Hi everyone,
I'm new to RODCs and have been looking into them as an ideal replacement for the current read/write Windows 2003 domain controllers at our branch sites. Ideally I'd like to replace all branch DCs with RODCs, leveraging a central core of read/write domain controllers at our hub site.
I can see one issue with replication. At our branch sites we typically use a 3 hour replication interval to reduce replication traffic over the network. Our central helpdesks currently work around this by creating new accounts and resetting passwords on the DC at the branch. In addition, domain joins of new computers are done using the local read/write DC at the branch.
Now my thinking is that switching the branches to RODCs will cause problems in this situation as changes cannot be written to them. I understand though that they will forward write operations to read/write DCs in the hub. My question - are such "referred" changes immediately available to the branch via the RODC?
A scenario:
- A branch worker locks their password
- The central helpdesk attempts to reset the password using the RODC
- The RODC forwards the request to a read/write DC in the hub site
Another scenario
- A computer is "flattened" and the O/S reloaded at a branch site with an RODC
- The scripted provisioning process attempts to delete/add the computer account using the RODC
- The RODC forwards the request to a read/write DC in the hub site
My question: Would the password reset / updated computer account be immediately available on the branch RODC (as would be the case with a targeted local read/write DC) or will the branch have to wait up to 3 hours for scheduled replication from the hub?
Clarification on this point would be most greatly appreciated.
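One way to find out empirically, for a given account, whether a write that was referred through the RODC is already visible at the branch or is still waiting on the scheduled cycle: compare the account's password metadata as read from a hub read/write DC and from the branch RODC. This is an added example, not part of the original post; the server names and the account name are placeholders, and it assumes the RSAT ActiveDirectory module (and `repadmin`) are installed on the machine you run it from.

```powershell
# Added example (not from the original post): compare one account's password
# metadata on a hub read/write DC and on a branch RODC to see whether a reset
# that was referred through the RODC is visible at the branch yet.
# Server and account names below are placeholders; substitute your own.
Import-Module ActiveDirectory

$account = 'jsmith'                       # sAMAccountName to check (placeholder)
$hubDc   = 'HUB-DC01.corp.example'        # read/write DC at the hub (placeholder)
$rodc    = 'BRANCH-RODC01.corp.example'   # RODC at the branch (placeholder)

function Get-PwdState {
    param([string]$Server, [string]$Identity)
    # Read the attributes directly from the named DC, not from whichever DC
    # the site locator would otherwise pick for us.
    $u = Get-ADUser -Server $Server -Identity $Identity `
         -Properties pwdLastSet, uSNChanged, whenChanged
    [pscustomobject]@{
        Server            = $Server
        DistinguishedName = $u.DistinguishedName
        PwdLastSet        = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        UsnChanged        = $u.uSNChanged
        WhenChanged       = $u.whenChanged
    }
}

$hub = Get-PwdState -Server $hubDc -Identity $account
$br  = Get-PwdState -Server $rodc  -Identity $account
$hub, $br | Format-Table -AutoSize

if ($hub.PwdLastSet -eq $br.PwdLastSet) {
    "pwdLastSet matches on hub and RODC: the reset is already visible at the branch."
} else {
    "pwdLastSet differs: the branch copy is behind the hub."
    # An RODC only caches secrets for accounts its Password Replication Policy
    # allows, so check whether this account is in the allowed set.
    "Accounts/groups allowed by the RODC's password replication policy:"
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
        Select-Object Name, DistinguishedName
    # Per-attribute replication metadata on the RODC shows the originating DC
    # and USN of the last change it has received for this object.
    & repadmin /showobjmeta $rodc $br.DistinguishedName
}
```

The same comparison works for the second scenario (a re-imaged machine's computer account) by swapping `Get-ADUser` for `Get-ADComputer` and looking at `pwdLastSet`/`uSNChanged` on the computer object. Running it a minute or so after the helpdesk performs the reset, and again later, tells you directly whether your branch sees the change before the 3 hour schedule fires.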