Can Read-Only Domain Controller in External location work when VPN tunnel is down?

Solution 1:

When using a RODC you really have two options for DNS:

  • A read-only primary zone (yes, I know that doesn't sound right, but it is) which is Active Directory integrated, or
  • A standard secondary zone

Obviously having a writeable primary zone on a RODC (or in that office) is a security issue.

Assuming you have this, and you have set up cached credentials correctly in your Password Replication Policy, then when the network goes down your users should be able to continue working.

Assuming you have a read-only DNS zone to go with your RODC, then this should be safe. Obviously, if you are caching credentials locally there is a slight risk there, but if you are using your PRP properly then you should be able to revoke these credentials should anything happen.
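The answer's two conditions (no writable primary zone on the RODC, and an explicit Password Replication Policy whose cached accounts you can enumerate and reset) can be checked from a management workstation. The script below is an added example, not code from the original answer; it assumes the ActiveDirectory and DnsServer RSAT modules and uses a placeholder RODC name.

```powershell
# Audit a branch-office RODC against the two points made in the answer:
#   1. every DNS zone it hosts must be read-only (AD-integrated) or secondary,
#      never a writable primary zone;
#   2. its Password Replication Policy should be explicit, and you should know
#      whose credentials it has actually cached ("revealed") so they can be
#      reset if the box is lost or compromised.
# Assumes the ActiveDirectory and DnsServer RSAT modules are installed and the
# caller has rights to query the RODC and the domain.
param(
    [Parameter(Mandatory)]
    [string]$Rodc = 'BRANCH-RODC01'   # placeholder hostname, replace with yours
)

Import-Module ActiveDirectory
Import-Module DnsServer

$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) {
    throw "$Rodc is not a read-only domain controller"
}

# --- 1. DNS zone check ---------------------------------------------------
# Ignore the automatically created zones (0.in-addr.arpa etc.).
$zones = Get-DnsServerZone -ComputerName $Rodc | Where-Object { -not $_.IsAutoCreated }
"DNS zones hosted on ${Rodc}:"
$zones | Format-Table ZoneName, ZoneType, IsDsIntegrated, IsReadOnly -AutoSize

# A Primary zone that is not flagged read-only is writable from the branch.
$writable = $zones | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReadOnly }
if ($writable) {
    Write-Warning ("Writable primary zone(s) on the RODC: " + ($writable.ZoneName -join ', '))
}

# --- 2. Password Replication Policy -------------------------------------
"Allowed to have credentials cached on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList |
    Select-Object -ExpandProperty Name
"Denied from caching on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList |
    Select-Object -ExpandProperty Name

# Accounts whose secrets are actually stored on this RODC. If the RODC is
# stolen or compromised, these are the passwords to reset.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
"Credentials currently cached on ${Rodc}: $(@($revealed).Count)"
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize
```

Run it periodically or after changing the PRP; the revealed-accounts list is what you would work from when revoking cached credentials.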