Chapter 7. Read-Only Domain Controllers
One of the most significant Active Directory features introduced in Windows Server 2008 was the Read-Only Domain Controller (RODC). Deploying domain controllers into untrusted locations has always been a substantial security risk for Active Directory deployments. The risk of a domain controller becoming physically compromised and having password hashes for that domain stolen or the risk of a database (ntds.dit) being modified offline and placed back on the network are both important risks to measure. The RODC brings the ability to mitigate both of these risks.
By default, RODCs do not store any passwords locally in their database. If a user authenticates to an RODC, the RODC will need to contact a writeable domain controller (sometimes called an RWDC) upstream in order to validate that user’s password. This, of course, also applies to other objects with passwords, such as computer and trust accounts. Through the use of Password Replication Policies, you can define what passwords are allowed to be cached locally on an RODC. You can also examine a real-time view of what passwords are currently cached on an RODC.
In order to ensure that an RODC cannot impact the integrity of an Active Directory forest, all replication to RODCs is one way. This means that if someone manages to make a change, Active Directory will not replicate that change to other Domain Controllers. Figure 7-1 shows the replication paths in a network with RODCs deployed.
Figure 7-1. RODC ...