Brain Cluster Technical Forum

Rodc [message #348355] Sat, 19 December 2009 11:09
aconti (United States), Senior Member, Messages: 113, Registered: August 2009
Hello, why does the PDC have to be Server 2008 when installing an RODC in
the domain?

Thank you

Re: Rodc [message #348566 is a reply to message #348355] Sat, 19 December 2009 17:46
aceman (United States), Senior Member, Messages: 5816, Registered: July 2009
"aconti" wrote in message
> Hello, why does the PDC have to be Server 2008 when installing an RODC in
> the domain?
> Thank you

AD DS: Read-Only Domain Controllers:
"The RODC must forward authentication requests to a writable domain
controller running Windows Server 2008. The Password Replication Policy is
set on this domain controller to determine if credentials are replicated to
the branch location for a forwarded request from the RODC."

Also, I believe it has to do with password changes and using a Fine-Grained
Password Policy, which also means the domain has to be in 2008 FL. Remember,
the PDC Emulator handles password functions. This link implies the PDC
Emulator should be a 2008 machine for successful password updates; however,
it does not explicitly state this, from:

Appendix A: RODC Technical Reference Topics:

Password changes on an RODC
Users change their passwords on a regular basis as specified by the Default
Domain policy or a fine-grained password policy (FGPP). After each
authentication attempt that is serviced by an RODC, the RODC performs a
replicate single object (RSO) operation to replicate the account credentials
if it does not have the current credentials stored locally. In a site that
has an RODC and no writable domain controller, one of two actions can occur
when users try to change their passwords:

- The password change request is sent directly to a writable domain
controller. In this case, the password change is written locally and then
forwarded by the writable domain controller to the domain controller that
holds the primary domain controller (PDC) emulator operations master (also
known as flexible single master operations or FSMO) role in the domain. This
is the same behavior as in Windows Server 2003.
- The password change request is sent to the RODC, which in turn forwards
the request to a writable Windows Server 2008 domain controller. The next
steps are the same as would occur if the password change happened directly
on the writable domain controller.

Here are some good links on RODC requirements:

AD DS: Read-Only Domain ControllersAug 26, 2009 ... However, your
organization may also choose to deploy an RODC for special administrative
requirements. For example, a line-of-business (LOB) ...

Read-only Domain Controllers (RODC) Step-by-Step GuideMay 1, 2009 ... An
RODC is a new type of domain controller in the Windows Server® ... also
deploy an RODC because of its reduced management requirements ...

Screencast: How to Install Read-Only Domain Controller – pre ...Before you
proceed with the installation of an RODC in your network, you have to make
sure that it covers certain requirements. Here is a brief overview: ... o-stages/

[PPT] Title Goes Here Name of Presenter Title of Presenter Day, Month, Year
RODC - Requirements for Deployment. Raise Forest Functional Level. Forest
functional level must be at Windows Server 2003 or above ... ve_Directory_Domain_Services-final.pptx


This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check for regional support phone numbers.
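The checks this thread turns on (forest and domain functional level, a writable Windows Server 2008 or later DC for the RODC to forward to, which machine holds the PDC emulator, and what each RODC's Password Replication Policy actually lets it cache) can be scripted. The following is an added example written for this page; it is not code from either poster or from the Microsoft documents quoted above. It assumes the ActiveDirectory PowerShell module, which shipped with Windows Server 2008 R2 and RSAT rather than with the original Windows Server 2008 release discussed in the thread, and it assumes the OperatingSystem attribute of a DC object contains the product year (for example "Windows Server 2008 R2 Enterprise"). The function names are the example's own.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT). Run as an account that can read the domain
# and the RODC objects.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # The PDC emulator is where every forwarded password change finally lands,
    # so report what it is running.
    $pdc = Get-ADDomainController -Identity $domain.PDCEmulator

    # Writable DCs an RODC can forward to: not read-only, and running Windows
    # Server 2008 or later. Assumption: OperatingSystem carries the product
    # year, e.g. "Windows Server 2008 R2 Enterprise".
    $writable = Get-ADDomainController -Filter * |
        Where-Object {
            $_.IsReadOnly -eq $false -and
            $_.OperatingSystem -match 'Windows Server (\d{4})' -and
            [int]$Matches[1] -ge 2008
        }

    [PSCustomObject]@{
        ForestFunctionalLevel = $forest.ForestMode   # Windows2003Forest or higher for RODCs
        DomainFunctionalLevel = $domain.DomainMode   # Windows2008Domain for fine-grained password policies
        PdcEmulator           = $pdc.HostName
        PdcEmulatorOS         = $pdc.OperatingSystem
        WritableDCs2008Plus   = @($writable | Select-Object -ExpandProperty HostName)
    }
}

function Get-RodcPasswordReplicationReport {
    # For each RODC: which principals may be cached, which are explicitly
    # denied, and whose secrets are actually stored on it right now. The last
    # list is what someone who walks off with the branch RODC's disk could
    # obtain, so no privileged account should ever appear in it.
    foreach ($rodc in (Get-ADDomainController -Filter * | Where-Object { $_.IsReadOnly })) {
        [PSCustomObject]@{
            RODC     = $rodc.HostName
            Site     = $rodc.Site
            Allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
                         Select-Object -ExpandProperty Name)
            Denied   = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
                         Select-Object -ExpandProperty Name)
            Revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
                         Select-Object -ExpandProperty SamAccountName)
        }
    }
}

$report = Test-RodcPrerequisites
$report | Format-List
if ($report.WritableDCs2008Plus.Count -eq 0) {
    Write-Warning 'No writable Windows Server 2008 (or later) domain controller found: an RODC would have nothing to forward to.'
}
Get-RodcPasswordReplicationReport | Format-List
```

Run it from a domain-joined machine with RSAT before promoting the first RODC, and again afterwards: the Revealed list is the set of credentials that would be exposed by physical compromise of the branch box, and it should contain only accounts from that branch, never members of Domain Admins or other groups in the Denied list.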