RODC Placement Considerations
Applies To: Windows Server 2008, Windows Server 2012
With respect to placement of a read-only domain controller (RODC) in a site, consider how the RODC will replicate scheduled updates. An RODC can replicate updates of the domain partition only from a writable domain controller running Windows Server 2008 in the same domain. The RODC can replicate other partitions, including application directory partitions and global catalog partitions, from any writable domain controller that runs either Windows Server 2003 or Windows Server 2008. An RODC cannot be a source domain controller for any other domain controller because it cannot perform outbound replication.
An RODC must replicate the domain partition from a writable domain controller running Windows Server 2008 because only a writable domain controller that runs Windows Server 2008 can enforce the Password Replication Policy (PRP) for an RODC.
To replicate the domain partition to the RODC, you typically place a writable domain controller running Windows Server 2008 in the nearest site in your network topology to the site that contains the RODC. The nearest site in this sense is defined as the site that has the lowest-cost site link for the site that contains the RODC.
Security Note |
---|
An RODC that is placed in the same site as a writable domain controller does not provide security benefits. Some RODC features such as Administrator Role Separation can provide an administrative benefit. But to obtain security benefits, RODCs are intended to be placed in sites that are not as trustworthy as sites that have writable domain controllers. |
If you cannot place a writable Windows Server 2008 domain controller in the nearest site to the RODC, RODC replication depends on a site link bridge between the site links that contain the site of the RODC and the site of the writable Windows Server 2008 domain controller.
By default, a new Windows Server 2008 forest has the Bridge all site links option enabled, which means that all site links are bridged. You can configure this setting in the properties of the Inter-Site transport in the Active Directory Sites and Services snap-in.
For most existing branch office deployments that use Windows Server 2003 domain controllers, however, the Bridge all site links option is disabled. If you are adding RODCs to an existing deployment where Bridge all site links option is disabled, consider how RODC replication will work if you cannot place a writable Windows Server 2008 domain controller in the nearest site.
The following sections in this topic explain how domain partition replication works in scenarios in which the Bridge all site links option is either enabled or disabled. For more information about how RODC placement affects other operations, see the following topics:
Placing RODCs with site link bridging
If the Bridge all site links option is enabled, as shown in the following illustration, a writable domain controller running Windows Server 2008 can be placed in Site A rather than Site B. This is because physical connectivity between Site A and Site C is available implicitly. If the site link schedules overlap and the wide area network (WAN) links are available for a time that is sufficient to complete replication, the RODC in Site C can replicate from the writable domain controller running Windows Server 2008 in Site A.
Placing RODCs without site link bridging
In the following illustration, Sites A, B, and C have site links A–B and B–C and the Bridge all site links option is disabled. In this example, there are Windows Server 2003 domain controllers in Site A and Site B, and there is an RODC in Site C.
So that an RODC can be placed in Site C, a writable domain controller running Windows Server 2008 for the same domain should be placed in Site B to replicate the domain partition to the RODC. Otherwise, the RODC in Site C can replicate the schema, configuration, and application directory partitions, but not the domain partition.
In general, the introduction of an RODC should require minimal, if any, replication topology changes. For example, consider a multitier replication topology in which:
The Bridge all site links option is disabled.
RODCs are placed in edge (or spoke) sites (Site C and Site D).
A writable domain controller running Windows Server 2008 is placed in a hub site (Site A).
A domain controller running Windows Server 2003 is placed in an intermediary site (Site B).
This topology is shown in the following figure.
In this scenario, you can do any of the following options to accommodate the need for direct replication between the RODC and the writable domain controller running Windows Server 2008.
Create an additional site link between site A and site C and between site A and site D.
Create a site link bridge that includes site link A-B, site link B-C, and site link B-D.
Add a writable domain controller running Windows Server 2008 in the intermediary site (site B).