Understanding “Read Only Domain Controller” authentication

W2K8 - Doku ??ber Read Only DCs « Susanns Weblog

W2K8 - Doku ??ber Read Only DCs « Susanns Weblog — Sat, 19 Jan 2008 00:07:29 GMT

PingBack from http://susanneurich.wordpress.com/2008/01/18/w2k8-doku-uber-read-only-dcs/

re: Understanding “Read Only Domain Controller” authentication

Corpuscule — Sat, 19 Jan 2008 00:17:33 GMT

Great post ! You sum up all existing information and show the PROOF of what was said on the RODC.

[ sorry but i'm now used to reading incorrect or erroneous statements on the technet or KB articles. I've been in a technical support team for several years. ]

My current client was only pondering this question to decide on their RODC implementation in the year to come : "What will be the effect of bringing an RODC in my branch sites with dial-up-like bandwidth ?"

You finally bring the answer MS ought to give us in the "corp" documentation... Thanks :)

Understanding “Read Only Domain Controller” authentication

Microsoft Product's — Mon, 21 Jan 2008 12:28:39 GMT

Hello there. Bob Drake here to discuss how Windows Server 2008 “Read Only Domain Controllers” (RODC’s

re: Understanding “Read Only Domain Controller” authentication

cnschindler — Sat, 16 Feb 2008 16:50:56 GMT

Excellent Post! I have one question rearding auhtentication: After the RODC has authenticated a user over the WAN, does it "cache" the authenticated credentials in volatile RAM? So that further requests for the same account can be serviced without contacting a writable DC over the WAN? Thanks Christian

re: Understanding “Read Only Domain Controller” authentication

bobdrake — Mon, 18 Feb 2008 17:37:20 GMT

Hey there,

Once the users account is cached (local AD Database on the RODC and in RAM if recent enough) the local RODC will and does authenticate the user during subsequent logins and secondary logons (accessing network resources and such).

Remember the key here is the user acount is allowed to be cached, and that way the WAN bandwidth is saved. Once it is cached, the local RODC does it all.

~Bob

Windows 2008 RODC Tick List for Deployment

Jane Lewis's Weblog — Fri, 04 Apr 2008 23:51:07 GMT

Well I am sat in the departure lounge of Aberdeen Scotland Airport after a really interesting and enjoyable

4 methods to add Server Core RODCs to your environment

The things that are better left unspoken — Sun, 13 Jul 2008 10:55:10 GMT

The Read-only Domain Controller is one of the new and most existing features of Windows Server 2008.

re: Understanding “Read Only Domain Controller” authentication

Nazarevych — Thu, 15 Jan 2009 17:27:25 GMT

My RODC is behind WAN, and still authenticate some amount of users from my domaint but, even if is not in Allowed RODC Password replication Group, just authenticate not save this credentials.

How i must tune up my Active Directory to preven users authentication for my locally office in nearest AD controller, not throug WAN to RODC.

Thanks for the reply.

re: Understanding “Read Only Domain Controller” authentication

bobdrake — Thu, 15 Jan 2009 20:47:25 GMT

Hey Nazarevych,

If you are seeing users authenticate to the RODC that are not supposed to be, then most likely the client computers are discovering the RODC through a possible misconfiguration of the site coverage in AD Sites and Services. If you have the RODC configured to cover those computers' subnet then that could be the reason your users are authenticating to it (RODC) instead of thier local DC.

See "Procedures for Adding a Subnet":

http://technet.microsoft.com/en-us/library/bb727051.aspx

Check them subnets :)

re: Understanding “Read Only Domain Controller” authentication

bobdrake — Thu, 15 Jan 2009 21:04:58 GMT

You may also want to check and see if you need:

http://support.microsoft.com/kb/944043

Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients

re: Understanding “Read Only Domain Controller” authentication

Nazarevych — Fri, 16 Jan 2009 10:53:57 GMT

I think i understand, why it do so.

In DNS is records type

_kerberos._tcp.dc._msdcs.X

And each AD server have it in DNS, even RODC.

But each server have attribute "Priority" by default 100, deruce this value i think fix my issue.

Txh. ALL for fast reply :)

re: Understanding “Read Only Domain Controller” authentication

isyed1 — Fri, 29 May 2009 01:23:13 GMT

I realize the post is quite old but I do have one question.

Do you have to change your current replication topology in Sites & Services for RODC? (we have hub and spoke topology)

re: Understanding “Read Only Domain Controller” authentication

NedPyle — Fri, 29 May 2009 06:27:49 GMT

No, but you cannot have RODC's replicating with other RODC's, so that will need to be a consideration.