One of the really exciting new ones is the concept of the read-only domain controller. Before with AD, as compared with NT 4.0 in particular, every domain controller has a writable copy of your directory. You can make a change anywhere and it will propagate throughout the environment. At the same time, all of [the domain controllers] have secrets like your password. Right now with [Windows Server] 2003, if that server is out in the field and gets stolen and it's not secure, then you have a huge security issue in that all the passwords for that domain are in the DCs. So the only approach you can take is to make everyone change their password. That's a big deal if you have 100,000 people on that domain.

With the new read-only domain controller feature, [the change] is two-fold. First, you can now define which passwords are stored locally. Now if the server gets stolen, you only have to have 100 people change their passwords versus 100,000. Second, you can't make any changes on that domain controller [DC], because it's read only.
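As an added illustration (not part of the interview), the following PowerShell uses the ActiveDirectory module's Password Replication Policy cmdlets to do what the speaker describes: define which accounts' passwords an RODC may cache, and, if the RODC is lost, list exactly which accounts need a reset instead of the whole domain. The RODC name and group name are placeholders.

```powershell
# Added example, not from the interview: constrain and inspect which account
# secrets a read-only domain controller caches, via the ActiveDirectory module.
# Assumptions: an RODC named RODC-BRANCH01 and a group BranchOffice-Users
# (both placeholders); run on a writable DC or a host with RSAT-AD-PowerShell.
Import-Module ActiveDirectory

$rodc  = 'RODC-BRANCH01'
$group = 'BranchOffice-Users'

# Allow only the branch users' secrets to be cached on this RODC. Accounts in
# the Denied list (by default, Domain Admins and other privileged groups) are
# never cached, regardless of the Allowed list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# Review the resulting Password Replication Policy.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, DistinguishedName

# Incident response: if this RODC is stolen, the accounts whose passwords must
# be reset are exactly those whose secrets were revealed (cached) to it.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
"{0} account(s) cached on {1}; reset these rather than the whole domain." -f $revealed.Count, $rodc
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize

# Force a password change at next logon for the affected user accounts only.
$revealed | Where-Object { $_.ObjectClass -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_ -ChangePasswordAtLogon $true }
```

Deleting the stolen RODC's computer object in Active Directory Users and Computers also offers to reset the cached accounts' passwords, which covers the same set of accounts as the list above.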
