Getting ready

Read-only domain controllers have requirements that we need to adhere to before we can deploy and use them:

  • At least one writable domain controller running Windows Server 2008 (or a newer version of Windows Server) in each domain where you intend to implement read-only domain controllers
  • The Windows Server 2003 FFL, or a higher FFL, so that linked-value replication is available
  • The Windows Server 2003 DFL, or a higher DFL, for the Active Directory domain(s) in which you intend to implement read-only domain controllers, so that Kerberos constrained delegation is available
  • ADPrep /rodcprep needs to have run at least once in the forest. It updates the permissions on the DNS application partitions so that read-only domain controllers can replicate them, and it must be able to reach the infrastructure master of every domain and application partition it updates. This step may be skipped when the forest was created with Windows Server 2008 (or newer) domain controllers and has never contained pre-Windows Server 2008 domain controllers
  • When implementing read-only domain controllers for branch offices, create the corresponding Active Directory sites, subnets, and site links first, so that the read-only domain controller is placed in its own site and replicates from the intended hub site
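The following script is an added example, not code from the book: it checks the prerequisites in the list above from an administrative session in the target forest, using the ActiveDirectory module (RSAT-AD-PowerShell). The site name is a placeholder, and the marker object used to detect a completed ADPrep /rodcprep is assumed from Microsoft's adprep verification guidance; confirm it against the adprep documentation for your schema version.

```powershell
# Added example, not from the book: checks the RODC prerequisites listed above
# before you stage an RODC. Requires the ActiveDirectory module (RSAT-AD-PowerShell)
# and a session in the target forest. Site and domain names are placeholders.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    [CmdletBinding()]
    param(
        # Branch-office site that the RODC will be placed in (must exist already).
        [Parameter(Mandatory)][string]$SiteName,
        # Domain that will host the RODC; defaults to the current user's domain.
        [string]$DomainName = (Get-ADDomain).DNSRoot
    )

    $forest   = Get-ADForest
    $domain   = Get-ADDomain -Identity $DomainName
    $rootDC   = $forest.RootDomain
    $configNC = (Get-ADRootDSE -Server $rootDC).configurationNamingContext
    $checks   = [ordered]@{}

    # Functional levels. ADForestMode/ADDomainMode are enums whose numeric values
    # increase with each release, so an integer comparison expresses "2003 or higher".
    $checks['Forest functional level is Windows Server 2003 or higher'] =
        [int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $checks['Domain functional level is Windows Server 2003 or higher'] =
        [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain

    # At least one writable DC in the domain on Windows Server 2008 (NT 6.0) or newer.
    # OperatingSystemVersion looks like "10.0 (17763)"; only the major version matters.
    $writable = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $DomainName
    $checks['Writable DC running Windows Server 2008 or newer'] = [bool]($writable | Where-Object {
        $_.OperatingSystemVersion -match '^(\d+)\.' -and [int]$Matches[1] -ge 6
    })

    # adprep /rodcprep records completion in a marker object in the Configuration
    # partition (assumption: path as documented for adprep verification; revision is 2
    # when complete). AD cmdlets throw a terminating error for a missing identity,
    # so a try/catch is needed rather than -ErrorAction.
    try {
        $marker = Get-ADObject -Identity "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC" `
                               -Properties revision -Server $rootDC
    } catch { $marker = $null }
    $checks['adprep /rodcprep completed'] = ($null -ne $marker -and [int]$marker.revision -ge 2)

    # The branch site must exist and sit in at least one site link, otherwise the
    # RODC has no replication path to a hub site.
    $site = Get-ADReplicationSite -Filter "Name -eq '$SiteName'" -Server $rootDC
    $checks["Site '$SiteName' exists"] = ($null -ne $site)
    $linked = $false
    if ($site) {
        $linked = [bool](Get-ADReplicationSiteLink -Filter * -Server $rootDC |
                         Where-Object { $_.SitesIncluded -contains $site.DistinguishedName })
    }
    $checks["Site '$SiteName' is included in a site link"] = $linked

    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Passed = $c.Value }
    }
}

# Usage: every row must show Passed = True before you promote the RODC.
Test-RodcPrerequisites -SiteName 'Branch-Amsterdam' | Format-Table -AutoSize
```

The functional-level checks compare enum values rather than strings, so they keep working on forests that are already at a newer level than the minimum; the writable-DC check deliberately ignores RODCs, since an RODC cannot be the replication source for another RODC.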

As read-only domain controllers allow for scoped replication of account secrets, it is a recommended practice, as part of getting ready, to determine the user accounts and computer accounts that are strictly needed in the branch office location. The read-only domain controller can cache the password hashes of these accounts, which speeds up authentication in the branch office and keeps it working when the WAN link to the hub site is down. The Allowed RODC Password Replication Group is the built-in group to add (groups of) user accounts and computer accounts to for this functionality; it is on the Allowed list of every read-only domain controller's Password Replication Policy (PRP) by default and is empty until you populate it.

If you want strict group memberships for this functionality per read-only domain controller, create the groups you need before you promote the Windows Server installation to the read-only domain controller they apply to, because the Allowed and Denied lists are set at promotion time (or when the read-only domain controller account is pre-created).

Another way to think about security before promoting the first read-only domain controller is to determine the privileged accounts and other sensitive accounts whose passwords you never want cached on the read-only domain controller you intend to create. These (groups of) accounts go on the Denied list of the PRP. The built-in Denied RODC Password Replication Group already contains the domain's privileged groups, and a Denied entry always takes precedence over an Allowed entry, so a privileged account that is also a member of a branch-office group is still never cached.
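The following script is an added example, not code from the book: it carries out the three preparation steps above for one branch RODC, creating a per-site allow group, adding your own sensitive principals to the built-in deny group, and pre-creating the RODC account with that Password Replication Policy. It uses the ActiveDirectory and ADDSDeployment modules; the domain, OUs, site, group, server and account names are placeholders for illustration.

```powershell
# Added example, not from the book: stage the Password Replication Policy for one
# branch RODC before it is promoted. Requires the ActiveDirectory and ADDSDeployment
# modules. Domain, OU, site, group, server and account names are placeholders.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$DomainName = 'corp.example.com'
$Site       = 'Branch-Amsterdam'
$RodcName   = 'AMS-RODC01'
$AllowGroup = "RODC-Allowed-$Site"                       # per-RODC allow group, created before promotion
$DenyGroup  = 'Denied RODC Password Replication Group'   # built-in; already holds the privileged groups

# 1. Per-site allow group holding only the accounts that genuinely work in the branch.
#    Computer accounts belong in it too: a workstation whose secret is not cached still
#    has to reach a writable DC over the WAN to authenticate itself.
if (-not (Get-ADGroup -Filter "Name -eq '$AllowGroup'")) {
    New-ADGroup -Name $AllowGroup -GroupScope Global -GroupCategory Security `
        -Path 'OU=Branch Groups,DC=corp,DC=example,DC=com' `
        -Description "Accounts whose secrets may be cached on $RodcName"
}
$branchUsers     = Get-ADUser     -Filter "Office -eq '$Site'"  -SearchBase 'OU=Users,DC=corp,DC=example,DC=com'
$branchComputers = Get-ADComputer -Filter "Name -like 'AMS-*'" -SearchBase 'OU=Workstations,DC=corp,DC=example,DC=com'
$members = @($branchUsers) + @($branchComputers)
if ($members.Count -gt 0) { Add-ADGroupMember -Identity $AllowGroup -Members $members }

# 2. Your own privileged or sensitive principals (hypothetical names) go into the
#    built-in deny group. Deny wins over allow, so a Tier 0 admin who also ends up in
#    the branch group is still never cached on the RODC.
$extraDenied = @('Tier0-Admins', 'svc-backup')
Add-ADGroupMember -Identity $DenyGroup -Members $extraDenied

# 3. Pre-create the RODC account with the PRP baked in. The allow list is replaced by
#    the per-site group, so the generic Allowed RODC Password Replication Group is not
#    used for this RODC. Passing a deny list replaces the cmdlet's default list, so the
#    default deny entries are restated here explicitly.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $RodcName `
    -DomainName $DomainName `
    -SiteName $Site `
    -AllowPasswordReplicationAccountName @($AllowGroup) `
    -DenyPasswordReplicationAccountName @(
        'BUILTIN\Administrators', 'BUILTIN\Server Operators',
        'BUILTIN\Backup Operators', 'BUILTIN\Account Operators',
        $DenyGroup) `
    -DelegatedAdministratorAccountName 'AMS-RODC-Admins'   # local RODC admins, not Domain Admins

# 4. Verify what was written. The staged computer object carries the PRP in the
#    msDS-RevealOnDemandGroup (allow) and msDS-NeverRevealGroup (deny) attributes.
$staged = Get-ADComputer -Identity $RodcName -Properties 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'
'Allowed:'; $staged.'msDS-RevealOnDemandGroup'
'Denied:';  $staged.'msDS-NeverRevealGroup'
```

Once the server in the branch has been promoted into this staged account, `Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed` and `-Denied` show the same lists, and `Get-ADDomainControllerPasswordReplicationPolicyUsage` shows which accounts have actually been cached, which is the list you review when deciding whether a lost or compromised RODC warrants password resets.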