When should we install RODC?




If you need a domain controller in a DMZ, a read-only one can be placed there.






Or if you have a site that should have a domain controller but isn't physically secured.



@Seth
if you need a domain controller in a dmz, read-only can be placed there

Having a DC in the DMZ is a security risk, even with an RODC. A DC should not be required in a DMZ.

One of the main reasons why you would use an RODC in a remote site is for physical security restrictions, no technical users at the site, faster logon times because of network latency, or only a few users at a single site.

Personally I would not use an RODC, because networks today are robust enough to handle multiple user authentication to a hub site. This also minimizes server licenses along with maintenance of the server itself.

Below is a TechNet article which explains where they would be useful.
https://technet.microsoft.com/en-us/library/cc732801%28v=ws.10%29.aspx

Will.



RODCs are meant for smaller branches with few users, not secured, no backup infrastructure in place, or where there is low bandwidth. Under no circumstances should a DC be placed in the DMZ. If there are systems that need authentication in the DMZ, then there are solutions such as ISA (firewall rules, etc.) that could be used.



So if I have good bandwidth capacity and have just 50 users at a site, is it preferable to mount an RODC or a normal DC?
