RODC not read only?

[wiimike]

Setup: I have two domain controllers (2008 R2, forest functional 2008R2). One is my primary, and the other was set up recently as a read only domain controller (DCpromo, check the box for read only domain controller).

My problem: The read only domain controller isn't seeming all that read only. I can create user accounts on it, delete user accounts on it, and all of this propagates to my normal domain controller.

Work done thus far: I've deleted an account originally made on the read only, watched it propagate, deleted an account originally made on the regular domain controller and watched that propagate, created a user on the normal domain controller and watched it propagate (had to make sure I didnt botch my names). I've checked sites and services and the only connection I see under NTDS is named "RODC Connection (FRS)" going from my normal domain controller to the RODC.

Shouldn't this be working? How can I verify the setup was done correctly? Any ideas? Thanks in advance for any help, or for at least reading this =)

 

[PScottC]

Changes can occur on the RODC, but it has to obtain permission from the standard DC to which it is connected.

PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers

 

[wiimike]

Thanks for that explanation. It does not seem to me that I'd want the regular DC to approve changes to something I've marked read only however. How can I go about changing this? I thought that initial check mark would be the end of it.

 

[PScottC]

Read-only doesn't mean that things don't change. There are a lot of attributes that change on a regular basis for most users.

The intent of an RODC is to limit the scope of damage that could be caused if the DC were compromised (think physically stolen). Only user's who authenticate to the DC have their passwords cached on it, and by default it doesn't cache the passwords for Domain or Enterprise Admins. This means that if the DC is stolen, you know the specific list of user's whose credentials are cached there, and you can quickly force password resets for them. This is a significant benefit to an organization with thousands or tens of thousands of users since the organization would not have to reset everyone's password, just the limited scope.

PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers

 

[wiimike]

It seems I need to read up. While I figured read only way changeable by another DC, I had figured that it meant you could not make changes directly to the RODC. Thanks a lot for the info