Applications that are compatible with RODCs in Windows Server

Applies to: Windows Server 2016Windows Server 2012 R2 EssentialsWindows Server 2012 R2 Datacenter


This article updates and supersedes the archived TechNet article Applications That Are Known to Work with RODCs. This article adds known issues that affect the Network Policy Server (NPS).

More information

The following applications are known to be compatible with Read-only Domain Controllers (RODCs). However, some applications may not work correctly if they are installed directly on an RODC.

  • Microsoft Internet Security and Acceleration (ISA) server
  • Microsoft Office Live Communications Server

    Important If you plan to install Microsoft Office Live Communications Server directly on an RODC, you may have to create groups and service accounts that are necessary for the underlying SQL database.
  • Microsoft Systems Management Server (SMS)
  • Microsoft Office Outlook

    Note Microsoft Exchange Server does not use RODCs. However, you can configure Outlook clients in a branch office that is serviced by a read-only global catalog server to use the read-only global catalog server for global address book lookups.
  • Microsoft Operations Manager (MOM)
  • Windows SharePoint Services

    Note You can download Windows SharePoint Services from the Microsoft Web site. It is not included in Windows Server 2008.
  • Microsoft SQL Server 2005

    Important If you plan to install Microsoft SQL Server 2005 directly on an RODC, you may have to create the appropriate users and groups and make sure that they are replicated to the RODC before the installation.
  • Windows Server services, including the following:

    • Active Directory Certificate Services (AD CS).

      Note A certification authority (CA) will have to contact a writeable domain controller in the following circumstances:

      • When the CA reads templates. This is because CA may have to add superseded templates to the CA object.
      • When the CA queries AD DS for user and computer objects.
      • If the CA is configured to publish a certificate revocation list (CRL) to LDAP.
      • If the CA issues a certificate that is configured to be published to AD DS.
    • Active Directory Rights Management Services (AD RMS)
    • Credential Roaming
    • Distributed File System (DFS)
    • Distributed File System Replication (DFSR) and File Replication Service (FRS)
    • Domain Name System (DNS)
    • Dynamic Host Configuration Protocol (DHCP)

      Important If you plan to install DHCP directly on an RODC, you must create the appropriate users and groups and make sure that they are replicated to the RODC before the installation. For more information, see DHCP Users Group Configuration.
    • Group Policy
    • Internet Authentication Service (IAS) and NPS

      Note NPS targets a writeable domain controller for password changes. Additionally, the following issues apply to NPS:

      • Registration in Active Directory fails.

        NPS requires a writable domain controller (RWDC) for registration. Registration basically means that the NPS server is added to the "RAS and IAS Servers" group. To register the NPS server in Active Directory, move it to a network that has RWDC access, and then register it.
      • You cannot use a Domain Administrators account to configure NPS.

        The account that is used to configure NPS must be a local administrator on the NPS server. Usually, domain administrators are in the "Denied RODC Password Replication Group." Therefore, their passwords usually are not replicated to the RODC, and you cannot log on as a domain administrator on the RODC if the server has no connection to an RWDC. The same is true for an NPS, on which you can log on by using cached credentials. 

        You must create a special account to administer the RODC. Make this account a local administer on the NPS, as required for the configuration of the NPS policies. For more information, see Administrator Role Separation Configuration and the "Administrator role separation" section in RODC Features.
      • Opening the NPS console on the NPS server takes a long time and shows an error message: "The snap-in is not responding."

        When you open the NPS console or run the netsh nps show registeredserver command, the NPS server tries to query a domain controller for the members of the "RAS and IAS Servers" security group. This is done by the Multiple Provider Router (MPR).

        The call uses the default values, which include DS_WRITABLE_REQUIRED, instead of clearing that flag and stating that only the ADS_READONLY_SERVER read access is required.

        For more information, see Developer Guidance for Resolving Compatibility Problems Between Your Applications and an RODC.
      • Authentication fails.

        The NPS can authenticate the  Routing and Remote Access Service (RRAS) connection only for accounts that are replicated to the RODC. See Password Replication Policy.
    • Internet Information Services (IIS)
    • Network Access Protection (NAP)
    • Terminal Services (Users and Computers snap-in)
    • Terminal Services Licensing server