tasks on that RODC only (for example patching the server, installing drivers, or restarting services); the delegation grants no administrative rights on any other domain controller or anywhere else in the domain. This lets a branch office run its own server without anyone in the branch holding domain-wide privileges.
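The delegation above is stored in the managedBy attribute of the RODC's computer object, which makes it easy to set and to audit. The following PowerShell is an added example, not code from the original article: it delegates administration of an RODC to a group and then checks that the delegation really is separated from domain-wide admin rights, since delegating to a group that is nested inside Domain Admins, or whose members are already domain admins, defeats the purpose. RODC01 and "Branch Site Admins" are assumed names; the cmdlets and the LDAP_MATCHING_RULE_IN_CHAIN filter are real.

```powershell
# Added example (not from the original article). Assumes an RODC named RODC01 and a
# domain group "Branch Site Admins" that should administer only that RODC.
Import-Module ActiveDirectory

$Rodc  = 'RODC01'
$Group = 'Branch Site Admins'
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

$GroupDn = (Get-ADGroup -Identity $Group).DistinguishedName

# Delegation: the principal referenced by managedBy becomes a local administrator of
# this RODC and of nothing else.
Set-ADComputer -Identity $Rodc -ManagedBy $GroupDn

# Verify what is currently delegated.
$Current = (Get-ADComputer -Identity $Rodc -Properties ManagedBy).ManagedBy
"RODC $Rodc is administered by: $Current"

# Check 1: is the delegated group nested (at any depth) inside a privileged group?
# The 1.2.840.113556.1.4.1941 matching rule walks the membership chain on the server.
$ParentGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$GroupDn)" |
    Select-Object -ExpandProperty Name
$NestedInPrivileged = $ParentGroups | Where-Object { $PrivilegedGroups -contains $_ }
if ($NestedInPrivileged) {
    Write-Warning "$Group is nested inside privileged group(s): $($NestedInPrivileged -join ', ')"
}

# Check 2: do any of the delegated admins already hold domain-wide admin rights?
$DelegatedUsers = Get-ADGroupMember -Identity $Group -Recursive | Select-Object -ExpandProperty SamAccountName
$DomainAdmins   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$Overlap = $DelegatedUsers | Where-Object { $DomainAdmins -contains $_ }
if ($Overlap) {
    Write-Warning "Delegated RODC admins who are also Domain Admins: $($Overlap -join ', ')"
} elseif (-not $NestedInPrivileged) {
    "Admin role separation holds: $Group has local rights on $Rodc only."
}
```

The same delegation can be set at promotion time with the `-DelegatedAdministratorAccountName` parameter of `Install-ADDSDomainController`, and additional local roles can be managed on the RODC itself with the `local roles` menu of `dsmgmt`. Keep the delegated group's membership small and review it with the checks above whenever group nesting changes.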
Read only: Active directory – Domain Services Database:
An RODC holds all the Active Directory objects and attributes that a writable domain controller holds, except account passwords (and any other secrets an administrator adds to the RODC filtered attribute set). No changes can be made to the RODC's copy of the database. Changes must be made on a writable domain controller and are then replicated to the RODC.
Unidirectional replication:
Replication to an RODC is unidirectional because no changes are written directly to it and no changes originate at the RODC, so writable domain controllers never pull replication from an RODC. Unidirectional replication applies both to AD DS and to Distributed File System Replication (DFSR) of SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes. This also limits what a compromised RODC can do: a change injected into its database cannot be replicated back into the rest of the domain.
Read only DNS:
The DNS Server service can be installed on an RODC, and the RODC replicates all of the application directory partitions that DNS uses. Client systems can query it for name resolution just as they would any other DNS server. It does not accept client dynamic updates directly: a client that tries to register or update its records receives a referral to a writable DNS server, and after the client has updated the record there the RODC requests a replication of that single updated object so that its read-only zone stays current.