With a local site RODC, will my clients ever need direct access to a writable Domain Controller (DC)?

    Question

  • Dear Community

    I am considering placing an RODC in one of my sites. Client computers in that site do not have access to any of my remote site Domain Controllers. My client VLAN does not have access to anything across my VPN tunnel. The VLAN where my RODC will be located will have full access to a remote writable DC.

    Will such a setup work or will my client computers ever require access to a writable Domain Controller for anything?

    I have read that DNS registrations will always be redirected to a writable DC, and the clients themselves will perform this.

    Can anyone confirm this and whether there are other functions which require that the clients have access to a remote writable DC?

    Regards,
    Thomas

    Tuesday, April 25, 2017 7:34 AM

All replies

  • Hi Thomas,
    An RODC only replicates data from a writable domain controller; the database on an RODC is read only. Applications can only read data from the directory when they target an RODC; they cannot write data in the directory. However, RODCs automatically forward certain write operations to writable domain controllers, and they can send referrals to writable domain controllers when necessary.

    When a client makes a write request of DNS, they first make a request for an authoritative server to their configured DNS server, which would be the RODC in this scenario. The RODC will try to find a writable DNS server in the client's local site and send the client a name server resource record for the writable DNS server so the client can make the update. If no DC can be found in the local site, the RODC will refer the client to any writable DNS server in the environment.
    After about five minutes, the RODC will try to perform a replication of the single object from the writable DNS server that was updated so its database has the data that was written by the client.
    Best regards, 
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Friday, April 28, 2017 6:08 AM
    Moderator
  • Hi Thomas,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.
    Best Regards,

    Wendy



    Monday, May 1, 2017 4:57 AM
    Moderator
  • Hi Wendy

    Thank you for the reply.

    So from your response, I take this as a confirmation that my client computers will need direct access to a writable DC?

    I was kind of hoping not having to allow client computer communication over my VPN, but it looks like it won't work without it.

    Regards,

    Thomas

    Tuesday, May 2, 2017 8:26 AM
  • Hi Wendy

    You mentioned
    The RODC will try to find a writable DNS server in the client's local site and send the client a name server resource record for the writable DNS server so the client can make the update. If no DC can be found in the local site, the RODC will refer the client to any writable DNS server in the environment.

    I interpret the word 'refer' here as the RODC will provide the client with the IP address of the writable DC so the client itself can perform the update. That means the client will need access to a writable DC.

    Is this not correctly assumed?

    Regards,

    Thomas

    Tuesday, May 9, 2017 5:18 AM
  • Hi Thomas,
    Yes, clients access a writable DC not only for updating DNS records, but also for authenticating to log in to the domain if the RODC is down.
    Best Regards,
    Wendy Jiang


    Thursday, May 11, 2017 2:15 PM
    Moderator
  • Hi Wendy

    Yes, the authentication part is clear.
    What's not clear is whether the computers will need access to a writable DC for DNS updates?

    I mean, I am quite sure they will need access to this writable DNS server for DNS record updates; however, your comments on that topic were confusing.

    Regards,

    Thomas

    Friday, May 12, 2017 10:47 AM
  • Hi Thomas,
    Sorry for confusing you. Based on my knowledge, the client is the “one” to update the DNS record, so as you said, clients need access to a writable DC if they have a DNS update request, also including the authentication part.
    Best regards, 
    Wendy


    Monday, May 15, 2017 1:48 AM
    Moderator
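The two points the thread settles on (the RODC refers DNS update requests to a writable DNS server, and clients fall back to a writable DC for authentication if the RODC is unavailable) can both be checked from a client in the RODC site before the VPN ACL is finalised. The script below is an added example, not code from the thread or from Microsoft; it assumes a placeholder zone name `corp.example.com` and RODC address `10.20.0.10`, and the writable DC name it tests against is whatever the RODC itself returns. It asks the RODC for the zone's SOA record, since a Windows client performing a dynamic DNS update first queries the SOA to learn which server accepts updates, and on an RODC that SOA names a writable DNS server. It then tests the ports that a domain-joined client needs to reach on that writable DC.

```powershell
# Added example (not from the original thread). Placeholders: change these
# to your own zone and RODC address. Run on a domain-joined client that sits
# in the RODC site, with the RODC as its configured DNS server.
param(
    [string]$Zone = 'corp.example.com',   # assumed placeholder zone
    [string]$Rodc = '10.20.0.10'          # assumed placeholder RODC address
)

# 1. Ask the RODC for the zone SOA. The "PrimaryServer" (SOA MNAME) is the
#    server the client will send its dynamic update to. An RODC answers with
#    a writable DNS server here, not with itself.
$soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Rodc -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SOA' }
$updateTarget = $soa.PrimaryServer
Write-Host "RODC $Rodc refers DNS updates to: $updateTarget"

# 2. Resolve the writable server's address through the RODC, the same way
#    the client would before sending the update.
$addr = (Resolve-DnsName -Name $updateTarget -Type A -Server $Rodc -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' }).IPAddress | Select-Object -First 1
Write-Host "$updateTarget resolves to $addr"

# 3. Test the TCP ports a client needs on the writable DC. 53 is the DNS
#    update path the thread is about; 88/389/445/135 are what a logon and
#    Group Policy refresh need if the RODC is down and the client fails over.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 389 = 'LDAP'; 445 = 'SMB/SYSVOL'; 135 = 'RPC endpoint mapper' }
$blocked = @()
foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $addr -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Host ("{0}:{1,-4} {2,-20} {3}" -f $addr, $p, $ports[$p], $state)
    if (-not $r.TcpTestSucceeded) { $blocked += $p }
}

# 4. Which DC did the locator actually pick for this client right now?
#    If the RODC is healthy this should name the RODC; the writable DC is
#    only used for the referred update and for fallback.
nltest /dsgetdc:$Zone /force

if ($blocked.Count -gt 0) {
    Write-Warning "Writable DC $addr is not reachable on port(s): $($blocked -join ', '). Dynamic DNS updates and RODC failover from this VLAN will fail."
} else {
    Write-Host "Writable DC $addr reachable on all tested ports from this client." -ForegroundColor Green
}
```

If step 1 already fails, the client cannot even learn where to send its update and the `Register-DnsClient`/`ipconfig /registerdns` path will time out silently; if step 3 reports port 53 blocked, that is the exact failure the thread predicts for a client VLAN with no route across the VPN. UDP 53 is not covered by `Test-NetConnection -Port`, so confirm it separately on the firewall if TCP 53 is open but registrations still fail.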