However, the local server will attempt to keep its copy of the respective zone up to date by reaching out to the referenced server and requesting replication of the most recent change.

With no originating writes to the replica of the database or to the content of SYSVOL (which hosts the file-system portion of Group Policy templates), there is no reason for the RODC to participate in traditional multimaster replication, which has been one of the core principles of earlier implementations of Active Directory.

Going forward, we will focus on features specific to the latest operating system, describing their characteristics in more detail.
Any accidental corruption (not unlikely in environments lacking qualified local support) or a malicious hack propagating back to the rest of the network could easily lead to an enterprise-wide disaster.

On the other hand, relaying authentication requests to domain controllers residing within a properly protected main office or internal network frequently was not feasible due to security, performance or reliability implications.

Password Replication Policy settings are revealed during setup of an RODC via the Active Directory Domain Services Installation Wizard. This allows you to designate the security principals (users, groups and computers) to which the credential-caching allow or deny rules will apply. In the case of conflicting settings, the deny rule always takes precedence.
During a local computer startup or user logon, the RODC reaches out to a writeable Windows Server 2008 domain controller to verify the presented credentials.
By default, the denied list includes four built-in domain groups (Administrators, Server Operators, Backup Operators and Account Operators) and the Denied RODC Password Replication Group (containing the Cert Publishers, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, Read-only Domain Controllers and Schema Admins domain groups, as well as the domain-level krbtgt user account).
The allowed list consists of a single Allowed RODC Password Replication Group (initially empty), but you can customize each list to match your preferences, either directly from the same wizard page or after the wizard completes.
To address these issues, Microsoft customized some of the standard Active Directory mechanisms, bundled them together and released the resulting combination as part of the new product's feature set, in the form of the Read-Only Domain Controller (or simply RODC).
The main purpose of this customization was to reduce the range and severity of vulnerabilities associated with hosting full-fledged domain controllers in environments where they could be easily compromised.
command button, allowing you to proactively cache the credentials of arbitrarily chosen users or computers, provided that you point the Active Directory Users and Computers console at a writeable Windows Server 2008 domain controller.
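The same Password Replication Policy described above can be audited from PowerShell rather than through the wizard or the Active Directory Users and Computers console. The script below is an added example, not code from the original article or from Microsoft; it assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later RSAT), read access to the domain, and a placeholder RODC name `RODC01`. It lists the effective allow and deny lists, then checks whether any member of the default Denied RODC Password Replication Group has nevertheless had its secret revealed to (cached on) that RODC.

```powershell
# Added example (not from the original article): audit one RODC's Password
# Replication Policy and flag privileged accounts whose secrets it already holds.
# Assumes the ActiveDirectory module; 'RODC01' is a placeholder for your RODC.
param([string]$Rodc = 'RODC01')

Import-Module ActiveDirectory

# Effective allow/deny lists as stored on the RODC computer object.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

"Allowed principals on ${Rodc}:"
$allowed | Select-Object -ExpandProperty Name
"Denied principals on ${Rodc}:"
$denied  | Select-Object -ExpandProperty Name

# Accounts whose secrets are currently cached on (revealed to) the RODC. These are
# exactly the credentials at risk if the branch-office box is compromised.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Members of the default denied group, resolved through nested groups, because
# the deny rule applies to indirect members as well and always takes precedence.
$deniedMembers = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
                 Select-Object -ExpandProperty SamAccountName

# Any overlap means a privileged secret is sitting on the RODC and should be
# investigated (for example, an account cached before it was added to the group).
$leaked = $revealed | Where-Object { $deniedMembers -contains $_.SamAccountName }
if ($leaked) {
    Write-Warning "Privileged accounts revealed to ${Rodc}:"
    $leaked | Format-Table SamAccountName, ObjectClass -AutoSize
} else {
    "No members of the Denied RODC Password Replication Group are cached on $Rodc."
}
```

To adjust the lists outside the wizard, use `Add-ADDomainControllerPasswordReplicationPolicy` and `Remove-ADDomainControllerPasswordReplicationPolicy` with the `-AllowedList` or `-DeniedList` parameter against the same RODC identity.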