8

My organization has deployed 2008 RODCs on multiple seagoing platforms. The idea was to extend our shore-based domain onto our ships to better control security policies. RODCs were selected with the assumption they would consume less bandwidth. There were also security concerns, but these were secondary.

Internet connectivity at sea is provided by a very expensive satellite link. Speeds range from slow to non-existent. Managing users, computers, group and permission changes and GPO updates is excruciatingly slow.

I am beginning to believe that we have developed tunnel vision in regard to RODCs and that having a writable domain controller might be a better alternative. I am thinking one RWDC and one RODC per ship for redundancy. It is a small user base, but it's critical to have redundancy.

There is a lot more to this, but I cannot sum it up with any brevity. I am curious if anyone has ever tested the difference in bandwidth consumption between an RODC and a RWDC? Would replacing one of the RODCs with a RWDC significantly increase bandwidth consumption? I would be redirecting the RODC to replicate from the RWDC. This would mean one domain controller connecting back to shore.

As things sit right now, it can take hours to do things that would normally take minutes. Having admins aboard the ships working on a RWDC would make life much better. The fear is that RWDC chatter would fill the pipe.

So, anyone ever test the difference?

Mathias R. Jessen

2 Answers

7

No, I've never tested the difference in bandwidth consumption between an RODC and an RWDC, but let me offer some observations nonetheless:

If security is the "least of concerns" in your considerations and network connectivity is paramount, RODCs might actually be a really bad choice.

Remember that, since it's read-only, any operation that requires updating data in the directory (including account lockouts, authentication failures etc.) will only succeed by re-targeting a writable domain controller and consuming bandwidth bi-directionally (originate write offsite + replicate on RODC).

You're probably better off with 2 RWDCs and a dedicated Site per vessel/platform.

Be sure to configure the Site Link between the off-shore Sites and the on-shore hub with the following characteristics:

  • Configure a replication schedule that only allows replication during times of the day/week/month where connection speed is assumed to be best (and dial-up prices low, if they fluctuate)
  • Configure a replication interval that's fairly high, to prevent the site bridgehead from polling every 15 minutes during its schedule
  • Enable Two-way sync (also known as "Reciprocal Replication") to reuse the same underlying connection bi-directionally
  • Change the Domain Controller used in GPMC to one in the local off-shore site, when you are working on-premises (otherwise it defaults to the PDC emulator, hopefully located at your hub site)
  • Leave intra-site replication settings as default (15-second delayed change notification), to avoid data loss in the event you lose one DC at an off-shore site
Mathias R. Jessen
  • I would count operations that use RSO (replicate single object), like DNS dynamic updates, password sync etc. So I think RODCs in general cause more traffic. – iPath Aug 04 '15 at 00:03
  • @iPath Definitely, the list in my answer is non-exhaustive. RSO or partition sync, doesn't really matter. Any write operation initiated by a client on the platform *will* incur a connection out and subsequently back for replication on the RODC – Mathias R. Jessen Aug 04 '15 at 10:05
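The five site-link settings listed in this answer can all be applied from PowerShell. The script below is an added example, not code from the answer's author; it assumes the RSAT ActiveDirectory and GroupPolicy modules, an existing hub site named `Shore-Hub`, a vessel site named `Vessel01`, and a vessel DC hostname `VESSEL01-DC1.corp.example` (all placeholders). The reciprocal-replication flag has no cmdlet parameter of its own, so it is set through the `options` attribute of the siteLink object, where bit 0x2 is two-way sync.

```powershell
# Added example: configure a low-bandwidth site link per the answer above.
# Site, link and DC names are placeholders; replace them with your own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$hubSite    = 'Shore-Hub'
$vesselSite = 'Vessel01'
$linkName   = "$hubSite-$vesselSite"
$vesselDc   = 'VESSEL01-DC1.corp.example'

# 1. Create the IP site link if it is missing. A high cost keeps the KCC from
#    routing other sites' replication over the satellite link; a 6-hour interval
#    stops the bridgehead polling every 15 minutes inside the schedule window.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $hubSite, $vesselSite `
        -InterSiteTransportProtocol IP `
        -Cost 400 `
        -ReplicationFrequencyInMinutes 360
}

# 2. Replication schedule: only allow replication 01:00-05:00 daily. The window
#    is a constructed example; use the hours when the satellite link is quietest.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()   # clear every slot, then open just the window below
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::One,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Five,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

# 3. Reciprocal replication ("Two-way sync") is bit 0x2 of the siteLink 'options'
#    attribute. Bit 0x1 (change notification across the link) is deliberately
#    left clear: it would push every change over the WAN immediately, defeating
#    the schedule. Intra-site notification inside the vessel site stays default.
$link        = Get-ADReplicationSiteLink -Identity $linkName -Properties options
$opts        = [int]($link.options)      # attribute is null until first set; [int]$null is 0
$TWOWAY_SYNC = 0x2
if (($opts -band $TWOWAY_SYNC) -eq 0) {
    Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = ($opts -bor $TWOWAY_SYNC) }
}

# 4. Verify the resulting link configuration.
Get-ADReplicationSiteLink -Identity $linkName -Properties options, ReplicationSchedule |
    Format-List Name, Cost, ReplicationFrequencyInMinutes, options

# 5. When working aboard, target the vessel DC explicitly (GPMC and the
#    GroupPolicy cmdlets otherwise default to the PDC emulator at the hub).
Get-GPO -All -Server $vesselDc | Select-Object DisplayName, ModificationTime
```

Run it once per vessel site from a workstation with RSAT, with an account that can modify the Sites container in the configuration partition. Step 5 only affects the session it runs in; in the GPMC GUI the equivalent is "Change Domain Controller" on the domain node, as the answer notes.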
2

RODCs are a TERRIBLE option for remote locations with a dodgy network.

Also, RODCs should NOT be deployed in a site that has an RWDC.

The only reason an RODC would consume less bandwidth is that no outbound changes are replicated (it has no outbound replication partners).

You can't edit/manage objects using an RODC with applications such as AD Users and Computers or Group Policy Management Console; they need to connect to a writable domain controller. Not surprisingly, this is slow for you because you need to connect to an RWDC over a slow WAN link.

Greg Askew
  • RODCs are a terrible option if you need to do administration (i.e. writable operations). RODCs are a good option in general. – iPath Aug 04 '15 at 00:02
  • RODCs are a good option IF you have the business case for them, and IF you have good network connectivity. If you don't have good network connectivity, there will be additional problems. One red flag way to tell if they have the business case is if they want to put an RWDC in the same site. If so, they NEVER had a legitimate business case for an RODC. I've seen organizations implement RODCs the wrong way so often it is tragic, including putting Authenticated Users or Domain Users in the Password Replication Policy or Allowed RODC Password Replication Group. – Greg Askew Aug 04 '15 at 00:18
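The last comment describes a common misconfiguration: broad principals such as Authenticated Users or Domain Users allowed in an RODC's Password Replication Policy, which lets the RODC cache nearly every credential in the domain. The following audit script is an added example, not part of the thread; it assumes the RSAT ActiveDirectory module and uses only the well-known built-in group names, and it flags any RODC (or the domain-wide Allowed RODC Password Replication Group) that contains one of them.

```powershell
# Added check: audit RODC Password Replication Policies for over-broad principals.
Import-Module ActiveDirectory

# Principals that should never be on an RODC allow list (built-in names).
$broadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

function Test-RodcPasswordReplicationPolicy {
    # Every read-only DC in the domain.
    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        # -Allowed returns the principals whose secrets this RODC may cache.
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.HostName -Allowed
        foreach ($p in $allowed) {
            [pscustomobject]@{
                RODC    = $rodc.HostName
                Allowed = $p.Name
                Risk    = if ($broadPrincipals -contains $p.Name) { 'BROAD' } else { 'ok' }
            }
        }
    }

    # The domain-wide group that every RODC allows by default: check its members too.
    foreach ($m in Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group') {
        [pscustomobject]@{
            RODC    = '(Allowed RODC Password Replication Group)'
            Allowed = $m.Name
            Risk    = if ($broadPrincipals -contains $m.Name) { 'BROAD' } else { 'ok' }
        }
    }
}

Test-RodcPasswordReplicationPolicy | Sort-Object Risk -Descending | Format-Table -AutoSize
```

Any row marked `BROAD` means the RODC is effectively caching the whole domain's password hashes; the fix is to remove the broad principal and allow only a site-specific group of users and computers that actually authenticate aboard that vessel.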