Last Updated on October 15, 2014 by Dishan M. Francis

In an enterprise network it is common to have a HQ (Head Quarters) and branch office layout. The branch offices need to connect to HQ resources for their day-to-day operations, and most of the time this is done over WAN links between the branch office and the HQ network. Let's assume we have a company called ABC with its HQ in Toronto, Canada. Due to expansion it needs to open a branch office in London, UK, so the setup is more complicated because it spans two different countries. The users in the London office still need to authenticate against the company domain and access its resources. Let's look at some of the difficulties and challenges that come with this kind of setup.

Lack of Resources

To connect HQ with the branch site a secure, reliable connection is required, and such connections typically come with a high cost. Even at that cost, the links usually run at speeds such as 128 kbps, 256 kbps or 512 kbps. If users in the branch site authenticate against the company AD, every authentication and every resource access goes over that WAN link, and as the number of users in the branch grows so does the link utilization just for AD traffic. Because the link runs between different geographical locations and different ISPs, many factors affect its reliability as well. What happens if the WAN link goes down on a critical business day and nobody in London can log on? The obvious answer is to deploy a domain controller in the branch site, but that opens up a whole different set of concerns.

Security Risks

Even though a branch office DC speeds up authentication and resource access, it opens up potential security risks to the network. Some companies have fully secured datacenter facilities in their branch sites as well, but the majority can't afford that investment. A regular (writable) DC holds a full copy of the domain database, including the password hashes of every user, computer and service account in the domain. What if the branch office DC gets compromised or stolen? Whoever has the disk can extract those secrets offline, which affects the entire company network, and an incident like that can cost the company millions of dollars.


Hosting a branch site DC also means maintenance from time to time: deploying a failover DC, upgrading hardware, site-link changes, user credential changes and so on. So the company may need to keep an IT department running in the branch office, which increases its operating cost. And because the branch DC is a writable part of the main domain environment, any change made on it, intentionally or by an attacker, replicates back and directly affects the entire domain.

So what is the answer?

With Windows Server 2008, Microsoft introduced the Read-Only Domain Controller (RODC) feature specifically to address the difficulties companies face in this kind of branch site scenario.


As its name says, an RODC holds a read-only copy of the domain database. Changes cannot be made on the RODC itself; any write request (a password change, for example) is referred to a writable DC at HQ, and replication is one-way only, from the writable DCs to the RODC, so a compromised RODC cannot push changes back into the domain. Authentication requests from branch users are handled locally by the RODC instead of going over the WAN link, provided the RODC has the user's credentials. By default an RODC stores no account passwords at all (other than its own computer account and a special krbtgt account dedicated to that RODC). The first logon of a user is forwarded to a writable DC, and if the Password Replication Policy permits it, the RODC then caches that user's credentials so later logons are served locally, even when the WAN link is down. This is called credential caching.

Password Replication Policy (PRP)

We control this credential caching in detail with the Password Replication Policy (PRP). It defines which users and groups are allowed (or denied) to have their credentials cached on that particular RODC. For example, assume we have another branch in India. The users in the India office will never log on from the London office, so why should we cache credential information for India office users on the London RODC? Limiting the PRP improves security as well: if one branch office RODC is compromised it only holds the secrets of the accounts that were cached on it, and the domain keeps a record of which accounts those were, so only those passwords need to be reset.

Windows Server 2012 (like Windows Server 2008 before it) creates two domain security groups for this purpose. According to Microsoft they work as follows:

Allowed RODC Password Replication Group: Members of this group are placed in the Allow list of the Password Replication Policies of all RODCs by default. This group has no members when Windows Server 2012 is first installed.

Denied RODC Password Replication Group: Members of this group are placed in the Deny list of the Password Replication Policies of all RODCs by default. The default Deny list of every RODC also contains Administrators, Server Operators, Backup Operators and Account Operators, alongside the Denied RODC Password Replication Group itself, so privileged accounts are never cached on an RODC unless someone explicitly changes the policy. When an account matches both lists, Deny always wins over Allow.
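The following PowerShell is an added example for this post, not part of the original article: it manages the PRP of one branch RODC with the ActiveDirectory module that ships with the RSAT tools. The names are assumptions: the London RODC is called LON-RODC01, London staff are in a group named "London Users", and "Finance Service Accounts" is a group we never want cached at a branch. The cmdlets and parameters used are the standard ones from the ActiveDirectory module.

```powershell
# Added example (not from the original post). Assumed names: RODC LON-RODC01,
# groups "London Users" and "Finance Service Accounts". Run from a management
# workstation with RSAT installed, as an account that can edit RODC policy.
Import-Module ActiveDirectory

$rodc = 'LON-RODC01'

# 1. Show what this RODC is currently allowed and denied to cache.
#    Out of the box the Allow list is only the (empty) Allowed group and the
#    Deny list is the admin groups plus the Denied group.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Allow only the London users' group on the London RODC. India office users
#    are simply never added here, so their secrets never land on this box.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'London Users'

# 3. Explicitly deny a group that must never be cached at a branch. Deny wins
#    over Allow, so this holds even if someone later adds a member of that
#    group to "London Users".
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Finance Service Accounts'

# 4. Incident check: which secrets does this RODC actually hold right now?
#    If the server is stolen, these are the accounts whose passwords must be
#    reset; nothing outside this list was exposed.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# 5. Which accounts have authenticated through this RODC? Useful for sizing the
#    Allow list: anyone here who is not covered by it is still going over the WAN.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Step 4 is the one to bookmark. Credential caching happens on first successful logon, not when the Allow list is edited, so the revealed list is the only accurate answer to "what did the attacker get" after a branch RODC goes missing; the same list is what the "Reset all passwords" option offers when you delete a stolen RODC's computer account from a writable DC.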

Local Administrators Group

Sometimes branch offices need some IT support for their users, either from local IT staff or from an outsourced IT company. In a typical DC environment a user who has to do maintenance on the DC needs domain admin rights or delegated permissions, because a DC has no local administrators of its own. With an RODC we can instead delegate a user or group as the local administrator of that RODC (Microsoft calls this Administrator Role Separation). That account gets full control over the RODC server itself, for tasks like installing drivers, patching or restarting it, without being granted any rights over the writable DCs or the rest of the domain. Keep in mind that a local administrator of the RODC can read the credentials cached on that box, so choose the delegated group with the PRP in mind.
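As an added example (not from the original post), here is how the delegation is done in PowerShell, both at promotion time and on an RODC that already exists. Names are assumptions: the RODC is LON-RODC01 in a site called London, the domain is abc.local, and the branch support staff are in a group named "London IT Support". The cmdlets are the standard ones from the ADDSDeployment and ActiveDirectory modules; the promotion command is shown commented out because it has to run on the server being promoted.

```powershell
# Added example (not from the original post). Assumed names: RODC LON-RODC01,
# site London, domain abc.local, delegated group "London IT Support".
Import-Module ActiveDirectory

$rodc  = 'LON-RODC01'
$group = 'London IT Support'

# Option A: delegate while promoting the server (run on the future RODC itself,
# ADDSDeployment module). The delegated group becomes the RODC's local admin and
# the Allow/Deny lists can be seeded in the same step.
# Install-ADDSDomainController -DomainName 'abc.local' -ReadOnlyReplica -SiteName 'London' `
#     -DelegatedAdministratorAccountName "ABC\$group" `
#     -AllowPasswordReplicationAccountName @('ABC\London Users') `
#     -Credential (Get-Credential 'ABC\Administrator')

# Option B: delegate, or change the delegation, on an RODC that already exists.
# The RODC reads the managedBy attribute of its own computer object and treats
# that principal as a member of its local Administrators group.
$groupDn = (Get-ADGroup -Identity $group).DistinguishedName
Set-ADComputer -Identity $rodc -ManagedBy $groupDn

# Verify the delegation landed.
Get-ADComputer -Identity $rodc -Properties ManagedBy |
    Select-Object Name, ManagedBy

# Sanity checks a practitioner should run before handing the group over:
# (a) the support group must not also be a domain admin, or the whole point
#     of role separation is lost;
$isDomainAdmin = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.DistinguishedName -eq $groupDn }
if ($isDomainAdmin) { Write-Warning "$group is a Domain Admin; remove it before delegating an RODC." }

# (b) decide deliberately whether the support staff's own credentials may be
#     cached on the box they administer. Denying them keeps their hashes off
#     the RODC but makes their logons depend on the WAN link.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $group
```

Option B is also how to rotate the delegation when an outsourcing contract ends: point managedBy at a new group and the old one loses local admin on the RODC the next time the attribute replicates to it. Note that managedBy on a writable DC's computer object is purely informational; only an RODC enforces it.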

In the next post we will look at the configuration of an RODC.