Here’s a short one: I’ve come across this question in one of the Newsgroups and really didn’t know the answer exactly. I knew it had to be some sort of LDAP query magic, since by some means, both RWDC and RODC need to compile a list of possible rep partners every time KCC runs and generates the rep topology.
I did some tracing and this is what I found:
* NTDS SettingsÂ of RODCs inÂ CN=NTDS Settings,CN=<DCname>,CN=Servers,CN=<Site name>,CN=Sites,CN=Configuration,DC=domain,DC=tldÂ have a different objectCategory than writable DCs’ NTDS setting objects have. Where NTDS settings of writable DCs have an objectCategory of ntds-dsa, RODCs use ntds-dsa-ro, where RO stands for “read only”. 2008+ DCs and newer have learned to look for ntds-dsa rep partners as well as for ntds-dsa-ro rep partners. That’sÂ why RODCs are included in 2008’s rep topology.
* RODCs look for 2008+ DCs to replicate from. Only from those, they get the (filtered attribute set) FAS and can replicate single objects (like passwords to cache if Password Replication Policy allows so). So they look for ntds settings objects that have a objectCategory of ntds-dsa and a ms-DS-behaviorVersion>=3 (3 = Win2008). The query would look similar to the following:
(& (objectClass=nTDSDSA) (objectCategory=nTDS-DSA-RO) (ms-DS-behaviorVersion>=3) )
Besides looking pretty technical at the problem, my friend Rich (see the CB5 blog at http://cbfive.com/blog/Â for more great content) had a good explaination what’s going on - without being too technical here.Â He said that RODCs and RWDCs just have different “views” on the replication topology. I think that’s a great explaination. Since all DCs have knowledge about what DCs are around (think of the Configuration partition being shared among all DCs in allÂ domains!), it is easy for DCs to look at the whole topology and pick the correct DCs to replicate with. KCC does a great job there.
Flo - “I wear my RTFM shirt today” - rian