Share via


Configurations for Domain Controllers from the Same Domain

Applies To: Windows Server 2008

The following sections explain operations for scenarios where the domain controllers are from the same domain and in the same site.

Scenario: Only an RODC in the branch site

The following table shows the results that occur for operations in a branch site that includes only an RODC, both when the WAN is online and offline.

Operation WAN online WAN offline

Authentication

If the account password is not cached, the RODC forwards the request to a domain controller running Windows Server 2008 in the same domain. If the account is cached, the RODC satisfies the request locally.

Offline authentication fails if the account password is not cached and the user attempts to authenticate to the RODC. Offline authentication succeeds if the account password is cached.

LDAP Read Operations

LDAP read operations succeed locally.

LDAP read operations succeed locally.

LDAP Write Operations

LDAP write operations generate a referral to a writable domain controller.

LDAP write operations generate a referral, but the client is not able to contact a writable domain controller.

Password Change

The RODC forwards the request to a writable domain controller in the same domain.

Password change fails.

Scenario: Writable Windows Server 2008 domain controller and RODC from the same domain in the same site

  • Offline authentication works for all accounts, regardless of which domain controller is contacted. This is because the RODC can forward authentication requests for account passwords that are not cached to the writable Windows Server 2008 domain controller.

  • LDAP read operations and write operations work, regardless of which domain controller is contacted.

  • Password change succeeds, regardless of which domain controller is contacted. This is because the RODC can forward authentication requests for account passwords that are not cached to the writable Windows Server 2008 domain controller.

Scenario: Windows Server 2003 domain controller and RODC from the same domain in the same site

  • Offline authentication works for accounts whose passwords are already cached, regardless of which domain controller is contacted.

  • Offline authentication fails if the account is not cached and if the user authenticates to RODC.

  • LDAP read operations and write operations work, regardless of which domain controller is contacted.

  • Password change fails if the RODC is contacted.