The RODC (Read-Only Domain Controller) in AD DS environments is designed specifically for the branch office scenario. RODC receives authentication requests from branch office users and forwards them to a domain controller in the hub site for authentication. There are two types of configuration scenarios, one option is to allow caching of branch office users login credentials and the other to prevent the caching of this sensitive information. To enable users to authenticate locally through the cache, will improve authentication time, and especially if the connection between the branch office and the hub site is slow, however, this scenario introduces some security risks. If an organization implements a RODC because the trust level at a particular branch office is low then if that RODC is compromised then the cached users' credentials can be exposed. From a recovery point of view, only the user accounts that had been cached on that RODC must have their passwords changed.
The high-level steps to install a RODC are as follows:
- Ensure that the forest functional level is Windows Server 2003 or higher.
- If the forest has any DCs running Microsoft Windows Server 2003, run Adprep /rodcprep.
- Ensure that at least one writable DC is running Windows Server 2008
- Install the RODC
Writable domain controllers maintain a list of all cached credentials on individual RODCs.