How Operations in a Branch Site with an RODC Are Affected When the WAN Is Not Available

Applies To: Windows Server 2008, Windows Server 2012

This topic describes common operations for client computers and applications against a read-only domain controller (RODC) when the wide area network (WAN) is online as opposed to when the WAN is offline.

  • Client operations

  • Application operations

Client operations

The following table shows the results that occur for directory operations by a client computer in a branch site that includes only an RODC, both when the WAN is online and when it is offline.

Authentication

  WAN online: If the account password is not cached, the RODC forwards the request to a domain controller running Windows Server 2008 in the same domain. If the account password is cached, the RODC satisfies the request locally.

  WAN offline: Authentication fails if the account password is not cached and the user attempts to authenticate to the RODC. Offline authentication succeeds if the account password is cached and either the RODC is a global catalog server or the site with the RODC has the universal group membership caching feature enabled.

Password change

  WAN online: Either clients target a writable domain controller directly, or the RODC forwards the request to a writable domain controller in the same domain.

  WAN offline: Password change fails. Change your password while connectivity to a writable domain controller is available: if the password expires while the WAN is offline, the RODC still prompts the user to change the expired password, but both the password change request and the logon fail because a writable domain controller cannot be contacted.

Unlock a locked account

  WAN online: An account that is locked out on an RODC can be unlocked manually from any writable domain controller. Note that the account does not appear to be locked on any of the writable domain controllers, even if the WAN is online. For more information, see the section titled “Resolving an Account lockout in a Branch Office with an RODC” in Administering RODCs in Branch Offices.

  WAN offline: There is no way to manually unlock an account that is locked out by an RODC while the WAN is offline. If the WAN remains offline, the account can be unlocked only after the account lockout duration has elapsed.

  Note
  Unless the account lockout policy is configured with an infinite lockout duration, the account automatically unlocks after the duration has elapsed and the correct password is presented for logon.
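The authentication row above turns on one question: is the account's password cached on the RODC, and can the RODC resolve universal group membership without the WAN? The following PowerShell script is an added example, not part of the original article, that an administrator can run from a management workstation before a planned WAN outage to answer both questions. It uses the ActiveDirectory module cmdlets Get-ADDomainControllerPasswordReplicationPolicyUsage, Get-ADDomainController and Get-ADObject; the RODC name BRANCH-RODC1 and the site name Branch01 are assumptions to replace with your own.

```powershell
# Added example, not part of the original article. Lists which accounts that use the branch
# RODC will still be able to log on while the WAN is down (password cached on the RODC), and
# checks the global catalog / universal group membership caching prerequisite for offline logon.
Import-Module ActiveDirectory

$rodcName = 'BRANCH-RODC1'   # assumed RODC computer name
$siteName = 'Branch01'       # assumed branch site name

# Accounts whose secrets are currently cached ("revealed") on the RODC: these authenticate offline.
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts)

# Accounts that have authenticated through this RODC, whether their password was cached or forwarded.
$seen = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -AuthenticatedAccounts)

# Anyone who normally logs on through the RODC but is not cached fails to log on while the WAN is down.
$cachedDns = $cached | ForEach-Object { $_.DistinguishedName }
$atRisk    = @($seen | Where-Object { $cachedDns -notcontains $_.DistinguishedName })

"Cached on {0}: {1} account(s)" -f $rodcName, $cached.Count
"Authenticated through {0} but NOT cached: {1} account(s)" -f $rodcName, $atRisk.Count
$atRisk | Select-Object Name, SamAccountName, ObjectClass | Format-Table -AutoSize

# Offline logon also needs universal group membership: the RODC must be a global catalog, or the
# site must have universal group membership caching enabled (bit 0x20 of the 'options' attribute
# on the site's NTDS Site Settings object).
$rodc         = Get-ADDomainController -Identity $rodcName
$configNc     = (Get-ADRootDSE).configurationNamingContext
$siteSettings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$siteName,CN=Sites,$configNc" -Properties options
$ugmcEnabled  = ([int]$siteSettings.options -band 0x20) -ne 0

"{0} is a global catalog: {1}; site {2} caches universal group membership: {3}" -f `
    $rodcName, $rodc.IsGlobalCatalog, $siteName, $ugmcEnabled

if (-not ($rodc.IsGlobalCatalog -or $ugmcEnabled)) {
    Write-Warning 'Offline authentication will fail even for cached accounts: neither prerequisite is met.'
}

# Optional remediation while the WAN is still up: prepopulate the RODC's cache for the at-risk
# accounts that the Password Replication Policy already allows. Review the list first, then
# uncomment. $writableDc is the host name of any writable DC in the domain.
# $writableDc = [string](Get-ADDomainController -Discover -Writable).HostName
# $atRisk | ForEach-Object { Sync-ADObject -Object $_ -Source $writableDc -Destination $rodcName -PasswordOnly }
```

Run it with an account that has read access to the RODC's policy usage data; the prepopulation step at the end additionally requires the right to replicate secrets to the RODC, and it only succeeds for accounts the Password Replication Policy allows to be cached.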

Application operations

WAN availability can affect some operations for applications. Perform specialized testing for the applications that you plan to use in the site with an RODC to see how specific operations are affected. You can use the guidelines in this section as a starting point and quick reference for issues that you might encounter.

When the WAN link between the RODC and a writable domain controller is available, operations succeed for most applications in the site with the RODC. However, some read operations, for example those performed through Active Directory Service Interfaces (ADSI), continue to work but do not take advantage of the RODC.

When the WAN is offline, Lightweight Directory Access Protocol (LDAP) read operations, which are the most common type of LDAP operations, and authentication for accounts whose passwords are cached succeed. However, other types of operations fail if the WAN is offline.

The following table lists the expected results for common operations that are performed by applications running in a branch site with an RODC. You can use this table as a checklist to help you anticipate possible issues with application operations. For operations that are marked as inefficient, review the usage of the DsGetDcName function and update the application if needed. For more details about potential issues that applications can encounter and possible resolutions of those issues, see Planning for Application Compatibility with RODCs.

Key:

√ = operation succeeds

Ineff = operation succeeds but not efficiently

X = operation fails

| Operation      | Operation condition                                                                      | WAN online | WAN offline |
|----------------|------------------------------------------------------------------------------------------|------------|-------------|
| Authentication | Password cached                                                                          | √          | √           |
| Authentication | Password not cached                                                                      | √          | X           |
| Password change|                                                                                          | √          | X           |
| LDAP read      | Application targets a writable domain controller                                         | Ineff      | X           |
| LDAP read      | Application does not target a writable domain controller (default)                       | √          | √           |
| LDAP write     | Application targets a writable domain controller                                         | √          | X           |
| LDAP write     | Application does not target a writable domain controller (default) and can chase a referral    | √    | X           |
| LDAP write     | Application does not target a writable domain controller (default) and cannot chase a referral | X    | X           |
| ADSI read      |                                                                                          | Ineff      | X           |
| ADSI write     |                                                                                          | √          | X           |
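The rows of this table can be exercised directly against a branch RODC, which is the "specialized testing" the section recommends. The PowerShell script below is an added example, not code from the original article: it first compares the DC locator's default answer with the answer when a writable domain controller is required (the PowerShell equivalent of calling DsGetDcName with DS_WRITABLE_REQUIRED), then performs an LDAP read and an LDAP write against the RODC through System.DirectoryServices.Protocols with referral chasing off and on, so that each result can be matched to a row above. The site name Branch01 and the test OU distinguished name are assumptions; use a throwaway OU, since the write replaces its description attribute.

```powershell
# Added example, not part of the original article. Maps an application's locator and LDAP
# behaviour onto the table's rows by testing against the RODC of an assumed branch site.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$siteName = 'Branch01'                                  # assumed branch site name
$testDn   = 'OU=RODC-Test,DC=corp,DC=example,DC=com'    # assumed throwaway OU for the write test

# 1. DC locator. The default call may return the RODC; -Writable corresponds to DsGetDcName with
#    DS_WRITABLE_REQUIRED and has to leave the site. An application that requires a writable DC
#    for plain reads is the table's "Ineff" case: it works online, but only across the WAN.
$anyDc        = Get-ADDomainController -Discover -SiteName $siteName -ForceDiscover
$writableDc   = Get-ADDomainController -Discover -SiteName $siteName -ForceDiscover -Writable
$anyHost      = [string]$anyDc.HostName
$writableHost = [string]$writableDc.HostName
$anyIsRodc    = (Get-ADDomainController -Identity $anyHost).IsReadOnly
"Default locator result : {0} (read-only: {1}, site: {2})" -f $anyHost, $anyIsRodc, $anyDc.Site
"Writable-required result: {0} (site: {1})" -f $writableHost, $writableDc.Site

# 2. LDAP against the RODC through System.DirectoryServices.Protocols, the same path an
#    application takes. Sign and seal the session as a matter of course.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($anyHost)
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

# Row "LDAP read, application does not target a writable domain controller (default)":
# succeeds whether the WAN is online or offline.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest($testDn, '(objectClass=*)', 'Base', 'description')
$read   = $conn.SendRequest($search)
"LDAP read via {0}: {1}, {2} entry(ies)" -f $anyHost, $read.ResultCode, $read.Entries.Count

function Invoke-LdapWrite {
    param($Connection, $Request, [string]$Label)
    try {
        $resp = $Connection.SendRequest($Request)
        "{0}: {1}" -f $Label, $resp.ResultCode
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # The RODC answers a write with an LDAP referral to a writable DC; whether the client
        # follows it decides between the "can chase" and "cannot chase a referral" rows.
        "{0}: {1} ({2})" -f $Label, $_.Exception.Response.ResultCode, $_.Exception.Message
    } catch {
        # Typically the referred-to writable DC is unreachable, i.e. the WAN is offline.
        "{0}: failed ({1})" -f $Label, $_.Exception.Message
    }
}

$mod = New-Object System.DirectoryServices.Protocols.ModifyRequest(
    $testDn, 'Replace', 'description', "RODC write test $(Get-Date -Format s)")

# Row "LDAP write, cannot chase a referral": fails online and offline (expect ResultCode Referral).
$conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
Invoke-LdapWrite -Connection $conn -Request $mod -Label 'LDAP write, referral chasing off'

# Row "LDAP write, can chase a referral": succeeds while the WAN is online, fails when it is offline.
$conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::All
Invoke-LdapWrite -Connection $conn -Request $mod -Label 'LDAP write, referral chasing on'

$conn.Dispose()
```

Run the script once with the WAN link up and once with it down (or with the site link deliberately disabled in a lab) and compare the two outputs with the table: a read that only works in the first run, or a locator result that always lands outside the site, identifies the application behaviour that needs changing before the RODC is deployed.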