Hello, thank you for your question and for reaching out. I understand you have a query/issue related to domain controller best practice.

The suggested solution is to install a read-only domain controller (RODC) at places with insufficient physical security. Plan to install the fewest number of regional domain controllers possible to guarantee cost effectiveness. Review "Geographic Locations and Communication Links" first. For each domain that is represented at each hub site, local domain controllers are placed on the local area network. Consider whether regional domain controllers need to be installed at satellite locations once you have installed them in each hub location. The cost of supporting a remote server architecture is reduced by removing unused regional domain controllers from satellite locations.

Additionally, make sure that domain controllers in hub and satellite locations are physically secure to prevent unauthorised access. Avoid installing writable domain controllers at hub and satellite sites where you cannot ensure the domain controller's physical security. A person who has physical access to a writable domain controller can attack the system by:
- Accessing physical disks by starting an alternate operating system on a domain controller.
- Removing (and possibly replacing) physical disks on a domain controller.
- Obtaining and manipulating a copy of a domain controller system state backup.

Reference: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/planning-regional-domain-controller-placement

--If the reply is helpful, please Upvote and Accept as answer--
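The following PowerShell script is an added example, not part of the answer above or of the Microsoft documentation it references. It audits the placement guidance the answer describes: it inventories every domain controller per Active Directory site, counts writable versus read-only DCs in each site, and flags any writable DC sitting in a site you have classified as physically insecure. It assumes the ActiveDirectory RSAT module is installed and that the account running it can query the domain; the site names in `$lowSecuritySites` are a hypothetical list you would replace with your own satellite sites.

```powershell
# Added example (not from the answer above): inventory domain controllers per AD site
# and flag writable DCs located in sites whose physical security cannot be guaranteed.
# Assumes the ActiveDirectory RSAT module and rights to query the domain.
Import-Module ActiveDirectory

# Hypothetical list of satellite sites with insufficient physical security.
$lowSecuritySites = @('Branch-North', 'Branch-South')

# Get-ADDomainController exposes IsReadOnly (RODC or not) and Site for each DC.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem

# Summary per site: how many writable vs read-only DCs are placed there.
$dcs | Group-Object Site | ForEach-Object {
    [pscustomobject]@{
        Site     = $_.Name
        Writable = @($_.Group | Where-Object { -not $_.IsReadOnly }).Count
        ReadOnly = @($_.Group | Where-Object { $_.IsReadOnly }).Count
    }
} | Format-Table -AutoSize

# Findings: a writable DC in a low-security site contradicts the RODC guidance.
$findings = $dcs | Where-Object {
    (-not $_.IsReadOnly) -and ($lowSecuritySites -contains $_.Site)
}

if ($findings) {
    Write-Warning "Writable domain controllers found in low-physical-security sites:"
    $findings | Format-Table Name, Site, OperatingSystem -AutoSize
} else {
    Write-Host "No writable domain controllers in the listed low-security sites."
}
```

Run it from a management workstation after updating `$lowSecuritySites`; any DC it warns about is a candidate for replacement with an RODC or for removal if the site's traffic does not justify a local DC at all.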