Active Directory (hosted on Domain Controller (DC) servers) is required to authenticate a user logging on to a domain within a domain environment. AD authenticates users and issues them service tickets, which allow them to connect to and use services such as file and print services. A user therefore requires access to a DC (which hosts Active Directory) on the domain LAN.
The more DCs there are in a domain, the greater the AD replication traffic back and forth between them via their replication partner relationships.
There is a balance to be struck between the number of DCs required, positioned appropriately to quickly authenticate user logons and issue service tickets, and keeping AD replication to a minimum to prevent excessive use of available bandwidth. The latter is of particular importance for users and systems connecting to a DC over a slow link (a WAN link), where excessive AD replication traffic can readily congest the bandwidth, as shown in the image below.
Read Only Domain Controller (RODC):
To help with the issue of user logons and AD replication in branch office scenarios with relatively few users and limited bandwidth, Windows Server 2008 onwards has the option to create RODCs (Read Only Domain Controllers). A RODC (typically deployed in a branch office) is a DC holding a non-editable copy of AD data that maintains only a subset of AD information and caches user names and credentials locally. While Windows Server 2008 and 2012 are the only operating systems on which this role can be installed, RODCs will function on networks that still contain Windows Server 2003 DCs.
As the RODC does not contain editable AD data, replication between this DC and the others is one-way only, which reduces network traffic, while the cached user details allow user logon authentication to be handled at the RODC itself. The following image shows the use of a RODC across a slow WAN link.
User information is selectively cached on a RODC according to a PRP (Password Replication Policy) configured on a writable DC. The PRP determines which AD users can have their user names and passwords cached locally on the RODC.
Installing a RODC:
A RODC installs like a writable DC using DCPromo. The only requirement is to have a writable Windows Server 2008, 2008 R2 or 2012 DC already running. If there is none, the Active Directory Domain Services role will need to be installed first. If the domain has any Windows Server 2003 DCs you will need to first prepare the forest and domain schema using ADPrep /RodcPrep (as shown below), and then complete the previously mentioned step if necessary.
This ensures the RODC can receive replicated AD data from the writable DCs, including DNS data (if the RODC is also selected as a DNS server) from any DNS application partitions within the AD database. Next, run DCPromo from the command line.
The DCPromo wizard starts.
We need to add a DC to the existing domain for RODCs.
Specify the domain the new DC is in.
Specify the site for the new DC.
Check the "Read-only Domain Controller (RODC)" checkbox, and also the checkboxes for DNS Server and Global Catalog (GC) Server if appropriate for your situation.
Next, delegate administrative permissions on this server to a user or group (members of that user or group become local administrators of the RODC only; they gain no rights over the rest of the domain).
Specify suitable locations for the AD database, log files, and the public SYSVOL volume. The default locations are shown in the next image.
Enter an administrator password for accessing the server in Directory Services Restore Mode.
Next is a summary of the settings you selected. Double-check them to avoid having to undo and redo these steps.
Next, AD data begins replicating from a writable DC to the new RODC.
After replication, the installation is complete. If we launch Active Directory Users and Computers, the new RODC should appear there. In this example, Server3 is listed and shows as a RODC.
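The same promotion can be scripted on Windows Server 2012 and later with the ADDSDeployment module, which the page's 2012 scenario supports (on 2008/2008 R2 the DCPromo wizard above is the tool). This is an added example, not the article's own procedure; the domain name corp.example.com, site BranchOffice, source DC DC1, delegated admin group RODC-Branch-Admins and the branch user group Branch-Users are assumed values, and the paths are the wizard defaults the article shows. Each parameter corresponds to one wizard page.

```powershell
# Added example (not from the original article): unattended RODC promotion.
# Run in an elevated PowerShell session on the server that will become the RODC.
# Assumed values: domain corp.example.com, site BranchOffice, writable source
# DC DC1, delegated admin group RODC-Branch-Admins, branch users in Branch-Users.

# Prerequisite the wizard also needs: the AD DS binaries on this server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Wizard page "Directory Services Restore Mode password": prompt instead of
# hard-coding it in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM administrator password'

# Account used to join the domain and write the new DC object (must be able
# to promote DCs in the domain).
$promoCred = Get-Credential -Message 'Account with rights to add a DC'

$rodcParams = @{
    DomainName                          = 'corp.example.com'       # "Specify the domain"
    SiteName                            = 'BranchOffice'           # "Specify the site"
    ReplicationSourceDC                 = 'DC1.corp.example.com'   # writable DC to pull AD data from
    InstallDns                          = $true                    # DNS Server checkbox
    NoGlobalCatalog                     = $false                   # GC checkbox (RODC is a GC)
    DelegatedAdministratorAccountName   = 'CORP\RODC-Branch-Admins' # local admins of this RODC only
    DatabasePath                        = 'C:\Windows\NTDS'        # wizard defaults for database,
    LogPath                             = 'C:\Windows\NTDS'        # log files and SYSVOL
    SysvolPath                          = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword       = $dsrmPassword
    # Initial Password Replication Policy, equivalent to "advanced mode installation":
    # allow the branch users, keep the default deny list of privileged groups.
    AllowPasswordReplicationAccountName = @('CORP\Branch-Users')
    DenyPasswordReplicationAccountName  = @('CORP\Denied RODC Password Replication Group')
    Credential                          = $promoCred
    NoRebootOnCompletion                = $false                   # reboot when replication is done
    Force                               = $true                    # skip interactive confirmation
}

Add-ADDSReadOnlyDomainController @rodcParams

# After the reboot, confirm from any DC that the new server is registered as
# read-only (the Server3 check the article performs in AD Users and Computers).
# Get-ADDomainController -Filter { IsReadOnly -eq $true } |
#     Select-Object Name, Site, IsGlobalCatalog, IsReadOnly
```

Splatting the parameters into a hashtable keeps the mapping from wizard page to setting readable and avoids the backtick line continuations that PowerShell rejects when a comment follows them. The `Get-ADDomainController` query at the end is the scripted equivalent of opening AD Users and Computers to verify that Server3 appears as a RODC.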
Password Replication Policy (PRP):
The PRP (Password Replication Policy) determines which users' credentials can be cached on a RODC. If a user is set to Allow, that user's authentication and service ticket requests can be processed by the RODC itself. If set to Deny, the RODC forwards the user's authentication and service ticket requests to a writable DC.
Configure the PRP for the RODC on a writable DC via AD Users and Computers. Select the "Password Replication Policy" tab in the RODC server's Properties. Keep in mind that because the RODC is not writable, account creation and modification must occur on a server that is.
Note that the following steps could have been achieved during the installation of the RODC above if we had selected "Use advanced mode installation" in the first step of the wizard. The following steps are for configuring PRP after the fact.
Use the built-in groups, or specify your own users or groups, and add them with Allow or Deny to control whether their passwords may be cached on the RODC.
The user below has been added and allowed to have their password cached on the RODC. If the RODC is the nearest DC to the location they log on from, this will improve their logon times.
Select the "Advanced" button to pre-populate users' passwords on the RODC (cache them in advance), even before the first time they attempt to log on to the domain via the RODC.
The user was successfully added with a pre-populated password on the RODC.
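The PRP tab and its Advanced button have scripted equivalents in the ActiveDirectory module and repadmin, which is useful when the same policy has to be applied to several branch RODCs. The following is an added example, not part of the original article; it assumes the RODC is Server3 in the domain corp.example.com (as in the article's screenshots), a writable DC named DC1, a branch user group named Branch-Users, a group named Server-Admins that should never be cached, and a user jsmith to pre-populate. It is run from a writable DC or a workstation with RSAT.

```powershell
# Added example (not from the original article): managing a RODC's Password
# Replication Policy from a writable DC. Assumed names: RODC Server3, domain
# corp.example.com, writable DC DC1, groups Branch-Users and Server-Admins,
# user jsmith.

Import-Module ActiveDirectory

$rodc     = 'Server3.corp.example.com'
$sourceDc = 'DC1.corp.example.com'

# 1. Allow the branch user group (the "Allow" entries on the PRP tab) and
#    explicitly deny an administrative group so its secrets never reach the
#    branch server. When an account is in both lists, Deny takes precedence.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  'Server-Admins'

# 2. Show the resulting policy, as the tab lists it.
Write-Host 'Allowed to cache:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Write-Host 'Denied from caching:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# 3. Pre-populate one user's secrets ahead of their first branch logon (the
#    "Advanced" button). repadmin /rodcpwdrepl takes the RODC, the writable
#    source DC and the distinguished name(s) of the accounts to replicate.
$userDn = (Get-ADUser -Identity 'jsmith').DistinguishedName
repadmin /rodcpwdrepl $rodc $sourceDc $userDn

# 4. Verify. "Revealed" accounts are those whose secrets are actually stored
#    on the RODC; "authenticated" accounts have merely logged on through it
#    (a Deny-listed user appears in the second list but never the first).
Write-Host 'Passwords currently stored on the RODC:'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Write-Host 'Accounts that have authenticated via the RODC:'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Step 4 is the part worth keeping in a periodic check: the revealed-accounts list is the set of credentials that would be exposed if the branch server were lost, so it should contain only the branch users the policy intended and nothing from the Deny list.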