RODC password replication
Read-Only Domain Controllers (RODCs) in Windows Server 2008 are designed primarily for use in branch offices: satellite locations with no on-site IT staff and slower links back to HQ.
I have blogged previously about installing an RODC, which is a nice straightforward dcpromo with an added tick box at the end. The purpose of an RODC is to provide local authentication and, if required, a local DNS server and global catalogue. One thing that is not stored within an RODC is the passwords for user accounts, which results in WAN traffic back to a writable domain controller whenever an authentication attempt is made.
However, there are two ways in which local users' passwords can be stored in the RODC's database.
One way is to add the branch office users to the “Allowed RODC Password Replication Group” on a writable domain controller.
The other is to assign objects on the “Password Replication Policy” tab of the RODC's computer account in Active Directory.
By object I mean either a group or individual user accounts (although creating a group for this purpose and assigning that is clearly easier).
It is quicker and easier to add the user accounts to the Allowed RODC Password Replication Group in AD, but this presents a possible minor issue: putting users into this group replicates their password data to every RODC in the domain. That is not a problem if you only have one branch office, but what if you have more than one, say 20 or more all over the world, each with a decent number of staff? The WAN traffic in each branch office could quickly balloon as every RODC receives the completely unnecessary password data for the other 19 branch offices in the organisation.
Of course, even a modest residential ADSL line probably won't come crashing down around your ears, but every meg counts.
So if you have more than one branch office, or business expansion seems to be on the cards, it is worth taking a few extra minutes to set up new groups and assign them specifically to the individual RODC computer accounts.
On the RODC computer account's “PRP” tab you can also add other groups and accounts to the policy and specify whether each group/user is allowed or denied password replication. As always, if a user is a member of several groups, a Deny always overrides an Allow.
Also, don't forget that computer accounts also log on to the domain, so adding computers to the policy is a good idea as well: a prolonged WAN outage may well cause issues for the computers if their passwords are not cached too.
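The per-branch approach described above (one group per RODC, users and computers included, then a check of what the RODC is actually caching), as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later); the RODC name, OU path and group name are placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$Rodc      = 'RODC-BRANCH01'                    # placeholder: RODC computer account
$BranchOu  = 'OU=Branch01,DC=corp,DC=example'   # placeholder: OU holding branch users/PCs
$GroupName = 'PRP-Allow-Branch01'               # per-branch group, not the domain-wide one

# 1. One security group per branch, so only this RODC ends up caching these secrets.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $BranchOu

# 2. Put the branch users AND computers in (computers log on too, so cache them as well).
$members = @(Get-ADUser -SearchBase $BranchOu -Filter *) +
           @(Get-ADComputer -SearchBase $BranchOu -Filter *)
Add-ADGroupMember -Identity $GroupName -Members $members

# 3. Attach the group to this RODC's Password Replication Policy only (Allowed list).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $GroupName

# 4. Review the effective policy. Deny beats Allow, so anything in both lists is denied.
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
$allowed | Where-Object { $denied.DistinguishedName -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "$($_.Name) is Allowed but also Denied: effectively denied" }

# 5. Make sure none of the branch users slipped into the domain-wide group, which would
#    replicate their password data to every RODC in the domain.
$global = @(Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Recursive)
$members | Where-Object { $global.DistinguishedName -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "$($_.Name) is in the domain-wide Allowed group" }

# 6. Compare who has authenticated through the RODC with whose secrets it has revealed.
#    Accounts in the first list but not the second are still authenticating over the WAN.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$authd    = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
$authd | Where-Object { $revealed.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object Name, ObjectClass, DistinguishedName
```

On a plain Windows Server 2008 domain controller without this module, the same add/view operations are available through `repadmin /prp`.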