A Read-Only Domain Controller (RODC) is a type of domain controller that holds a read-only copy of the Active Directory database.
Why Do We Need an RODC?
An RODC is deployed in branch offices for the following reasons.
- Physical security is not guaranteed in branch offices, so read-only DCs are preferred over writable DCs. If someone gains access to an RODC, they cannot make changes to the directory because it holds only a read-only copy of the AD database. Even if they somehow alter that local copy, they cannot compromise the whole AD database because changes made on an RODC are not replicated to writable DCs.
- There is a lack of trained IT staff in branch offices. An RODC is preferred because it is used only for user authentication and does not require routine maintenance such as hardware updates, site-link changes, and user credential changes.
- Branch offices often have poor network bandwidth to headquarters. With an RODC deployed, branch-office users need not authenticate against a writable DC over a WAN link, which reduces logon time for branch-office users.
RODC is available in Windows Server 2008 and its succeeding versions.
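The physical-security argument above rests on what an RODC actually holds locally: besides the read-only directory copy, an RODC caches the secrets of accounts its Password Replication Policy (PRP) allows, and those cached secrets are what a stolen branch-office box would expose. The following check is an added example, not from the article; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host with read access to AD, and the group names it flags as privileged are an assumption you can adjust.

```powershell
# Added example (not from the article): inventory the RODCs in the domain and
# review whose secrets each one is allowed to cache and is caching right now.
# Assumes the ActiveDirectory module (RSAT) and read rights to the directory.
Import-Module ActiveDirectory

$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
if (-not $rodcs) { Write-Output "No RODCs found in this domain."; return }

# Assumed list of groups whose members' secrets should never sit on a branch box.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$privileged = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
}

foreach ($rodc in $rodcs) {
    Write-Output "=== RODC: $($rodc.HostName) (site: $($rodc.Site)) ==="

    # The PRP decides which accounts may have their secrets cached on this RODC.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Output "Allowed to cache : $($allowed.Name -join ', ')"
    Write-Output "Denied from cache: $($denied.Name -join ', ')"

    # Accounts whose secrets are actually present on the RODC at this moment.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Output "Secrets currently cached: $(@($revealed).Count)"

    # Flag any privileged account whose secret is cached on this RODC.
    $bad = @($revealed | Where-Object { $privileged -contains $_.SamAccountName })
    if ($bad.Count -gt 0) {
        Write-Warning "Privileged secrets cached on $($rodc.HostName): $($bad.SamAccountName -join ', ')"
    }
}
```

Run it periodically from the hub site; a non-empty warning line is the case where the read-only property alone no longer limits what a compromised branch-office DC gives away.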