How do I know and confirm that a client uses a read-only domain controller to log in to Active Directory?

Anonymous
2024-04-25T01:25:44+00:00
  1. How do I know and confirm that a client uses a read-only domain controller to log in to Active Directory? Is it necessary to configure DNS and DHCP to tell the client computer to use the read-only domain controller to log in, and how?
  2. If the previous question uses at least 8 VMs for the forest model, and I add 4 read-only domain controllers to the parent organization forest, the restricted access forest and the resource forest, do I then need 12 VMs for the forest model?
  3. The document says the read-only domain controller is in a branch office; does it mean the whole branch office is in the restricted access forest?

Remark:

Parent organization forest, first domain: 2 VMs for all operations master domain servers + 1 VM read-only domain controller

Resource forest joined to the parent organization forest: 1 VM resource forest domain server + 1 VM read-only domain controller

1 VM client computer joined to the resource forest domain server, holding Exchange Server, SQL Server, file servers

Second new domain joined to the parent organization forest, with a trust to the first domain: 2 VMs for all operations master domain servers + 1 VM read-only domain controller

Restricted access forest joined to the second new domain: 1 VM restricted access forest domain server + 1 VM read-only domain controller

1 VM client computer joined to the restricted access forest domain server


3 answers

  1. Anonymous
    2024-04-25T08:13:13+00:00

    Hello 2AI,

    Thank you for posting in Microsoft Community forum.

    1. How do I know and confirm that a client uses a read-only domain controller to log in to Active Directory? Is it necessary to configure DNS and DHCP to tell the client computer to use the read-only domain controller to log in, and how?

    A1: You can run "set" on the client and check "LOGONSERVER".

    If you have multiple DCs (RWDCs and RODCs) in the same site, each client in this site will randomly find one DC to authenticate against each time.

    2. If the previous question uses at least 8 VMs for the forest model, and I add 4 read-only domain controllers to the parent organization forest, the restricted access forest and the resource forest, do I then need 12 VMs for the forest model?

    A2: As I mentioned before, you can add domain controllers in any domain or forest based on your requirements.

    3. The document says the read-only domain controller is in a branch office; does it mean the whole branch office is in the restricted access forest?

    A3: No, it does not mean the whole branch office is in the restricted access forest. Usually, branch offices are different sites in the same domain (or in the same forest).

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-04-26T01:53:00+00:00

    If I put the DNS servers, DHCP servers and read-only domain controllers in the same bastion subnet, only these servers have routes to the read/write domain controllers;

    the core switch router blocks the route between subnet A and subnet B and only allows the IP addresses of the DNS servers, DHCP servers and read-only domain controllers to reach the read/write domain controllers. Maybe there is even no route between subnet A and subnet B.

    Subnet A - read/write domain controllers

    Subnet B - bastion - only servers with a static route to subnet A: DNS servers, DHCP servers and read-only domain controllers

    Subnet B - user network, same subnet as the DNS servers, DHCP servers and read-only domain controllers

    Can this network topology make client computers find only the read-only domain controllers, to prevent them randomly finding read/write domain controllers?

  3. Anonymous
    2024-04-26T07:27:43+00:00

    Hello 2AI,

    Good day!

    If you want client machines to find read-only domain controllers to authenticate, you can put these client machines into the site with the RODCs, including a specific subnet. The IP addresses of the client machines belong to that specific subnet.

    Best Regards,
    Daisy Zhou

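The two points in this thread, checking which DC a client actually authenticated against (the LOGONSERVER check in the first answer) and binding the branch subnet to the RODC's site (the third answer), as one added worked example. This is not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and uses placeholder names: domain "corp.example", site "BranchSite", subnet "10.20.0.0/24" and RODC "BR-RODC01".

```powershell
# Added example, not from the thread. Placeholder names throughout (corp.example,
# BranchSite, 10.20.0.0/24, BR-RODC01); the site/subnet part needs Domain Admin rights.
Import-Module ActiveDirectory

# --- Part 1: confirm on the client which DC handled the logon ---
# LOGONSERVER is set at logon time; the \\ prefix is stripped for comparison.
$logonDc = $env:LOGONSERVER.TrimStart('\')

# Ask the DC locator which DC it would pick right now (bypasses the cached answer).
nltest /dsgetdc:corp.example /force

# Compare the logon DC against the domain's list of RODCs.
$rodcs = (Get-ADDomainController -Filter { IsReadOnly -eq $true }).Name
if ($rodcs -contains $logonDc) {
    "Authenticated by RODC: $logonDc"
} else {
    "Authenticated by writable DC: $logonDc"
}

# --- Part 2: make branch clients prefer the RODC by site membership ---
# Create the branch site, map the branch subnet to it, and move the RODC into it.
New-ADReplicationSite   -Name 'BranchSite'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'BranchSite'
Move-ADDirectoryServer  -Identity 'BR-RODC01' -Site 'BranchSite'

# Verify from a client in 10.20.0.0/24: which site it resolves to, and which DC
# the locator returns for that site.
nltest /dsgetsite
nltest /dsgetdc:corp.example /site:BranchSite
```

Site membership makes the locator prefer a DC in the client's site; it does not block fallback to a DC elsewhere if the RODC is unavailable, so the Part 1 check is still worth repeating after the change.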