Active Directory Domain Services (AD DS)
Lesson 9

understanding domain controllers and rodc

By Sai Kurada
September 12, 2023
Domain Controllers (DCs) and Read-Only Domain Controllers (RODCs) are integral components of an Active Directory (AD) environment. They serve specific roles in the management and authentication of users, computers, and resources within a network.
Domain Controllers (DCs):

  • A Domain Controller is a server that authenticates users, enforces security policies, and manages access to network resources within a Windows domain.
  • Authentication: DCs verify the credentials of users and computers attempting to log in to the domain. They ensure that the provided username and password are correct.
  • Authorization: Once authenticated, the DCs grant appropriate access rights and permissions to users and computers based on their group memberships and policies.
  • Replication: DCs replicate Active Directory data (like user accounts, group memberships, etc.) with other DCs in the domain to maintain consistency.
  • Maintain the Global Catalog: The first DC in a domain is designated as the Global Catalog server, which maintains a partial replica of all objects in the forest. This is used for forest-wide searches.
  • DCs can serve as any of the FSMO (Flexible Single Master Operations) roles, including PDC Emulator, RID Master, Infrastructure Master, Schema Master, and Domain Naming Master. These roles are responsible for specific operations within the domain.
  • DCs require a Windows Server operating system, and it's recommended to have multiple DCs for redundancy and fault tolerance.

Read-Only Domain Controllers (RODCs):

  • An RODC is a domain controller that holds a read-only copy of the Active Directory database. It's designed for use in branch offices or locations where physical security may be a concern.
  • Read-Only Access: As the name suggests, an RODC can only perform read operations. It does not allow changes to the Active Directory database.
  • Authentication for local users: RODCs can authenticate local user accounts, but they forward authentication requests to writable DCs for domain accounts.

  • Security: RODCs are typically deployed in environments where physical security may be an issue. They contain a filtered copy of AD data, reducing the risk of unauthorized changes.
  • Reduced Bandwidth: In branch offices with limited network bandwidth, RODCs can reduce the amount of replication traffic by only requesting necessary data.

Deployment Scenarios:
  • RODCs are commonly deployed in branch offices, retail locations, or places where there might not be dedicated IT staff to manage the server.

Preventing Unwanted Changes:
  • By default, RODCs do not allow any changes to the AD database. However, administrators can selectively allow certain users or groups to make changes if necessary.

Domain Controllers are the core servers responsible for authenticating users and managing resources in a domain, while Read-Only Domain Controllers provide a secure and efficient solution for branch offices or locations with limited IT resources. RODCs offer read-only access to the AD database, reducing the risk of unauthorized changes and improving security.