Awinish's Technical Blog

Let's continue the journey of learning & sharing!

All About (RODC) Read Only Domain Controllers

Posted by Awinish on October 4, 2011

RODC (Read Only Domain Controller) is a new feature introduced with Windows 2008: a domain controller with read-only partitions, which include the AD database and the Sysvol/Netlogon folder. In order to introduce an RODC into an existing Windows 2003 environment you need to prepare the environment with Adprep /rodcprep (whether you use Adprep32.exe or Adprep.exe depends on the OS: Adprep32.exe has to be executed on a 32-bit OS and Adprep.exe on a 64-bit OS). Adprep /rodcprep should be executed on the DC holding the Domain Naming Master FSMO role, not on just any DC. It is not mandatory to run Adprep /rodcprep in an existing Windows 2000 or 2003 AD environment unless you plan to deploy an RODC, whether now or in the future. There is one more prerequisite: you need at least one writable Windows 2008 DC before you can deploy an RODC in an existing Windows 2003 AD environment, since an RODC does not consider a Windows 2003 DC a valid replication partner.

An RODC is best suited for sites/locations where you can't afford, or don't want, to keep an AD expert to manage or modify anything in AD. The RODC holds a read-only database, meaning that at the location where the RODC is deployed you can't make any changes, and changes made on the RODC are not replicated to any other DC, since replication is unidirectional: from RWDC to RODC only, never vice versa.

An RODC improves authentication locally at the site where it is placed, but again it should not be considered a replacement for a writable DC. You can configure the RODC as a GC and DNS server too to further speed up local authentication.

An RODC can safely be hosted on a virtual machine, whereas an RWDC should not be because of performance issues. I'm not a big fan of RODC; the reason is that an RODC alone doesn't work like a domain controller but relies on an RWDC (writable domain controller) for each and everything, causing heavy replication traffic.

Replication to an RODC is unidirectional, meaning that changes made on the RODC are not replicated to the RWDC; but you can still connect to an RWDC console from the RODC and make modifications on the RWDC, which remains a vulnerability. An RODC can't substitute for a DC when the WAN link is down, the reason being that an RODC can't issue Kerberos tickets to domain clients. An RODC can't navigate trusts; it only utilizes the RWDCs in other domains.

One of the biggest drawbacks of RODC is that it doesn't work with any version of Exchange Server (2000 to 2010 SP1), so if you have deployed an Exchange server in a site, or want to deploy one, you can't utilize an RODC in that site; you need RWDCs only. There are a few other applications too which don't work with RODC.

An RODC can actually enhance local authentication, but you need to cache the local computers' passwords so that they can form a secure channel with the RODC; otherwise it will query the RWDC.
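Which passwords an RODC may cache is governed by its Password Replication Policy (PRP). The PowerShell below is an added example, not code from the original post or from Microsoft's documentation: it audits what a given RODC is allowed to cache and what it has actually cached, assuming the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later) and the placeholder names RODC01 and Branch-Computers.

```powershell
# Added example: audit the Password Replication Policy (PRP) and cached secrets of an RODC.
# Assumes the ActiveDirectory PowerShell module; RODC01 and Branch-Computers are placeholders.
Import-Module ActiveDirectory

$Rodc      = 'RODC01'             # placeholder: hostname of the branch RODC
$BranchGrp = 'Branch-Computers'   # placeholder: group holding the branch workstations

# 1. Make sure the target really is read-only before touching its policy.
$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) { throw "$Rodc is a writable DC, not an RODC" }

# 2. Show what the PRP permits and forbids. Only Allowed principals may have their
#    secrets cached on the RODC; Denied entries (by default Domain Admins, Administrators,
#    Account Operators, ...) are never cached, whatever other group they belong to.
Write-Output "--- PRP allowed list on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
Write-Output "--- PRP denied list on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 3. To let the branch computers build a secure channel with the RODC (the author's point),
#    the group that contains them goes on the Allowed list. Left commented so this script
#    only audits; uncomment to apply.
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGrp

# 4. List the accounts whose secrets are actually stored on the RODC. These are exactly the
#    credentials exposed if the branch server is stolen, so flag any privileged ones.
$revealed    = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$revealedDns = $revealed | ForEach-Object { $_.DistinguishedName }
$privileged  = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                   ForEach-Object { $_.DistinguishedName }
Write-Output "--- secrets cached on $Rodc"
foreach ($acct in $revealed) {
    $flag = if ($privileged -contains $acct.DistinguishedName) { '<-- PRIVILEGED, investigate' } else { '' }
    '{0,-30} {1}' -f $acct.SamAccountName, $flag
}

# 5. Accounts that authenticated via this RODC but are not cached still forward every
#    logon to an RWDC over the WAN; candidates for the Allowed list if they are branch users.
Write-Output "--- authenticated through $Rodc but not cached"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Where-Object { $revealedDns -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, ObjectClass
```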

RODCs don't register the generic DC locator records by default; they only register the site-specific locator records in DNS. An RODC doesn't point to itself in the SOA record like an RWDC does, and it doesn't register NS (name server) records in DNS. When a client wants to update/modify its records in DNS, it contacts the RODC; using the SOA record, the RODC finds the best/most suitable RWDC, the update takes place on the RWDC, and it replicates back to the RODC.
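The record behaviour described in this paragraph can be verified from any domain member. The PowerShell below is an added example (not from the original post or the linked articles); it assumes Resolve-DnsName (Windows 8 / Server 2012 or later) and the ActiveDirectory module, and reads the domain, site and RODC names from AD rather than hard-coding them.

```powershell
# Added example: check how each RODC appears (or not) in the DNS locator records.
# Assumes Resolve-DnsName (Windows 8 / 2012+) and the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$rodcs  = @(Get-ADDomainController -Filter { IsReadOnly -eq $true })

function Get-SrvTargets {
    # Hostnames an SRV record points at; an empty list when the record does not exist
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.') }
    } catch { @() }
}

# Generic (site-less) locator record: RWDCs register here, RODCs do not by default,
# so a client that cannot work out its site never lands on an RODC by chance.
$generic = @(Get-SrvTargets "_ldap._tcp.dc._msdcs.$domain")

# Name servers for the zone: RODCs can run DNS but do not list themselves as NS or SOA,
# which is why a dynamic update gets referred on to an RWDC.
$ns = @(Resolve-DnsName -Name $domain -Type NS |
        Where-Object { $_.Type -eq 'NS' } |
        ForEach-Object { $_.NameHost.TrimEnd('.') })

foreach ($rodc in $rodcs) {
    # Site-specific locator record: the only SRV entry an RODC registers by default
    $siteSrv = @(Get-SrvTargets "_ldap._tcp.$($rodc.Site)._sites.dc._msdcs.$domain")
    $fqdn    = $rodc.HostName
    [pscustomobject]@{
        RODC         = $fqdn
        Site         = $rodc.Site
        InGenericSRV = $generic -contains $fqdn   # expected False for a default RODC
        InSiteSRV    = $siteSrv -contains $fqdn   # expected True
        ListedAsNS   = $ns      -contains $fqdn   # expected False
    }
}
```

A True in InGenericSRV or ListedAsNS means the RODC has been configured away from the default and will be offered to clients outside its site, which is worth knowing when the box sits in a branch or perimeter network.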

MSAs (Managed Service Accounts) don't support RODCs, only writable domain controllers, but there is a hotfix to resolve the issue (see the KB list below).

RODC References

Read-Only Domain Controllers Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc772234%28WS.10%29.aspx

Chris has a nice writeup on RODC integration with DNS.

http://itbloggen.se/cs/blogs/chrisse/archive/2009/01/25/how-read-only-domain-controllers-and-dns-works.aspx

Windows Server 2008 RODC Interview Questions !

http://techiebird.com/rodc.html

Read-Only Domain Controller Planning and Deployment Guide

http://technet.microsoft.com/en-us/library/cc771744%28WS.10%29.aspx

Windows 2008 RODC Tick List for Deployment

http://blogs.technet.com/b/janelewis/archive/2008/04/04/windows-2008-rodc-tick-list-for-deployment.aspx

Steps for Deploying an RODC

http://technet.microsoft.com/en-us/library/cc754629%28WS.10%29.aspx

Read-Only Domain Controller (RODC) Branch Office Guide

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3608

RODC Post-Installation Configuration

http://technet.microsoft.com/en-us/library/cc742490%28WS.10%29.aspx

Designing RODCs in the Perimeter Network

http://technet.microsoft.com/en-us/library/dd728028%28WS.10%29.aspx

Deploying RODCs in the Perimeter Network

http://technet.microsoft.com/en-us/library/dd728035%28WS.10%29.aspx

AD DS/RODC in the Perimeter Network (Windows Server 2008)

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3957

Understanding “Read Only Domain Controller” authentication

http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx

RODC Frequently Asked Questions

http://technet.microsoft.com/en-us/library/cc754956%28WS.10%29.aspx

Read-Only Domain Controllers Application Compatibility Guide

http://technet.microsoft.com/en-us/library/cc755190%28WS.10%29.aspx

Performing a Staged RODC Installation

http://technet.microsoft.com/en-us/library/cc770627%28WS.10%29.aspx

Testing Application Compatibility with RODCs

http://technet.microsoft.com/en-us/library/cc771615%28WS.10%29.aspx

Known Issues for Deploying RODCs

http://technet.microsoft.com/en-us/library/cc725669%28WS.10%29.aspx

Troubleshooting RODC’s: Troubleshooting RODC location in the DMZ

http://blogs.technet.com/b/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx

http://blogs.technet.com/b/instan/archive/tags/rodc/

Microsoft KBs and Hotfixes

You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2

http://support.microsoft.com/kb/978836

Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista

http://support.microsoft.com/kb/944043

Authentication fails when an external client tries to log on to a Windows Server 2008 server by using a read-only domain controller in a perimeter network

http://support.microsoft.com/kb/977510

2 Responses to "All About (RODC) Read Only Domain Controllers"

  1. madasameee said

    Thanks for the document. I am doing the same with Windows 2008 R2. But when I tried to add the client to the domain controller, it shows that:

    Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “celvpint8507.com”:

    The error was: “DNS name does not exist.”
    (error code 0x0000232B RCODE_NAME_ERROR)

    The query was for the SRV record for _ldap._tcp.dc._msdcs.celvpint8507.com

    Common causes of this error include the following:

    – The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

    127.0.0.1
    144.20.190.70
    192.135.82.132

    – One or more of the following zones do not include delegation to its child zone:

    celvpint8507.com
    com
    . (the root zone)

    I am not able to proceed with this. Can you please help me out? If you are OK to reach me, please send an email to madasamy.murugan@gmail.com or madasamy.murugaboopathi@oracle.com. I am on an implementation currently. Thanks

  2. maxwell said

    Hi Awinish

    I just installed RODC. When I make changes it changes the original content as well. Any idea how to stop that, because the whole idea of installing RODC is the opposite?

    Thanks in advance
