Q. How do you remove a read-only domain controller (RODC) from an environment that's been compromised?
February 24, 2009
A. New to Active Directory in Windows Server 2008 is the ability to create a read-only domain controller (RODC), which holds a read-only copy of the directory and caches password secrets only for the accounts its Password Replication Policy allows. That limits what an attacker gains if the physical RODC is compromised. RODCs are meant for remote locations that you can't physically secure as well as you'd like but where you still need a local authentication source; the accounts whose passwords are cached on the RODC are normally only those of the people who work at that location.
If an RODC is compromised (for example, stolen), delete its computer account using the Active Directory Users and Computers MMC snap-in. The RODC's account is in the Domain Controllers OU. When you delete the computer object you'll be prompted to confirm, and once you confirm you'll be offered the option to reset all the user account passwords that were cached on the RODC, as shown here. Resetting those passwords renders the stolen RODC useless to an attacker, because the secrets it holds no longer match the passwords in use. You can also reset the cached computer account passwords; this is less often needed, but bear in mind that a computer whose account password is reset loses its secure channel to the domain and must be rejoined (or have its machine password reset with netdom or Reset-ComputerMachinePassword), so weigh that against the exposure. Finally, you can export a list of all the accounts whose passwords are being reset.
Once you click Delete, you'll be asked to confirm, as shown here.
Users whose passwords have been reset can no longer log on and will have to contact support to get a new password. Use the exported list of accounts from the delete step to notify those users in advance and proactively arrange new passwords, issuing them through a channel that verifies the caller's identity, since whoever holds the stolen RODC also knows which accounts were cached on it.
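The deletion dialog performs the resets for you, but during an incident you may want the same steps under your own control: export and notify first, reset the user accounts, and decide separately about computer accounts. The following PowerShell does the equivalent using the ActiveDirectory module shipped with Windows Server 2008 R2 and later (on Windows Server 2008 RTM, repadmin /prp view RODC01 reveal lists the same cached accounts). This is an added example, not code from the original FAQ; the RODC name RODC01, the export path, the $ResetComputers switch and the New-RandomPassword helper are assumptions.

```powershell
# Added example: reset the secrets a stolen RODC had cached, before (or instead of)
# letting the ADUC deletion dialog do it. Requires the ActiveDirectory module
# (Windows Server 2008 R2 or later) and Domain Admin rights.
Import-Module ActiveDirectory

$Rodc           = 'RODC01'                           # assumption: name of the stolen RODC
$ExportPath     = "C:\IR\$Rodc-cached-accounts.csv"  # assumption: where to keep the list
$ResetComputers = $false   # $true also resets cached computer accounts (they must then rejoin)

function New-RandomPassword {
    param([int]$Length = 24)
    # Exactly 64 characters, so "byte mod 64" picks each one with equal probability.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# 1. Every account whose secrets were ever replicated to this RODC
#    (the RODC's msDS-RevealedUsers list). This is what the attacker can recover.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# 2. Export first, so the help desk knows who will be locked out before anything is reset.
$cached |
    Select-Object Name, SamAccountName, ObjectClass, DistinguishedName |
    Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "Exported $(@($cached).Count) cached accounts to $ExportPath"

# 3. Reset every cached user password to a random value the attacker cannot know,
#    and force a change at next logon once the help desk has issued a new one.
foreach ($u in $cached | Where-Object { $_.ObjectClass -eq 'user' }) {
    $newPw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $u.DistinguishedName -Reset -NewPassword $newPw
    Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
    Write-Host "Reset user $($u.SamAccountName)"
}

# 4. Optionally do the same for cached computer accounts. A computer whose account
#    password is reset loses its secure channel and must be rejoined to the domain,
#    so this is a deliberate choice rather than the default.
if ($ResetComputers) {
    foreach ($c in $cached | Where-Object { $_.ObjectClass -eq 'computer' }) {
        $newPw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $c.DistinguishedName -Reset -NewPassword $newPw
        Write-Host "Reset computer $($c.SamAccountName) (must be rejoined)"
    }
}
```

Run this from a writable domain controller or a management workstation with the RSAT AD module, then delete the RODC's computer object in Active Directory Users and Computers as described above; the reset options in that dialog can be left checked, since resetting an already-reset password is harmless. Set-ADUser -ChangePasswordAtLogon fails for accounts flagged "Password never expires", so expect a non-terminating error for those and handle them by hand.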
Related Reading:
Q. What is a read-only domain controller (RODC)?
Q. Can a read-only domain controller (RODC) write to its database?
Q. Which values can a read-only domain controller (RODC) write locally?
The Advantage of Using an RODC Rather Than a DC
Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.