AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam
Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!
Practice Test
Intermediate
Deploy read-only domain controllers
Plan and Secure Read-Only Domain Controller Deployment
Deploying a Read-Only Domain Controller (RODC) is a way to provide directory services in locations where physical security is limited. An RODC holds a read-only copy of the Active Directory database and, by default, stores no account passwords at all, so a stolen or compromised RODC exposes far less than a writeable domain controller. These servers are ideal for branch offices or remote sites that cannot guarantee full physical security. Because the database is read-only, changes must be made on a writeable domain controller: an RODC refers write attempts to one and replicates inbound only, so a compromised RODC cannot push changes back into the directory. Each RODC also uses its own krbtgt account rather than the domain-wide one, so compromising an RODC does not yield the key that protects every Kerberos ticket in the domain.
Before deploying an RODC, administrators must verify that Active Directory meets the necessary prerequisites. Both the forest functional level and the domain functional level must be Windows Server 2003 or higher, adprep /rodcprep must have been run in any forest that existed before its first Windows Server 2008 domain controller, and a writeable domain controller running Windows Server 2008 or later must be available in the same domain for the RODC to replicate from (an RODC can never be the first domain controller in a domain). Key items to check include:
- Forest functional level at Windows Server 2003 or above
- Domain functional level at Windows Server 2003 or above
- adprep /rodcprep completed, so the DNS application partitions carry the permissions RODCs need to replicate them
- Presence of a writeable domain controller running Windows Server 2008 or later in the same domain
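The checks above can be scripted before anyone touches the branch server. The following PowerShell is an added example, not code from the page or from Microsoft; it reads everything from the forest the workstation is joined to and assumes only the ActiveDirectory RSAT module. The revision value it looks for is the marker adprep /rodcprep leaves in the configuration partition.

```powershell
# Added example, not from the page: check the RODC prerequisites from an RSAT workstation
# before promoting a branch server. Thresholds are the documented minimums: forest and
# domain functional level Windows Server 2003, a writeable DC on Windows Server 2008 or
# later in the same domain, and adprep /rodcprep completed. No server names are assumed.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    $ok     = $true
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Functional levels are enumerations whose numeric value grows with each release,
    # so a cast to [int] turns "at least Windows Server 2003" into a plain comparison.
    $minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    if ([int]$forest.ForestMode -lt $minForest) {
        Write-Warning "Forest functional level is $($forest.ForestMode); Windows Server 2003 or higher is required"
        $ok = $false
    }
    if ([int]$domain.DomainMode -lt $minDomain) {
        Write-Warning "Domain functional level is $($domain.DomainMode); Windows Server 2003 or higher is required"
        $ok = $false
    }

    # An RODC only replicates from a writeable DC running Windows Server 2008 (NT 6.0) or later.
    # OperatingSystemVersion looks like "10.0 (20348)"; keep the leading major.minor part.
    $sources = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
        Where-Object { $_.OperatingSystemVersion -match '^(\d+\.\d+)' -and
                       [version]$Matches[1] -ge [version]'6.0' }
    if (-not $sources) {
        Write-Warning "No writeable domain controller on Windows Server 2008 or later in $($domain.DNSRoot)"
        $ok = $false
    } else {
        Write-Host "Replication sources available: $($sources.HostName -join ', ')"
    }

    # adprep /rodcprep records completion in the configuration partition: the
    # ActiveDirectoryRodcUpdate object carries revision 2 once it has run.
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $rodcUpdate = Get-ADObject -Identity "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC" `
                               -Properties revision -ErrorAction SilentlyContinue
    if (-not $rodcUpdate -or [int]$rodcUpdate.revision -lt 2) {
        Write-Warning "adprep /rodcprep has not completed in this forest"
        $ok = $false
    }

    return $ok
}

if (Test-RodcPrerequisites) { 'RODC prerequisites met' } else { 'Fix the warnings above before promoting an RODC' }
```

Run it as any domain user with read access; none of the checks require elevated rights, which makes it safe to include in a pre-deployment checklist or change ticket.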
Configuring an RODC requires careful policy settings to protect credentials and control replication. Use the Password Replication Policy (PRP) to define which account passwords the RODC may cache. The Deny list takes precedence over the Allow list, and the built-in Denied RODC Password Replication Group already covers Domain Admins and the other privileged groups, so the Allow list should contain only the users and computers that actually log on at that site. Use the RODC Filtered Attribute Set (FAS) to mark attributes that must never replicate to any RODC, such as secrets an application stores in the directory; mark them confidential as well so that read access is restricted on writeable domain controllers too, and note that the FAS only reliably blocks replication once the forest functional level is Windows Server 2008 or higher, because a Windows Server 2003 domain controller would still hand those attributes to an RODC. Finally, apply Administrator Role Separation: the account or group delegated at promotion time (stored in the managedBy attribute of the RODC computer object) gets local administrator rights on that RODC only, so branch IT staff can patch and maintain it without any domain-level privileges.
When placing RODCs in untrusted locations, follow strict measures to secure them. Keep the PRP Allow list to the accounts that must be able to authenticate when the WAN link is down, and review the list of revealed accounts regularly, because those are exactly the credentials an attacker who obtains the RODC's disk can extract. Control the replication scope so that only essential data is shared with the RODC: no filtered attributes, and no global catalog role unless the site needs it. Delegate administrative responsibilities to trusted personnel through the delegated administrator setting and role-based permissions rather than by adding them to Domain Admins. If an RODC is stolen or compromised, delete its computer account from a writeable domain controller and reset the passwords of every account it had cached; the deletion dialog offers that reset as an option.
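The PRP, Filtered Attribute Set and delegated administrator described above, plus the audit of what the RODC has actually cached, as one added PowerShell example. It is not code from the page or from Microsoft. The domain corp.example.com, site Branch01, RODC BR01-RODC, source DC hq-dc01, the two Branch01 groups, and the choice of the employeeNumber attribute for the FAS are all assumptions made for illustration.

```powershell
# Added example, not from the page: stage an RODC account with a restrictive Password
# Replication Policy and a delegated branch administrator, then audit what the RODC has
# actually cached. Assumed names: domain corp.example.com, site Branch01, RODC BR01-RODC,
# source DC hq-dc01, groups 'Branch01 Cached Accounts' and 'Branch01 RODC Admins'.
# Steps 1 and 4 need Domain Admins / Schema Admins on a writeable DC; step 3 only needs read access.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domain     = 'corp.example.com'
$rodcName   = 'BR01-RODC'
$siteName   = 'Branch01'
$allowGroup = 'Branch01 Cached Accounts'   # only the users and computers that log on at this site
$adminGroup = 'Branch01 RODC Admins'       # local admins on the RODC only, no domain privileges
$denyGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'Account Operators', 'Server Operators', 'Backup Operators',
                'Denied RODC Password Replication Group')

# 1. Pre-create the RODC account on a writeable DC (staged deployment). The delegated
#    administrator is written to the account's managedBy attribute, which is what grants
#    local administrator rights on the RODC after promotion. In the PRP, Deny wins over Allow.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName         $rodcName `
    -DomainName                          $domain `
    -SiteName                            $siteName `
    -ReplicationSourceDC                 "hq-dc01.$domain" `
    -DelegatedAdministratorAccountName   $adminGroup `
    -AllowPasswordReplicationAccountName $allowGroup `
    -DenyPasswordReplicationAccountName  $denyGroups

# 2. The branch team then finishes promotion on the server itself, without Domain Admins
#    membership, by attaching to the staged account:
#    Install-ADDSDomainController -DomainName corp.example.com -UseExistingAccount -Credential (Get-Credential)

# 3. Audit: the policy the RODC ended up with, and the accounts whose passwords it now holds
#    ("revealed" accounts are the ones an attacker with the RODC's disk could extract).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Denied  | Select-Object Name, ObjectClass

$revealed   = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts)
$privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
}
$leaked = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }
if ($leaked) {
    Write-Warning "Privileged credentials are cached on ${rodcName}: $($leaked.Name -join ', ')"
} else {
    Write-Host "$($revealed.Count) account(s) cached on $rodcName, none of them privileged."
}

# 4. (Schema Admins, written to the schema master) Add an attribute to the RODC Filtered
#    Attribute Set and mark it confidential. searchFlags bit 0x200 = RODC filtered,
#    0x80 = confidential. employeeNumber is used here only as an illustration.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster
$attr = Get-ADObject -Identity "CN=Employee-Number,$schemaNC" -Properties searchFlags -Server $schemaMaster
Set-ADObject -Identity $attr -Server $schemaMaster `
    -Replace @{ searchFlags = ($attr.searchFlags -bor 0x200 -bor 0x80) }
```

Step 3 is the part worth scheduling: the revealed-accounts list is the blast radius of that RODC, and the same list is what you would reset if the box went missing (Get-ADDomainControllerPasswordReplicationPolicyUsage with -RevealedAccounts piped into a password reset covers the same ground as the checkbox in the deletion dialog).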
Conclusion
Deploying an RODC involves understanding and meeting specific Active Directory prerequisites: forest and domain functional levels of Windows Server 2003 or higher, adprep /rodcprep completed, and a writeable domain controller running Windows Server 2008 or later in the same domain. Key configurations include the Password Replication Policy, the RODC Filtered Attribute Set, and a delegated administrative model, which together protect credentials and control replication. By limiting cached credentials, auditing which accounts the RODC has actually revealed, and carefully delegating tasks, IT teams can secure domain controllers in branch offices or untrusted sites while maintaining a resilient hybrid infrastructure.