Read-Only Domain Controllers Step-by-Step Guide

Applies To: Windows Server 2008

This step-by-step guide provides instructions for planning, installing, and using a read-only domain controller (RODC). An RODC is a new type of domain controller in the Windows Server® 2008 operating system. This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory® database.

An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

Organizations that can guarantee the physical security of a branch domain controller might also deploy an RODC because of the reduced management requirements provided by features such as unidirectional replication.

Because RODC administration can be delegated to a domain user or security group, an RODC is well suited for a site that should not have a user who is a member of the Domain Admins group.

In this guide

Who Should Use This Guide?

What Is an RODC?

RODC Placement Considerations for Windows Server 2003 Domains

Prerequisites for Deploying an RODC

Known Issues for Deploying an RODC

Steps for Deploying an RODC

Steps for Administering an RODC

RODC Frequently Asked Questions

Appendix A: Client Operations

Appendix B: How the Authentication Process Works with RODCs

Appendix C: Application Compatibility with RODCs

Appendix D: Steps to Add an Attribute to the RODC Filtered Attribute Set

Change History

Date           Revision
June 29, 2010  Fixed broken link