Q: Will the new read-only domain controller (RODC) feature in Windows Server 2008 address the risks of domain controllers (DCs) that are placed at remote sites, such as branch offices, that aren’t as physically secure as the corporate data center?
A: You can now configure DCs as RODCs in Server 2008, which will address some, but not all, the risks. RODCs receive one-way replication from other DCs, thereby maintaining a local replica of the Active Directory (AD) domain. RODCs will fill the need to have a replica of AD locally at branch offices for fault tolerance, conservation of bandwidth, and performance reasons. Because the DC is read-only, an attacker that takes over the DC can’t change group memberships or user accounts in such a way that they replicate back to DCs at the data center and beyond. However, RODCs don’t address every risk. Someone very skilled or equipped with malicious programs created by a skilled programmer still might be able to exploit physical access, take over the RODC, and succeed in making the DC authenticate them to other computers on the network as an administrator or other privileged user. Although an attacker won’t be able to exploit the RODC to permanently change anything in AD, he could temporarily exploit the RODC to break into other computers in the domain or forest. Nevertheless, RODCs are a very important step in the right direction.