Monday, January 23, 2017

Microsoft INF200.1x, Windows Server 2012 Fundamentals: Infrastructure - Physical Component - Domain Controller


What is Active Directory Domain Services (AD DS)?

Active Directory Domain Services (AD DS) is a scalable, secure, and manageable infrastructure for user and resource management. AD DS is a Windows Server role that's installed and hosted on a server known as a domain controller. AD DS uses Lightweight Directory Access Protocol (LDAP) to access, search, and change the directory service. LDAP is based on the X.500 standard and TCP/IP.
AD DS provides a centralized system for managing users, computers, and other resources on the network. AD DS features a centralized directory, single sign-on access, integrated security, scalability, and a common management interface.

What is a domain controller?

A domain controller hosts the AD DS role

A domain controller is a server that has the AD DS role installed and has been promoted to a domain controller. By default, it's configured to store a copy of the AD DS directory database. All domain controllers, except Read Only Domain Controllers (RODCs), store a read/write copy of the AD DS database.
Replication keeps the domain controllers in sync
Domain controllers use a multi-master replication process; for most operations, data can be changed on any domain controller, except on RODCs. The AD DS replication service then synchronizes the changes that are made to the AD DS database to other domain controllers in the domain.  
You should always have at least two domain controllers
As a best practice, an AD DS domain should have at least two domain controllers. This makes the AD DS database more available, and spreads the authentication load during peak sign-in times.

What is a Read Only Domain Controller (RODC)?

An RODC improves security
An RODC contains a read-only copy of the AD DS database. If an RODC is compromised, the potential loss of information is much less than with a full read/write domain controller. By default, an RODC does not cache any user passwords. This improves security.
When should you use an RODC?
There are several reasons to consider an RODC instead of a regular domain controller.
  • Security. A site where there isn't a physically secure facility to house the server, and there are few, if any, local IT staff to support and monitor the server.
  • Users and Services. You would like users to be provided services and authentication locally, rather than have to contact a domain controller in the data center.
  • Network Latency. Users typically connect to multiple services during a workday. So, service ticket activity happens regularly. Authentication and service ticket activity over a WAN link between a branch office and a hub site can result in slow or unreliable performance.

What is the most common scenario for an RODC?
The most common scenario for using an RODC is a branch office.
Data Center
  • Writable domain controller
  • Specifies the password replication policy
  • Contains all domain objects

Branch Office
  • Read-only domain controller
  • Caches passwords, if allowed
  • Has a subset of the object attributes
  • Authentication is through the data center
  • Has a local Administrator group
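As an added example that is not part of the course notes, the following PowerShell audit (assuming the RSAT ActiveDirectory module on a domain-joined administrative session) lists each RODC's Password Replication Policy and the accounts whose passwords it actually caches, and flags any privileged account among them. The privileged group names are an assumption chosen for illustration.

```powershell
# Added audit example (not from the course): for every RODC in the domain, show
# the Password Replication Policy (who may be cached) and the accounts whose
# secrets are currently stored on the RODC, then flag privileged accounts.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

# Groups whose members should never have credentials cached on an RODC
# (assumed list; the built-in Denied RODC Password Replication Group covers
# the default protected groups).
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privilegedMembers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
$privilegedMembers = $privilegedMembers | Sort-Object -Unique

# Every read-only domain controller in the current domain
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
if (-not $rodcs) { Write-Host 'No RODCs found in this domain.'; return }

foreach ($rodc in $rodcs) {
    Write-Host "=== RODC: $($rodc.HostName) (site: $($rodc.Site)) ==="

    # The PRP as set on the writable DCs in the data center: allowed and denied lists
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Host "Allowed list: $(($allowed | ForEach-Object Name) -join ', ')"
    Write-Host "Denied list : $(($denied  | ForEach-Object Name) -join ', ')"

    # Accounts whose passwords the RODC has actually cached ("revealed")
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Host "Cached (revealed) accounts: $(@($revealed).Count)"

    # A privileged account cached on an RODC is a finding: if the branch-office
    # server is compromised, that credential is exposed, which is exactly the
    # loss the RODC design is meant to limit.
    $findings = $revealed | Where-Object { $privilegedMembers -contains $_.DistinguishedName }
    foreach ($f in $findings) {
        Write-Warning "Privileged account cached on $($rodc.HostName): $($f.SamAccountName)"
    }
}
```

Run it from a writable domain controller or an administrative workstation; the revealed-accounts list is the concrete answer to "caches passwords, if allowed" for each branch RODC.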
