
Thursday, March 17, 2016

Placing two RODC in the same AD site

Several times I have heard from my customers that they have placed two Read-Only Domain Controllers (RODCs) in the same AD site, thinking that no special considerations need to be taken.

Here is the TechNet article https://technet.microsoft.com/en-us/library/ee522995(v=ws.10).aspx which describes the implications of placing two RODCs in the same site, or of placing an RODC in the same site as a Read-Write Domain Controller (RWDC).

If you place two RODCs in the same site, be aware that they will not replicate with each other; each of them replicates only with an RWDC.

Each RODC caches passwords only for the accounts that have authenticated against that particular RODC, so it is very likely that the set of cached passwords will differ between the two RODCs, because a client sticks to the RODC that has successfully authenticated it. A workaround is to run a script on the RWDC that prepopulates the password cache on both RODCs, so that their caches stay consistent. But this is an extra thing to take care of.
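The following is an added example of such a prepopulation script, not code from the original post. It assumes two RODCs named RODC01 and RODC02 and a writable DC named RWDC01 (hypothetical names; replace them with your own), the RSAT ActiveDirectory module, and an account permitted to sync passwords to RODCs. It reads which accounts each RODC has already cached and pushes the ones cached on the other RODC from the RWDC, so that both RODCs end up with the same cache.

```powershell
# Added example (not from the original post): keep the password caches of two RODCs in one
# AD site consistent. Assumed (hypothetical) names: RODC01 and RODC02 are the RODCs,
# RWDC01 is a writable DC in the same domain. Run from the RWDC or a host with RSAT.
Import-Module ActiveDirectory

$Rodcs = 'RODC01', 'RODC02'
$Rwdc  = 'RWDC01'

# For each RODC, collect the accounts whose passwords it has already cached
# ("revealed" accounts in PRP terms), keyed by RODC name, as a list of DNs.
$Cached = @{}
foreach ($rodc in $Rodcs) {
    $Cached[$rodc] = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
                       Select-Object -ExpandProperty DistinguishedName)
}

# Union of everything that is cached on at least one RODC in the site.
$AllCached = $Cached.Values | ForEach-Object { $_ } | Sort-Object -Unique

foreach ($rodc in $Rodcs) {
    # Accounts cached on the other RODC but missing from this one.
    $Missing = $AllCached | Where-Object { $Cached[$rodc] -notcontains $_ }
    foreach ($dn in $Missing) {
        # Sync-ADObject -PasswordOnly prepopulates the secret from the RWDC, the same operation
        # as "repadmin /rodcpwdrepl". It succeeds only for accounts that this RODC's Password
        # Replication Policy allows to be cached; denied accounts are reported, not forced.
        try {
            Sync-ADObject -Object $dn -Source $Rwdc -Destination $rodc -PasswordOnly -ErrorAction Stop
            Write-Host "Prepopulated $dn on $rodc"
        } catch {
            Write-Warning "Could not prepopulate $dn on $rodc : $($_.Exception.Message)"
        }
    }
}
```

Accounts that fail with a policy error are ones the PRP deliberately keeps off that RODC; widening the Allowed list just to make the script succeed would also widen what is exposed if the RODC is stolen, so review those failures rather than suppress them.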
