Is it useful to enhance security by implementing RODC in the same site, which RWDC exist also? Pointing the site user the RODC instead of the RWDC.
Thanks.
Asked
Active
Viewed 241 times
4 Answers
7
I wouldn't consider implementing a RODC in the same site just so that users are primarily accessing a read-only DC, since all write operations will just be sent to the RWDC. From what I've read, it's best used when:
- The DC is deployed somewhere that is physically insecure. (e.g. on a tower PC under a desk at a branch office.)
- Non-IT users will have terminal services access to the DC (hopefully for a very good reason...)
Kyle Smith
- 9,683
- 1
- 31
- 32
-
I agree, these are the two scenarios MS describes for RODCs. For reduncandy reasons however you should keep a second RWDC at your site in case the first one goes down for patching, maintenance or a defect – leepfrog May 12 '12 at 22:18
0
Yes, it is useful ... having a RODC on the same site is useful when you have to power down your RWDC for maintenance.
Rory
- 597
- 1
- 6
- 23
-
1Why would you want the additional complexity of an RODC then? Why not just have two RWDCs? – MDMarra May 13 '12 at 00:05
-
0
A less common but still useful deployment is when you have application servers located in a DMZ that need read access to your internal Active Directory services. There's a few different security models but one involves extending your forest into the DMZ by placing an RODC there.
See: Active Directory Domain Services in the Perimeter Network
0
Placing RWDC in a site with RODC makes RODC's security features useless. Please read this: https://technet.microsoft.com/en-us/library/ee522995(v=ws.10).aspx#bkmk_placinganrwdcinasitewithanrodc
iPath
- 622
- 4
- 11