A new feature available in Windows Server 2008 is the Read Only Domain Controller (RODC). Essentially, the RODC recreates the concept of the Backup Domain Controller. The RODC can validate users and objects as well as provide the location of resources within the Active Directory (AD). It isn't really read-only in the sense that it can never be updated; rather, no new data can be written into the Active Directory by the RODC itself. It can only receive updates from a full Domain Controller.
When You Can't Provide Physical Security
The point of this is to provide a way to place a Domain Controller at a location where physical security cannot be guaranteed, for example, a small satellite office with no server room and no IT personnel. In this way, if someone were to steal a domain controller from the unsecured location, the damage that could be done is minimized.
With a full domain controller, an unsavory character could spend weeks or months cracking into the controller. When they do, they can make whatever changes they want, including adding several hard-to-find backdoor Domain Administrator accounts to the Active Directory. Then, when the Domain Controller is added back to the network, those changes replicate, along with any other updates, throughout the entire enterprise, no matter how much the Directory has been updated in the meantime. The only way to prevent something like that would be to completely redo the Active Directory, not a happy option in a large organization.
But with a RODC, if the controller were reattached after being compromised, nothing would happen, because with the next update, the RODC database would be overwritten without ever having propagated a single change. RODCs only take database updates; they do not sync them out.
Another scenario involves the all too common need for someone to perform a task locally on a Domain Controller. Again, at a remote location, that someone might just be anyone who happens to be able to follow directions. Considering how many processes require administrator-level security to work correctly, the person might also have to be made, temporarily at least, a local administrator. On a regular server, this gives that person free rein on a single server, but on a Domain Controller, that local administrator access comes with the ability to make changes or additions to the Active Directory database. On a regular Domain Controller, those changes will be propagated throughout the enterprise. However, a RODC would limit the person's power to the interval before the next update, when those changes will be wiped out.
When a Read Only Domain Controller is installed on a Core Install of Windows Server 2008, the footprint for attack becomes even smaller. Since the Active Directory itself cannot be compromised through it, even a determined hacker faces an uphill challenge to extract much use from a compromised Domain Controller.
Keep the RODC in Check
Obviously the RODC isn't the right move for every server. Servers that are locked inside a secure network room and only accessed by fully trained IT staff don't need to be RODCs. Indeed, because RODCs won't replicate with each other, putting more than one per network segment begins to be problematic. Installing RODCs everywhere just leads back to the bad old days when the Primary Domain Controller was overwhelmed trying to keep up with all the Backup Domain Controllers. So, limit the use of RODCs to areas where physical security of the server cannot be maintained. Even this judicious use can add one more level of security to your network.
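The two placement rules above (one RODC per site, and RODCs only where physical security is weak) can be checked rather than remembered. The following PowerShell audit is an added example, not code from the original article or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later) and an account that can read domain controller objects and Password Replication Policy usage data. It also goes slightly beyond the article: an RODC caches only the credentials its Password Replication Policy allows, so the script lists which account passwords a given RODC actually holds, since that is what a thief of the box would get, and flags any that belong to privileged groups (the group list is an assumed starting point, adjust it for your domain).

```powershell
# Added example (not from the original article): audit RODC placement and exposure.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later) and
# rights to read DC objects and PRP usage. Written to run under PowerShell 2.0 as well.
Import-Module ActiveDirectory

# Enumerate every domain controller and split RODCs from writable DCs.
$dcs   = @(Get-ADDomainController -Filter *)
$rodcs = @($dcs | Where-Object { $_.IsReadOnly })

"Domain controllers: $($dcs.Count) total, $($rodcs.Count) read-only"

# Check 1: more than one RODC in a site. RODCs do not replicate with each other,
# so each one pulls from a writable DC on its own and adds load without redundancy.
$rodcs | Group-Object Site | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
    "WARNING: site '$($_.Name)' holds $($_.Count) RODCs: $names"
}

# Check 2: what a stolen RODC would actually expose. Only passwords the Password
# Replication Policy allows are cached ("revealed") on an RODC; list them and flag
# members of privileged groups (assumed list, extend for your environment).
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
foreach ($rodc in $rodcs) {
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
    "$($rodc.Name) (site $($rodc.Site)): $($revealed.Count) account password(s) cached"
    foreach ($acct in $revealed) {
        # Works for user and computer accounts alike; skip anything that cannot be resolved.
        $groups = @(Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.Name })
        $hit = $groups | Where-Object { $privileged -contains $_ }
        if ($hit) {
            "  WARNING: privileged account '$($acct.SamAccountName)' ($($hit -join ', ')) has its password cached on $($rodc.Name)"
        }
    }
}
```

Run it from a management workstation, not on the RODC itself; the point is that the writable directory, not the exposed box, is the source of truth. A site with two RODCs or an RODC holding a Domain Admin password is the kind of finding the article's placement rule is meant to prevent.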