RODC - worth it?
Anyone deploy read-only domain controllers in branch offices? I've thought about doing this. Is it worth it? What if your domain goes haywire... Can an RODC be promoted to a full-fledged DC and rescue Active Directory with its last known good copy?
Or is it just a way to allow people to log onto the domain if the WAN is down? But even so, if my wan was down, so would the connection to a wireless LAN controller and NPS server at the headquarters...
beachintech:
I've never seen the point really, I just have full DCs at each remote site. Although, I have everything set up so sites become autonomous if their WAN connection is down. I can't take down a whole school because Verizon is having a bad day.
Ex-Comcast Tech at the Beach. I speak for myself, not my former employer.
I know MS sells the RODC concept if the server will be in a "high risk" area, but I can't quite figure out the real-world threat.
1. If someone breaks in and steals the server, they are not going to fire it up somewhere on your network and then fiddle with AD.
2. If you have someone who "knows enough to be dangerous" at the remote site and may be inclined to (somehow) access the server and make any sort of changes, you have bigger problems than can be solved with an RODC.
Yeah, I dunno if an RODC or a full-fledged DC is worth it at a remote site. I have one remote site with a full-fledged DC, but there is also a SAN there that the headquarters replicates to. It's essentially a DR site.
But other branch offices have their 2008 R2 file and print servers for their LAN. They could easily be dcpromo'd to a full-fledged DC or an RODC.
They are behind locked doors with card-swipe access. The servers are headless. I mean, if you plug in a monitor all you will see is the VMware ESXi logon screen. You would have to hack it from the network through the vSphere client or RDP to the Windows server running on it.
So if the fiber WAN (Verizon) goes down we would change the routes to go over T1 MPLS (Windstream). The only thing I have to figure out is, though the Cisco APs are in H-REAP mode (traffic terminates at the local site instead of tunneling down to the HQ)... they still keep in contact with a Cisco Wireless LAN Controller at the HQ, which has RADIUS authentication to 2 NPS servers at the HQ. So if the WAN was down and DCs were at each site... they could log on if wired, but most likely wireless would be down and the Internet itself would be down, as well as many mission-critical servers. So they could log on and stare at their desktop icons. Ok, maybe do some work in Word and Excel.
Having DCs in multiple sites for me is more of a redundancy thing. Say our building blows up... well, at least Active Directory is replicated to a DC in another physical location. Seize the FSMO roles there and good to go (AD-wise).
So just wondering if anyone's ever deployed an RODC at all? Even in a test lab?
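The "stolen server" risk the thread weighs comes down to one concrete question: which account secrets does a given RODC actually hold? An RODC only caches the password hashes that its Password Replication Policy (PRP) allows, so the exposure from a physical theft is the list of "revealed" accounts, not the whole directory. The following script is an added example written for this thread, not code from any poster; it assumes the ActiveDirectory RSAT module and a domain admin session on a domain-joined machine, and it inventories every RODC, its PRP, the accounts currently cached on it, and flags any Domain Admins member whose hash has leaked onto a branch box (which would mean the PRP is misconfigured).

```powershell
# Added example, not from the original thread.
# Assumes: ActiveDirectory module (RSAT) and rights to read the domain's RODCs.
Import-Module ActiveDirectory

# Collect the SIDs of Domain Admins (recursively) so we can spot a privileged
# account that has been cached on a branch-office RODC.
$adminSids = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SID.Value

# Every read-only DC in the domain.
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

foreach ($rodc in $rodcs) {
    Write-Host "RODC: $($rodc.HostName)  site: $($rodc.Site)"

    # The PRP: who is permitted and who is explicitly denied caching here.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Host "  PRP allowed entries: $(@($allowed).Count)  denied entries: $(@($denied).Count)"

    # Accounts whose password hashes are physically stored on this RODC right now.
    # This list is the real blast radius if the box walks out the door.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Host "  revealed (cached) accounts: $(@($revealed).Count)"
    $revealed | ForEach-Object { Write-Host "    $($_.SamAccountName) [$($_.ObjectClass)]" }

    # Accounts that have authenticated through this RODC, cached or forwarded.
    # Useful when deciding whether the PRP is too narrow (lots of WAN-dependent logons).
    $authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
    Write-Host "  authenticated accounts seen: $(@($authenticated).Count)"

    # Red flag: a Domain Admins member cached on a branch RODC.
    $leakedAdmins = $revealed | Where-Object { $adminSids -contains $_.SID.Value }
    if ($leakedAdmins) {
        Write-Warning "  Domain Admins hashes cached on $($rodc.HostName): $($leakedAdmins.SamAccountName -join ', ')"
    }
}
```

Run it from the HQ before and after trimming the PRP; the "revealed" list is also the set of accounts whose passwords you would reset if that server ever went missing, so keeping it to the branch's own users and computers is what makes the RODC's physical-security argument actually hold.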