Windows 2008 RODC Tick List for Deployment

Well, I am sat in the departure lounge of Aberdeen Airport, Scotland, after a really interesting and enjoyable customer engagement around all things Active Directory. Aberdeen has enjoyed some lovely spring weather while I have been there and is very pretty in the sunshine. Anyway, I have also been doing some studying and deeper research around a great new feature in Windows 2008 branch office deployment, specifically Read-Only Domain Controllers (RODCs). So I thought I would put together a tick list of considerations you should reference to ascertain whether your particular branch office would satisfy the criteria for deployment. This is not an exhaustive list but is a good starting point. I recommend downloading the step-by-step guide on RODC servers for an in-depth guide.

Also read a great entry from this blog, this interview with Gregoire Gutat, Program Manager at Microsoft, and this RODC FAQ.

Tick List for RODC Deployment

| Criteria | RODC Justification | Additional Support Information (if Applicable) |
|---|---|---|
| Low Security in Branch Office | RODC never originates changes. It only receives inbound replication from a R/W copy at the hub site. This is for DNS, AD DS, and SYSVOL replication. Limit and define exactly which credentials are cached locally on the RODC, via Password Replication Policy, to minimize exposure in the eventuality the RODC is stolen. | Note: RODC cannot be a replication bridgehead server if placed in a site with other RW Domain Controllers. (The above is not a recommended configuration.) RODC cannot hold any FSMO roles. |
| RODC Compatible Roles | AD DS (new name for Active Directory in Windows 2008). DNS Server role. | |
| Reduced Management and Technical Competence Level in Branch Office | No "full" Domain Administrators required in the branch office. Delegated administration: performs only local admin tasks on the RODC, with no need to be a Domain Admin and NO PERMISSIONS elsewhere in the domain. Each RODC has a different KRBTGT account. | |
| Lower Specification Kit in Branch Office | RODC can be deployed as a role on a Server Core platform. This has a minimal footprint and minimal attack vector. Plus this can be coupled with BitLocker. | |
| Less Load on Bridgehead Servers Required in Branch Office | This is because of inbound replication only and filtering what is actually replicated to the RODC ("Filtered Attribute Set"). | |
| Define What Applications Can Be Supported by an RODC in Branch Office | Application needs to be able to do a write referral. | See TechNet articles on RODC compatibility: Applications That Are Known to Work with RODC; Application Compatibility with RODC; Testing Application Compatibility with RODC. |
| Awareness of Known Compatibility Issues | Please refer to the right-hand column for more info. | 1. Not compatible with Exchange 200X servers deployed in a site with only an RODC. 2. Issues with AutositeCoverage in a Windows 2003 domain. See following TechNet article. 4. Issues around optimisation of Group Policy processing & WMI filters from a client running Windows 2003 Server: https://support.microsoft.com/kb/931753 |
| Client Compatibility | Requires Windows XP, Vista, Windows Server 2000 or later. | |
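
The tick list says to limit which credentials are cached on the RODC via Password Replication Policy. The script below is an added example, not part of the original post, that audits what each RODC has actually cached. It assumes the ActiveDirectory PowerShell module (RSAT) is available and a writable DC is reachable; the function name `Get-RodcCachedCredentialReport` is hypothetical.

```powershell
# Added example: report the credentials each RODC currently caches and flag
# the ones a reviewer should look at. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-RodcCachedCredentialReport {
    param(
        # RODCs to audit; defaults to every RODC in the current domain.
        [string[]]$RodcName = (Get-ADDomainController -Filter { IsReadOnly -eq $true } |
                               Select-Object -ExpandProperty Name)
    )

    foreach ($rodc in $RodcName) {
        # Accounts whose passwords are stored on this RODC right now.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

        foreach ($account in $revealed) {
            # The RODC's own computer account and its per-RODC krbtgt_* account
            # are always cached, so they are not findings.
            if ($account.SamAccountName -like 'krbtgt_*' -or
                $account.SamAccountName -eq "$rodc`$") { continue }

            # Effective Password Replication Policy for this account on this RODC
            # (Allow, DenyExplicit, DenyImplicit or Unknown).
            $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $account -DomainController $rodc

            # adminCount = 1 marks accounts that are, or once were, in protected admin groups.
            $adminCount = (Get-ADObject -Identity $account.DistinguishedName -Properties adminCount).adminCount

            [pscustomobject]@{
                Rodc            = $rodc
                Account         = $account.SamAccountName
                ResultantPolicy = $policy
                Privileged      = ($adminCount -eq 1)
                # Review anything cached that policy no longer allows, or that is privileged.
                NeedsReview     = ($policy -ne 'Allow') -or ($adminCount -eq 1)
            }
        }
    }
}

Get-RodcCachedCredentialReport | Sort-Object Rodc, Account | Format-Table -AutoSize
```

An account reported with a resultant policy other than `Allow` was cached under an earlier policy; its password stays on the RODC until it is changed.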