Q. I read that I should never log on to a Read-Only Domain Controller (RODC) with a domain administrator account. Why?

A. The fact that it's a RODC is not the crucial factor. It's more that, because it's a RODC, it's probably not considered a secure machine: it's sitting out in a branch office somewhere, relatively exposed to physical attack.

So why should we not log on as a domain administrator? Even if the RODC is caching passwords, the domain administrator accounts are expressly denied from being cached, so there's no danger. Wrong. Your administrator credentials should be used only on secure terminals (servers or workstations). Someone who has control of a box can run a keylogger to capture plaintext passwords, someone could hijack the session with local control, or someone could have configured a policy to run at logon as the logging-on user and then run something bad. There are many risks, so only protected workstations should ever see administrator credentials. The best practice is to not log on to a RODC as a full domain admin or RDP into it. Instead, use WinRS/WinRM to run commands on a RODC, or use Microsoft Management Console (MMC) in remote mode. Otherwise, you could be giving away credentials if the box is compromised. This should apply not just to RODC boxes but to any potentially insecure box.

You need to judge how practical this is for your environment as obviously it's far easier to just RDP into a box than run remote commands and MMC snap-ins.
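As an added example (not part of the original answer), here is what the remote-management approach looks like from an administrative workstation. The RODC name `RODC01` and the account name `jsmith-admin` are placeholders; the cmdlets and the `winrs` tool are standard Windows/ActiveDirectory-module commands. The check at the end also shows how to verify that privileged accounts really are denied from being cached on the RODC, which is the other half of the argument above.

```powershell
# Run from a trusted admin workstation, never from the RODC console itself.
# Placeholder names: RODC01 (the branch-office RODC), jsmith-admin (an admin account).
$Rodc = 'RODC01'

# 1. Confirm WinRM is reachable on the RODC before relying on it.
Test-WSMan -ComputerName $Rodc

# 2. Run a one-off command with WinRS. With Kerberos authentication the RODC
#    receives a service ticket, not a reusable password, so a keylogger or
#    session hijack on the RODC does not yield the admin's credentials.
winrs -r:$Rodc "dcdiag /test:replications"

# 3. The PowerShell equivalent for anything more involved: the script block runs
#    on the RODC, results come back as objects, and no interactive logon session
#    is created on the box.
Invoke-Command -ComputerName $Rodc -ScriptBlock {
    Get-Service -Name NTDS, KDC, Netlogon | Select-Object Name, Status
}

# Avoid -Authentication CredSSP here: CredSSP forwards the full credential to the
# remote host, which is exactly what the answer says should never reach an RODC.

# 4. Verify the Password Replication Policy: domain admin accounts should appear
#    in the Denied list, and nothing privileged should ever show up as revealed.
Import-Module ActiveDirectory
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, objectClass

# 5. Audit which account secrets the RODC has actually cached ("revealed").
#    A privileged account listed here means a credential has already been exposed
#    to a box that may be physically compromised.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, SamAccountName
```

The same pattern (WinRS/Invoke-Command for commands, MMC snap-ins pointed at the remote computer for GUI tasks, no RDP) applies to any host you don't fully trust, not only RODCs.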
