Review the Existing Physical Structure

Updated: June 3, 2009

Applies To: Windows Server 2008

Review the current site topology for your organization to determine which sites will be candidates for read-only domain controllers (RODCs) and where to place the writable domain controllers that they will replicate from. Windows Server 2008 domain controllers can usually be integrated easily into your existing site topology. The following illustration from the Windows Server 2003 Active Directory Branch Office Guide shows an example of a site topology, including the location of domain controllers in each site.

sample site topology

We no longer recommend using a staging site for deploying domain controllers to branch offices when these domain controllers are RODCs, contrary to the recommendation in the Windows Server 2003 Active Directory Branch Office Guide ( This is because you can deploy RODCs by using a staged, delegated installation process. In this process, the RODCs are installed directly in branch office locations in the appropriate site by a delegated administrator. This differs from the process for Windows Server 2003, in which domain controllers were installed in the staging site by a member of the Domain Admins group and then moved to their respective branch sites. This action was followed by cleanup of the Knowledge Consistency Checker (KCC) connections.

As an alternative, you can continue to use a staging site to install RODCs in a centralized location before you transport them to a branch office, as described in the Windows Server 2003 Active Directory Branch Office Guide. However, this RODC guide focuses on the new, staged installation process.

In addition, review where Domain Name System (DNS) servers, global catalog servers, and operations master (also known as flexible single master operations or FSMO) roles are placed. The recommendation for deploying DNS servers and global catalog servers in branch offices is also changed from Windows Server 2003. Whereas the Windows Server 2003 Branch Office Guide provided no recommendation, in a Windows Server 2008 domain where writable domain controllers are deployed in hub sites and RODCs are deployed in branch offices, the best practice is to add the global catalog and DNS server role to the RODCs. This helps ensure that client computers in the branch offices can continue to log on and complete DNS lookups for local resources if wide area network (WAN) connectivity to a hub site domain controller is not available.

There are no changes to the recommendations for placing operations master roles. The following figure shows an example of a site topology with Windows Server 2008 domain controllers.

Branch Office Environment after RODCS are deployed

Community Additions