Monday, November 22, 2010

Can a RODC be a GC?

Answer: Yes

One gotcha: before an RODC will advertise as a GC, adprep /domainprep needs to be run in each domain, regardless of whether there are Win2k8 DCs in that domain:

If the RODC will be a global catalog server, you must also run adprep /domainprep in all domains in the forest, regardless of whether the domain runs a Windows Server 2008 domain controller. When you run adprep /domainprep in all domains, the RODC can replicate global catalog data from all domains in the forest and then advertise as a global catalog server.
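A read-only check for this gotcha, as an added example that is not from the original post: it reads the domainprep revision in every domain of the forest and compares each RODC's global catalog setting with what the RODC actually advertises. It assumes the ActiveDirectory PowerShell module is available; the function name Test-RodcGcReadiness is hypothetical, and the revision threshold of 3 for Windows Server 2008 domainprep is an assumption to confirm against the adprep version you ran.

```powershell
# Added example: per-domain domainprep check plus RODC global catalog status.
# Needs the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

# Assumption: Windows Server 2008 'adprep /domainprep' stamps revision 3 on the
# ActiveDirectoryUpdate object. Adjust for the adprep version you ran.
$MinDomainPrepRevision = 3

function Test-RodcGcReadiness {
    param([int]$MinRevision = $MinDomainPrepRevision)

    foreach ($domainName in (Get-ADForest).Domains) {
        $domain   = Get-ADDomain -Server $domainName
        $updateDn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($domain.DistinguishedName)"

        # A missing object means this level of domainprep has not run here.
        $revision = $null
        try {
            $obj = Get-ADObject -Identity $updateDn -Server $domainName `
                                -Properties revision -ErrorAction Stop
            $revision = $obj.revision
        } catch {
            Write-Warning "${domainName}: cannot read $updateDn ($($_.Exception.Message))"
        }
        [pscustomobject]@{
            Domain = $domainName; Check = 'domainprep'; Target = $domainName
            Detail = "revision=$revision"
            Ok     = ($null -ne $revision -and $revision -ge $MinRevision)
        }

        # For each RODC: the configured GC flag vs. what its rootDSE advertises.
        foreach ($dc in (Get-ADDomainController -Filter { IsReadOnly -eq $true } -Server $domainName)) {
            $advertising = $false
            try {
                $rootDse = Get-ADRootDSE -Server $dc.HostName -ErrorAction Stop
                $advertising = ("$($rootDse.isGlobalCatalogReady)" -eq 'TRUE')
            } catch {
                Write-Warning "$($dc.HostName): rootDSE not reachable ($($_.Exception.Message))"
            }
            [pscustomobject]@{
                Domain = $domainName; Check = 'rodc-gc'; Target = $dc.HostName
                Detail = "gcFlag=$($dc.IsGlobalCatalog) advertising=$advertising"
                Ok     = ([bool]$dc.IsGlobalCatalog -eq $advertising)
            }
        }
    }
}

Test-RodcGcReadiness | Format-Table -AutoSize
```

A `rodc-gc` row with `gcFlag=True advertising=False` alongside a failing `domainprep` row in another domain is the situation the quoted guidance describes.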

If you haven't looked at RODCs for your branch office deployments for the future, now is a good time to do so. I think one of the best things coming for Win2k8 is the ability to run RODCs on Server Core, reducing the attack surface and patching requirements and only caching the passwords for the users needed in the branch site instead of all passwords for the domain.
