Windows 2008 Read Only Domain Controllers and Exchange 2007…

Alright so there is quite a lot of information out there now about Read Only Domain Controllers (RODCs) and Windows 2008 and it won’t be new to most that both Exchange 2003 and Exchange 2007 effectively ignore them.  See this excerpt from Exchange Server and Windows Server 2008.

“No version of Microsoft Exchange uses read-only domain controllers (RODCs) or read-only global catalog servers (ROGCs). However, Microsoft Exchange works in environments that include RODCs or ROGCs, as long as there are writeable domain controllers available. Exchange 2007 effectively ignores RODCs and ROGCs. Exchange 2003 also ignores RODCs and ROGCs in default conditions where Exchange components automatically detect available domain controllers. No changes were made to Exchange 2003 to make it read-only directory server-aware.”

Incidentally, Exchange behaves this way because it locates suitable domain controllers by querying AD for objects of the NTDS-DSA category, which is the objectCategory attribute value of each writable DC's ‘NTDS Settings’ object. The ‘NTDS Settings’ objects of RODCs do not carry this object category; they use a new objectCategory value named NTDS-DSA-RO. Exchange therefore never considers an RODC part of the available AD topology, simply because its ‘NTDS Settings’ object is never returned by that query.

…and I’ve seen quite a bit of negativity about the fact that Exchange ignores RODCs and that there doesn’t seem to be any likelihood of this situation changing in the near future. RODCs are designed to be used in branch offices with perhaps few users, lower levels of physical security, poor network bandwidth and possibly no local IT support presence.  In those circumstances it’s unlikely to make sense to put an Exchange Server in that same location, so ignoring RODCs is, in my opinion, not a major problem for most RODC deployments.

However, what about Outlook clients…?  If you’ve got a load of Outlook clients sitting in the branch office it might be beneficial for them to make use of the local RODC (ROGC). Well, Outlook is listed here as an application that will work with an RODC.  It takes a registry setting to point it at a local ROGC, and the ROGC will then be used for certain operations – specifically GAL lookups.

HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider
String Value: DS Server
Data: FQDN of ROGC

If you decide to make use of this registry setting then be aware that Outlook will still revert to a remote DC/GC for many operations, and whether the key is honoured at all depends on the version of Outlook that you have chosen to deploy.
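As an added example (my own script, not something from the Microsoft documents linked on this page), the following PowerShell shows the two halves of what is described above: the nTDSDSA-only query that Exchange relies on versus the nTDSDSARO objects it never sees, and a helper that writes the per-user DS Server value only after confirming that the chosen FQDN really is a read-only DC flagged as a global catalog. It assumes a domain-joined machine with read access to the configuration partition; the bit test on the nTDSDSA ‘options’ attribute (0x1 = this DSA is a GC) is my assumption about the schema, not something stated on this page.

```powershell
# Added example: compare what Exchange's topology query returns with the RODCs it ignores.
$rootDse = [adsi]'LDAP://RootDSE'
$sitesDn = 'CN=Sites,' + $rootDse.configurationNamingContext

function Get-NtdsSettings([string]$category) {
    # $category is the lDAPDisplayName: 'nTDSDSA' (writable DC) or 'nTDSDSARO' (RODC)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$sitesDn"
    $searcher.Filter = "(objectCategory=$category)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'options'))
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        # DN layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $parts = $dn -split ',(?=CN=)'
        $opts = if ($r.Properties['options'].Count) { [int]$r.Properties['options'][0] } else { 0 }
        [pscustomobject]@{
            Server   = $parts[1] -replace '^CN='
            Site     = $parts[3] -replace '^CN='
            Category = $category
            IsGC     = (($opts -band 1) -eq 1)   # assumption: bit 0x1 of 'options' = IS_GC
        }
    }
}

$seenByExchange = Get-NtdsSettings 'nTDSDSA'     # the only set Exchange will ever use
$ignoredRodcs   = Get-NtdsSettings 'nTDSDSARO'   # present in AD, invisible to Exchange

"DCs Exchange can use:";    $seenByExchange | Format-Table Server, Site, IsGC
"RODCs Exchange ignores:";  $ignoredRodcs   | Format-Table Server, Site, IsGC

function Set-OutlookDsServer([string]$rogcFqdn) {
    # Refuse to pin Outlook at anything that is not a read-only GC in this forest.
    $host = ($rogcFqdn -split '\.')[0]
    $match = $ignoredRodcs | Where-Object { $_.Server -ieq $host -and $_.IsGC }
    if (-not $match) { throw "$rogcFqdn is not a read-only global catalog in this forest" }

    # HKCU key from the post: per-user, so it must be set in each Outlook user's profile.
    $key = 'HKCU:\Software\Microsoft\Exchange\Exchange Provider'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DS Server' -Value $rogcFqdn -Type String
    Get-ItemProperty -Path $key -Name 'DS Server'
}

# Usage (replace with the FQDN of the branch office ROGC):
# Set-OutlookDsServer 'branch-rodc01.example.local'
```

Running the first part before touching any client confirms whether a given server really shows up as nTDSDSARO, which is the quickest way to explain why Exchange components never pick it while Outlook, with the key set, may.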

I think we are definitely going to see a lot more queries about how Outlook operates against a local read only DC in combination with remote domain controllers.  In my opinion the story isn’t very clear yet.  I’ll blog more as I know more.

…but for the moment by the power of Live Search:

Applications That Are Known to Work with RODCs
What Is an RODC?
2.166 Class nTDSDSARO
RODC Frequently Asked Questions