Re: Rodc




"aconti" <aconti.43genb@xxxxxxxxxxxxx> wrote in message
news:aconti.43genb@xxxxxxxxxxxxxxxx

Hello, why does the PDC have to be Server 2008 when installing an RODC in
the domain?

Thank you



From:
AD DS: Read-Only Domain Controllers:
http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx
"The RODC must forward authentication requests to a writable domain
controller running Windows Server 2008. The Password Replication Policy is
set on this domain controller to determine if credentials are replicated to
the branch location for a forwarded request from the RODC."

Also, I believe it has to do with password changes and using a Fine-Grained
Password Policy, which also means the domain has to be in 2008 FL. Remember,
the PDC Emulator handles password functions. This link implies the PDC
Emulator should be a 2008 machine for successful password updates, however
it does not explicitly state this, from:

Appendix A: RODC Technical Reference Topics:
http://technet.microsoft.com/en-us/library/cc754218(WS.10).aspx#BKMK_PWD

======
Password changes on an RODC
Users change their passwords on a regular basis as specified by the Default
Domain policy or a fine-grained password policy (FGPP). After each
authentication attempt that is serviced by an RODC, the RODC performs a
replicate single object (RSO) operation to replicate the account credentials
if it does not have the current credentials stored locally. In a site that
has an RODC and no writable domain controller, one of two actions can occur
when users try to change their passwords:

- The password change request is sent directly to a writable domain
  controller.
  In this case, the password change is written locally and then forwarded by
  the writable domain controller to the domain controller that holds the
  primary domain controller (PDC) emulator operations master (also known as
  flexible single master operations or FSMO) role in the domain. This is the
  same behavior as in Windows Server 2003.
- The password change request is sent to the RODC, which in turn forwards
  the request to a writable Windows Server 2008 domain controller.
  The next steps are the same as would occur if the password change happened
  directly on the writable domain controller.
======


Here are some good links on RODC requirements:

AD DS: Read-Only Domain Controllers (Aug 26, 2009)
"... However, your organization may also choose to deploy an RODC for special
administrative requirements. For example, a line-of-business (LOB) ..."
http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx

Read-only Domain Controllers (RODC) Step-by-Step Guide (May 1, 2009)
"... An RODC is a new type of domain controller in the Windows Server® ... also
deploy an RODC because of its reduced management requirements ..."
http://technet.microsoft.com/en-us/library/cc772234(WS.10).aspx

Screencast: How to Install Read-Only Domain Controller - pre ...
"Before you proceed with the installation of an RODC in your network, you have
to make sure that it covers certain requirements. Here is a brief overview: ..."
http://www.netometer.com/video/tutorials/2008-server-rodc-two-stages/

[PPT] Windows Server 2008 Active Directory Domain Services (Microsoft PowerPoint)
"RODC - Requirements for Deployment. Raise Forest Functional Level. Forest
functional level must be at Windows Server 2003 or above ..."
http://www.rmwtug.org/Talks/2009-04_Windows_Server_2008_Active_Directory_Domain_Services-final.pptx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
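As an added example (not part of Ace's reply or of any Microsoft document quoted above), here is a PowerShell pre-flight check for the requirements this thread touches on: forest functional level at Windows Server 2003 or higher, a PDC emulator running Windows Server 2008 or later, and at least one writable Windows Server 2008 (NT 6.0+) domain controller to receive the authentication and password-change requests the RODC forwards. A second function pulls an existing RODC's Password Replication Policy and the accounts whose credentials have actually been cached on it. It assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later); the RODC name BRANCH-RODC1 is a placeholder, not a host from this thread.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT / Windows Server 2008 R2 or later). Run as a domain admin.
Import-Module ActiveDirectory

# OperatingSystemVersion looks like "5.2 (3790)" for 2003 or "6.0 (6002)"
# for 2008; the major number is enough to tell 2003 from 2008-and-later.
function Get-OsMajorVersion {
    param([string]$VersionString)
    if ([string]::IsNullOrEmpty($VersionString)) { return 0 }
    return [int](($VersionString -split '\.')[0])
}

function Test-RodcPrerequisites {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $result = [ordered]@{}

    # 1. Forest functional level must be Windows Server 2003 or higher.
    $tooLow = @('Windows2000Forest', 'Windows2003InterimForest')
    $result['ForestMode']   = $forest.ForestMode.ToString()
    $result['ForestModeOk'] = ($tooLow -notcontains $forest.ForestMode.ToString())

    # 2. The PDC emulator is where forwarded password changes finally land,
    #    so it must be Windows Server 2008 or later (NT 6.x and above).
    $pdc = Get-ADDomainController -Identity $dom.PDCEmulator
    $result['PDCEmulator']   = $pdc.HostName
    $result['PDCEmulatorOS'] = $pdc.OperatingSystem
    $result['PDCEmulatorOk'] = ((Get-OsMajorVersion $pdc.OperatingSystemVersion) -ge 6)

    # 3. At least one writable 2008+ DC must exist: it answers the RODC's
    #    forwarded authentication requests and evaluates the PRP for them.
    $writable2008 = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $Domain |
        Where-Object { (Get-OsMajorVersion $_.OperatingSystemVersion) -ge 6 }
    $result['Writable2008DCs']   = (@($writable2008 | ForEach-Object { $_.HostName }) -join ', ')
    $result['Writable2008DCsOk'] = (@($writable2008).Count -gt 0)

    [pscustomobject]$result
}

function Show-RodcPasswordReplicationPolicy {
    param([Parameter(Mandatory = $true)][string]$Rodc)

    # Allowed = accounts whose secrets the RODC may cache; Denied wins on
    # overlap. Anyone who can get at the branch box can get at the cached set,
    # so broad groups in Allowed deserve a second look.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

    # Accounts whose credentials have actually been replicated to this RODC.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

    [pscustomobject]@{
        RODC     = $Rodc
        Allowed  = (@($allowed  | ForEach-Object { $_.Name }) -join ', ')
        Denied   = (@($denied   | ForEach-Object { $_.Name }) -join ', ')
        Revealed = (@($revealed | ForEach-Object { $_.SamAccountName }) -join ', ')
    }
}

# Usage: run the prerequisite check before promoting the RODC, and the PRP
# review once it exists (hypothetical RODC name).
Test-RodcPrerequisites | Format-List
# Show-RodcPasswordReplicationPolicy -Rodc 'BRANCH-RODC1' | Format-List
```

Any "...Ok" field that comes back False is a stop: raise the forest functional level or move the PDC emulator role to a Windows Server 2008 DC first. After deployment, keep the Revealed list short and review it periodically; it is exactly the set of credentials an attacker gains by walking off with the branch RODC.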




