Read-only domain controller

from Wikipedia, the free encyclopedia

Basic data

Developer: Microsoft Corp.
Current version: stable
Operating system: Windows
Category: server
License: proprietary
German-speaking: Yes [1]

The read-only domain controller (RODC for short) is a controller type in the domain controller concept of Windows Server 2008. It is a domain controller without write access to the directory and without security-relevant data stored locally. It can therefore be used as a domain controller in potentially unsafe locations.

Core functionality

The RODC is a full-fledged domain controller, but this type of controller can only read: write access to the Active Directory Domain Services (AD DS) database is prevented.

By default, no security-critical data and attributes (e.g. account passwords) are stored in the AD DS database.

Replication to the RODC is unidirectional only. To change data, the change must be made on the writable domain controller from which the RODC replicates.

Separate roles can be assigned for administering the RODC, so that administrative maintenance can be delegated. In addition, the RODC hosts a read-only DNS server.

To secure the RODC further, individual attributes can be excluded from replication to it.
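The properties described in this section (no cached secrets by default, delegated administration, attributes excluded from replication) can be verified on a live RODC. The following PowerShell script is an added example, not part of the Wikipedia article or of Microsoft's documentation; it uses the ActiveDirectory module from RSAT, runs from a management host with a domain account that can read the directory, and makes no changes. The host name `BRANCH-RODC01.example.com` and the function names are placeholders.

```powershell
# Added example, not from the article: audit what an RODC knows and who may
# administer it. Requires the ActiveDirectory module (RSAT). Read-only.
Import-Module ActiveDirectory

function Get-RodcSecurityReport {
    param([Parameter(Mandatory)] [string] $RodcHostName)

    $rodc = Get-ADDomainController -Identity $RodcHostName
    if (-not $rodc.IsReadOnly) {
        throw "$RodcHostName is a writable domain controller, not an RODC."
    }

    # Password Replication Policy: which principals may (Allowed) or may
    # never (Denied) have their password hashes stored on this RODC.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

    # Accounts whose secrets are actually cached on the RODC right now.
    # If the RODC is lost or stolen, these are the credentials to reset.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

    # Delegated local administrator: stored in managedBy on the RODC's
    # computer object (set at promotion time or afterwards).
    $computer = Get-ADComputer -Identity $rodc.Name -Properties managedBy

    # RODC filtered attribute set: schema attributes with searchFlags bit
    # 0x200 (512) are never replicated to any RODC. The matching rule OID
    # 1.2.840.113556.1.4.803 is LDAP's bitwise AND.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $filtered = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))' `
        -Properties lDAPDisplayName

    [pscustomobject]@{
        RodcHostName           = $rodc.HostName
        Site                   = $rodc.Site
        DelegatedAdmin         = $computer.managedBy
        AllowedToCache         = $allowed.Name
        DeniedFromCaching      = $denied.Name
        SecretsCurrentlyOnRodc = $revealed.SamAccountName
        FilteredAttributes     = $filtered.lDAPDisplayName
    }
}

# Detection check: with the default policy, Domain Admins are in the Denied
# list, so no member of that group should ever appear among the cached
# secrets. A non-empty result means the policy was weakened.
function Find-PrivilegedSecretsOnRodc {
    param([Parameter(Mandatory)] [string] $RodcHostName)

    $report     = Get-RodcSecurityReport -RodcHostName $RodcHostName
    $privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
    $report.SecretsCurrentlyOnRodc | Where-Object { $_ -in $privileged.SamAccountName }
}

# Placeholder host name; replace with a real RODC.
Get-RodcSecurityReport -RodcHostName 'BRANCH-RODC01.example.com' | Format-List
Find-PrivilegedSecretsOnRodc -RodcHostName 'BRANCH-RODC01.example.com'
```

The report separates three things that are easy to confuse: the policy (who *may* be cached), the usage (whose secrets *are* cached) and the filtered attribute set (what the RODC never receives at all). The usage list is the one that matters for incident response after a branch server goes missing.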

Application areas

The RODC is designed for use in sites with a lower security level (e.g. branches, small remote offices). Thanks to the role model and the reduced administration effort compared to a full domain controller, little or no IT expertise needs to be kept on site. Having a domain controller physically present at a site connected via WAN improves access speed to resources (e.g. a network share for files).

Another use case is server software that requires a domain controller at the same physical location. Here, too, the benefit lies in the lower administrative effort and the increased security.
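The branch-office scenario is usually implemented as a two-stage deployment, which is what makes the "little or no IT expertise on site" claim work in practice: a domain administrator pre-creates the RODC account centrally, and a delegated person at the branch attaches the server without holding any domain-wide rights. The script below is an added example, not part of the article or of Microsoft's documentation; it uses the ADDSDeployment module that ships with the AD DS role, and every domain, site, host and account name in it is a placeholder.

```powershell
# Added example, not from the article: staged RODC deployment for a branch.
# Stage 1 runs once at headquarters as a domain administrator; stage 2 runs
# on the branch server as the delegated administrator named in stage 1.
# All names are placeholders.

# --- Stage 1 (domain admin, central site): pre-create the RODC account. ---
Import-Module ADDSDeployment

Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'BRANCH-RODC01' `
    -DomainName 'example.com' `
    -SiteName 'Branch-Office' `
    -DelegatedAdministratorAccountName 'EXAMPLE\branch-it' `
    -AllowPasswordReplicationAccountName @('EXAMPLE\Branch-Office-Users') `
    -DenyPasswordReplicationAccountName  @('EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins') `
    -InstallDns:$true `
    -ReplicationSourceDC 'HQ-DC01.example.com'
# Only the branch users' group is allowed to be cached, so a stolen server
# yields branch credentials at most. The built-in admin groups are already in
# the default Denied list; naming them explicitly keeps the intent visible.

# --- Stage 2 (delegated admin, on the branch server): attach the server to
# the pre-created account. No domain-admin credentials are needed here. ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Install-ADDSDomainController `
    -DomainName 'example.com' `
    -UseExistingAccount `
    -Credential (Get-Credential 'EXAMPLE\branch-it') `
    -InstallDns:$true `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
```

The server must already be named `BRANCH-RODC01` for `-UseExistingAccount` to match the staged account. After the reboot the branch server is a read-only replica in the `Branch-Office` site, and the delegated account can log on to it and maintain it locally without being able to change anything in the directory.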

References

  1. Windows Server 2008 Technical Library on MSDN