Chapter 22. The Third DC: Understanding Read-Only Domain Controllers
Most domain controllers (DCs) hold a full copy of Active Directory, including all of the administrative accounts and their passwords. Most domain controllers also spend their lifetime safely locked behind the door of a server room or server closet. As long as a DC is well protected with physical security, this arrangement works perfectly.
However, domain controllers sometimes need to be deployed to other locations to support users working in branch offices or remote locations. Ideally, these branch offices enjoy the same physical security as the main location, but in reality this just isn't true.
In the past, administrators have had to weigh the risk of a DC being stolen or attacked after ...