Read-Only Domain Controller
E724255
A Read-Only Domain Controller (RODC) is a type of Active Directory domain controller that hosts a read-only copy of the directory database to enhance security and performance in branch or untrusted locations.
All labels observed (1)
| Label | Occurrences |
|---|---|
| Read-Only Domain Controller canonical | 1 |
How this entity was disambiguated
This entity first appeared as the object of triple T8287769 — resolving that mention is where its identity was fixed. The disambiguator weighed these candidate entities and picked the highlighted one (or “None”, minting a new entity). This is how homonymy is resolved: the same surface form can point to different entities.
Target entity: Read-Only Domain Controller Context triple: [Windows Server 2008, includesComponent, Read-Only Domain Controller]
-
A.
Active Directory
Active Directory is Microsoft's centralized directory and identity management service used to authenticate and authorize users, computers, and resources in Windows-based networks.
-
B.
Active Directory Lightweight Directory Services
Active Directory Lightweight Directory Services is a flexible, standalone LDAP directory service from Microsoft that provides directory capabilities without requiring full Active Directory domain infrastructure.
-
C.
Windows Server Core (some versions)
Windows Server Core is a minimal-installation variant of the Windows Server operating system designed to reduce resource usage and attack surface by omitting most graphical user interface components.
-
D.
Active Directory Certificate Services
Active Directory Certificate Services is a Windows Server role that provides public key infrastructure (PKI) functionality for issuing, managing, and validating digital certificates within an organization’s network.
-
E.
Active Directory Rights Management Services
Active Directory Rights Management Services is a Microsoft server technology that protects sensitive information through encryption, access control, and usage policies integrated with Active Directory.
- F. None of above. chosen
- G. Unsure - the case is ambiguous/there is not enough information to decide.
Target entity: Read-Only Domain Controller Target entity description: A Read-Only Domain Controller (RODC) is a type of Active Directory domain controller that hosts a read-only copy of the directory database to enhance security and performance in branch or untrusted locations.
-
A.
Active Directory
Active Directory is Microsoft's centralized directory and identity management service used to authenticate and authorize users, computers, and resources in Windows-based networks.
-
B.
Active Directory Lightweight Directory Services
Active Directory Lightweight Directory Services is a flexible, standalone LDAP directory service from Microsoft that provides directory capabilities without requiring full Active Directory domain infrastructure.
-
C.
Windows Server Core (some versions)
Windows Server Core is a minimal-installation variant of the Windows Server operating system designed to reduce resource usage and attack surface by omitting most graphical user interface components.
-
D.
Active Directory Certificate Services
Active Directory Certificate Services is a Windows Server role that provides public key infrastructure (PKI) functionality for issuing, managing, and validating digital certificates within an organization’s network.
-
E.
Active Directory Rights Management Services
Active Directory Rights Management Services is a Microsoft server technology that protects sensitive information through encryption, access control, and usage policies integrated with Active Directory.
- F. None of above. chosen
Statements (49)
| Predicate | Object |
|---|---|
| instanceOf |
Active Directory domain controller role
ⓘ
Microsoft Windows Server feature ⓘ |
| adminRoleSeparationAllows | delegation of local RODC administration to non-domain admins ⓘ |
| alsoKnownAs | RODC NERFINISHED ⓘ |
| belongsTo | an Active Directory domain ⓘ |
| canHost | read-only DNS server role ⓘ |
| configuredUsing |
Active Directory Domain Services Installation Wizard
NERFINISHED
ⓘ
Server Manager (in newer Windows Server versions) NERFINISHED ⓘ dcpromo (in older Windows Server versions) ⓘ |
| hasCharacteristic |
can be configured to not cache any passwords
ⓘ
can be deployed in perimeter networks ⓘ can be deployed in physically insecure locations ⓘ designed for branch offices ⓘ designed for untrusted locations ⓘ does not allow direct changes to directory data ⓘ does not perform outbound replication to other domain controllers ⓘ enhances security in remote sites ⓘ hosts read-only copy of Active Directory database ⓘ receives inbound replication from writable domain controllers ⓘ reduces replication traffic from branch to hub ⓘ stores a subset of user credentials ⓘ supports administrator role separation ⓘ supports credential caching ⓘ supports filtered attribute set ⓘ supports read-only DNS zones when DNS is installed ⓘ |
| hasLimitation |
cannot be a source for writable replication
ⓘ
cannot perform updates to user or computer objects ⓘ depends on writable domain controller for password changes ⓘ |
| hasReplicationPartner | writable domain controller ⓘ |
| introducedIn | Windows Server 2008 NERFINISHED ⓘ |
| isSecuredBy |
Filtered Attribute Set configuration
ⓘ
Password Replication Policy ⓘ |
| managedBy | domain administrators ⓘ |
| partOf | Active Directory Domain Services NERFINISHED ⓘ |
| requires |
Windows Server operating system
NERFINISHED
ⓘ
existing writable domain controller in the domain ⓘ forest functional level Windows Server 2003 or higher ⓘ |
| securityBenefit |
limits credential theft risk if server is stolen
ⓘ
prevents unauthorized changes to Active Directory data at branch sites ⓘ supports granular control over which passwords are cached ⓘ supports separation of local server administration from domain administration ⓘ |
| stores | read-only copy of Active Directory database (NTDS.dit) ⓘ |
| supports |
Global Catalog role in read-only form
ⓘ
Kerberos authentication ⓘ NTLM authentication ⓘ |
| usedFor |
improving logon performance in branch offices
ⓘ
limiting impact of domain controller compromise ⓘ reducing exposure of domain credentials ⓘ supporting local authentication without full write capabilities ⓘ |
How these facts were elicited
The pipeline generated the facts above by prompting gpt-5.1 with this entity's name + description and the instruction below.
You are a knowledge base construction expert. Given a subject entity and a description of it, return factual statements that you know for the subject as a JSON list of dictionaries(triples), where keys must be "subject", "predicate" and "object". The number of facts may be very high, between 25 to 50 or more, for very popular subjects. For less popular subjects, the number of facts can be very low, like 5 or 10. # Requirements - If you don't know the subject at all, return an empty list. - If the subject is not a named entity, return an empty list. - Include at least one triple where predicate is "instanceOf". - Do not get too wordy. - Separate several objects into multiple triples with one object.
Subject: Read-Only Domain Controller Description of subject: A Read-Only Domain Controller (RODC) is a type of Active Directory domain controller that hosts a read-only copy of the directory database to enhance security and performance in branch or untrusted locations.
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.