Read-Only Domain Controller (RODC) Configuration


  • Delegate local administration of the RODC (Administrator Role Separation) to a dedicated account or group. The delegate should not be a domain administrator: the point of an RODC is that a compromised branch administrator does not gain domain-wide privilege.
  • Manage the two Password Replication Policy (PRP) security groups:
      • Denied RODC Password Replication Group
          • The RODC is not allowed to cache the credentials of members of this group. By default it contains the domain's privileged groups (Domain Admins, Enterprise Admins, Schema Admins and the like) and the krbtgt account.
      • Allowed RODC Password Replication Group
          • The RODC caches credentials only for accounts that are members of this group (or are otherwise on its allow list). The group is empty by default, so nothing is cached until you add the branch accounts.
      • If an account is in both the allowed and the denied group, the deny entry wins and the credentials are not cached.
  • An RODC cannot hold any operations master (FSMO) role and cannot act as a bridgehead server, because it only replicates inbound and never replicates changes out.
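The checklist above, carried out and verified in PowerShell, as an added example that is not part of the original page. It assumes an RODC named RODC01, a group Branch-RODC-Admins for delegated local administration, a group Branch-Users whose passwords may be cached, the RSAT ActiveDirectory module, and a session run as a domain admin against a writable DC; all names are placeholders. The Test-RodcCacheable helper is written here to show the deny-wins rule; it is not an AD cmdlet.

```powershell
# Added example (not from the original page). Placeholders: RODC01, Branch-RODC-Admins,
# Branch-Users. Requires the RSAT ActiveDirectory module and domain-admin rights.
Import-Module ActiveDirectory

$Rodc       = 'RODC01'
$LocalAdmin = 'Branch-RODC-Admins'
$Cacheable  = 'Branch-Users'

# --- 1. Delegate local administration without handing out domain-level rights ---
# Refuse the delegation if anyone in the branch admin group is also a Domain Admin.
$branchSids = Get-ADGroupMember $LocalAdmin -Recursive | ForEach-Object { $_.SID.Value }
$daSids     = Get-ADGroupMember 'Domain Admins' -Recursive | ForEach-Object { $_.SID.Value }
$overlap    = $branchSids | Where-Object { $daSids -contains $_ }
if ($overlap) {
    throw "$LocalAdmin contains Domain Admins ($($overlap -join ', ')); use a non-privileged group"
}
# managedBy on the RODC computer object is what grants local admin (Administrator Role Separation).
Set-ADComputer -Identity $Rodc -ManagedBy (Get-ADGroup $LocalAdmin).DistinguishedName

# --- 2. Password Replication Policy: allow the branch users, leave the default deny list intact ---
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Cacheable

function Test-RodcCacheable {
    # Resolves the PRP the way the RODC does: any match on the deny list wins,
    # then the allow list; an account on neither list is never cached.
    param([string]$Rodc, [string]$SamAccountName)

    $user = Get-ADUser $SamAccountName

    function MatchesEntry($entry) {
        # List entries can be users or groups; expand groups transitively.
        if ($entry.objectClass -eq 'group') {
            return [bool](Get-ADGroupMember $entry.DistinguishedName -Recursive |
                          Where-Object { $_.SID -eq $user.SID })
        }
        return $entry.SID -eq $user.SID
    }

    foreach ($e in Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied) {
        if (MatchesEntry $e) { return "Denied: $SamAccountName matches '$($e.Name)' on the deny list" }
    }
    foreach ($e in Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed) {
        if (MatchesEntry $e) { return "Allowed: $SamAccountName matches '$($e.Name)' on the allow list" }
    }
    return "Not cached: $SamAccountName is on neither list (implicit deny)"
}

# A Branch-Users member resolves to Allowed; a Domain Admin resolves to Denied even if
# someone also added them to Branch-Users, because the deny list is evaluated first.
Test-RodcCacheable -Rodc $Rodc -SamAccountName 'jdoe'
Test-RodcCacheable -Rodc $Rodc -SamAccountName 'da-jdoe'

# --- 3. Audit: which credentials are actually cached, and that no FSMO role sits on an RODC ---
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, IsReadOnly, OperationMasterRoles   # OperationMasterRoles must be empty
```

The same lists are visible from the command line with `repadmin /prp view RODC01 allow`, `deny` and `reveal`. The revealed-accounts list is the one to review if the RODC is lost or stolen: only those accounts need a password reset, which is the whole reason for keeping the allow list narrow.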