An RODC
also has the added restriction that it cannot act as a Global Catalog server, but it does
support caching of universal groups. In addition to this, the functional level of the forest
must at minimum be Windows Server 2003 before an RODC can be installed.
TIP Universal groups are groups that are available and can be used throughout an entire forest. They
can contain other groups and users and can be assigned to resources. Universal group membership
is stored in the global catalog (or cached on an RODC) and affects replication.
The RODC Active Directory database stores all the same objects and attributes that
any regular domain controller would store, except that it doesn't store account passwords.
Read-only Active Directory queries to domain controllers using LDAP are processed
normally, whereas any requests to write to the database using LDAP will be returned
with a referral to a writable DC. Only downstream replication occurs on an RODC. This
includes replication data related to both the Active Directory database and to DFS replication
traffic. This simplifies the replication process and optimizes any work that needs
to be done by the bridgehead servers in the same site.
Passwords are not stored on RODCs by design, since it is assumed that the RODC
will reside in a potentially less secure environment than the rest of your domain controllers.
If a user or computer attempts to authenticate to an RODC and it determines that
the account exists, the password is then forwarded to a writable DC for authentication.
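The following PowerShell audit is an added example, not code from the book: it checks the forest functional level, lists each RODC together with its global catalog status, and shows which account secrets, if any, have been cached on that RODC and which accounts have authenticated through it. It assumes the ActiveDirectory module (RSAT) and a domain-joined session with read access to the RODC objects.

```powershell
# Added example (not from the book): audit the RODCs in the current forest.
# Assumes the ActiveDirectory PowerShell module and rights to read DC objects.
Import-Module ActiveDirectory

# An RODC requires at least Windows Server 2003 forest functional level.
$forest = Get-ADForest
Write-Host "Forest functional level: $($forest.ForestMode)"

# Enumerate read-only DCs; an RODC cannot be a global catalog, so IsGlobalCatalog
# is expected to be False for each of them.
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
if (-not $rodcs) {
    Write-Host "No RODCs found in this domain."
    return
}

foreach ($rodc in $rodcs) {
    Write-Host ""
    Write-Host "RODC: $($rodc.HostName)  Site: $($rodc.Site)  GC: $($rodc.IsGlobalCatalog)"

    # Accounts whose secrets have actually been cached on this RODC. Because the
    # RODC sits in the less trusted location, these are the credentials that would
    # be exposed if that server were compromised; the list should be short and
    # contain only accounts from that site.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Host "Accounts with secrets cached on this RODC: $(@($revealed).Count)"
    $revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize

    # Accounts that have authenticated through this RODC. Authentication for an
    # account without a cached secret is forwarded to a writable DC, so this list
    # shows who actually relies on the RODC at that site.
    $authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
    Write-Host "Accounts that authenticated via this RODC: $(@($authenticated).Count)"
    $authenticated | Select-Object Name, ObjectClass | Format-Table -AutoSize
}
```

Run it from a management workstation; the revealed-account lists are the ones to review against what each branch site genuinely needs.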