Well, eventually you are going to remove an RODC, and if you are running a test lab, sooner rather than later. Microsoft has a TechNet article which covers removing the RODC with the claim that AD metadata is removed. I have not found that to be entirely accurate. This post reflects my experience and the additional items which needed to be removed. This post reflects how to remove the RODC when the server has been lost or stolen, or in my case restored to an earlier backup. Note: If the RODC is still connected to the domain, follow the … Continue reading Branch Office: Removing an RODC from AD
A Read Only Domain Controller has the benefit of being able to perform administrative maintenance tasks without entering Active Directory Restore Mode, which previously required a reboot. The following command shows how to compact the Active Directory database from the command line. Before you start, remember not to leave the Active Directory Domain Services stopped for a long period of time, since replication of the Active Directory data will not occur while the service is shut down.
Stop the Active Directory Domain Services.
From a command prompt with administrative privileges, type ntdsutil and press Enter.
Type activate instance ntds … Continue reading RODC: How to Defrag or Compact the Active Directory Database
When you stop the Active Directory Domain Services you should make note that the following services also stop:
File Replication
Kerberos Key Distribution Center
Intersite Messaging
DNS Server
DFS Replication
Stopping the Active Directory Domain Services has wide-ranging effects on an RODC's ability to perform branch office duties.
Jeff Loucks, Available Technology
A primary benefit of Read Only Domain Controllers is that the Domain Controller service can be managed like a regular service. It can therefore be stopped and started without rebooting the server. The effect of this is that the Active Directory database (NTds.dit) is offline. While the Domain Controller service is stopped you can perform actions such as:
Defragment the Active Directory database
Perform authoritative restores of Active Directory objects
For more information on Active Directory maintenance tasks from the command line, please see the following resource: How To Use Ntdsutil to Manage Active Directory Files from the Command Line in … Continue reading RODC: Effects of being able to start and stop the Domain Controller Service without reboot.
The following is a list of permissions which are supported or not supported for delegation to an RODC delegated administrator.
Supported:
Active Directory Users and Computers
Domain Controller Service
Kerberos Key Distribution Center
Active Directory Sites and Services
Not Supported:
Global Catalog
Bridgehead server
PDC emulator
RID Master
One of the benefits of an RODC is that you can add local administrators who do not have full access to domain administration. This gives them the ability to manage the server but not add or change Active Directory objects unless those roles are delegated. Adding this type of user is done using the dsmgmt.exe utility at the command prompt. The following graphic shows a few commands, including:
adding local roles
showing local roles
Remember, an RODC does not have all of the capabilities of a writeable domain controller. Consequently, an RODC cannot serve as the global catalog, operations … Continue reading RODC: Using the dsmgmt.exe utility to manage local administrators
The following is a list of features and benefits for read only domain controllers.
Features: the major features of an RODC deployment are:
Unattended installation and DCPROMO changes. You install an RODC by selecting Additional Options in the DCPROMO wizard.
Read-Only Active Directory database. This prevents changes to the directory.
Unidirectional replication. Since the directory is read-only, replication only occurs to the RODC. This reduces WAN traffic.
Credential caching. The RODC does not store accounts but caches credentials for accounts that use it to log on. You can configure the caching policy using DCPROMO.
Benefits: Here are the benefits of deploying … Continue reading Read Only Domain Controllers – Features and Benefits
Branch offices come with a whole set of considerations, not the least of which is that they are generally less secure than the main office. This is a critical concern when putting a domain controller in each office. The primary issue in almost every branch office is managing bandwidth across the wide area network. If you lose authentication requests because of network outages, the office can be rendered unproductive, so having a domain controller in the branch can effectively relieve the need to authenticate back to the main office. RODCs are designed to be deployed in locations that have … Continue reading Branch Office: Creating a Read Only Domain Controller