Windows 2008 RODC Tick List for Deployment

Well I am sat in the departure lounge of Aberdeen Scotland Airport after a really interesting and enjoyable Customer Engagement around all things Active Directory. Aberdeen has enjoyed some lovely Spring Weather,while I have been there and is very pretty in the Sunshine. Anyway I have also been doing some studying and deeper research around a great new feature in Windows 2008 Branch Office Deployment, specifically Read Only Domain Controllers. So I thought I would put together a Tick List of considerations you should reference to ascertain whether your particular Branch office would satisfy the criteria for deployment. This is not an exhaustive list but is a good starting point. I recommend downloading the step by step guide on RODC servers for an in depth guide.

Plus also read a great entry from this blog, and also this interview with Gregoire Gutat Program Manager Microsoft plus this RODC  FAQ

Tick List for RODC Deployment

Criteria RODC Justification Additional Support information if Applicable
Low Security In Branch Office RODC Never Originates Changes
It only receives Inbound Replication from a R/W copy at the Hub site. This is for DNS, AD DS, and Sysvol replication
Limit and define exactly which credentials are cached locally on the RODC to minimize exposure in the eventuality the RODC is stolen via Password Replication Policy
RODC cannot be a replication bridgehead server if placed in a site with other RW Domain Controllers. (The above is not a recommended configuration)
RODC cannot hold any FSMO roles
RODC compatible Roles AD DS (New name with Active Directory in Windows 2008)
DNS server Role
Reduced Management and Technical competance Level in Branch Office No "Full" Domain Administrators in Branch Office required.
Delegated Administration.
Performs only local Admin Tasks on RODC
No need to be a Domain Admin
NO PERMISSIONS elsewhere in domain.
Each RODC has a different KRBTGT Account
Lower Specification Kit in Branch Office RODC can be deployed  as a Role on a Server Core platform. This has a minimal footprint and minimal attack vector. Plus this can be coupled with Bitlocker.  
Less load on  Bridgehead Servers Required in Branch Office This is because of inbound replication only and filtering what is actually replicated to RODC.
"Filtered Attribute Set"
Define what applications can be supported by an RODC in Branch office Application needs to be able to do a write referral.


See TechNet articles on RODC compatibility

Applications That Are Known to Work with RODC

Application Compatibility with RODC

Testing Application Compatibility with RODC

Awarenes of Known Compatibility Issues Please refer to right hand column for more info. 1.Not compatible with  Exchange 200X Servers deployed in a site with only a RODC.
2.Issues with AutositeCoverage in a Windows 2003 domain. See following  TechNet  article.
4. Issues around Optimisation of Group Policy processing & WMI filters from a client running Windows 2003 Server
Client Compatibility

Requires Windows XP, Vista, Windows Server 2000 or later

Comments (1)

Skip to main content