What’s a read-only domain controller actually useful for?

active-directory, domain-controller, windows-server-2008

Windows Server 2008 introduced read-only domain controllers, which receive a full replica of the domain database but can't modify it, just like a good old Windows NT BDC.

I know all the technical ins and outs of how to run those semi-DCs (I just passed 70-646 and 70-647), but still I don't have a clear answer to the most important question of all: why should you use them?


This comment from TheCleaner really sums it up for me:

@Massimo – yes, you are correct. You are looking for a compelling reason for an RODC
and there isn't one. It has a few additional security features to help alleviate
branch office security and really only needs to be deployed there if you don't have
a DC there already and are anal about its security.

That was what I was thinking, too… a little increase in security, yes, sure, but definitely not so much as to be worth the hassle.

Best Answer

I'll give you a real-world scenario:

  • we have one in our branch office in China

We use it because there isn't an IT dept there; we handle all requests for AD accounts, etc. here in the USA. By having an RODC there we know:

  1. Nobody there can log onto it and try to "hack away" at AD.
  2. Nobody can steal it and get anything worthwhile to then come back with and "hack away" at the network later.

By having AD/DNS read-only we don't have to worry about attempts to manipulate the data on the DC there.

This is because of features found here: http://technet.microsoft.com/en-us/library/cc732801%28WS.10%29.aspx

It's more of "peace of mind" than anything else for us...plus it allowed for a very minimal server install since it was just Server Core with the RODC role installed. We put it on an older 1U server with 2 RAID-1 18GB drives. We actually put 2 of them in...same exact configuration using older non-warrantied hardware we had in the racks.

Simple, does what it needs to do, and we don't have to worry about it. If one of the boxes fails, we would simply replace it again.
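One way to verify the answer's second point, that a stolen RODC holds nothing worth having, is to audit each RODC's Password Replication Policy and the accounts whose secrets it has actually cached. This is an added example, not code from the answer above; it assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later, or RSAT), a domain-joined admin workstation, and the `$neverCache` group list is a constructed placeholder for your own tiering model.

```powershell
# Added example (not from the original post): audit every RODC in the domain
# for the credentials it would give up if the box were stolen.
# Assumes the ActiveDirectory module (Windows Server 2008 R2+ / RSAT) and
# rights to read the Password Replication Policy (PRP).
Import-Module ActiveDirectory

# Groups that should never have their secrets cached on a branch RODC.
# Constructed list for this example; adjust to your own tiering model.
$neverCache = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

function Get-RodcExposure {
    param([Parameter(Mandatory)][string]$RodcName)

    # Principals explicitly allowed / denied by this RODC's PRP
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied

    # Accounts whose secrets are physically stored on the RODC right now.
    # This is what someone with the disk in hand would actually obtain.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts

    # Flag high-privilege groups that are allowed and not also denied
    # (an explicit deny wins over an allow in the PRP).
    $riskyAllows = $allowed | Where-Object {
        ($neverCache -contains $_.Name) -and ($denied.Name -notcontains $_.Name)
    }

    [pscustomobject]@{
        RODC             = $RodcName
        AllowedCount     = @($allowed).Count
        DeniedCount      = @($denied).Count
        RevealedCount    = @($revealed).Count
        RevealedAccounts = @($revealed | Select-Object -ExpandProperty SamAccountName)
        RiskyAllowed     = @($riskyAllows | Select-Object -ExpandProperty Name)
    }
}

# Enumerate all RODCs and report. Any entry in RiskyAllowed, or an
# unexpected name in RevealedAccounts, is something to fix before the
# "nothing worthwhile to steal" assumption actually holds.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    ForEach-Object { Get-RodcExposure -RodcName $_.HostName } |
    Format-List
```

Run it periodically from a management host rather than on the RODC itself, so the check does not depend on the branch box being trustworthy.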