Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

RODC not read only?

Status
Not open for further replies.

wiimike

IS-IT--Management
Mar 30, 2007
145
US
Setup: I have two domain controllers (2008 R2, forest functional 2008R2). One is my primary, and the other was set up recently as a read only domain controller (DCpromo, check the box for read only domain controller).

My problem: The read only domain controller isn't seeming all that read only. I can create user accounts on it, delete user accounts on it, and all of this propagates to my normal domain controller.

Work done thus far: I've deleted an account originally made on the read only, watched it propagate, deleted an account originally made on the regular domain controller and watched that propagate, created a user on the normal domain controller and watched it propagate (had to make sure I didnt botch my names). I've checked sites and services and the only connection I see under NTDS is named "RODC Connection (FRS)" going from my normal domain controller to the RODC.

Shouldn't this be working? How can I verify the setup was done correctly? Any ideas? Thanks in advance for any help, or for at least reading this =)
 
Changes can occur on the RODC, but it has to obtain permission from the standard DC to which it is connected.

PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers
 
Thanks for that explanation. It does not seem to me that I'd want the regular DC to approve changes to something I've marked read only however. How can I go about changing this? I thought that initial check mark would be the end of it.
 
Read-only doesn't mean that things don't change. There are a lot of attributes that change on a regular basis for most users.

The intent of an RODC is to limit the scope of damage that could be caused if the DC were compromised (think physically stolen). Only user's who authenticate to the DC have their passwords cached on it, and by default it doesn't cache the passwords for Domain or Enterprise Admins. This means that if the DC is stolen, you know the specific list of user's whose credentials are cached there, and you can quickly force password resets for them. This is a significant benefit to an organization with thousands or tens of thousands of users since the organization would not have to reset everyone's password, just the limited scope.

PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers
 
It seems I need to read up. While I figured read only way changeable by another DC, I had figured that it meant you could not make changes directly to the RODC. Thanks a lot for the info
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top