RODC/PDCe dependencies

Mark Parris, in his latest blog entry, mentions that the Windows Server 2008 operations guide has removed the requirement that the PDCe be on a Windows 2008 DC for the deployment of RODCs.

Whilst this is true for the AD upgrade of the RODC, you will still have issues if the PDCe is not on a Windows 2008 DC (especially in a single-domain environment; see: Keeping the Domain on time). The RODC cannot use a Windows 2003 DC as an authoritative time source, so if a Windows 2003 DC holds the PDCe role for the domain, the RODC will fail to find an authoritative time source and time skew will eventually occur, because the PDCe for the domain is the authoritative time source used by all DCs. This time skew can and will affect clients authenticating to the RODC and replication from Windows 2008 DCs to the RODC.

The workaround for this is to either:

1. Move the PDCe role for the domain to a Windows 2008 DC, or

2. Configure the RODC as a reliable time source for authenticating clients using the command: w32tm /config /reliable:yes /update
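Before choosing between the two options it is worth confirming the conditions described above on the RODC itself: which DC holds the PDCe and what OS it reports, what the RODC is currently syncing from, and how far its clock has already drifted from the PDCe. The following script is an added example (mine, not from Austin's post or from any Microsoft documentation) for an elevated PowerShell session on the RODC. It assumes only w32tm.exe and the .NET System.DirectoryServices.ActiveDirectory classes, which ship with Windows Server 2008; the 60-second warning threshold is my own choice, and nothing is changed unless -Fix is passed.

```powershell
# Added example, not part of the original post: audit an RODC's time
# configuration against the domain's PDCe and, only when asked, apply
# option 2 from the post (w32tm /config /reliable:yes /update).
# Run in an elevated PowerShell session on the RODC.

param(
    [switch]$Fix   # without -Fix the script only reports; nothing is changed
)

# Which DC holds the PDCe role for this domain, and what OS does it report?
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdce   = $domain.PdcRoleOwner
Write-Host ("Domain {0}: PDCe is {1} running {2}" -f $domain.Name, $pdce.Name, $pdce.OSVersion)

# What is this RODC currently syncing from? "Local CMOS Clock" or
# "Free-running System Clock" means it never found an authoritative source.
$source = (w32tm /query /source) -join ' '
Write-Host "Current time source on $env:COMPUTERNAME : $source"

# Measure the offset between this RODC and the PDCe. With /dataonly each
# sample line ends in the offset, e.g. "12:00:01, +00.0012345s".
$target  = "/computer:$($pdce.Name)"
$samples = w32tm /stripchart $target /samples:3 /dataonly
$offsets = @(foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s\s*$') { [math]::Abs([double]$matches[1]) }
})

if ($offsets.Count -eq 0) {
    Write-Warning "Could not measure the offset from $($pdce.Name); is it reachable on UDP 123?"
} else {
    $skew = ($offsets | Measure-Object -Maximum).Maximum
    Write-Host ("Largest offset from PDCe over {0} samples: {1:N3} s" -f $offsets.Count, $skew)
    # Kerberos tolerates 5 minutes of skew by default; warn well before that.
    if ($skew -gt 60) {
        Write-Warning "Skew above 60 s: client authentication against this RODC is at risk."
    }
}

$pdceIs2003 = $pdce.OSVersion -like '*2003*'
if ($pdceIs2003) {
    Write-Warning "PDCe is a Windows 2003 DC: this RODC cannot use it as an authoritative time source."
    Write-Warning "Preferred fix: move the PDCe role to a writable Windows 2008 DC (option 1 in the post)."
}

if ($Fix -and $pdceIs2003) {
    # Option 2 from the post: advertise this RODC as a reliable time source so
    # clients in its site take time from it. This only changes what the RODC
    # announces; it does not change where the RODC itself gets its time from,
    # so the offset measured above still needs watching.
    w32tm /config /reliable:yes /update
    w32tm /resync
    Write-Host "Applied: w32tm /config /reliable:yes /update"
    w32tm /query /status
}
```

Run it once without -Fix to see the report; if the PDCe reports Windows Server 2003 and moving the role is not an option right away, run it again with -Fix to apply the post's second workaround. The final w32tm /query /status output shows the stratum and source the RODC ends up with, which is what clients in its site will inherit.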

It seems to me that the statement that the RODC can synchronise time with a writable Windows 2008 domain controller assumes that this DC holds the PDCe role. The only exception would be an RODC created in a child domain that has a non-PDCe Windows 2008 DC, where the Windows 2008 DC the RODC synchronises its time with is in the parent domain of the forest; but none of the texts I have seen imply that.

So, my advice is: if you are installing RODCs, make sure you move the PDCe role to a writable Windows 2008 DC. It’ll make your life a lot easier!

Published 27 January 2009 06:09 AM by Austin
