- RODCs are used in non-secure areas (where the physical server can be compromised).
- You can establish which credentials can be cached on an RODC (computer and user objects) through its Password Replication Policy.
- When a user or computer authenticates against an RODC, the RODC forwards the authentication to a writable DC. If the object is allowed to be cached, the RODC will cache the credentials for future authentications.
- Should the RODC server be physically compromised, you reset the passwords of all objects that were allowed to be cached, limiting the attack footprint and the impact on your organization.
- Do not allow administrator accounts to be cached.
- An RODC should be placed near a writable DC (near meaning the lowest-cost site).
- An RODC should not be considered a resilient fallback for a writable DC.
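The following PowerShell is an added example (not code from the original page) showing how the points above are applied in practice with the ActiveDirectory module: scoping the Password Replication Policy to branch users and workstations, explicitly denying administrator accounts, checking the resultant policy for one account, reviewing which accounts actually have passwords revealed on the RODC, and resetting those accounts after a physical compromise. The RODC name `RODC01`, the group names `Branch Users` and `Branch Workstations`, and the user `jdoe` are placeholders.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module is
# available and that RODC01, 'Branch Users', 'Branch Workstations' and 'jdoe' exist
# (all placeholders).
Import-Module ActiveDirectory

$Rodc = 'RODC01'   # placeholder RODC name

# 1. Allow only the branch's users and workstations to have credentials cached on this RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch Users', 'Branch Workstations'

# 2. Explicitly deny administrator accounts. The built-in 'Denied RODC Password
#    Replication Group' already covers these by default; listing them directly guards
#    against someone editing that group later.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -DeniedList 'Domain Admins', 'Enterprise Admins', 'Administrators'

# 3. Check the resultant policy for a specific account before relying on it
#    (Allow / Deny / Unknown for the named RODC).
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'jdoe' -DomainController $Rodc

# 4. Periodic review: which accounts currently have a password revealed (cached) on the RODC?
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# 5. Incident response after a physical compromise of the RODC: reset every revealed
#    user account and report revealed computer accounts so their machine passwords can
#    be reset from the member itself (Reset-ComputerMachinePassword -Server <writable DC>).
function Reset-RevealedAccountPasswords {
    param([Parameter(Mandatory)][string]$RodcName)

    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts

    foreach ($acct in $revealed) {
        if ($acct.ObjectClass -eq 'user') {
            # Build a random 24-character password from printable ASCII, then force a
            # change at next logon so the user picks their own.
            $plain  = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
            $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $secure
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
            Write-Output "Reset password for user $($acct.Name)"
        }
        elseif ($acct.ObjectClass -eq 'computer') {
            Write-Warning "Computer $($acct.Name) had its secret revealed on $RodcName; reset its machine account password from the host."
        }
    }
}

# Example invocation during incident handling:
# Reset-RevealedAccountPasswords -RodcName $Rodc
```

Run the policy and review steps on a writable DC or an administrative workstation with RSAT, not on the RODC itself. The review in step 4 is worth scheduling: it is the authoritative list of what an attacker with physical access to the RODC could recover, and therefore exactly the set of accounts that step 5 must reset.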