Differences Between Recommendations in the Windows Server 2003 Branch Office Guide and Default Settings for RODCs

Updated: June 3, 2009

Applies To: Windows Server 2008

In many cases, read-only domain controllers (RODCs) provide default settings that eliminate the need to implement complex configurations that are described in the Windows Server 2003 Branch Office Guide. The following table compares how some best practices are implemented in the Windows Server 2003 Active Directory Branch Office Guide (http://go.microsoft.com/fwlink/?LinkID=28523) and how you can achieve the same results using RODCs.

There are also best practices in the Windows Server 2003 Active Directory Branch Office Guide that still apply to RODCs. For more information, see Recommendations from the Windows Server 2003 Branch Office Guide That Still Apply to RODCs.

Each entry below states the best practice, then how the Windows Server 2003 Active Directory Branch Office Guide implemented it, then how a Windows Server 2008 RODC implements it, followed by notes.


Best practice: Minimize the replication that is required to install domain controllers in branch offices.

Windows Server 2003 Active Directory Branch Office Guide: Create branch office domain controllers in a staging site at corporate headquarters, and then ship the domain controllers to their final destination in branch offices.

Windows Server 2008 RODC: Use the staged installation process to install RODCs directly in the branch office locations.

In a staged installation, a Domain Admin pre-creates the RODC account at the hub and delegates the second stage to a branch administrator, who attaches the branch server to that account with ordinary credentials; no Domain Admin credentials are entered in the branch office. Dcpromo.exe in Windows Server 2008 makes installation of an RODC directly into its Active Directory site possible. In addition, you can use the Install from Media (IFM) feature to reduce the replication that installation of Active Directory Domain Services (AD DS) requires. For more information about using staged installation, see Performing a Staged RODC Installation (http://go.microsoft.com/fwlink/?LinkID=133259). For more information about IFM, see Installing AD DS from Media (http://go.microsoft.com/fwlink/?LinkID=132630).

Best practice: A client computer should always first try to communicate with a local domain controller.

Windows Server 2003 Active Directory Branch Office Guide: Keep client computers on a local domain controller by using a Group Policy setting, applied to domain controllers, that disables the automatic site coverage that domain controllers perform for other sites.

Windows Server 2008 RODC: By default, RODCs do not perform automatic site coverage.

Group Policy for disabling automatic site coverage is no longer necessary for RODCs. If you maintain only RODCs in your branch offices, you can revert the corresponding changes that were recommended in the chapter "Planning a DNS Structure for the Branch Office Environment" in the Windows Server 2003 Active Directory Branch Office Guide (http://go.microsoft.com/fwlink/?LinkID=28523).

Best practice: Client computers in branch offices query Domain Name System (DNS) servers to update resource records and locate servers, and query global catalog servers for network logons.

Windows Server 2003 Active Directory Branch Office Guide: Client computers queried DNS servers and global catalog servers in hub sites; alternatively, universal group membership caching could be enabled for branch office sites instead of placing a global catalog server in each branch.

Windows Server 2008 RODC: Make every branch office RODC a DNS server and a global catalog server.

By default, Dcpromo.exe makes RODCs DNS servers and global catalog servers. This ensures that when wide area network (WAN) connectivity to a hub site is not available, branch office client computers can query DNS locally to locate other servers in the same site and query the global catalog locally for network logon.
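A check for the two preceding entries (local domain controller first; local DNS and global catalog in the branch), as an added example that is not part of the original page: run from a branch client, it asks the DC locator for a domain controller and for a global catalog in the client's own site and warns if either answer comes from another site; run on the RODC, it reports whether the AutoSiteCoverage override from the Windows Server 2003 guide's Group Policy is still present. The domain corp.contoso.com is an assumption; the client site is read from Netlogon.

```powershell
# Added example: verify locator behaviour in an RODC branch. corp.contoso.com is
# an assumed domain name.

# Parse the field lines of "nltest /dsgetdc" output into a hashtable.
function Get-LocatedDC([string[]]$nltestArgs) {
    $out = & nltest.exe @nltestArgs 2>&1
    $fields = @{}
    foreach ($line in $out) {
        if ("$line" -match '^\s*(DC|Address|Dom Guid|Dom Name|Forest Name|Dc Site Name|Our Site Name|Flags):\s*(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }
    return $fields
}

# Run on a branch client.
function Test-BranchLocator([string]$domain) {
    # Site of the client, as Netlogon determined it from the client's subnet.
    $site = (nltest.exe /dsgetsite | Select-Object -First 1).Trim()
    # /force bypasses the locator cache so the answer reflects current DNS data.
    $dc = Get-LocatedDC @("/dsgetdc:$domain", "/site:$site", "/force")
    $gc = Get-LocatedDC @("/dsgetdc:$domain", "/gc", "/site:$site", "/force")
    "Client site : $site"
    "DC located  : $($dc['DC'])  site=$($dc['Dc Site Name'])  flags=$($dc['Flags'])"
    "GC located  : $($gc['DC'])  site=$($gc['Dc Site Name'])  flags=$($gc['Flags'])"
    if ($dc['Dc Site Name'] -ne $site) {
        Write-Warning "DC lookup left site ${site}: a hub DC is covering it or the RODC's site-specific SRV records are missing"
    }
    if ($gc['Dc Site Name'] -ne $site) {
        Write-Warning "GC lookup left site ${site}: logons will fail or cross the WAN when the hub is unreachable"
    }
    if ($dc['Flags'] -match '\bWRITABLE\b') {
        Write-Warning "A writable DC answered; in an RODC-only branch that is a hub DC"
    }
}

# Run on the RODC itself.
function Test-RodcSiteCoverageOverride {
    # The 2003 guide's GPO wrote AutoSiteCoverage under this Netlogon key. An RODC
    # performs no automatic site coverage, so the value is redundant on it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $v = Get-ItemProperty -Path $key -Name AutoSiteCoverage -ErrorAction SilentlyContinue
    if ($v -ne $null) { "AutoSiteCoverage=$($v.AutoSiteCoverage) is still set; the GPO can be retired" }
    else { "No AutoSiteCoverage override present" }
}

Test-BranchLocator -domain 'corp.contoso.com'
# Test-RodcSiteCoverageOverride
```

Run the locator check once with the WAN up and once with it down (or with the hub DCs blocked at the branch router); the second run is the one that proves the branch can log on from its own RODC.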

Best practice: Hub site client computers and resources should never have to use a domain controller in a branch office location for DNS or Lightweight Directory Access Protocol (LDAP) queries, authentication, and so on.

Windows Server 2003 Active Directory Branch Office Guide: Create a Group Policy object (GPO) so that non-site-specific records (including delegation entries and name server (NS) resource record registrations) are not registered, and scope the GPO to the branch office domain controllers by filtering on computer groups.

Windows Server 2008 RODC: By default, RODCs register only site-specific resource records. They do not register delegation or name server (NS) resource records.

Group Policy for name server (NS) resource record registration is no longer necessary if you maintain only RODCs in branch offices. If you maintain writable domain controllers in branch offices, you can re-enable name server (NS) resource record registration for them by using a registry key and access control list (ACL) changes in DNS.
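An audit for the entry above, as an added example that is not part of the original page: it lists the non-site-specific SRV records and the zone NS records that hub clients fall back on, and warns if any of them points at a domain controller in a non-hub site, which is exactly the condition the Windows Server 2003 GPO existed to prevent. The domain corp.contoso.com, the hub site name "Hub" and the DNS server HUBDC01 are assumptions, as is a separate _msdcs zone (the default for Windows Server 2003 and later forests).

```powershell
# Added example: find branch DCs in the DNS records hub clients use.
# corp.contoso.com, "Hub" and HUBDC01 are assumed names.

$domain   = 'corp.contoso.com'
$dnsHost  = 'HUBDC01'
$hubSites = @('Hub')

# Every domain controller with its site, from the configuration partition;
# a DC in a non-hub site counts as a branch DC for this audit.
function Get-BranchDCs {
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$cfg")
    $s.Filter = '(objectClass=server)'
    $s.PageSize = 500
    $branch = @()
    foreach ($r in $s.FindAll()) {
        if (-not $r.Properties['dnshostname'].Count) { continue }
        # CN=RODC01,CN=Servers,CN=Branch01,CN=Sites,... -> site is the third RDN
        $site = (($r.Properties['distinguishedname'][0]) -split ',')[2] -replace '^CN=', ''
        if ($hubSites -notcontains $site) { $branch += $r.Properties['dnshostname'][0].ToLower() }
    }
    return $branch
}

# Targets of the SRV or NS records at one node, read with dnscmd /EnumRecords.
function Get-RecordTargets([string]$zone, [string]$node, [string]$type) {
    $out = & dnscmd.exe $dnsHost /EnumRecords $zone $node /Type $type 2>&1
    $targets = @()
    foreach ($line in $out) {
        if ($type -eq 'SRV' -and "$line" -match '\bSRV\s+\d+\s+\d+\s+\d+\s+(\S+)') { $targets += $matches[1].TrimEnd('.').ToLower() }
        if ($type -eq 'NS'  -and "$line" -match '\bNS\s+(\S+)')                  { $targets += $matches[1].TrimEnd('.').ToLower() }
    }
    return $targets
}

# Records that carry no site name: a hub client that falls back to one of these
# could be sent to a branch DC across the WAN.
$checks = @(
    @{ Zone = $domain;          Node = '_ldap._tcp';     Type = 'SRV' },
    @{ Zone = $domain;          Node = '_kerberos._tcp'; Type = 'SRV' },
    @{ Zone = "_msdcs.$domain"; Node = '_ldap._tcp.dc';  Type = 'SRV' },
    @{ Zone = "_msdcs.$domain"; Node = '_ldap._tcp.gc';  Type = 'SRV' },
    @{ Zone = $domain;          Node = '@';              Type = 'NS'  },
    @{ Zone = "_msdcs.$domain"; Node = '@';              Type = 'NS'  }
)

$branchDCs = Get-BranchDCs
foreach ($c in $checks) {
    $targets = @(Get-RecordTargets $c.Zone $c.Node $c.Type)
    $bad = @($targets | Where-Object { $branchDCs -contains $_ })
    $name = if ($c.Node -eq '@') { $c.Zone } else { "$($c.Node).$($c.Zone)" }
    if ($bad.Count) { Write-Warning ("{0} {1}: registered by branch DC(s): {2}" -f $c.Type, $name, ($bad -join ', ')) }
    else            { "{0,-3} {1}: OK ({2} records, none from branch DCs)" -f $c.Type, $name, $targets.Count }
}
```

A branch DC showing up under the SRV checks means a writable branch DC (or an RODC with a locator override) is registering non-site-specific records; one showing up under the NS checks means it is advertised as an authoritative server for the zone, and hub resolvers may send it queries.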

Best practice: To avoid overloading the bridgehead servers for File Replication Service (FRS) replication, enable Branch Office Mode for the Knowledge Consistency Checker (KCC). For more information about Branch Office Mode, see the Windows Server 2003 Active Directory Branch Office Guide (http://go.microsoft.com/fwlink/?LinkID=28523).

Windows Server 2003 Active Directory Branch Office Guide: Turn off KCC failover on branch office domain controllers, and enable redundant connection objects.

Windows Server 2008 RODC: RODCs should not use Branch Office Mode for redundancy, because they automatically redistribute their connection objects. For more information, see Review Bridgehead Server Load-Balancing Improvements with Windows Server 2008 RODCs.

A best practice is to use Distributed File System (DFS) Replication, rather than FRS, to replicate SYSVOL. For more information, see Plan for DFS Replication for SYSVOL.

Best practice: When you add a new bridgehead server, redistribute connection objects to use the new capacity.

Windows Server 2003 Active Directory Branch Office Guide: Run Adlb.exe manually to redistribute connections across bridgehead servers. (Move a maximum of 10 connections at a time.)

Windows Server 2008 RODC: By default, RODCs automatically redistribute connections when a new bridgehead server is added. Redistribution works without preferred bridgehead server lists.

Adlb.exe is not needed or supported for RODCs. However, you can continue to use it to redistribute connection objects between writable domain controllers.
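A check for the two preceding entries (automatic redistribution of RODC connection objects, and Adlb.exe no longer being needed for RODCs), as an added example that is not part of the original page: it tallies the inbound connection objects of every RODC in the forest by source bridgehead, which is the distribution an administrator used to inspect before and after running Adlb.exe, and it reports the SYSVOL replication state with dfsrmig.exe. Nothing is assumed beyond what Active Directory returns; it needs only read access to the configuration partition.

```powershell
# Added example: inbound RODC connection objects per bridgehead, plus SYSVOL
# replication state. No site or server names are assumed.

# "CN=NTDS Settings,CN=HUBDC01,CN=Servers,CN=Hub,CN=Sites,..." -> "Hub\HUBDC01"
function Get-ServerFromNtdsDn([string]$dn) {
    $parts = $dn -split ','
    return ("{0}\{1}" -f ($parts[3] -replace '^CN=', ''), ($parts[1] -replace '^CN=', ''))
}

function Get-RodcConnectionTally {
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$cfg")
    $s.Filter = '(objectClass=nTDSDSARO)'   # NTDS Settings objects of RODCs use this subclass
    $s.PageSize = 500
    $tally = @{}                            # bridgehead -> RODCs replicating from it
    foreach ($rodc in $s.FindAll()) {
        $rodcName = Get-ServerFromNtdsDn $rodc.Properties['distinguishedname'][0]
        $c = New-Object System.DirectoryServices.DirectorySearcher($rodc.GetDirectoryEntry())
        $c.Filter = '(objectClass=nTDSConnection)'
        $c.SearchScope = 'OneLevel'         # connection objects sit directly under NTDS Settings
        foreach ($conn in $c.FindAll()) {
            # fromServer is the DN of the source DC's NTDS Settings object
            $from = Get-ServerFromNtdsDn $conn.Properties['fromserver'][0]
            if (-not $tally.ContainsKey($from)) { $tally[$from] = @() }
            $tally[$from] += $rodcName
        }
    }
    return $tally
}

$tally = Get-RodcConnectionTally
foreach ($bh in ($tally.Keys | Sort-Object)) {
    "{0,-24} {1,3} inbound RODC connection(s): {2}" -f $bh, $tally[$bh].Count, ($tally[$bh] -join ', ')
}
# One bridgehead still carrying nearly all connections shortly after a new one was
# added means the automatic redistribution has not run yet; re-check later rather
# than reaching for Adlb.exe, which is not supported for RODCs.

# SYSVOL: a global state of "Eliminated" means DFS Replication, not FRS, carries it.
dfsrmig.exe /getglobalstate
```

Run the tally before and after adding a hub bridgehead; the new server should start to appear as a source for some RODCs without any manual connection changes, and without a preferred bridgehead server list.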