Q. Which values can a read-only domain controller (RODC) write locally?

John Savill

August 7, 2008

1 Min Read
ITPro Today logo in a gray background | ITPro Today

A. By definition, an RODC can't write data to its local database. Any write operations are forwarded to a read-write domain controller (DC). However, there are exceptions to protect an RODC from attack when the RODC can't communicate with a read-write DC.

Imagine a scenario in which a branch-office RODC loses connectivity with the data center and its read-write DCs. Normally, if someone attempts an account-password attack, the accounts would be locked for a period of time after a set number of failed attempts to protect the account from constant attack. But if the RODC doesn't know when to lock the accounts because it can't write logon failures to a read-write DC, you might have a major problem. RODCs have the following limited write capabilities for protection against attacks:

  • The msDS-LastSuccessfulInteractiveLogonTime attribute—tracks the most-recent successful logons. It isn't forwarded to a read-write DC.

  • The msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon attribute—tracks the number of failed interactive logons during the most-recent successful logons. It isn't forwarded to a read-write DC.

  • The msDS-LastFailedInteractiveLogonTime attribute—tracks the most-recent failed interactive logon attempts. It's forwarded to a read-write DC, which then replicates the attribute back to the RODC during the next replication cycle.

  • The msDS-FailedInteractiveLogonCount attribute—tracks the number of failed interactive logon attempts. It's forwarded to a read-write DC, which then replicates the attribute back to the RODC during the next replication cycle.

About the Author

John Savill

John Savill

https://savilltech.net

See more from John Savill
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

the interface of the PowerShell search tool with a hand holding a magnifying glass on a background of a blue sky and clouds in the shape of gears
PowerShell
How I Built My Own PowerShell Multi-File Search Tool
How I Built My Own PowerShell Multi-File Search Tool

Oct 22, 2024

burnout gif featuring a mannequin surrounded by office technology on fire
Career Tips
Am I Burned Out? How To Identify and Address Burnout in IT
Am I Burned Out? How To Identify and Address Burnout in IT

Oct 24, 2024

MLOps
Ops and More
Choosing Between Cloud and On-Prem MLOps: What's Best for Your Needs?
Choosing Between Cloud and On-Prem MLOps: What's Best for Your Needs?

Oct 23, 2024

Exclusive ITPro Resources
See all ITPro Resources

Featured Technical Explainers

AI chip
Cloud Computing
Cloud vs. On-Prem AI Accelerators: Choosing the Best Fit for Your AI Workloads
Cloud vs. On-Prem AI Accelerators: Choosing the Best Fit for Your AI Workloads
SaaS concept on a tablet
Cloud Computing
Why SaaS Backup Matters: Protecting Data Beyond Vendor Guarantees
Why SaaS Backup Matters: Protecting Data Beyond Vendor Guarantees
DevOps logo on top of code
DevOps
DevOps: Key to Faster, More Efficient Government Software Development
DevOps: Key to Faster, More Efficient Government Software Development
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

Recent What Is

cartoon shows a person next to a checklist and several icons that represent disaster scenarios
Disaster Recovery
BCDR Basics: A Quick Reference Guide for Business Continuity & Disaster RecoveryBCDR Basics: A Quick Reference Guide for IT Pros
technology interface with a person's hand drawing gears and cogs
PowerShell
Introduction To PowerShell Environment VariablesIntroduction To PowerShell Environment Variables