I was working late tonight to finish my session “Incorporate RODCs (Read Only Domain Controllers) to your existing Active Directory” that I’m going to present at Microsoft TechDays, 17-18 March in Västerås. If you’re interested in a deep dive session (level 400+) about Read-Only Domain Controllers, then my session is for you; read more at: http://www.microsoft.com/sverige/techdays09/sv/about.aspx
However, I was about to reproduce a bug that we have found with “adprep /rodcprep”, to include it in the session along with how to correct it and avoid it happening. While reviewing the security of my NCs, I noticed a strange group: NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS BETA. It’s a part of the NT AUTHORITY, and my guess is that this group was introduced in my forest in the early days of Longhorn Server, when there was still a requirement to have the PDC running Longhorn Server in order to incorporate RODCs to your forest. Nowadays (post Beta 3), Enterprise Read-Only Domain Controllers and Read-Only Domain Controllers (domain-specific) are created in your domain using a trigger that happens on the promotion of the first RODC or the first pre-stage of an RODC.