Separation of administrator capabilities (Administrator Role Separation): an RODC can delegate local administration of the RODC itself, such as patching or driver installation, to a user or group without granting that user any permissions in the domain or on any other DC. The main benefits of an RODC are a reduced security risk, because the branch server holds no writable copy of Active Directory and, under the default Password Replication Policy, no privileged secrets; and better logon times, because users whose credentials are cached on the RODC no longer authenticate across a WAN link.

What is RODC and explain its purpose?

An RODC is a domain controller (DC) mode introduced in Windows Server 2008. It stores a read-only copy of the Active Directory (AD) domain database on the DC, but the feature is more than a read-only database: it also withholds credential secrets, replicates inbound only, and supports delegated local administration.

What is RODC in Active Directory?

An RODC is a type of domain controller that hosts read-only partitions of the Active Directory database. Except for account passwords and other credential secrets (which are withheld unless the Password Replication Policy allows them to be cached), an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, no changes can be made to the database stored on the RODC; write requests are referred to a writable DC.

What is RODC and how it authenticates?

If the user's or computer's password is cached on the RODC, the RODC authenticates the account locally. If it is not cached, the RODC forwards the authentication request over the WAN to a writable domain controller (Windows Server 2008 or later), which authenticates the account and returns the result to the RODC. After a successful forwarded logon the RODC asks the writable DC to replicate that account's secrets to it; the writable DC does so only if the RODC's Password Replication Policy allows caching for that account, so that later logons can be served locally. If the WAN link is down and the password is not cached, the logon fails.

What is RODC Why do we configure RODC?

The RODC is designed specifically to address the branch office scenario. An RODC is a domain controller, typically placed in the branch office, that maintains a copy of all objects in the domain and all attributes except secrets such as password-related properties.

What are the benefits of using an RODC in a branch office?

Here are the benefits of deploying RODC:

  • Reduced security risk to a writable copy of Active Directory.
  • Better logon times compared to authenticating across a WAN link.
  • Better access to the authentication resource on the network.
  • Better performance of directory-enabled applications.


What is the difference between DC and RODC?

RODC and writable DC differences: Active Directory Database. Writable DCs host the writable copies of the Active Directory database and can perform read and write operations against it. RODCs host read-only copies of the database, which do not include security principal secrets (passwords) except for the accounts the Password Replication Policy allows to be cached.

When should you use RODC?

The main reason to introduce an RODC is to place a domain controller in a remote office that has few users, weaker physical security, or weaker network security than the datacenter, without sacrificing logon performance at that location. Because the RODC holds no writable directory and, by policy, no privileged secrets, theft or compromise of the branch server does not directly hand an attacker the whole domain.

How do I identify my RODC server?

In Active Directory Users and Computers, open the Domain Controllers OU: the DC Type column shows Read-only (with GC added if it is also a global catalog) for an RODC. The RODC's computer object properties also have a Password Replication Policy tab that writable DCs do not have, and its Managed By tab names the delegated RODC administrator.
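The same check from PowerShell, as an added example that is not part of the original page: it lists every DC in the domain with its read-only flag and then cross-checks each RODC against its computer object. It assumes the RSAT ActiveDirectory module is installed; server and site names are whatever your forest returns.

```powershell
# Added example, not the page's own code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Inventory: IsReadOnly is read from the DC's NTDS Settings object, which is
# also what the "DC Type" column in Active Directory Users and Computers shows.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsReadOnly, IsGlobalCatalog, OperatingSystem |
    Sort-Object IsReadOnly, Name |
    Format-Table -AutoSize

# Cross-check each RODC against its computer account: msDS-isRODC is a
# constructed attribute that is TRUE only for RODC computer objects, and an
# RODC's primaryGroupID is 521 ("Read-only Domain Controllers"; writable DCs
# use 516, "Domain Controllers"). A mismatch is worth investigating.
Get-ADDomainController -Filter { IsReadOnly -eq $true } | ForEach-Object {
    $c = Get-ADComputer -Identity $_.ComputerObjectDN -Properties 'msDS-isRODC', primaryGroupID
    [pscustomobject]@{
        Name           = $_.Name
        Site           = $_.Site
        'msDS-isRODC'  = $c.'msDS-isRODC'
        PrimaryGroupID = $c.primaryGroupID
        Consistent     = ($c.'msDS-isRODC' -eq $true) -and ($c.primaryGroupID -eq 521)
    }
} | Format-Table -AutoSize
```

On a server without the PowerShell module, `dsquery server -isreadonly` returns the same set of RODCs from the command line.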

Which Windows Server has the RODC?

Windows Server 2008

Windows Server 2008 introduces a new type of domain controller, the Read-only Domain Controller (RODC). This provides a domain controller for use at branch offices where a full domain controller cannot be placed.

When was RODC introduced?

One of the most significant Active Directory features introduced in Windows Server 2008 was the Read-Only Domain Controller (RODC).

How do you deploy a RODC?

Deploy a Read-Only Domain Controller in Windows Server 2016

  1. Verify the tasks listed in the window and then click Next.
  2. Choose Role-based or feature-based installation and click Next.
  3. Choose desired destination server from servers pool and click Next.
  4. Choose Active Directory Domain Services from Server Roles. …
  5. Click Next.

How do you set up a RODC?

In Server Manager, click the "Promote this server to a domain controller" link. In the Active Directory Domain Services Configuration Wizard, select Add a domain controller to an existing domain. In the next step, check the Read-only domain controller (RODC) box and provide a password for Directory Service Restore Mode (DSRM). The wizard's RODC Options page then asks for the delegated RODC administrator account and for the accounts that are allowed or denied password replication; set these during promotion rather than leaving the defaults, because the defaults cache nothing and delegate nothing.
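The whole procedure above (role install, promotion as an RODC, PRP and delegated admin, post-check) in one PowerShell run, as an added example that is not code from the original page. Every name is an assumption: domain corp.example.com, site Branch01, writable source DC DC01, branch server RODC-BR01, delegated admin group CORP\Branch01-Admins, allow group CORP\Branch01-Users, deny group CORP\Tier0-ServiceAccounts. The cmdlets are from the ADDSDeployment module that ships with Windows Server 2012 and later; run them on the branch server with Domain Admin credentials.

```powershell
# Added example, not the page's own code. Assumed names: corp.example.com,
# Branch01, DC01, RODC-BR01, CORP\Branch01-Admins, CORP\Branch01-Users,
# CORP\Tier0-ServiceAccounts.

# Step 1: install the AD DS binaries and management tools (Server Manager steps 1-5).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: promote as an RODC into the existing domain. -ReadOnlyReplica is the
# "Read-only domain controller (RODC)" checkbox; the delegated-admin and
# password-replication parameters are the wizard's "RODC Options" page.
# Deny is evaluated before Allow, so a Tier-0 account can never be cached even
# if it is also a member of Branch01-Users.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString
$cred = Get-Credential -Message 'Domain Admin account used for the promotion'

Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -ReadOnlyReplica `
    -SiteName 'Branch01' `
    -ReplicationSourceDC 'DC01.corp.example.com' `
    -DelegatedAdministratorAccountName 'CORP\Branch01-Admins' `
    -AllowPasswordReplicationAccountName @('CORP\Branch01-Users') `
    -DenyPasswordReplicationAccountName @('CORP\Tier0-ServiceAccounts') `
    -InstallDns:$true `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# Step 3 (after the reboot, from any admin workstation): confirm the DC type.
Import-Module ActiveDirectory
Get-ADDomainController -Identity 'RODC-BR01' |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog
```

If the branch hardware is not available yet, `Add-ADDSReadOnlyDomainControllerAccount` creates the RODC computer account in advance with the same site, PRP and delegated-admin settings; the branch admin later runs `Install-ADDSDomainController -UseExistingAccount` with only their delegated credentials, so no Domain Admin password is ever typed at the branch.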

What two default groups exist when the RODC is installed?

The two groups are the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group, both in the domain's Users container. Every RODC's Password Replication Policy starts with these entries: Allowed RODC Password Replication Group: Allow (the group is empty by default); Denied RODC Password Replication Group: Deny; Administrators: Deny; Server Operators: Deny; Backup Operators: Deny; Account Operators: Deny. The Denied group is pre-populated with high-privilege principals (Domain Admins, Enterprise Admins, Schema Admins, Cert Publishers, Group Policy Creator Owners, Domain Controllers, Read-only Domain Controllers and the krbtgt account) so their secrets are never cached on a branch server. Accounts that are not allowed to cache on the RODC and that cannot reach a writable domain controller cannot authenticate, and therefore cannot use any resource or function that depends on Active Directory.

How do you convert a RODC to a writable DC?

There is no in-place conversion between a writable DC (RWDC) and an RODC; the DC type is fixed at promotion time. To switch, demote the DC to a member server (dcpromo on Windows Server 2008, Uninstall-ADDSDomainController on Windows Server 2012 and later), then promote it again (dcpromo or Install-ADDSDomainController) and choose the desired DC type. Demotion discards the server's copy of the directory, so the re-promoted DC must replicate a fresh copy; plan for that WAN traffic in a branch.

What is Allowed RODC Password replication Group?

The Allowed RODC Password Replication Group is the single Allow entry in every RODC's default Password Replication Policy. It is empty by default; adding branch users and the branch's computer accounts to it permits the RODC to cache their password secrets. Membership does not decide who may log on (any account that can still reach a writable DC authenticates through the RODC regardless); it decides whose secrets may be stored on the RODC and therefore whose logons keep working when the WAN link is down. Because this group is referenced by every RODC, anything placed in it can be cached at every branch; to scope caching to one office, add a branch-specific group directly to that RODC's PRP instead.

Which type of replication is performed by an RODC?

RODCs contain a read-only copy of the Active Directory database and use inbound-only replication: an RODC pulls updates from a writable domain controller, but no domain controller ever replicates from an RODC, so anything altered on a compromised RODC cannot propagate into the domain. Whether the secrets of a given user or computer are cached on an RODC is governed by that RODC's Password Replication Policy, not by normal replication.

How can password replication to an RODC be controlled?

To change the PRP, open the RODC's computer object properties in Active Directory Users and Computers and go to the Password Replication Policy tab. Click Add, choose either "Allow passwords for the account to replicate to this RODC" or "Deny passwords for the account from replicating to this RODC", and then pick the groups, users or computers in the Add Groups, Users and Computers dialog. Adding a Deny entry later does not delete secrets that are already cached; the Advanced button on the same tab lists the accounts whose passwords are stored on the RODC and lets you prepopulate passwords for allowed accounts. If an RODC is lost or stolen, delete its computer account and accept the wizard's offer to reset the passwords of every account that was cached on it.
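The PRP operations described above, and the caching behaviour behind the forwarded-logon flow and the default groups described earlier, as one added PowerShell example that is not code from the original page. Assumed names: RODC RODC-BR01, writable DC DC01, groups Branch01-Users, Branch01-Computers and Tier0-ServiceAccounts, and a branch user jdoe; the ActiveDirectory module is required.

```powershell
# Added example, not the page's own code. Assumed names: RODC-BR01, DC01,
# Branch01-Users, Branch01-Computers, Tier0-ServiceAccounts, jdoe.
Import-Module ActiveDirectory
$rodc = 'RODC-BR01'

# 1. Show the current policy. On a fresh RODC the Allowed list holds only the
#    empty "Allowed RODC Password Replication Group"; the Denied list holds the
#    "Denied RODC Password Replication Group" plus Administrators, Server
#    Operators, Backup Operators and Account Operators.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# 2. Allow the branch's users and computers to be cached, and explicitly deny
#    a sensitive service-account group. Deny always wins over Allow, so this is
#    safe even if an account ends up in both groups.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch01-Users', 'Branch01-Computers'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  'Tier0-ServiceAccounts'

# 3. Resolve the effective (resultant) policy for one account before relying
#    on it; the cmdlet reports Allow, Deny or Unknown after nested membership.
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'jdoe' -DomainController $rodc

# 4. Prepopulate the secret so the first branch logon never crosses the WAN.
#    This only succeeds for accounts the resultant policy allows.
Sync-ADObject -Object (Get-ADUser -Identity 'jdoe') -Source 'DC01' -Destination $rodc -PasswordOnly

# 5. Audit. "Revealed" accounts are the secrets physically stored on this
#    RODC, i.e. what a thief of the box obtains. "Authenticated" accounts have
#    logged on through the RODC but may not be cached: branch users here are
#    candidates for the Allow list, and any privileged account here is being
#    used at the branch and should be investigated.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Run step 5 periodically: the revealed list is the exact blast radius of that RODC, and it is also the list of passwords to reset if the server is ever lost.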

Which user credentials are cached on an RODC?

By default no branch user's credentials are cached on an RODC, because the Allowed RODC Password Replication Group is empty, so every logon is forwarded to a writable DC. Credentials are cached only for accounts that the Password Replication Policy allows, and only after that account's first successful logon through the RODC or after an administrator prepopulates them.

Which of the following are the functions of PDC emulator role?

Primary Domain Controller (PDC) Emulator

The PDC emulator receives urgent replication of password changes and account lockouts, is the DC that other DCs consult when a logon fails with a bad password (so a password changed moments ago is accepted anywhere in the domain), is the default DC used when Group Policy Objects are edited, and is the authoritative time source for the domain.

What is PDC Emulator domain controller?

PDC Emulator: The DC holding the Primary Domain Controller Emulator role is the authoritative DC in the domain. It receives password changes first (they are urgently replicated to it from the other DCs), is retried on failed logons, and is the default target when Group Policy Objects are edited. And the PDC Emulator tells everyone else what time it is! It's good to be the PDC.

Where is the PDC emulator in my domain?

Click Start, click Run, type dsa.msc, and then click OK. Right-click the domain object in the top-left pane, and then click Operations Masters. Click the PDC tab to view the server holding the PDC emulator role.
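The same lookup from PowerShell, plus a check of the PDC emulator's time source, as an added example that is not code from the original page. It assumes the ActiveDirectory module and runs against whatever domain the machine is joined to.

```powershell
# Added example, not the page's own code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# a) From the domain object: this is the same data the Operations Masters
#    dialog in dsa.msc reads.
$domain = Get-ADDomain
$domain | Select-Object DNSRoot, PDCEmulator, RIDMaster, InfrastructureMaster

# b) Through the DC locator, the way a client finds the PDC emulator when it
#    retries a failed logon or forwards a password change.
Get-ADDomainController -Discover -Service PrimaryDC -DomainName $domain.DNSRoot |
    Select-Object HostName, Site

# c) The classic command-line view of all five FSMO roles.
netdom query fsmo

# Check: every DC syncs time from its domain's PDC emulator, and child-domain
# PDCs sync from the forest root's PDC, so the forest-root PDC must point at an
# external source rather than "Local CMOS Clock" or the domain hierarchy.
$forestRootPdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
w32tm /query /source /computer:$forestRootPdc
```

If the last command reports Local CMOS Clock, Kerberos in the whole forest is keeping time from an unsynchronised battery-backed clock; configure an NTP source on that server before time skew starts failing authentication.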