What's a read-only domain controller actually useful for?

Solution 1:

I'll give you a real-world scenario:

  • we have one in our branch office in China

We use it because there isn't an IT dept there, we handle all requests for AD accounts, etc. here in the USA. By having a RODC there we know:

  1. Nobody there can log onto it and try to "hack away" at AD.
  2. Nobody can steal it and get anything worthwhile to then come back with and "hack away" at the network later.

By having AD/DNS read-only we don't have to worry about attempts to manipulate the data on the DC there.

This is because of features found here: http://technet.microsoft.com/en-us/library/cc732801%28WS.10%29.aspx

It's more of "peace of mind" than anything else for us...plus it allowed for a very minimal server install since it was just server core with RODC role installed. We put it on an older 1U server with 2 Raid-1 18GB drives. We actually put 2 of them in...same exact configuration using older non-warrantied hardware we had in the racks.

Simple, does what it needs to do, and we don't have to worry about it. If one of the boxes fails, we would simply replace it again.

Solution 2:

I have a whole chapter on this feature in my book (www.briandesmond.com/ad4/). The long and short of it is that this is a security feature and for distributed organizations it is a huge deal.

There are two really big scenarios here:

--> RODCs store no passwords by default. This means that if someone physically gets the disks from the server, they don't get all your user (and computer) passwords.

The correct response if someone steals an RWDC is to reset ALL passwords in the domain as you can consider them all compromised. This is a major undertaking.

With an RODC you can say only cache the passwords for subset X of users and computers. When the RODC actually caches the password, it stores that information in AD. If the RODC is stolen you now have a small list of passwords which need to be reset.

--> RODCs replicate one-way. If someone stole your RWDC, made some changes to it, and plugged it back in, those changes would replicate back into the environment. For example they might add themselves to the domain admins group or reset all the admin passwords or something. With an RODC this is simply not possible.

There's no speed improvement unless you're placing an RODC in a location which didn't have a DC there before, and then there is likely to be a speed improvement in some scenarios.

TheCleaner's reply is really incorrect. There are A LOT of compelling scenarios for RODCs and I can think of several deployments of them at scale offhand. This is simple security stuff, not the "anal about security" stuff.

Thanks,

Brian Desmond

Active Directory MVP
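The "small list of passwords which need to be reset" from Solution 2 is something you can actually enumerate. The following PowerShell is an added example, not code from either answer; it assumes the RSAT ActiveDirectory module, an account allowed to read the RODC's Password Replication Policy, and a placeholder RODC name.

```powershell
# Added example (not from the original answers). Assumes the ActiveDirectory RSAT
# module is installed; 'RODC01' is a placeholder for the RODC you are auditing.
Import-Module ActiveDirectory

$rodc = 'RODC01'   # placeholder RODC name; list them all with: Get-ADDomainController -Filter { IsReadOnly -eq $true }

# 1. The Password Replication Policy: who this RODC MAY cache (Allowed) and who it must NEVER cache (Denied).
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
Write-Host "Allowed entries: $($allowed.Count)   Denied entries: $($denied.Count)"

# 2. What has actually been cached ("revealed") on this RODC. If the box or its disks
#    are stolen, this is the complete set of secrets you have to treat as compromised.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# 3. Sanity check: no member of Domain Admins should ever show up in the revealed set.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty DistinguishedName
$leaked = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }
if ($leaked) {
    Write-Warning "Privileged account secrets are cached on $rodc:"
    $leaked | Format-Table Name, ObjectClass -AutoSize
}

# 4. Write out the reset worklist (users and computers) so the incident has a record.
$revealed | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path "$rodc-revealed-accounts.csv" -NoTypeInformation

# 5. Reset every cached USER password to a fresh random value. Computer accounts rotate their
#    own secret on their next domain contact. Remove -WhatIf to perform the resets for real.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($acct in ($revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPw -WhatIf
    Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true -WhatIf
}
```

Deleting the stolen RODC's computer object afterwards also invalidates its machine account, so the device cannot rejoin and pull a fresh copy of anything it was allowed to cache.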