Branch Office: 5 Ways Server 2008 Improves WAN Utilization.

Bandwidth utilization, latency, and the reliability of the Wide Area Network are three major concerns when administering a branch office environment. Windows Server 2008 helps to address these concerns through the following 5 technologies.

  • RODC
    • Since the RODC does not accept changes, writable domain controllers that are replication partners do not have to pull changes from the RODC. This reduces the workload of bridgehead servers in the main site and the effort required to monitor replication.
    • RODC unidirectional replication applies to both AD DS and distributed file system (DFS) replication. The RODC performs normal inbound replication for AD DS and DFS replication changes.

  • Group Policy

    • New XML-based format for policy-definition files called ADMX in Windows Server 2008 addresses policy file replication issues.
    • The ADMX format supports a central store for information relating to all policies. Specific Group Policy Object (GPO) settings associated with previous policy-definition file formats are no longer replicated as a result.
  • SMB 2.0
    • SMB 2.0 protocol enhances communication by:
      • :Multiple SMB commands within the same packet. This reduces the number of packets sent between an SMB client and server, which was a common complaint against SMB 1.0
      • Larger buffer sizes compared to SMB 1.0.
      • Larger number of concurrent open file handles on the server.
      • Larger number of file shares for a server.
      • Durable handles that can withstand short interruptions in network availability.
  • Next Generation TCP/IP stack
    • The Next Generation TCP/IP stack optimized for use in the variety of networking environments that exist today. Branch office environments benefit from enhancements to performance, connectivity, and reliability. The new TCP/IP stack includes or enhances:
      • Receive Window Auto-Tuning
      • Compound TCP
      • Enhancements for high-loss environments
      • Neighbor Unreachability Detection for IPv4
      • Changes in dead gateway detection
      • Changes to path maximum transmission unit (PMTU) black hole router detection
      • Routing compartments
      • Network Diagnostics Framework support
      • Windows Filtering Platform (WFP)
      • Explicit Congestion Notification (ECN)
  • DFS
    • Adopts all of the changes made in Windows Server 2003 R2 including:
      • New state-based, multimaster replication, which is optimized for WAN environments and which supports replication scheduling, bandwidth throttling, and a new byte-level compression algorithm known as remote differential compression (RDC).
      • DFS namespaces, which help administrators group shared folders that are located on different servers. The shares can then be presented to users as a virtual tree of folders.
      • Read-only DFS, which enables members to access data without the ability to change it.

Jeff Loucks
Available Technology
Available Technology
  Subscribe in a reader 

RODC: How to Defrag or Compact the Active Directory Database

A Read Only Domain Controller has the benefit of being able to perform administrative maintenance tasks without entering into Active Directory Restore Mode which previously required a reboot. The following command shows how to compact the Active Directory database from the command line. Before you start, remember not to leave the Active Directory Services stopped for a long period of time since replication of the active directory data will not occur during the period where it is shut down.

  1. Stop the Active Directory Services.
  2. From the command prompt with administrative privileges
    1. type ntdsutil and press enter
    2. type activate instance ntds and press enter
    3. type files and press enter
    4. type info and press enter
    5. type compact to c:\TEMP and press enter 
  3. If you have successfully compacted the database you can now copy the files back to the proper location and delete the temp files. To do so execute the following command from the command prompt
    1. type copy “c:\TEMP\ntds.dit” “c:\Windows\NTDS\ntds.dit” and press enter
    2. When prompted press Y to overwrite and press enter.
  4. Restart the Active Directory Services

Jeff Loucks
Available Technology
Available Technology
  Subscribe in a reader 


RODC: What Services Stop when you stop the Active Directory Domain Service

When you stop the Active Directory Domain Services you should make note that the following services also stop:

  • File Replication
  • Kerberos Key Distribution Center
  • Intersite Messaging
  • DNS Server
  • DFS Replication

Stopping the Active Directory Domain Services has wide ranging effect on an RODC’s ability to perform branch office duties.

 Jeff Loucks
Available Technology
Available Technology
  Subscribe in a reader 

RODC: Effects of being able to start and stop the Domain Controller Service without reboot.

A primary benefits of Read Only Domain Controllers is that the Domain Controller service can be managed like a regular service. It can therefore be stopped and started without rebooting the server. The effect of this is that the Active Directory database (NTds.dit) is offline. While the Domain Controller Services is stopped you can performs actions such as:

  • Defragment the Active Directory Database
  • Perform and authoritative restores of Active Directory objects.

For more information on Active Directory Maintenance Tasks and command line, please see the following resource:

How To Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows Server 2003

Jeff Loucks
Available Technology
Available Technology
  Subscribe in a reader 

RODC: Administrative Permisions Available for Delegation

The following is a list of permissions which are supported or not supported for delegation to an RODC delegated administrator.


  • Active Directory Users and Computers
  • Domain Controller Service
  • Kerberos Key Distribution Center
  • Active Directory Sites and Services

Not Supported:

  • Global Catalog
  • Bridgehead server
  • PDC emulator
  • RID Master

 Jeff Loucks
Available Technology
Available Technology
  Subscribe in a reader 

RODC: Using the dsmgmt.exe utility to manage local administrators

One of the benefits of  of RODC is that you can add local administrators who do not have full access to the domain administration. This gives them the abiltiy to manage the server but not add or change active directory objects unless those roles are delegated. Adding this type of user is done using the dsmdmt.exe utility at the command prompt. The following graphic shows a few commands including:

  • adding local roles
  • showing local roles


Remember, an RODC does not have all of the capabilities of a writeable domain controller. Consequently, an RODC cannot serve as the global catalog, operations masters, or bridgehead server.

For more information see this Technet Article:

 Jeff Loucks
Available Technology
Available Technology
  Subscribe in a reader 

Read Only Domain Controllers – Features and Benefits

The folowing is a list of features and benefits for read only domain controllers.


The deployment of RODC major features :

  • Unattended installation and DCPROMO changes. You install an RODC by selecting Additional Options in the DCPROMO wizard.
  • Read-Only Active Directory database. This prevents changes to the directory.
  • Unidirectional replication. Since the directory is read-only, replication only occurs to the RODC. This reduces WAN traffic.
  • Credential caching. The RODC does not store accounts but caches credentials for accounts that use it to log on. You can configure the caching policy using DCPROMO.


Here are the benefits of deploying RODC:

  • Reduced security risk to a writable copy of Active Directory.
  • Better logon times compared to authenticating across a WAN link.
  • Better access to the authentication resource on the network.
  • Better performance of directory-enabled applications.

Jeff Loucks
Available Technology
Available Technology
  Subscribe in a reader