Promoting a server to a read-only domain controller

Read-only domain controllers were introduced with Windows Server 2008. They have been hugely popular for providing Active Directory Domain Services to branch offices and small perimeter networks.

Read-only domain controllers are the ideal type of domain controller for environments with the following characteristics:

  • Poor physical security
  • Relatively few user accounts and/or devices
  • Relatively poor bandwidth to central datacenters with domain controllers
  • Little local IT knowledge and/or experience

These characteristics are typically true for branch offices. Before read-only domain controllers, administrators had to make the hard choice between doing nothing, placing full (read-write) domain controllers in these locations, or upgrading the available bandwidth and/or resiliency of the network connections between the branch offices and the head office or central datacenter(s).

Some organizations have opted to deploy read-only domain controllers in perimeter networks. Microsoft supports only one read-only domain controller per Active Directory site, so a perimeter network deployment would not have much Active Directory resiliency. Many organizations have therefore opted for a separate Active Directory forest for these implementation scenarios.
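The following PowerShell session is an added example of the promotion this recipe is named for; it is not taken from the book. It promotes a domain-joined member server to a read-only domain controller in a branch-office site and, because the branch has poor physical security, restricts which account secrets the server may cache. The domain name, site name, and group names are placeholders, and the cmdlet parameters used are the standard ones from the ADDSDeployment module.

```powershell
# Added example (not from the book): promote a member server to an RODC.
# Run as a user allowed to add domain controllers, on the server being promoted.
# Domain, site and group names below are placeholders; replace them with your own.

# 1. Install the AD DS binaries only; this does not promote the server yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Promotion settings.
$domainName = 'corp.example.com'           # placeholder
$siteName   = 'BranchOffice-01'            # placeholder: an existing AD site for the branch
$delegated  = 'CORP\RODC-BranchAdmins'     # placeholder: local administrators of this RODC only,
                                           # so branch staff need no domain-wide rights
$allowGroup = 'CORP\RODC-Branch01-Users'   # placeholder: only these accounts may be cached here
$cred       = Get-Credential -Message 'Account permitted to add a domain controller'
$dsrmPass   = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$params = @{
    DomainName                          = $domainName
    SiteName                            = $siteName
    ReadOnlyReplica                     = $true       # makes this an RODC rather than a writable DC
    InstallDns                          = $true       # local DNS so the branch keeps resolving if the WAN drops
    DelegatedAdministratorAccountName   = $delegated
    AllowPasswordReplicationAccountName = @($allowGroup)
    # DenyPasswordReplicationAccountName is left unset on purpose: the default deny list
    # (Administrators, Server Operators, Backup Operators, Account Operators and the
    # Denied RODC Password Replication Group) then applies, so privileged secrets are never cached.
    Credential                          = $cred
    SafeModeAdministratorPassword       = $dsrmPass
}

# 3. Dry run: verify prerequisites (site exists, rights, DNS) without changing anything.
Test-ADDSDomainControllerInstallation @params

# 4. Promote. The server reboots when promotion completes.
Install-ADDSDomainController @params -Force

# 5. After the reboot, confirm the server came up as a read-only DC in the intended site.
#    Get-ADDomainController -Identity $env:COMPUTERNAME |
#        Select-Object Name, Site, IsReadOnly, IsGlobalCatalog
```

Leaving the deny list at its default is the safer choice for a site with poor physical security: an attacker who obtains the RODC's database then finds only the branch users listed in the allow group, never domain administrator secrets. The delegated administrator group lets local staff manage the server itself without being members of Domain Admins.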