Organizations’ Branch Office Concerns and Dilemmas

The next section illustrates typical branch office concerns about having domain controllers onsite. This section makes it evident why the RODC is becoming popular if not extremely necessary for branch offices.

Lack of Physical Security at the Branch Office
Typically, branch office locations do not have the facilities to host a data center. For that reason, it is common to find domain controllers hiding in closets, tucked away in the kitchen next to the fridge, or even in a restroom. As such, branch offices lack physical security when it comes to storing domain controllers, which results in these servers being prime targets for thieves.

Domain Controllers Stolen from the Branch Office
With inadequate physical security in the branch offices, it was very common for domain controllers to be stolen. This posed a major security threat to organizations because domain controllers contain a copy of all the user accounts associated with the domain. Confidential items such as highly privileged administrator accounts, DNS records, and the Active Directory schema could fall into the hands of the wrong people in this situation.

Removing Domain Controllers from the Branch Office
Because of a lack of physical security and concerns over domain controller theft, branch offices often had their domain controllers removed from their site. After being removed, users were forced to authenticate over the WAN to a domain controller residing at their corporate headquarters or to the closest hub site. Although this action solved the security issue, it also cultivated a new problem. If the WAN link between the branch office and hub site was unreliable or unavailable, users could not log on to the workstations at the branch office or the amount of time required to log on was greatly increased. This resulted in a loss of productivity for users in the branch office or outages that resulted in downtime if the WAN link was severed. These types of outages commonly lasted for days.

Lack of Administration Role Separation at the Branch Office
In small branch offices, it is also very common for multiple server functions to be hosted on a single server to reduce costs. For example, a single server might provide domain controller, file, print, messaging, and other line-of-business (LOB) functionality. In such cases, it is necessary for the administrators of these applications to log on to the system to manage their applications. By granting administrators privileges to the domain controller, these individuals also received full access to the Active Directory domain, which is considered to be a major security risk.

Lack of IT Support Personnel at the Branch Office
It is very common for secretaries, receptionists, or even high-level personnel such as managers and directors without any prior knowledge of IT management or maintenance to manage servers in a branch office. Typically, these individuals get nominated or promoted to a branch office IT support role because a local IT administrator does not exist. Unfortunately, even when conducting basic administration tasks like restarting an unresponsive server, these individuals can inadvertently wreak havoc on the Active Directory domain when granted administrator privileges on a domain controller. In a Windows Server 2003 environment, there was little that could be done about this situation. You just had to be careful about who you promoted to the exclusive club of domain administrators.

Source of Information : Sams - Windows Server 2008 R2 Unleashed