Windows Server 2008 introduces a new type of domain controller, the read-only domain controller (RODC). It provides a domain controller for branch offices where a full, writable domain controller cannot be placed.
The primary reason for using an RODC is security, while at the same time providing domain resiliency in remote offices. If a remote office has poor physical security or serves only a small number of employees with little IT expertise, there is no good reason to have a fully writable domain controller on-site.
The main advantages of an RODC are as follows:
- Reduced security risk compared with a writable copy of Active Directory.
- Better login times compared to authenticating over a WAN connection.
- Better access to the authentication resource on the network.
The main features of an RODC are as follows:
- A read-only AD Domain Services (AD DS) database: applications that only need read access to the database can use the RODC; all database changes, however, must be made on a read-writable DC (RWDC) and are then replicated to the RODC.
A typical DC contains details about the domain it resides in, but GC servers contain additional information about each domain in the forest. GCs are especially important to plan for properly when deploying multiple AD domains.
Click on the “Promote this server to a domain controller” link. In the Active Directory Domain Services Configuration Wizard, select “Add a domain controller to an existing domain”. In the next step, select the “Read-only domain controller (RODC)” check box and enter a Directory Services Restore Mode (DSRM) password.
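The same promotion done from PowerShell, added here as an example and not taken from the page; the domain name, site name and admin account are assumed placeholders:

```powershell
# Added example (not from the original page): PowerShell equivalent of the
# wizard steps above, run on the server that is to become the RODC.
# Assumed values: domain corp.example.com, site "BranchOffice".
Import-Module ADDSDeployment

# The DSRM password is prompted for rather than stored in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

# Equivalent of "Add a domain controller to an existing domain" with the
# "Read-only domain controller (RODC)" box ticked. -InstallDns also gives
# branch clients a local, read-only DNS server.
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -ReadOnlyReplica `
    -SiteName "BranchOffice" `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Credential (Get-Credential "CORP\Administrator") `
    -Force

# After the reboot, confirm from a machine with the AD PowerShell module that
# the new server is registered as read-only and not as a writable DC.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IsReadOnly, IsGlobalCatalog
```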
It is possible to configure an RODC as a DNS server, allowing clients to query the RODC for DNS information. However, an RODC holds only read-only copies of DNS data and has no way of its own to replicate DNS changes to writable DNS servers; an RODC cannot make DNS changes.
The server’s read-only mode is designed to allow administrators to prevent changes to directory contents while performing tasks such as suffix re-indexing.