Q. Can a read-only domain controller (RODC) write to its database?
April 6, 2008
A. The name "read-only domain controller" implies that its database is read-only, and it is in nearly all situations, except for one group of attributes.
If a user requests a write operation to an RODC, the RODC forwards the request to a read-writable domain controller (RWDC), which then replicates the changes back to the RODC. If an application tries to write to an RODC, the RODC responds with a referral notifying the application that it needs to write to an RWDC (which will crash some applications that don't handle referrals).
Now, imagine that you have a branch-location RODC that loses its hub connectivity, so it can't contact an RWDC, and during this outage, someone tries to hack an account. With normal connectivity, the BadPwdCount would increment, and, after a password-policy designated number of attempts, the account would lock out. If the RWDC can't be contacted, and the RODC can't write to its database, the BadPwdCount would never increment and the account would never lock out, leaving the RODC vulnerable. For this reason, an RODC can write logon-count attributes—such as BadPwdCount and LastLogon—to its database, allowing an account to lock out.
About the Author
You May Also Like