
Read Only Domain Controllers

  1. #1
    Megabyte Poster
    Hi Guys,

    Currently working my way through study material on the 70-640 and just after some clarification on replication with a RODC. I know the primary benefit of a RODC is it gives a bit of peace of mind when deploying a DC in an unsecured location. However I'm also aware that if it's at a small branch location then this can also be a benefit, as if you have just a couple of people working there then you don't really need the whole of your Active Directory deployment always replicating to this DC.

    I'm just wondering that if you have a few different sites all with fully writeable DC's and you're constantly replicating out to these DC's when really there's no need to because you just have a handful of certain people working there, will this be causing a lot of unnecessary bandwidth across the network?

    I know this is probably quite an open-ended question and there's a lot to take into consideration such as internet speeds between sites and the amount of changes that happen in the AD schema, but I think you can understand my thinking and perhaps give some guidance. Would it be beneficial to have these as RODC's to avoid pointless replication and needless bandwidth?

  3. #2
    Megabyte Poster

    Anybody? :0

  4. #3
    Moderator Sparky's Avatar
    Replication is scheduled so there isn't constant replication to RODCs.

    Also if you have RODC you need to make AD changes at a site that has a writeable DC and then wait for the changes to be replicated to a site with a RODC which can be a pain if a new user needs to log on at that site or you are waiting for group permissions to replicate.

    I’ve only ever used RODCs when it is a small office and the server will be hosting other applications that I wouldn’t want to install on a writable DC.

  5. #4
    Gigabyte Poster Shinigami's Avatar
    There will be a little less replication activity sent to RODC's, and they themselves replicate nothing to the writeable DC's. But other factors come into play and if you're worried about bandwidth, you need to look at many additional factors to keep it in check.

    The RODC is primarily used in situations where the local office risks being compromised and you don't want to leave a full DC with all passwords exposed, on that site.

  6. #5
    Megabyte Poster
    Sure, I understand that. I was just wondering whether deploying a RODC at a remote site with set users was very beneficial in terms of bandwidth or whether it wasn't really worth thinking about as the extra bandwidth from a writeable DC was minimal. I'm probably overthinking it and there probably isn't too much to worry about, and like you say I'm sure there are many factors that come into play with this such as internet connections between sites etc.

  7. #6
    Gigabyte Poster Shinigami's Avatar
    In absolutely massive environments that also run frequent identity management updates and the like, you may see a benefit. But you would also get results by making additional domains, choosing to selectively enable DNS zone synchronizations (especially AD integrated) only to those DC's that need them, carefully managing your IP site links and bridgeheads, selectively enabling the Global Catalog function (typically the hungrier component of a DC when we talk about replication overhead) and so on and so on.

    Don't forget that the RODC's won't provide a service to some applications that require a writeable DC on-site (e.g. Exchange, Lync...) and some queries will still go out from the site (for example, a password change will need to be sent to a PDCe which then sends the new password downstream to the RODC).

    It's one of those things where you'd need to weigh the pros and cons, as RODC's, whilst useful in many situations, may not be the best solution for reducing bandwidth usage (and if you're unlucky, all your queries to the writeable DC's may counteract the savings you get from having an RODC on the local site).

    It's an interesting concept to reduce bandwidth usage, but I would still sell it as a security feature, even giving local admins logon rights for maintenance purposes whilst retaining Domain Admin rights for yourself. Also, RODC's may be an option for those Perimeter (DMZ) networks if you absolutely must extend your AD to that zone (once again, needs to be carefully weighed for pros and cons).
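
Added example, not part of the original posts: the security benefit discussed above depends on which account passwords the RODC is permitted to cache and which it has actually cached. This PowerShell sketch uses the ActiveDirectory module to audit both; the RODC name `BRANCH-RODC01` is a placeholder, and treating `adminCount=1` as "privileged" is an assumption made for the example.

```powershell
# Added example: audit the password caching state of one RODC.
# Run from a management host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC01'   # placeholder RODC name (assumption)

# Principals whose passwords the RODC may cache, and those it may never cache.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Accounts whose passwords are currently stored on the RODC, and accounts
# that have authenticated through it (candidates for future caching).
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Heuristic for "privileged": accounts stamped with adminCount=1 (assumption).
$privilegedDns = Get-ADUser -LDAPFilter '(adminCount=1)' |
    Select-Object -ExpandProperty DistinguishedName

# Finding 1: privileged accounts whose passwords sit on the branch RODC.
$cachedPrivileged = $revealed |
    Where-Object { $privilegedDns -contains $_.DistinguishedName }

# Finding 2: privileged accounts that logged on via the RODC; if the RODC is
# compromised, these are the credentials most likely to have been exposed in use.
$authPrivileged = $authenticated |
    Where-Object { $privilegedDns -contains $_.DistinguishedName }

[pscustomobject]@{
    RODC                    = $rodc
    AllowedPrincipals       = ($allowed.Name | Sort-Object) -join '; '
    DeniedPrincipals        = ($denied.Name  | Sort-Object) -join '; '
    CachedAccountCount      = @($revealed).Count
    CachedPrivileged        = ($cachedPrivileged.SamAccountName) -join '; '
    AuthenticatedPrivileged = ($authPrivileged.SamAccountName) -join '; '
} | Format-List
```

An empty `CachedPrivileged` field is the expected result for a branch RODC; any account listed there should have its password reset if the server is lost or compromised.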

  8. #7
    Megabyte Poster
    Thanks for the response dude, I had just read the chapter on RODC's and it just got me thinking outside the box about a few things, hence my questions.
