In our situation, we have several places where we wish to deploy domains but do not wish to allow full access to domain controllers by the workstations that authenticate to those DCs.
In our case, given that they would authenticate over a WAN (over 90 T1s) back to a DC or two, what we would do is restrict access by Cisco ACL to only the Read-Only Domain Controllers with password caching on.
This would make sure that those workstations could not damage or cause harm to the rest of the network, but could provide Kerberos ticketing instead of the clear password authentication they have now with not being in the domain.
We could provide group policy enforcement, SUS updates, etc., without fear of compromising the system. The ACLs on the routers would make sure that they were restricted to only the R/O DCs and life is great.
A valuable feature. I look forward to exploring more uses perhaps in Development domains or QA domains as well.
Thanks TR...
THE Engineer
windowsmt60@hotmail.com