Read-only Domain Controller:
An RODC, or Read-Only Domain Controller, can be defined as a
domain controller of the Active Directory Domain Services database
in a Windows Server 2008 or higher environment which has read-only
partitions, and its main aim is to increase security in branch
offices.
Some of its main purposes are the following:
- Read-only: An unauthorized person will not be able to manipulate
the Active Directory data. The sensitive data gets caught when it is
accessed by authorized persons. If somebody needs write permissions,
the RODC will send a response to redirect the application to the
writable domain controller.
- Administrative role separation: An administrator of an RODC
doesn't need to be a domain admin. It can be any user who is granted
administration permissions, and they can carry out maintenance work
like installing or upgrading applications. Even these administrators
will not have permissions to make changes in the RODC, which helps
to improve security to a great extent.
- Unidirectional replication: In some rare cases, even if someone
gets access to the RODC, the changes will not get reflected in the
DCs.
- Password protection: In the default settings, the RODC doesn't
store any passwords or user credentials, but it can cache passwords
for temporary use.
- Domain Name System (DNS) protection: A DNS server running on an
RODC will not support any dynamic changes, as they have to pass
through the DNS on the writable domain controllers, and only then
can the DNS server be updated.
We can summarize it as follows: the security of the DCs is enhanced
by the RODC, and it provides better and faster access to resources
with strong authentication techniques.
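As an added worked example (not part of the answer above, and not
Microsoft's own tooling beyond the standard ActiveDirectory module
cmdlets it calls), the following PowerShell script audits the three
points the answer makes about an RODC: the Password Replication Policy
that decides which secrets may be cached, the delegated (non-domain-admin)
administrator, and, most importantly for a practitioner, which accounts
actually have their secrets cached on the RODC today, since those are the
credentials an attacker who compromises the branch box can recover. The
RODC hostname BRANCH-RODC01 and the group name Tier0-Admins are
hypothetical; the script assumes the RSAT ActiveDirectory module and an
account with read access to the domain.

```powershell
# Added example (not from the original answer): audit an RODC's Password
# Replication Policy, cached secrets and delegated administrator.
# Assumptions (hypothetical): RODC hostname BRANCH-RODC01; the caller has
# read access to AD and the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$RodcName = 'BRANCH-RODC01'   # hypothetical RODC hostname

# 1. Confirm the target really is an RODC before auditing it.
$rodc = Get-ADDomainController -Identity $RodcName
if (-not $rodc.IsReadOnly) {
    throw "$RodcName is not a read-only domain controller"
}
"RODC: $($rodc.HostName)  Site: $($rodc.Site)  OS: $($rodc.OperatingSystem)"

# 2. Password Replication Policy: which principals MAY be cached (Allowed)
#    and which must NEVER be cached (Denied). Denied wins over Allowed.
'--- PRP Allowed list ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList |
    Select-Object Name, ObjectClass
'--- PRP Denied list ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList |
    Select-Object Name, ObjectClass

# 3. What is actually cached right now. "Revealed" accounts have their
#    secrets stored on the RODC (what a local compromise exposes);
#    "Authenticated" accounts merely authenticated through it.
'--- Accounts whose secrets are cached on the RODC ---'
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass
'--- Accounts that authenticated through the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# 4. Check: no member of a privileged group should ever be cached on a
#    branch-office RODC. Compare the revealed list against those groups.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$privileged = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty SamAccountName -Unique
$leaked = $revealed | Where-Object { $privileged -contains $_.SamAccountName }
if ($leaked) {
    Write-Warning ("Privileged accounts cached on {0}: {1}" -f
        $RodcName, ($leaked.SamAccountName -join ', '))
} else {
    "OK: no privileged account secrets are cached on $RodcName"
}

# 5. Administrative role separation: the delegated RODC administrator is
#    stored in the managedBy attribute of the RODC's computer object.
#    It should be a branch admin, not a member of Domain Admins.
$managedBy = (Get-ADComputer -Identity $RodcName -Properties ManagedBy).ManagedBy
"Delegated RODC administrator (managedBy): $managedBy"

# 6. Remediation (left commented out): explicitly deny caching for a
#    group of sensitive accounts. 'Tier0-Admins' is a hypothetical group.
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Tier0-Admins'
```

Run it from a management workstation joined to the domain. The check in
step 4 is the one worth scheduling: the PRP only states what may be
cached, while the revealed list shows what is cached, and a privileged
account that logged on at the branch once will stay cached until its
secret is purged from the RODC or its password is reset.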