Read-Only Domain Controllers Step-by-Step Guide

Updated: June 29, 2010

Applies To: Windows Server 2008

This step-by-step guide provides instructions for planning, installing, and using a read-only domain controller (RODC). An RODC is a new type of domain controller in the Windows Server® 2008 operating system. This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory® database.

An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

Organizations that can guarantee the physical security of a branch domain controller might also deploy an RODC because of its reduced management requirements that are provided by such features as unidirectional replication.

Because RODC administration can be delegated to a domain user or security group, an RODC is well suited for a site that should not have a user who is a member of the Domain Admins group.

Change History


Date Revision

June 29, 2010

Fixed broken link

Community Additions