This step-by-step guide provides instructions for planning, installing, and using a read-only domain controller (RODC). An RODC is a new type of domain controller in the Windows Server® 2008 operating system that, as its name implies, hosts read-only partitions of the Active Directory® database.
An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
Organizations that can guarantee the physical security of a branch domain controller might also deploy an RODC because of the reduced management requirements that features such as unidirectional replication provide.
Because RODC administration can be delegated to a domain user or security group, an RODC is well suited for a site that should not have a user who is a member of the Domain Admins group.
An RODC is an additional domain controller for a domain that hosts read-only partitions of the Active Directory database. An RODC is designed primarily to be deployed in a branch office environment. Branch offices typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and little local IT knowledge.
The following figure illustrates the RODC branch office environment.