Application Compatibility: Read Only Domain Controllers (RODC)

Read-Only Domain Controllers (RODC)

Feature Impact

Moderate

Brief Description

A Read-Only Domain Controller (RODC) is a new type of domain controller under the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts a read-only replica of the database in Active Directory® Domain Services (AD DS) for a given domain.

Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, authenticating over the WAN was not efficient. Branch offices often cannot provide the physical security that a writable domain controller requires. Furthermore, branch offices often have poor network bandwidth when connected to a hub site. This limitation can increase the amount of time required to log on; it can also hamper access to network resources.

Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can benefit from:

  • Improved security.

  • Faster logon times.

  • More efficient access to resources on the network.

Manifestation

Any application that writes to the Active Directory is potentially impacted by RODCs and might see compatibility issues involving failed writes or failed reads of newly written data.

Remedies

Applications that write data might locate a domain controller using methods that do not differentiate between writable and read-only domain controllers.

There are two methods that applications typically use to request the nearest domain controller:

  • A domain controller Locator call.

  • A serverless bind.

In Windows Server 2008, a domain controller Locator call can return any domain controller, including a domain controller running Windows 2000 Server or Windows Server 2003 or a writable or read-only domain controller running Windows Server 2008.

Problems can occur if an application needs to write to directory objects and it gets an RODC from calling a serverless bind. In that case, the write operations are referred to a writable domain controller running Windows Server 2008 at the hub site. Depending on the WAN connection to the hub site at that time, the application can fail to connect to the hub and can report errors. The application must also correctly handle these referrals. Even if the write operation succeeds, any subsequent reading of the data that was just written might fail because of inherent latency that is required to replicate this data back to the RODC.

Applications that must run on a domain controller should be aware of RODCs. These applications must determine if the domain controller is writable or if it is an RODC. Checking the registry or using OSVERSIONINFOEX, as discussed in OSVERSIONINFOEX Structure, does not distinguish an RODC from a writable domain controller. An RODC still advertises itself as a domain controller.

To make this determination, check the supportedCapabilities attribute on the rootDSE object. For more information, see Serverless Binding and RootDSE. The presence of the object identifier value 1.2.840.113556.1.4.1920 indicates that the specified domain controller is an RODC.

You can also use the DsRoleGetPrimaryDomainInformation function to determine if the domain controller is an RODC. A new flag has been added to the DSROLE_PRIMARY_DOMAIN_INFO_BASIC structure.
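The following Python is an added example, not code from the original article or from Microsoft. It shows the two RODC checks described above (the supportedCapabilities OID on rootDSE, and the read-only flag bit in the DSROLE_PRIMARY_DOMAIN_INFO_BASIC Flags field) and then uses them to route writes to a writable domain controller and to read the written data back from the domain controller that accepted the write, which avoids the replication-latency failure described in the Remedies section. Assumptions: the rootDSE dictionaries are constructed sample data (in a real application they would come from an LDAP rootDSE query); the DSROLE_* bit values are taken from the Win32 dsrole.h header; the DomainController class is a toy model of write referral and replica lag, not an LDAP client.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# OID that an RODC lists in supportedCapabilities (value from the article).
RODC_CAPABILITY_OID = "1.2.840.113556.1.4.1920"

# Flag bits of DSROLE_PRIMARY_DOMAIN_INFO_BASIC.Flags (values from dsrole.h).
DSROLE_PRIMARY_DS_RUNNING = 0x00000001
DSROLE_PRIMARY_DS_MIXED_MODE = 0x00000002
DSROLE_UPGRADE_IN_PROGRESS = 0x00000004
DSROLE_PRIMARY_DS_READONLY = 0x00000008


def is_rodc(rootdse: Dict[str, List[str]]) -> bool:
    """True if the rootDSE advertises the RODC capability OID."""
    return RODC_CAPABILITY_OID in rootdse.get("supportedCapabilities", [])


def is_rodc_from_dsrole_flags(flags: int) -> bool:
    """Same decision from the Flags value DsRoleGetPrimaryDomainInformation returns."""
    return bool(flags & DSROLE_PRIMARY_DS_READONLY)


@dataclass
class DomainController:
    """Toy model (assumption): one DC with its rootDSE, a local replica and,
    for an RODC, the writable hub DC its write referrals point to."""
    name: str
    rootdse: Dict[str, List[str]]
    replica: Dict[str, str] = field(default_factory=dict)
    referral_target: Optional["DomainController"] = None

    @property
    def writable(self) -> bool:
        return not is_rodc(self.rootdse)

    def write(self, attr: str, value: str) -> "DomainController":
        """Apply the write locally, or chase the referral an RODC returns.
        Returns the DC that actually accepted the write."""
        if self.writable:
            self.replica[attr] = value
            return self
        if self.referral_target is None:
            raise RuntimeError(f"{self.name} is read-only and returned no referral")
        # The RODC's replica is NOT updated here: it only changes once the
        # hub replicates the value back, which is the latency the article warns about.
        return self.referral_target.write(attr, value)

    def read(self, attr: str) -> Optional[str]:
        return self.replica.get(attr)


def pick_writable(dcs: List[DomainController]) -> Optional[DomainController]:
    """What a write-aware locator must do: skip RODCs, return None if no writable DC."""
    for dc in dcs:
        if dc.writable:
            return dc
    return None


def write_then_read(dc: DomainController, attr: str, value: str) -> Optional[str]:
    """Write through `dc`, then read back from the DC that accepted the write,
    not from the RODC whose replica still lags behind."""
    accepted_by = dc.write(attr, value)
    return accepted_by.read(attr)


# Constructed sample rootDSE data for a hub DC and a branch RODC.
HUB = DomainController(
    "HUB-DC01",
    {"supportedCapabilities": ["1.2.840.113556.1.4.800", "1.2.840.113556.1.4.1670"]},
)
BRANCH = DomainController(
    "BRANCH-RODC01",
    {"supportedCapabilities": ["1.2.840.113556.1.4.800", RODC_CAPABILITY_OID]},
    referral_target=HUB,
)

if __name__ == "__main__":
    for dc in (HUB, BRANCH):
        print(dc.name, "RODC" if is_rodc(dc.rootdse) else "writable")
    print("write target:", pick_writable([BRANCH, HUB]).name)
    print("read-after-write via hub:", write_then_read(BRANCH, "description", "v1"))
    print("same read from the RODC replica:", BRANCH.read("description"))
```

The last two lines of the demo show the failure mode in miniature: the write through the RODC succeeds because the referral is followed, but an immediate read from the RODC still returns nothing until replication catches up, so an application should either read back from the writable DC it was referred to or tolerate the stale read.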

Application Compatibility with RODCs

The Future of Active Directory (February 22, 2006) chat

The Future of Windows: Directory Services in Windows Server 2008

See Also

Concepts

Application Compatibility