What's a read-only domain controller actually useful for?
Solution 1:
I'll give you a real-world scenario:
- we have one in our branch office in China
We use it because there isn't an IT dept there, we handle all requests for AD accounts, etc. here in the USA. By having a RODC there we know:
- Nobody there can log onto it and try to "hack away" at AD.
- Nobody can steal it and get anything worthwhile to then come back with and "hack away" at the network later.
By having AD/DNS read-only we don't have to worry about attempts to manipulate the data on the DC there.
This is because of features found here: http://technet.microsoft.com/en-us/library/cc732801%28WS.10%29.aspx
It's more of "peace of mind" than anything else for us...plus it allowed for a very minimal server install since it was just server core with RODC role installed. We put it on an older 1U server with 2 Raid-1 18GB drives. We actually put 2 of them in...same exact configuration using older non-warrantied hardware we had in the racks.
Simple, does what it needs to do, and we don't have to worry about it. If one of the boxes fails, we would simply replace it again.
Solution 2:
I have a whole chapter on this feature in my book (www.briandesmond.com/ad4/). The long and short of it is that this is a security feature and for distributed organizations it is a huge deal.
There are two really big scenarios here:
--> RODCs store no passwords by default. This means that if someone physically gets the disks from the server, they don't get all your user (and computer) passwords.
The correct response if someone steals an RWDC is to reset ALL passwords in the domain as you can consider them all compromised. This is a major undertaking.
With an RODC you can say only cache the passwords for subset X of users and computers. When the RODC actually caches the password, it stores that information in AD. If the RODC is stolen you now have a small list of passwords which need to be reset.
--> RODCs replicate one-way. If someone stole you RWDC, made some changes to it, and plugged it back in, those changes would replicate back into the environment. For example they might add themself to the domain admins group or reset all the admin passwords or something. With an RODC this is simply not possible.
There's no speed improvement unless you're placing an RODC in a location which didn't have a DC there before and then there is likely to be a speed improvment in some scenarios.
TheCleaner's reply is really incorrect. There are ALOT of compelling scenarios for RODCs and I can think of several deployments of them at scale offhand. This is simple security stuff, not the "anal about security" stuff.
Thanks,
Brian Desmond
Active Directory MVP