Introducing the Read-Only Domain Controller
Windows Server 2008 has a whole slew of new features that make it appealing to just about everyone. One of these new features is the introduction of the Read-Only Domain Controller.
If you have every planned the deployment of an Active Directory domain that requires multiple domain controllers, you are probably familiar with the concept of multimaster replication. What this means is that any change made on any domain controller on the network is replicated to others. While this makes administration very efficient, it does prove to be a bit of a security risk. In this model, all an intruder needs is access one domain controller to breach you network. In a distributed environment, this places all of your domain controllers in remote location as points of attack.
The read-only domain controller alleviates this risk because it only allows for one way replication. That is, active directory information is replicated to an RODC, but cannot be replicated back. This one way replication means that an attacker cannot modify active directory from the remote location and compromise the other servers in the network.
You can configure an RODC on your network by simply running the DCPROMO utility and selecting the RODC option during the domain controller promotion process.
Chris Sanders is a network consultant for KeeFORCE, one of the most popular network consulting firms in western Kentucky. Chris is the author of the book Practical Packet Analysis as well as several technical articles. His personal website at www.chrissanders.org contains a great deal of information, articles, and guides related to network administration, network security, packet analysis, and general information technology.