Should I create a separate site for a RODC

    Question

  • I just took over as network admin.  The office has two locations (the main location has about 150 users and the branch office has about 10).  There is a RODC at the branch office.  The two locations are connected by VPN but all on the same AD site.  My question is, would it be beneficial to create a separate site for the branch office that has the RODC and what benefits/drawbacks would this provide?

    Thank you,

    Friday, September 06, 2013 3:44 PM

Answers

  • This is actually an AD question. Did you also post this in the Directory Services forum? If yes, please provide a link and maybe a moderator can merge the two.

    -

    As for answering the question, Yes. An AD Site's purpose is twofold:

    • Ensures that clients at that site will first select a local DC for authentication and logon traffic, otherwise it's a random pick among DCs, so the whole reason of choosing to place an RODC at that location won't work to your expectations.
    • Minimizes and controls replication across a WAN (such as your VPN).

    More on that:

    The DC Locator Process, The Logon Process, Controlling Which DC Responds in an AD Site, and SRV Records
    Published by Ace Fekay, MCT, MVP DS on Jan 3, 2010 at 10:30 AM
    http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx

    How Domain Controllers Are Located in Windows XP:  _TCP.dc._msdcs.domainname.
    After the client locates a domain controller, the client establishes ... To
    troubleshoot the domain locator process: ...
    http://support.microsoft.com/kb/314861

    Jorge 's Quest For Knowledge! : DC Locator Process in W2K, W2K3(R2 ...This is the 2nd part of "DC Locator Process in W2K, W2K3(R2) and W2K8" Looking at this all, the DC locator process as explained above still applies to ...
    http://blogs.dirteam.com/blogs/jorge/archive/2007/06/30/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-2.aspx

    -

    Of course, the RODC should be a GC and a DNS server for the clients to use at that site.

    I assume that an Exchange server is not located at the remote site because Exchange won't even pick it during AD topology and DSAccess enumeration.

    I assume you've already created a PRP (password replication policy) for only the user accounts in that site to use the RODC.

    Here are some notes on RODC design and deployment.

    Jane Lewis's Weblog : RODC Branch Office Guide Ready for download, Jun 5, 2009
    I have been working with 2008 Forests and customers moving towards this environment quite a lot recently. Therefore I would like to bring ...
    http://blogs.technet.com/janelewis/archive/2009/06/05/rodc-branch-office-guide-ready-for-download.aspx

    Steps for Deploying an RODC
    http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx

    RODC Frequently Asked Questions, May 1, 2009 ...
    Because the DNS server that runs on an RODC cannot directly register client updates ... If the DNS client on the RODC attempts a DNS update, ...
    http://technet.microsoft.com/en-us/library/cc754956(WS.10).aspx

    -

    For Outlook clients at a site with an RODC:

    "However what about Outlook clients…?  If you’ve got a load of Outlook clients sitting in the branch office it might be beneficial if the client made use of its local RODC (ROGC). Well Outlook is listed here as an application that will work with an RODC.  It takes a registry setting to point it at a local ROGC and the ROGC will then be used for certain operations – specifically GAL lookups.

    HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider
    String Value: DS Server
    Data: FQDN of ROGC
     
    If you decide to make use of this registry setting then be aware that Outlook will still revert to a remote DC\GC for many operations and the use of the key does depend on the version of Outlook that you have chosen to deploy."
    http://blogs.msdn.com/b/douggowans/archive/2009/01/06/windows-2008-read-only-domain-controllers-and-exchange-2007.aspx


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, September 08, 2013 8:50 PM
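The steps the answer describes (a separate site whose subnet maps to the branch, a site link over the VPN, the RODC's server object moved into that site, a Password Replication Policy limited to branch users, and the optional Outlook "DS Server" registry value) can be carried out from the ActiveDirectory PowerShell module. The following is an added example, not code from the thread or from any of the linked articles; the site name BranchOffice, the subnet 10.20.0.0/24, the RODC host name BRANCH-RODC1, the group "Branch Users" and the domain corp.example.com are placeholder assumptions to be replaced with your own values.

```powershell
# Added example (not from the thread). All names below are placeholders:
#   domain          : corp.example.com
#   branch subnet   : 10.20.0.0/24
#   RODC host name  : BRANCH-RODC1
#   branch group    : "Branch Users"
# Run in an elevated PowerShell with RSAT (ActiveDirectory module) as a Domain Admin.
Import-Module ActiveDirectory

$branchSite   = 'BranchOffice'
$branchSubnet = '10.20.0.0/24'
$rodcName     = 'BRANCH-RODC1'
$hqSite       = 'Default-First-Site-Name'   # the single site both offices share today

# 1. Create the branch site and bind the branch IP range to it. The subnet-to-site
#    mapping is what makes the DC locator hand branch clients the local RODC first;
#    without it the pick among all DCs is effectively random, as the answer notes.
New-ADReplicationSite -Name $branchSite
New-ADReplicationSubnet -Name $branchSubnet -Site $branchSite -Location 'Branch office'

# 2. Link the two sites so replication over the VPN is scheduled and compressed
#    as inter-site traffic instead of the near-immediate intra-site behaviour.
New-ADReplicationSiteLink -Name "$hqSite-$branchSite" `
    -SitesIncluded $hqSite, $branchSite `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180 `
    -InterSiteTransportProtocol IP

# 3. Move the RODC's server object into the new site. Until this is done the RODC
#    still registers its site-specific SRV records under the old site.
Move-ADDirectoryServer -Identity $rodcName -Site $branchSite
# On the RODC itself, re-register the SRV records without waiting for the next
# Netlogon cycle:   Restart-Service Netlogon     (or: nltest /dsregdns)

# 4. Verify the RODC is read-only, a GC, and now reported in the branch site.
$dc = Get-ADDomainController -Identity $rodcName
[pscustomobject]@{
    Name       = $dc.HostName
    Site       = $dc.Site
    IsReadOnly = $dc.IsReadOnly
    IsGC       = $dc.IsGlobalCatalog
}

# 5. Password Replication Policy: allow caching only for the branch users' group,
#    then list the Allowed entries to confirm no broad group (e.g. Domain Users)
#    has been added, since every cached secret is exposed if the RODC is stolen.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -AllowedList 'Branch Users'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed |
    Select-Object Name, ObjectClass

# 6. Optional, per user, on a branch workstation: the Outlook "DS Server" value quoted
#    in the answer, pointing Outlook's GAL lookups at the local read-only GC.
$olKey = 'HKCU:\Software\Microsoft\Exchange\Exchange Provider'
New-Item -Path $olKey -Force | Out-Null
Set-ItemProperty -Path $olKey -Name 'DS Server' -Value 'branch-rodc1.corp.example.com'

# 7. Checks to run on a branch client (built-in tools, shown here as comments):
#    nltest /dsgetsite                 -> should print BranchOffice
#    nltest /dsgetdc:corp.example.com  -> "Dc Site Name" and "Our Site Name" should
#                                         both read BranchOffice, DC = BRANCH-RODC1
```

Step 1 is the part that actually changes client behaviour: a site with no subnet attached to it does nothing for the locator, so the subnet object is not optional. Step 5 is the security-relevant check; the RODC only caches secrets for accounts the Allowed list permits and the Denied list does not block, so keep the Allowed list to the branch accounts and re-run the `Get-ADDomainControllerPasswordReplicationPolicy` query after any group change.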