Where can you use an RODC?

Applies To: Windows Server 2008

As a general rule, RODCs should be deployed at the perimeter of your network. In this context, the perimeter of the network can be a branch office location, extranet, or any location in which a domain controller is deployed primarily to support an application that requires directory access. RODCs are designed to be placed in locations that require rapid, reliable, and robust authentication services. However, these locations might also have security requirements that prevent deployment of a writable domain controller.

In addition to physical security limitations commonly found in branch offices, organizations might deploy an RODC for special administrative requirements. For example, it might be necessary to run a line-of-business (LOB) application on a domain controller. To administer the application, the LOB application owner must log on to the domain controller interactively or by using Terminal Services. By implementing the new Administrator Role Separation feature, RODCs provide a secure mechanism for granting nonadministrative domain users the right to log on to a domain controller without jeopardizing the security of AD DS. Furthermore, any AD DS data that is tampered with locally cannot replicate off the RODC.

The following figures illustrate how a network perimeter might appear today with domain controllers running the Microsoft Windows® 2000 Server operating system or the Windows Server 2003 operating system, and how that same network would appear with RODCs running Windows Server 2008.