Creating users on an RODC

active-directory windows-server-2008-r2

I currently have a lab running that contains a RWDC, a RODC and a Client PC. Both Domain Controllers are running W2K8 R2.

The RODC currently functions as a LAN Router, VPN Server, IIS Server and Certificate Authority. The RWDC is only running ADDS. The problem I am having is that although the second Domain Controller is a RODC I can still create user accounts via 'Active Directory Users and Computers' on the RODC.

The account I am using to create these users is the domain admin account. I read online that the fact that I can still create AD objects is related to the DNS referral system. Not sure on what that does or means though.

Can anyone shed some light on the situation?

Best Answer

You can open AD Users and Computers on a RODC, and it still will be pointed to a writable domain controller... and you can create user accounts remotely.

Look at the top of the left pane in ADUC, and it should tell you what DC you are currently targeting with the ADUC console.

If you are still convinced that you're creating accounts on the RODC, then you didn't create an RODC. You truly can't create user accounts on an RODC.

The two main security benefits of an RODC:

  1. The fine-grained password replication policy. Not all users of the domain should have their passwords stored on an RODC. The idea being that if someone compromised or even physically lifted the RODC out of the office, they will not have access to all your domain's passwords. Only a subset that you control.

  2. You can make a local administrator of an RODC without also making them a domain admin. Whereas with a regular writable DC, administrators of the DC have to be Domain Admins. This is handy when you want to delegate administrative tasks of the machine such as backups, patching, etc., to a technician in a remote branch office that you don't necessarily want to be a domain admin.
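The checks the answer describes, as an added example that is not part of the original post: confirm which DC is writable, confirm the RODC itself rejects a direct write, and inspect the two security controls listed above. It assumes the ActiveDirectory RSAT module is installed and uses placeholder names (`RODC01`, `BranchTechs`) that you would replace with your own.

```powershell
# Added example, not from the original post. Placeholders: RODC01 is the RODC's
# hostname, BranchTechs is a group of branch technicians. Run as a domain admin
# from the RWDC or the client PC with RSAT installed.
Import-Module ActiveDirectory
$Rodc = 'RODC01'

# 1. Which DCs are read-only? ADUC opened on the RODC still targets a DC with
#    IsReadOnly = False; the console header shows which one. LOGONSERVER shows
#    the DC that authenticated this session, which is often the one ADUC binds to.
Get-ADDomainController -Filter * |
    Select-Object Name, IsReadOnly, IsGlobalCatalog, OperatingSystem
"Logon server for this session: $env:LOGONSERVER"
"A writable DC for this site: $((Get-ADDomainController -Discover -Writable).HostName)"

# 2. Prove the RODC does not accept writes. An RODC answers an LDAP write with a
#    referral to a writable DC; the AD module does not follow it and reports an error.
#    If this succeeds, the DC named in $Rodc is not actually an RODC.
try {
    New-ADUser -Name 'rodc-write-test' -Server $Rodc -ErrorAction Stop
    Write-Warning "Write succeeded: $Rodc is not an RODC. Clean up rodc-write-test."
} catch {
    "Direct write to $Rodc rejected: $($_.Exception.Message)"
}

# 3. Password Replication Policy (security benefit 1): which principals may have
#    their secrets cached on the RODC, which never may, and what is cached right now.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, SamAccountName

# 4. Delegated RODC administration (security benefit 2): the ManagedBy attribute on
#    the RODC computer object grants local administrator rights on that RODC only,
#    without adding the group to Domain Admins.
Set-ADComputer -Identity $Rodc -ManagedBy (Get-ADGroup 'BranchTechs')
(Get-ADComputer -Identity $Rodc -Properties ManagedBy).ManagedBy
```

Step 2 is a lab check; if the write unexpectedly succeeds, delete the `rodc-write-test` account on the writable DC.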
