Read Only Domain Controllers

Discussion in 'Active Directory Exams' started by jvanassen, Mar 2, 2013.

  1. jvanassen

    jvanassen Kilobyte Poster

    Hi Guys,

    Currently working my way through study material on the 70-640 and just after some clarification on replication with a RODC. I know the primary benefit of a RODC is it gives a bit of peace of mind when deploying a DC in an unsecured location. However, I'm also aware that if it's at a small branch location then this can also be a benefit, as if you have just a couple of people working there then you don't really need the whole of your Active Directory deployment always replicating to this DC.

    I'm just wondering, if you have a few different sites all with fully writeable DCs and you're constantly replicating out to these DCs when really there's no need to, because you just have a handful of certain people working there, will this be causing a lot of unnecessary bandwidth across the network?

    I know this is probably quite an open-ended question and there's a lot to take into consideration, such as internet speeds between sites and the amount of changes that happen in the AD schema, but I think you can understand my thinking and perhaps give some guidance. Would it be beneficial to have these as RODCs to avoid pointless replication and needless bandwidth?
     
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101
  2. Adam Banner

    Adam Banner Poster Galore

     
  3. jvanassen

    jvanassen Kilobyte Poster

    Anybody? :0
     
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101
  4. Sparky

    Sparky Zettabyte Poster Moderator

    Replication is scheduled so there isn't constant replication to RODCs.

    Also, if you have an RODC you need to make AD changes at a site that has a writeable DC and then wait for the changes to be replicated to the site with the RODC, which can be a pain if a new user needs to log on at that site or you are waiting for group permissions to replicate.

    I’ve only ever used RODCs when it is a small office and the server will be hosting other applications that I wouldn’t want to install on a writable DC.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  5. Shinigami

    Shinigami Megabyte Poster

    There will be a little less replication activity sent to RODCs, and they themselves replicate nothing to the writeable DCs. But other factors come into play, and if you're worried about bandwidth, you need to look at many additional factors to keep it in check.

    The RODC is primarily used in situations where the local office risks being compromised and you don't want to leave a full DC with all passwords exposed on that site.
     
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
  6. jvanassen

    jvanassen Kilobyte Poster

    Sure, I understand that. I was just wondering whether deploying a RODC at a remote site with set users was very beneficial in terms of bandwidth, or whether it wasn't really worth thinking about as the extra bandwidth from a writeable DC was minimal. I'm probably overthinking it and there probably isn't too much to worry about, and like you say, I'm sure there are many factors that come into play with this, such as internet connections between sites etc.
     
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101
  7. Shinigami

    Shinigami Megabyte Poster

    In absolutely massive environments that also run frequent identity management updates and the like, you may see a benefit. But you would also get results by making additional domains, choosing to selectively enable DNS zone synchronisation (especially AD-integrated) only to those DCs that need it, carefully managing your IP site links and bridgeheads, selectively enabling the Global Catalog function (typically the hungrier component of a DC when we talk about replication overhead) and so on and so on.

    Don't forget that RODCs won't provide a service to some applications that require a writeable DC on-site (e.g. Exchange, Lync...) and some queries will still go out from the site (for example, a password change will need to be sent to a PDCe, which then sends the new password downstream to the RODC).

    It's one of those things where you'd need to weigh the pros and cons, as RODCs, whilst useful in many situations, may not be the best solution for reducing bandwidth usage (and if you're unlucky, all your queries to the writeable DCs may counteract the savings you get from having an RODC on the local site).

    It's an interesting concept to reduce bandwidth usage, but I would still sell it as a security feature, even giving local admins logon rights for maintenance purposes whilst retaining Domain Admin rights for yourself. Also, RODCs may be an option for those Perimeter (DMZ) networks if you absolutely must extend your AD to that zone (once again, needs to be carefully weighed for pros and cons).
     
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
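The knobs Shinigami lists (GC placement, site link schedules, and what an RODC is allowed to cache) can be audited from the ActiveDirectory module. This is an added example, not code from the thread; it assumes RSAT is installed on a domain-joined host and that the tier-0 group list is your own (the three names below are a constructed starting point). It only reads, it changes nothing.

```powershell
# Added example: audit RODC placement, Password Replication Policy (PRP) and
# the replication schedule with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Accounts whose secrets should never be cached on a branch RODC.
# Constructed list; extend it with your own tier-0 groups.
$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$tier0 = foreach ($g in $Tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
}
$tier0 = $tier0 | Sort-Object -Unique

# Password changes made at an RODC site are forwarded to the PDC emulator.
$pdce = (Get-ADDomain).PDCEmulator

foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    "== {0}  site={1}  GC={2}  (writes/password changes go to PDCe {3})" -f `
        $rodc.HostName, $rodc.Site, $rodc.IsGlobalCatalog, $pdce

    # PRP: who may have secrets cached on this RODC, and who is explicitly denied.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    "  PRP allowed: {0}" -f (($allowed.Name) -join ', ')
    "  PRP denied : {0}" -f (($denied.Name)  -join ', ')

    # Secrets already present on this RODC. A tier-0 account here means a stolen
    # branch server exposes a privileged credential, which is what the RODC is
    # meant to prevent.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    $bad = $revealed | Where-Object { $tier0 -contains $_.SamAccountName }
    if ($bad) {
        "  WARNING: privileged accounts cached on RODC: {0}" -f (($bad.SamAccountName) -join ', ')
    } else {
        "  {0} account(s) cached, none privileged" -f @($revealed).Count
    }
}

# Site links: inter-site replication to branch DCs runs on this schedule,
# not continuously, so cost and frequency are what actually shape WAN usage.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } } |
    Format-Table -AutoSize
```

If a privileged account shows up as revealed, reset its password (resetting is what clears it from the RODC cache) and tighten the PRP so it cannot be cached again.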
  8. jvanassen

    jvanassen Kilobyte Poster

    Thanks for the response dude, I had just read the chapter on RODCs and it just got me thinking outside the box about a few things, hence my questions.
     
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101