Server 2008 and the RODC (Read-Only Domain Controller)

Speaking to several people about the Server 2008 migrations, there were a lot of questions and reactions to the new Read-Only Domain Controller (RODC) option. Some confusion too, as some thought this is similar to Windows NT 4.0’s Backup Domain Controller (BDC) type technology.

The difference between a RODC and a BDC is apparent when there are more than two DCs per domain. In Windows NT 4.0 you could only have 1 read-write Primary Domain Controller (PDC), and the other DCs had to be read-only BDCs. Windows Server 2008 allows you to choose which DCs are read-writable and which are read-only with a great degree of freedom. By example, if you have 30 DCs in your domain, you can have 26 regular DCs and 4 RODCs.

One reason for having an RODC is if you have a DC that is not physically secure. In that case, not only could data be obtained from the DC, but malicious data could be injected into the vulnerable DC. With a normal read-writable DC, such damage would replicate throughout the domain and maybe even through the entire forest. By having an RODC the damage could be localized.