You are here


RODC or read-only domain controllers Windows NT 4.0 administratorswill remember the role of BDC on our networks. RODC is somewhat similar,and its purpose is to deliver cached copies of AD DS information to remotelocations. Unfortunately, remote locations often mean insecure serverdeployments, and security-conscious administrators out there will appreciatethe value of this long-forgotten approach. A key new differentiator of RODCis that we now can control whether password hashes should be replicated toRODCs, whereas with BDC you were getting a full read-only copy of a SAMdatabase. RODC can be configured in a way that limits exposure to risksassociated with data and hardware theft in remote or insecure locations, suchas satellite offices and demilitarized network zones. If an AD DS databaseis compromised on an RODC, it may not be possible to extract passwordhashes. Password hashes may be deciphered quickly using precomputed hashlookup tables, also known as rainbow tables.

Leave a Reply