Click here for important information about

Uqestion regarding DC AND RODC - Win2008 r2

July 26, 2012 at 09:39:25
Specs: win 288 64bit r2, 8

Could you please correct me if I am wrong.

As I understand in a forest, you can have multiple domains, in 1 domain you must have at least 1 single Domain controller as a global catalog, all subsequent Domain Controllers will have to be Read Only Controllers, am I correct? You cannot have 2 primary DC in one domain?

Now, when you expand your network and add a second domain(child domain), how does it works? Do you have to create another primary Domain controller or can still have RODCs?

If we are allowed to have 1 primary controller in each forest, will this not create conflicts in the database?

Thank you


See More: Uqestion regarding DC AND RODC - Win2008 r2

July 26, 2012 at 10:28:11
No, you are wrong. There is no such thing as a Primary Domain Controller. All DCs are equal apart from minor differences. Read Only DCs are relatively new and have special uses; for a normal setup ignore them and just make every DC a regular DC.

I emphasize - there is no such thing as a Primary DC.

Report •

July 26, 2012 at 10:41:05
In NT there were PDC and BDC. With the advent of Active Directory all servers became peers with no pdc/bdc.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's

Report •

July 26, 2012 at 10:48:28
If you didn't already know this, don't complicate your network further by adding another domain. The only good reason to make another domain in the same forest these days is to completely delegate its administration to someone else. If one person/department/group is going to be managing them, keep it as the same domain and separate them using OU's.

Andrew Leonard
BL Technical Services
IT Support Maryland

Report •

Related Solutions

July 26, 2012 at 11:12:56
Hi everyone,

Thank you for the reply.
I am really confused now, all the MCITP books I have + videos all speak about Primary Domain Controllers and RODC(Read Only Domain Controllers).

This is the purpose of my MCITP course chapter, to differentiate the Primary DC from the others below. Now you are telling me that there is not such thing confused my learning quiet a lot :-)

Also regarding hollowmans521 reply, I know I am complicating things but this is what the exercise in the MCITP books speaks about and I am trying to test lab all the exercises to understand all the basics. Right now the chapter speaks about replications between 2 domains, I did some test exam today and they were speaking a lot about this(replication between domains).



Report •

July 26, 2012 at 11:22:47
Sorry, didn't realize this was for a lab. In that case, go for it. I just hate to see companies that rely on people like me and get screwed by stupid decisions.

From your Wikipedia article "In Active Directory domains, the concept of primary and secondary domain controller relationships no longer applies." The RODC concept is relatively new, but you still don't call the fully functioning DC's primary, that's terminology from Windows NT, which was primarily in use up until 1999, and then replaced with Windows 2000. Since Windows 2000 and Active Directory, there is no such thing as a PDC and a BDC.

Andrew Leonard
BL Technical Services
IT Support Maryland

Report •

July 26, 2012 at 11:35:24
Thanks Hollowman,

The test labs are a pain for beginners....:-(
Regarding the pdc, this is shocking because they teach a lot of things which are totally wrong then.
With a MCITP server administrator certificate everything is based around win 2008 r2.

Now I understand, in the MCITP 2008, they speak a lot about RODCs, I believe that the "primary DC" is actually the one who holds the first copy (read and write) of Active Directory. Because RODCs are read only Domain Controllers, it kind of make sense why they would be called "secondary DC" or "Read Only" DCs.

I found a good explanation here:

Probably this is a terminology not being used much with the MSCA and older certificate courses.

Thanks for your help.


Report •

July 26, 2012 at 11:50:35
Read Only Domain Controllers are exactly what they say they are. They contain a copy of the Active Directory database (actually a subset) that can be read but cannot be changed (other than via one-way replication from a full DC). This means they can be used in less secure locations to provide Active Directory services without the risk that information can be altered and replicated back to other DCs. In that sense they are "secondary", but this is very different fro the primary/secondary relationship described in the Wiki article.

A major problem with the NT4 model of networking was that failure of the PDC was a major problem. With the multiple, equal DCs of modern Windows Server implementations a failed DC is not a huge problem; all DCs (apart from RODCs, which have very specialized and limited uses) are essentially equal. It is essential that in an AD domain you have at least two full DCs; that way if one fails the network keeps working. A RODC is useless for this purpose because (a) you can't alter information on it or replicate changes from it, and (b) it doesn't include essential information such as passwords.

I am surprised that the documents you are studying from make such a big thing of RODCs. Although they have their uses, a small to medium size company located on a single site would have little, if any, use for them. And this probably represents the vast majority of Windows Server installations.

Report •

July 26, 2012 at 12:04:06
Thanks iJack For the great explanation.

Yes I totally agree with you, I have no idea why they want us to learn such thing and why not keeping it a little more simple by just going to the point...unfortunately, that's the way they are...

I have a personal question about real life win2008, I would love to know more about your experience on real networks.

1)Do you actually go to the DCs or just access them via remote from another office? I always believed that DCs where securely kept away in a locked room.

2)If you have a problem with the power in the business, do they normally have generators for the IT equipments?

3)Regarding the security of a network, I can see a lot of people hiring tech who have CCNA, do you normally take care of both the server side of the business or also secure the routers and work on CISCO firewalls. What most bosses are asking for for a small to medium business, any idea please?

4)I heard of a new server 2012, do you think there are major changes from 2008 to 2012?



Report •

July 26, 2012 at 13:04:09
I'm actually retired now, but:

1. Almost all administration is done away from the server, either using Terminal Services or just using server administration apps on a workstation. My servers were close at hand (in a locked room) but I hardly ever needed to log on directly to them.

2. We had a very expensive UPS that protected about 30 Windows servers, some Sun equipment and an IBM mid-range (AS/400). It could power that lot for about an hour; plenty of time for most power-cuts and enough time to shut everything down in an orderly fashion if required.

3. I just looked after the servers; other people handled the routers and firewalls. But in a smaller business you would likely need to do the lot. And it never hurts to know about these things. Qualifications weren't so important when I started, but now there are plenty of able people so the more bits of paper you have the better.

4. I have had a play with the betas of the latest Windows Server (whatever it is now called). It's pretty good, particularly with regard to hosting Virtual Machines. That's quite an important subject nowadays. Worth downloading the beta and having a play if you have a spare machine - or even just run it in VMWare or VirtualBox.

From the posts that you have made so far I would say that it was worth investing in a Server 2008 book, if only to get a different perspective from the formal training courses. I can recommend "Mastering Windows Server 2008" by Mark Minasi.

Report •

July 26, 2012 at 13:32:03
Thank you so much for taking the time to reply and explain your past work experiences.

I am a technician for pharmaceutical machinery, my wages are pretty good but when I see what a server administrator gets, I just cannot believe it. This is one of the reason I would like to pass a few new qualifications and become an IT Professional.
I have always loved PCs, softwares and I think it is the right time to take it one step further.

I will for sure have a look at this book on Amazon. At the moment I have the Microsoft learning book/kit, this has apparently everything that is covered in the exam. I also have 200 hours of video to watch...between this, the kids and work, it is very hard, this is why speaking to people like you in the forum is a great way to advance faster in my courses. I come everyday here to ask a few questions, having someone explaining the solutions in a different manner than the book does really helps.
Reading books is goo, watching videos too, but having someone explaining the exact solutions you are looking for is even better. Thanks to you all for sharing your knowledge, I am sure you all remember the old days when you first touched a server, well I am in that case and I can say that it is not an easy task :-)

My apology for the English, this is not my first language.


Report •

July 26, 2012 at 13:55:53

Your English is far better than my - whatever your first language is - would be. you have no need to apologize for it.

Report •

July 26, 2012 at 14:26:33
ahaha, thank you! (I am from Malta in EU and not USA)

Thanks again for your time, 11.30pm here, time to sleep:-)


Report •

July 28, 2012 at 17:44:19
What your MCITP books and videos are probably referring to is the PDC Emulator FSMO role.


Report •

Ask Question