Why doesn’t the KCC on writable domain controllers try to build connections from an RODC?

To build the replication topology, the Knowledge Consistency Checker (KCC) examines the following:

  • All the sites that contain domain controllers
  • The directory partitions that each domain controller holds
  • The cost that is associated with the site links to build a least-cost spanning tree

The KCC determines whether a site contains a domain controller by querying AD DS for objects whose objectCategory is NTDS-DSA, the object category of a writable domain controller's NTDS Settings object. The NTDS Settings objects of RODCs do not have this object category. Instead, they carry a new objectCategory value named NTDS-DSA-RO.

As a result, the KCC on a writable domain controller never considers an RODC to be part of the replication topology, because the RODC's NTDS Settings object is not returned by that query. This is why no writable domain controller ever builds a connection object from an RODC: an RODC is never a replication source.

The KCC on an RODC, however, must treat the local domain controller (itself) as part of the topology in order to build its own inbound connection objects. A minor change to the KCC algorithm on all domain controllers running Windows Server 2008 makes this possible: the KCC always adds the NTDS Settings object of the local domain controller to its list of candidate domain controllers, regardless of what the NTDS-DSA query returns. This lets the KCC on an RODC add itself to the topology, while the KCC on an RODC still does not add any other RODC to the list of domain controllers that it generates.
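The following PowerShell script is an added example, not code from the original article. It reproduces the distinction described above against a live forest: it issues the same kind of objectCategory query the KCC uses, shows that RODC NTDS Settings objects only appear under the NTDS-DSA-RO category, and then checks the resulting connection objects to confirm that no writable domain controller has an inbound connection whose source (fromServer) is an RODC. It assumes the ActiveDirectory module, a domain-joined machine, and the class lDAPDisplayNames nTDSDSA and nTDSDSARO; the variable and function names are the example's own.

```powershell
# Added example (not from the original article): verify KCC site discovery vs. RODCs.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

function Get-NtdsSettings {
    param([string]$LdapFilter)
    Get-ADObject -LDAPFilter $LdapFilter -SearchBase $sitesDN -SearchScope Subtree `
                 -Properties objectCategory, objectClass
}

# 1. The query the KCC on a writable DC relies on: objectCategory=NTDS-DSA.
#    Only writable DCs are returned here; RODCs drop out.
$writable = Get-NtdsSettings '(objectCategory=nTDSDSA)'

# 2. RODC NTDS Settings objects carry objectCategory NTDS-DSA-RO instead.
$rodc = Get-NtdsSettings '(objectCategory=nTDSDSARO)'

# 3. Caveat for anyone writing their own inventory scripts: nTDSDSARO derives from
#    nTDSDSA, so an objectClass filter matches BOTH kinds. objectCategory is what
#    separates them, which is exactly the property the KCC keys on.
$byClass = Get-NtdsSettings '(objectClass=nTDSDSA)'

"Writable DC NTDS Settings (objectCategory=nTDSDSA):   {0}" -f @($writable).Count
"RODC NTDS Settings       (objectCategory=nTDSDSARO): {0}" -f @($rodc).Count
"All NTDS Settings        (objectClass=nTDSDSA):       {0}" -f @($byClass).Count

# 4. Connection objects live under the NTDS Settings of the DESTINATION DC;
#    fromServer points at the SOURCE DC's NTDS Settings object.
$rodcDNs = @($rodc | ForEach-Object { $_.DistinguishedName })

foreach ($dc in $writable) {
    $conns = Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' `
                          -SearchBase $dc.DistinguishedName -SearchScope OneLevel `
                          -Properties fromServer
    foreach ($c in $conns) {
        if ($rodcDNs -contains $c.fromServer) {
            # Should never print: writable DCs do not build connections from RODCs.
            Write-Warning ("Unexpected: {0} has inbound connection from RODC {1}" -f
                           $dc.DistinguishedName, $c.fromServer)
        }
    }
}

# 5. Each RODC should have inbound connections whose sources are writable DCs only.
foreach ($ro in $rodc) {
    $conns = Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' `
                          -SearchBase $ro.DistinguishedName -SearchScope OneLevel `
                          -Properties fromServer
    foreach ($c in $conns) {
        $srcIsRodc = $rodcDNs -contains $c.fromServer
        "{0} <- {1} (source is RODC: {2})" -f $ro.Name, $c.fromServer, $srcIsRodc
    }
}
```

Run it from a management host with RSAT as a user who can read the Configuration partition. If step 3 returns more objects than step 1, the difference is your RODC count, which is the whole reason the KCC filters on objectCategory rather than objectClass. A warning from step 4 would indicate a manually created connection object (the KCC does not generate them), and is worth investigating.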
