Environment with more RODCs than RWDCs is a good design?

  • Last Post 09 February 2017
syam posted this 07 February 2017

Good Day Everyone!!
I would like to ask a query about the number of RODCs I can place in my environment.
We are getting migrated from the parent company and a new one is being set up. The migration of users, computers and applications will take another year to complete.
Now we have offices in all continents and I would say no remote offices at all. But there are many offices without administrators to manage the servers.
The design plan includes a large number of RODCs, about 30, and DCs only 8 once we are in full swing.
Would you recommend this plan? Why I am objecting is that RODCs can present their own issues such as account lockouts and replication issues.
Please let me know if an environment with more RODCs than RWDCs is a good design.
Many thanks!!

idarryl posted this 07 February 2017

It all depends on the environment; there is no wrong answer, or right ratio between RO and RW.
I once managed an environment with 84 remote offices, all with only one network line going into them, and they all had file servers on site, a large number of people, and those offices made us money, so they each had an RODC to ensure no downtime. I had ~six RWDCs across three data centres. I now run an office with 100+ offices, most of which have an environment that I'm happy to support without RODCs. To that end I've banned them, and every time one falls over, we're asked to migrate or upgrade, I take it out.
A good general source of information is of course Microsoft; this Branch Office guide is what you want: https://technet.microsoft.com/en-us/library/dd734758%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
What I did for my current company was to take the flowchart in this document: https://technet.microsoft.com/en-us/library/cc731569(v=ws.10).aspx and adjust it to my needs. I made a policy that stated that an office with fewer than 30 people would never get an RODC, and that for the 'risk of a WAN outage' question, dual lines going into the office meant there was low risk. For 'performance of applications and user logons over the WAN link acceptable', the measure was number of users / link speed; if that number was greater than X they didn't get a DC.
As you can see with both these examples, I can justify the cost of running each DC, because it is right for the environment.
Just a couple more points:

  • you say 'only 8 DCs'; what makes you think only? Again, depending on your environment that might be plenty. How many users and data centres do you have?
  • you talk of no administrators on site to manage the servers. Why does that affect whether or not you put an RODC on site? If the link to the site goes down, it won't matter if there's a DC there or not to help in administration.
One last thought: there's a security risk in putting a DC on site, and that should also be taken into account in your decision.
Hope this helps a little.


SmitaCarneiro posted this 09 February 2017

We currently have 10 DCs on our main campus. The College of Agriculture has an extension office in every county in the state and so we have 106 RODCs. The number of users in each office is small – an average of about 20 – and this design works pretty well for us.

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
Ross Enterprise Center
3495 Kent Avenue, Suite 100
West Lafayette, IN 47906



daemonr00t posted this 09 February 2017

I’ve seen a few scenarios where, due to misunderstanding and misconfigurations, RODCs end up being removed.

These are a great option given the delegation and security advantages they offer.

Now I suggest you make sure you are clear in regards to the password replication matters and also which products can/can’t work with RODCs. Bear in mind that these folks can’t honor trust relationships, so if you depend on them that’s a thing to consider.


~danny CS

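As an added example (not posted by anyone in this thread), the following PowerShell report covers the "password replication matters" daemonr00t raises: for every RODC in the domain it lists how many principals are in the Allowed and Denied password replication policy lists, how many account secrets the RODC currently holds, and whether any of a set of broad or privileged groups appears in its Allowed list. The `$BroadPrincipals` list and the `Get-RodcPrpReport` function name are assumptions for the example; the cmdlets are the standard ActiveDirectory module cmdlets.

```powershell
Import-Module ActiveDirectory

# Assumed policy for this example: groups that should never be cached on an RODC,
# either because they are over-broad or because they hold privileged accounts.
$BroadPrincipals = @(
    'Domain Users', 'Authenticated Users', 'Everyone',
    'Domain Admins', 'Enterprise Admins', 'Administrators'
)

function Get-RodcPrpReport {
    # Enumerate only read-only DCs in the current domain
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

    foreach ($dc in $rodcs) {
        # Password Replication Policy (PRP) as configured on this RODC
        $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc.Name -Allowed)
        $denied   = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc.Name -Denied)
        # Accounts whose secrets are actually cached on the RODC right now
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc.Name -RevealedAccounts)

        # Any broad/privileged group in the Allowed list is worth a second look
        $overBroad = $allowed | Where-Object { $BroadPrincipals -contains $_.Name } |
                     ForEach-Object Name

        [pscustomobject]@{
            RODC          = $dc.Name
            Site          = $dc.Site
            AllowedCount  = $allowed.Count
            DeniedCount   = $denied.Count
            RevealedCount = $revealed.Count
            OverBroad     = ($overBroad -join ', ')
        }
    }
}

# Run from a domain-joined host with the RSAT ActiveDirectory module installed
Get-RodcPrpReport | Sort-Object OverBroad -Descending | Format-Table -AutoSize
```

An empty `OverBroad` column and a `RevealedCount` roughly matching the site's headcount is what you would expect from a well-scoped RODC; a populated `OverBroad` column means the Allowed list reaches well beyond the users of that office.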