Configurations for Domain Controllers from the Same Domain

Applies To: Windows Server 2008

The following sections explain operations for scenarios where the domain controllers are from the same domain and in the same site.

Scenario: Only an RODC in the branch site

The following table shows the results that occur for operations in a branch site that includes only an RODC, both when the WAN is online and offline.

| Operation | WAN online | WAN offline |
|---|---|---|
| Authentication | If the account password is not cached, the RODC forwards the request to a domain controller running Windows Server 2008 in the same domain. If the account is cached, the RODC satisfies the request locally. | Offline authentication fails if the account password is not cached and the user attempts to authenticate to the RODC. Offline authentication succeeds if the account password is cached. |
| LDAP read operations | LDAP read operations succeed locally. | LDAP read operations succeed locally. |
| LDAP write operations | LDAP write operations generate a referral to a writable domain controller. | LDAP write operations generate a referral, but the client is not able to contact a writable domain controller. |
| Password change | The RODC forwards the request to a writable domain controller in the same domain. | Password change fails. |
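The WAN-offline column above comes down to one question per account: is its password cached on the RODC? The following PowerShell is an added example, not part of the original article, that lists the accounts which have authenticated through a given RODC but whose passwords it does not store, i.e. the accounts whose authentication and password changes would fail if the WAN went down. It assumes the Active Directory PowerShell module (shipped with Windows Server 2008 R2 and RSAT, not with Windows Server 2008 itself) and uses BRANCH-RODC01 as a placeholder RODC name.

```powershell
# Added example (not from the original article): find accounts that depend on
# the WAN when authenticating to an RODC, i.e. accounts that have authenticated
# through the RODC but whose passwords are not cached on it.
# Assumes the ActiveDirectory module and an RODC named BRANCH-RODC01 (placeholder).
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC01'   # placeholder RODC name; replace with your own

# Accounts whose passwords are currently stored on the RODC (cached)
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object -ExpandProperty DistinguishedName)

# Accounts that have authenticated through this RODC at some point
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

# Authenticated here but not cached: these fail offline per the table above
$atRisk = @($authenticated | Where-Object { $cached -notcontains $_.DistinguishedName })

$atRisk |
    Select-Object Name, SamAccountName, ObjectClass, DistinguishedName |
    Sort-Object Name |
    Format-Table -AutoSize

'{0} of {1} accounts that authenticate through {2} are not cached and would fail offline' -f
    $atRisk.Count, $authenticated.Count, $rodc
```

Accounts listed here are candidates for the RODC's Allowed list if they must keep working while the WAN is down; accounts that should never be cached at the branch belong on the Denied list instead.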

Scenario: Writable Windows Server 2008 domain controller and RODC from the same domain in the same site

  • Offline authentication works for all accounts, regardless of which domain controller is contacted. This is because the RODC can forward authentication requests for account passwords that are not cached to the writable Windows Server 2008 domain controller.

  • LDAP read operations and write operations work, regardless of which domain controller is contacted.

  • Password change succeeds, regardless of which domain controller is contacted. This is because the RODC can forward authentication requests for account passwords that are not cached to the writable Windows Server 2008 domain controller.

Scenario: Windows Server 2003 domain controller and RODC from the same domain in the same site

  • Offline authentication works for accounts whose passwords are already cached, regardless of which domain controller is contacted.

  • Offline authentication fails if the account password is not cached and the user authenticates to the RODC.

  • LDAP read operations and write operations work, regardless of which domain controller is contacted.

  • Password change fails if the RODC is contacted.