Read-Only Domain Controllers Step-by-Step Guide
Applies To: Windows Server 2008
This step-by-step guide provides instructions for planning, installing, and using a read-only domain controller (RODC). An RODC is a new type of domain controller in the Windows Server® 2008 operating system. This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory® database.
An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
Organizations that can guarantee the physical security of a branch domain controller might also deploy an RODC for its reduced management requirements, which result from features such as unidirectional replication.
Because RODC administration can be delegated to a domain user or security group, an RODC is well suited for a site that should not have a user who is a member of the Domain Admins group.
In this guide
RODC Placement Considerations for Windows Server 2003 Domains
Prerequisites for Deploying an RODC
Known Issues for Deploying an RODC
Steps for Administering an RODC
RODC Frequently Asked Questions
Appendix B: How the Authentication Process Works with RODCs
Appendix C: Application Compatibility with RODCs
Appendix D: Steps to Add an Attribute to the RODC Filtered Attribute Set
June 29, 2010: Fixed broken link