Awinish
RODC is the new feature introduced from the windows 2008 means domain controller with read only partitions which includes AD database and Sysvol/Netlogon folder. In order to introduce RODC in existing windows 2003 environment you need to prepare your existing environment Adprep /Rodcprep (Adprep32.exe or Adprep.exe is dependents on OS means Adprep32.exe required to be executed on 32bit OS and Adprep.exe on 64 bit OS). Adprep /rodcprep should be executed on the DC holding Domain Naming Master FSMO role not on any DC. It is not mandatory to run Adprep /rodcprep in existing windows 2000 or 2003 AD environment until you plan to deploy RODC may be now or in future. There is one more prerequisite you need at least one writable DC in windows 2008 before you can deploy RODC in existing windows 2003 AD environment, since RODC doesn’t consider windows 2003 DC.
Rodc is basically fitted to be deployed in the sites/locations where you can’t afford or don’t want to keep an AD Experts to manage/modify any changes in the AD. RODC hold the read only database means the location where RODC is deployed you can’t make any changes and changes made on the RODC is not replicated to any other DC since replication is unidirectional from RWDC to RODC only not vice versa.
RODC enhances the authentication locally where it is been placed, but again it should not be considered as replacement of writable DC. You can configure RODC as GC and DNS server too for enhancing authentication locally.
RODC can safely host RODC on virtual machine where as RWDC should not be because of performance issues. I’m not big fan of RODC, reason is RODC alone doesn’t work like a domain controller but for each and everything it relies on RWDC(Writable domain controller) causing heavy replication traffic.
The replication happens in RODC is unidirectional means changes made on RODC is not replicated to RWDC, but you can still connect to RWDC console from RODC and make modification on RWDC which is still vulnerable. RODC can’t provide substitute for a DC when WAN link is down and the reason is RODC can’t issue Kerberos ticket to the domain clients. RODC can’t navigate the trust and it only utilizes the RWDC in other domains.
One of the biggest drawback feature of RODC is that it doesn’t work with any version of Exchange servers(2000-2010 SP1), so if you have deployed a Exchange server in site or want to deploy you can’t utilize RODC in that site you need to have RWDC’s only. There are few other application too which doesn’t work with RODC.
RODC can actually enhance the local authentication but you need to cache the local computes password to form a secure channel with RODC else it will query RWDC.
RODCs don’t register the generic DClocator record by default & they only register the site specific locator records in DNS. RODC doesn’t point itself for SOA records like RWDC. RODC doesn’t register NameServer records in dns. When client wants to update/modify its records in DNS, it contacts RODC and using SOA record RODC find the best/suitable RWDC, update takes place on RWDC and back to RODC.
MSA(Managed service account) doesn’t support RODC’s but only writable domain controllers, but there is hotfix to resolve the issue.
RODC References
Read-Only Domain Controllers Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc772234%28WS.10%29.aspx
Chris has nice writeup on RODC integration with DNS .
Windows Server 2008 RODC Interview Questions !
http://techiebird.com/rodc.html
Read-Only Domain Controller Planning and Deployment Guide
http://technet.microsoft.com/en-us/library/cc771744%28WS.10%29.aspx
Windows 2008 RODC Tick List for Deployment
Steps for Deploying an RODC
http://technet.microsoft.com/en-us/library/cc754629%28WS.10%29.aspx
Read-Only Domain Controller (RODC) Branch Office Guide
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3608
RODC Post-Installation Configuration
http://technet.microsoft.com/en-us/library/cc742490%28WS.10%29.aspx
Designing RODCs in the Perimeter Network
http://technet.microsoft.com/en-us/library/dd728028%28WS.10%29.aspx
Deploying RODCs in the Perimeter Network
http://technet.microsoft.com/en-us/library/dd728035%28WS.10%29.aspx
AD DS/RODC in the Perimeter Network (Windows Server 2008)
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3957
Understanding “Read Only Domain Controller” authentication
RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956%28WS.10%29.aspx
Read-Only Domain Controllers Application Compatibility Guide
http://technet.microsoft.com/en-us/library/cc755190%28WS.10%29.aspx
Performing a Staged RODC Installation
http://technet.microsoft.com/en-us/library/cc770627%28WS.10%29.aspx
Testing Application Compatibility with RODCs
http://technet.microsoft.com/en-us/library/cc771615%28WS.10%29.aspx
Known Issues for Deploying RODCs
http://technet.microsoft.com/en-us/library/cc725669%28WS.10%29.aspx
Troubleshooting RODC’s: Troubleshooting RODC location in the DMZ
http://blogs.technet.com/b/instan/archive/tags/rodc/
Microsoft KB’s and Hotfixes
You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/978836
Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista
http://support.microsoft.com/kb/944043
Authentication fails when an external client tries to log on to a Windows Server 2008 server by using a read-only domain controller in a perimeter network
http://support.microsoft.com/kb/977510
Awinish's Tech Blog 