Configurations for Domain Controllers from the Same Domain
Applies To: Windows Server 2008
The following sections explain how operations behave in scenarios where the domain controllers are from the same domain and in the same site.
Scenario: Only an RODC in the branch site
The following table shows the results that occur for operations in a branch site that includes only an RODC, both when the WAN is online and offline.
Operation | WAN online | WAN offline |
---|---|---|
Authentication | If the account password is not cached, the RODC forwards the request to a domain controller running Windows Server 2008 in the same domain. If the account password is cached, the RODC satisfies the request locally. | Offline authentication fails if the account password is not cached and the user attempts to authenticate to the RODC. Offline authentication succeeds if the account password is cached. |
LDAP Read Operations | LDAP read operations succeed locally. | LDAP read operations succeed locally. |
LDAP Write Operations | LDAP write operations generate a referral to a writable domain controller. | LDAP write operations generate a referral, but the client is not able to contact a writable domain controller. |
Password Change | The RODC forwards the request to a writable domain controller in the same domain. | Password change fails. |
Scenario: Writable Windows Server 2008 domain controller and RODC from the same domain in the same site
Offline authentication works for all accounts, regardless of which domain controller is contacted. This is because the RODC can forward authentication requests for account passwords that are not cached to the writable Windows Server 2008 domain controller.
LDAP read operations and write operations work, regardless of which domain controller is contacted.
Password change succeeds, regardless of which domain controller is contacted. This is because the RODC can forward the password change request to the writable Windows Server 2008 domain controller.
Scenario: Windows Server 2003 domain controller and RODC from the same domain in the same site
Offline authentication works for accounts whose passwords are already cached, regardless of which domain controller is contacted.
Offline authentication fails if the account password is not cached and the user authenticates to the RODC.
LDAP read operations and write operations work, regardless of which domain controller is contacted.
Password change fails if the RODC is contacted, because the RODC can forward the request only to a domain controller running Windows Server 2008, not to the Windows Server 2003 domain controller.
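Every scenario above turns on the same condition: whether the RODC already holds the account's password when the WAN (or the only writable Windows Server 2008 domain controller) becomes unreachable. The following PowerShell script is an added example, not code from the Microsoft article. It reports which branch users have no cached password on the RODC and pre-populates the missing ones while the WAN is still up. It assumes the ActiveDirectory PowerShell module on a management host (for Windows Server 2008 domain controllers this requires the Active Directory Management Gateway Service), and the names BRANCH-RODC01, HUB-DC01 and Branch01-Users are placeholders.

```powershell
# Added example (not part of the article). Placeholder names; adjust for your forest.
$Rodc        = 'BRANCH-RODC01'   # the branch RODC
$WritableDc  = 'HUB-DC01'        # writable Windows Server 2008 DC reachable over the WAN
$BranchGroup = 'Branch01-Users'  # group containing the users who work in the branch site

Import-Module ActiveDirectory

# 1. Accounts whose password the RODC currently holds. Only these accounts can
#    authenticate to the RODC when the WAN is offline ("cached" in the table above).
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName)

# 2. Users who work in the branch, and the subset the RODC cannot serve offline.
$branchUsers = @(Get-ADGroupMember -Identity $BranchGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName)

$notCached = @($branchUsers | Where-Object { $cached -notcontains $_ })

'{0} of {1} branch users have a cached password on {2}' -f `
    ($branchUsers.Count - $notCached.Count), $branchUsers.Count, $Rodc
$notCached | ForEach-Object { "Not cached: $_" }

# 3. Pre-populate the missing passwords while the WAN is up. Sync-ADObject with
#    -PasswordOnly only succeeds for accounts that the RODC's Password Replication
#    Policy allows; a denied account throws, which is reported rather than skipped.
foreach ($sam in $notCached) {
    try {
        $user = Get-ADUser -Identity $sam
        Sync-ADObject -Object $user -Source $WritableDc -Destination $Rodc -PasswordOnly -ErrorAction Stop
        "Cached password for $sam on $Rodc"
    }
    catch {
        "Could not cache $sam on $Rodc (check the Password Replication Policy): $($_.Exception.Message)"
    }
}
```

Run the script from a management host with the WAN online; the accounts it reports as "Not cached" are exactly the ones for which the table predicts failed offline authentication and failed password change. Accounts that remain uncached after step 3 are either denied by the Password Replication Policy or not allowed by it, which is the intended state for privileged accounts.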