What is a Read-Only Domain Controller (RODC)?
Information Technology Directorate (ITD) has deployed Read-Only Domain Controllers (RODC) to schools since 2009. The aim was to reduce network traffic on the Wide Area Network (WAN) by offering local authentication. In plain terms, an RODC is a copy of DoE’s main user database and directory (DETNSW.WIN) stored locally on the school’s eT4L server.
A need to review
Since 2009, many changes have challenged the ongoing need for RODCs, including substantial growth of the DETNSW.WIN directory:
- 1.4 million users to 2.4 million (42% growth)
- 106,700 groups to 272,930 (256% growth)
- 152,800 computers to 432,946 (283% growth)
- 14Gb AD database to 70Gb (500% growth)
- Increased WAN link speeds to schools
- Centralisation of more services
Following testing at 40 sites earlier this year, approval was granted to remove RODCs from all school sites.
RODC removal schedule
Due to the time of year, sites scheduled for RODC removal will generally fit into one of the following periods:
- Monday 11 September - Friday 8 December 2017 OR
- Monday 12 February - Thursday 29 March 2018
Schools with active RODCs running on their eT4L Server can confirm their removal date by checking this online schedule.
What does the school need to do?
Take note of your school's scheduled date. ITD will complete all the necessary reconfiguration work for the services it provides to the school. There will be no outage as part of this reconfiguration work. The school should continue to access services as normal; however, it is important to report any problems or incidents related to the user logon process and performance, using the EdConnect online form or by phone on 1300 32 32 32.
Technical risks to consider
It’s not common, but some schools may be running custom or third-party applications or systems that leverage the RODC for authentication purposes. If your school has any local applications configured to point directly at the RODC, they will need to be reconfigured. Examples might include:
- manual DNS configuration (not via DHCP) on any school-owned devices such as servers
- LDAP configuration using the RODC for authentication (e.g. a local Moodle instance, Sentral)
If you have local applications configured to use the RODC, they may stop working when it is removed from your eT4L server. Reconfiguration work may be required to update settings to use the Read-Write Domain Controllers (RWDC) within the ITD data centres. If you think your school is leveraging the RODC for local services or applications and need assistance, please log a call with EDConnect.
Further information
If you require further advice, please contact your local Schools ICT Support Team.