Read-Only Domain Controller
E724255
A Read-Only Domain Controller (RODC) is a type of Active Directory domain controller that hosts a read-only copy of the directory database to enhance security and performance in branch or untrusted locations.
Statements (49)
| Predicate | Object |
|---|---|
| instanceOf | Active Directory domain controller role |
| instanceOf | Microsoft Windows Server feature |
| adminRoleSeparationAllows | delegation of local RODC administration to non-domain admins |
| alsoKnownAs | RODC |
| belongsTo | an Active Directory domain |
| canHost | read-only DNS server role |
| configuredUsing | Active Directory Domain Services Installation Wizard |
| configuredUsing | Server Manager (in newer Windows Server versions) |
| configuredUsing | dcpromo (in older Windows Server versions) |
| hasCharacteristic | can be configured to not cache any passwords |
| hasCharacteristic | can be deployed in perimeter networks |
| hasCharacteristic | can be deployed in physically insecure locations |
| hasCharacteristic | designed for branch offices |
| hasCharacteristic | designed for untrusted locations |
| hasCharacteristic | does not allow direct changes to directory data |
| hasCharacteristic | does not perform outbound replication to other domain controllers |
| hasCharacteristic | enhances security in remote sites |
| hasCharacteristic | hosts read-only copy of Active Directory database |
| hasCharacteristic | receives inbound replication from writable domain controllers |
| hasCharacteristic | reduces replication traffic from branch to hub |
| hasCharacteristic | stores a subset of user credentials |
| hasCharacteristic | supports administrator role separation |
| hasCharacteristic | supports credential caching |
| hasCharacteristic | supports filtered attribute set |
| hasCharacteristic | supports read-only DNS zones when DNS is installed |
| hasLimitation | cannot be a source for writable replication |
| hasLimitation | cannot perform updates to user or computer objects |
| hasLimitation | depends on writable domain controller for password changes |
| hasReplicationPartner | writable domain controller |
| introducedIn | Windows Server 2008 |
| isSecuredBy | Filtered Attribute Set configuration |
| isSecuredBy | Password Replication Policy |
| managedBy | domain administrators |
| partOf | Active Directory Domain Services |
| requires | Windows Server operating system |
| requires | existing writable domain controller in the domain |
| requires | forest functional level Windows Server 2003 or higher |
| securityBenefit | limits credential theft risk if server is stolen |
| securityBenefit | prevents unauthorized changes to Active Directory data at branch sites |
| securityBenefit | supports granular control over which passwords are cached |
| securityBenefit | supports separation of local server administration from domain administration |
| stores | read-only copy of Active Directory database (NTDS.dit) |
| supports | Global Catalog role in read-only form |
| supports | Kerberos authentication |
| supports | NTLM authentication |
| usedFor | improving logon performance in branch offices |
| usedFor | limiting impact of domain controller compromise |
| usedFor | reducing exposure of domain credentials |
| usedFor | supporting local authentication without full write capabilities |
Referenced by (1)