What is the use of RODC in Windows 2012?
An RODC (read-only domain controller) is a type of domain controller, introduced with Windows Server 2008 and still available in Windows Server 2012, that hosts read-only partitions of the Active Directory database. Except for account passwords, which it stores only for the accounts its Password Replication Policy allows it to cache, an RODC holds every Active Directory object and attribute that a writable domain controller holds. No change can be written to the copy of the database stored on the RODC; writes are directed to a writable domain controller instead.
How do I set up my 2012 RODC?
Preparing the RODC
- Launch Server Manager.
- Click the Manage link at the top-right of the Server Manager console, then click Add Roles and Features.
- On the Before you begin screen, click Next.
- On the Select installation type screen, ensure Role-based or feature-based installation is selected, and then click Next.
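The same role installation and RODC promotion can be done from PowerShell, which is also what the Server Manager wizard calls underneath. The following is an added example and not from the original page or from Microsoft's documentation; the domain, site, group and account names (corp.example.com, Branch-01, CORP\Branch01-Users and so on) are assumptions.

```powershell
# Added example (not from the original page): PowerShell equivalent of the
# Server Manager wizard, run on the Windows Server 2012 member server that is
# to become the RODC. All domain, site, group and account names are assumptions.

# 1. Install the AD DS role binaries (what "Add Roles and Features" does).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Prerequisite check: forest functional level at least Windows Server 2003
#    and at least one writable DC running Windows Server 2008 or later. If
#    promotion reports that the forest is not prepared for RODCs, run
#    adprep /rodcprep from the Windows Server 2012 media first.
Import-Module ActiveDirectory
Get-ADForest | Select-Object Name, ForestMode
Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsReadOnly

# 3. Promote the server as an RODC. -ReadOnlyReplica selects the RODC path.
#    The Allow/Deny lists seed the Password Replication Policy so that branch
#    users and workstations can be cached while privileged accounts never are.
#    -DelegatedAdministratorAccountName gives the branch team local admin
#    rights on this RODC only, without any rights in the domain.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$cred = Get-Credential 'CORP\domain-admin'

Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -ReadOnlyReplica `
    -SiteName 'Branch-01' `
    -InstallDns `
    -AllowPasswordReplicationAccountName 'CORP\Branch01-Users', 'CORP\Branch01-Computers' `
    -DenyPasswordReplicationAccountName 'CORP\Domain Admins', 'CORP\Tier0-Admins' `
    -DelegatedAdministratorAccountName 'CORP\Branch01-Admins' `
    -SafeModeAdministratorPassword $dsrm `
    -Credential $cred `
    -Force

# Alternative (staged deployment): a Domain Admin pre-creates the RODC account
# from a writable DC with Add-ADDSReadOnlyDomainControllerAccount, using the
# same PRP and delegation parameters, and the delegated branch admin finishes
# on site with:
#   Install-ADDSDomainController -DomainName corp.example.com -UseExistingAccount -Credential (Get-Credential)
# That way Domain Admin credentials are never typed on branch hardware.
```

The Deny list matters more than the Allow list: the built-in defaults already deny Domain Admins, Enterprise Admins, Schema Admins and the Operators groups, and any custom tier-0 group should be added explicitly so that a stolen RODC never holds a privileged credential.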
Why would you deploy an RODC?
In short, an RODC improves the security of a domain controller placed where physical security is weak (a branch office or a DMZ), gives faster logon to users whose credentials it is allowed to cache, and keeps local resources reachable for those cached users when the WAN link to the hub site is down. The prerequisites are a forest functional level of at least Windows Server 2003, a forest prepared with adprep /rodcprep, and at least one writable domain controller running Windows Server 2008 or later in the domain, which the RODC replicates from and forwards requests to.
How does a RODC work?
When a user whose password is not cached logs on, the RODC forwards the authentication request to a writable domain controller, which performs the authentication. If the RODC's Password Replication Policy allows that user's password to be cached, the RODC then pulls the credential from the writable domain controller with a replication request, so that later logons by that user are handled locally.
Should RODC have DNS?
An RODC that is also a DNS server should point to itself as its primary DNS server, with the DNS servers in the hub site as alternates. By default, when you promote an RODC that is a DNS server, the RODC adds itself to the end of the alternate DNS server list as the loopback address 127.0.0.1.
How does RODC improve security?
RODCs provide the following: Read-only Active Directory database: a read-only copy of Active Directory is the safer choice for a distant location, such as a branch office, where the server cannot be physically secured. Changes attempted against the RODC are referred to the next upstream writable DC, replication runs in one direction only (from writable DCs to the RODC, never back), and an attacker who takes the RODC obtains only the credentials its Password Replication Policy allowed it to cache.
How do I know if a server is RODC?
In Active Directory Users and Computers, open the Domain Controllers OU: the DC Type column shows Read-only for an RODC (and GC if it is also a global catalog). The RODC's computer object also has a Password Replication Policy tab in its properties, which writable domain controllers do not have, and its Managed By tab names the delegated RODC administrator.
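The same check from PowerShell, as an added example that is not part of the original page: it lists the RODCs in the domain and cross-checks each one's computer object against the group membership that distinguishes RODC accounts. No names are assumed beyond the current domain.

```powershell
# Added example (not from the original page): enumerate RODCs and cross-check
# each computer object, the same facts the DC Type column in ADUC shows.
Import-Module ActiveDirectory

function Get-RodcInventory {
    Get-ADDomainController -Filter * |
        Where-Object { $_.IsReadOnly } |
        ForEach-Object {
            # An RODC's computer object has primary group 521
            # ("Read-only Domain Controllers"); writable DCs use 516.
            $obj = Get-ADComputer -Identity $_.ComputerObjectDN -Properties primaryGroupID, managedBy
            [pscustomobject]@{
                HostName        = $_.HostName
                Site            = $_.Site
                IsGlobalCatalog = $_.IsGlobalCatalog
                PrimaryGroupID  = $obj.primaryGroupID
                Consistent      = ($obj.primaryGroupID -eq 521)
                DelegatedAdmin  = $obj.managedBy   # what the Managed By tab displays
            }
        }
}

Get-RodcInventory | Format-Table -AutoSize
```

A row with Consistent set to False is worth investigating: IsReadOnly comes from the directory service's own view of the server, while primaryGroupID is an attribute on the object, and the two should never disagree.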
How does DNS work on RODC?
When a client sends a dynamic update to the RODC, the RODC tries to find a writable DNS server in the client's local site and sends the client a name server resource record for that server so the client can make the update there. If no writable DC is found in the local site, the RODC refers the client to any writable DNS server in the environment. The RODC then replicates the updated record from the writable DNS server it referred the client to, so that it can answer for the record locally.
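The following added example (not from the original page) puts the two DNS points above into checks: the RODC's own resolver order, the read-only state of the zones it hosts, and a branch client's dynamic update appearing on the writable server before it appears on the RODC. RODC01, DC01, corp.example.com, the interface alias 'Ethernet' and the hub addresses are assumptions.

```powershell
# Added example (not from the original page): DNS checks for an RODC site.
# RODC01, DC01, corp.example.com, 'Ethernet' and the addresses are assumptions.

# --- On the RODC: it should list itself first and the hub DCs as alternates ---
Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '127.0.0.1', '10.0.0.10', '10.0.0.11'

# The AD-integrated zones an RODC hosts are read-only copies: it answers
# queries for them but cannot accept updates to them.
Get-DnsServerZone -ComputerName 'RODC01' |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ZoneType, IsReadOnly

# --- On a client in the branch site ---
function Test-BranchDynamicUpdate {
    param([string]$Writable = 'DC01', [string]$Rodc = 'RODC01')
    $fqdn = "$env:COMPUTERNAME.corp.example.com"
    Register-DnsClient          # attempts the dynamic update; the RODC refers it onward
    Start-Sleep -Seconds 5
    $fromWritable = Resolve-DnsName -Name $fqdn -Type A -Server $Writable -ErrorAction SilentlyContinue
    $fromRodc     = Resolve-DnsName -Name $fqdn -Type A -Server $Rodc     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host         = $fqdn
        OnWritableDc = [bool]$fromWritable   # expected right away
        OnRodc       = [bool]$fromRodc       # expected once the RODC has replicated the record
    }
}

Test-BranchDynamicUpdate
```

If OnWritableDc is False the referral itself failed (no writable DNS server reachable from the branch); if only OnRodc is False, wait for replication and re-run before suspecting the RODC.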
Can RODC authenticate users?
If the user's password is cached, the RODC authenticates the account locally. If it is not cached, the RODC forwards the authentication request to a writable domain controller running Windows Server 2008 or later, which authenticates the account and returns the result to the RODC. The practical consequence is that when the WAN link to the hub is down, only users whose passwords are already cached on the RODC can log on.
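Which accounts fall into the "cached" and "forwarded" cases is decided by the RODC's Password Replication Policy (PRP). The following added example, written for this page and not taken from Microsoft's documentation, shows how to read and change the policy, prepopulate a credential so that the first branch logon works with the WAN down, and list the accounts whose secrets the RODC actually holds, which is the set to reset if the RODC is lost. RODC01, DC01, the group and user names are assumptions.

```powershell
# Added example (not from the original page): manage and audit an RODC's
# Password Replication Policy. RODC01, DC01, the groups and 'jdoe' are assumptions.
Import-Module ActiveDirectory
$rodc = 'RODC01'

function Show-RodcPrp {
    param([string]$Rodc)
    # Denied wins over Allowed when an account appears in both lists.
    Write-Host "== Allowed to be cached on $Rodc"
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
        Select-Object Name, ObjectClass
    Write-Host "== Denied on $Rodc"
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
        Select-Object Name, ObjectClass
}

# Allow branch users and workstations; deny a custom tier-0 group explicitly
# (the built-in admin groups are denied by default, custom ones are not).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch01-Users', 'Branch01-Computers'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Tier0-Admins'

# Prepopulate one user's secret from a writable DC. Without this the credential
# is cached only after the user's first successful logon through the RODC.
$user = Get-ADUser -Identity 'jdoe'
Sync-ADObject -Object $user.DistinguishedName -Source 'DC01' -Destination $rodc -PasswordOnly

# Blast radius: accounts whose passwords this RODC holds right now.
function Get-RodcRevealedAccounts {
    param([string]$Rodc)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Accounts that authenticated through this RODC without being cached: each of
# their logons crossed the WAN, so branch users here belong on the Allowed list.
function Get-RodcForwardedAccounts {
    param([string]$Rodc)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
        Select-Object Name, ObjectClass
}

# Compromise response: reset every cached user password. Cached computer
# accounts are re-keyed from the machines themselves (Reset-ComputerMachinePassword),
# and the RODC's own krbtgt_<id> account goes away when the RODC object is deleted.
function Reset-RodcRevealedUserPasswords {
    param([string]$Rodc)
    Get-RodcRevealedAccounts -Rodc $Rodc |
        Where-Object { $_.ObjectClass -eq 'user' } |
        ForEach-Object {
            $new = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
            Set-ADAccountPassword -Identity $_.DistinguishedName -Reset `
                -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
            $_.Name
        }
}

Show-RodcPrp -Rodc $rodc
Get-RodcRevealedAccounts -Rodc $rodc | Format-Table -AutoSize
Get-RodcForwardedAccounts -Rodc $rodc | Format-Table -AutoSize
```

Review the revealed list periodically rather than only after an incident: an account that should never have been cached on a branch RODC (a service account with domain-wide rights, for instance) is a policy defect that is cheap to fix before the RODC is stolen and expensive afterwards.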
Can I join computer to RODC?
To join a computer to a domain through a read-only domain controller, first create the computer account for the DMZ host that will connect to the RODC, doing so against a writable domain controller (as described in Creating computer objects for the target set of computers in the source documentation); the RODC cannot create the object itself. The join is then performed from the DMZ host with the read-only join option, and the RODC should be allowed to cache that computer account's password so the host can authenticate to the RODC without reaching the hub.
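The procedure end to end, as an added example that is not part of the original page or of Microsoft's documentation: part 1 runs against the writable DC, part 2 on the DMZ host. DC01, RODC01, DMZ-WEB01, corp.example.com, the OU path and the join-operator account are assumptions.

```powershell
# Added example (not from the original page): join a DMZ host through an RODC.
# DC01, RODC01, DMZ-WEB01, corp.example.com, the OU and the accounts are assumptions.

# --- Part 1: from an admin workstation, against the writable DC DC01 ---
Import-Module ActiveDirectory
$dc   = 'DC01'
$rodc = 'RODC01'
$name = 'DMZ-WEB01'
$ou   = 'OU=DMZ,DC=corp,DC=example,DC=com'

# The RODC cannot write, so the object is created on a writable DC.
New-ADComputer -Name $name -SAMAccountName $name -Path $ou -Enabled $true -Server $dc
$comp = Get-ADComputer -Identity $name -Server $dc

# Let the RODC cache this computer's secret and push it there now, so the host
# can authenticate to the RODC even when the hub is unreachable.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $comp -Server $dc
Sync-ADObject -Object $comp.DistinguishedName -Source $dc -Destination $rodc -PasswordOnly

# Confirm the secret is now held by the RODC.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts -Server $dc |
    Where-Object { $_.Name -eq $name }

# --- Part 2: on the DMZ host (Windows 7 / Windows Server 2008 R2 or later) ---
# /ReadOnly performs the join through an RODC. /PasswordD:* prompts for the
# password of a domain account permitted to join computers. The pre-created
# account is matched by computer name, so no /OU is given.
netdom join $env:COMPUTERNAME /Domain:corp.example.com /ReadOnly /UserD:CORP\join-operator /PasswordD:* /REBoot
```

Keep the DMZ host's account out of any group that is on the RODC's Denied list, otherwise the prepopulation step fails silently in the sense that the account simply never appears in the revealed list, and the join falls back to needing a path to a writable DC.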