But headquarters is safer as a result. Not only do RODCs keep a hacker from accessing headquarters' user credentials from a branch office, they also let you limit the ability of any stolen accounts to access headquarters' resources. Here's how: Windows Server 2008 lets a domain administrator grant local admin rights on the RODC to a normal domain user. Therefore, if the RODC becomes physically compromised, none of the stolen accounts will have elevated rights anywhere else in the domain. That confines the breach to that branch office.
However, having a server stolen out of a server room isn't that common. In my 15 years in IT, I haven't even heard of it happening anecdotally.
If you decide you want the extra protection of RODCs, be aware that you need at least one Longhorn domain controller on the network and that the domain compatibility level has to be at least Windows 2003.
Longhorn provides several clustering enhancements as well. One of the most important is the new quorum model. In Windows 2003, the typical clustering scenario depends on the quorum node — essentially, the master disk — being available to the nodes that share the clustered data. This need for a quorum node thus presents the very single point of failure that clustering is designed to prevent. Although Windows 2003 provides the alternative majority-node clustering model, in which each node has a local copy of the quorum data, most implementations of Windows 2003 use the shared-node approach because they have just two nodes — not enough for a majority-node approach.
Longhorn's new quorum model merges the shared-node and majority-node models. Instead of a quorum node that the cluster must have to function, all nodes can have the quorum data. And in the case of a two-node cluster, each node, plus the shared-storage device, gets a vote, assuring that if any one fails there is still a majority to constitute a quorum.
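The vote counting described above can be checked by enumerating failures. The following is an added example, not Microsoft's code: it is a simplified model of the three quorum schemes for a two-node cluster, and the component names (node1, node2, disk) are hypothetical.

```python
from itertools import combinations

# Constructed model; the component names "node1", "node2" and "disk" are hypothetical.

def shared_disk_up(alive, nodes, disk):
    """Windows 2003 shared-quorum model: needs the quorum disk plus at least one node."""
    return disk in alive and any(n in alive for n in nodes)

def node_majority_up(alive, nodes, disk):
    """Windows 2003 majority-node model: only nodes vote; more than half must be up."""
    return sum(n in alive for n in nodes) > len(nodes) // 2

def hybrid_up(alive, nodes, disk):
    """Longhorn model as described above: each node and the shared storage has one vote."""
    voters = list(nodes) + [disk]
    return sum(v in alive for v in voters) > len(voters) // 2

MODELS = {
    "2003 shared quorum disk": shared_disk_up,
    "2003 majority node": node_majority_up,
    "Longhorn hybrid": hybrid_up,
}

def fatal_failures(model, nodes, disk, k=1):
    """Return every set of k simultaneous component failures that stops the cluster."""
    parts = list(nodes) + [disk]
    return [failed for failed in combinations(parts, k)
            if not model(set(parts) - set(failed), nodes, disk)]

if __name__ == "__main__":
    nodes, disk = ["node1", "node2"], "disk"
    for name, model in MODELS.items():
        single = fatal_failures(model, nodes, disk, k=1)
        print(f"{name:26} single points of failure: {single or 'none'}")
```

Calling `fatal_failures` with `k=2` shows the limit of the hybrid model: a two-node cluster tolerates any one failure, but not two at once.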
Clustering in Longhorn is now SAN-friendly as well. In Windows 2000, failover clustering used SCSI resets regularly. (A SCSI reset is a command that breaks the reservation on the target device. These bus resets affect the entire bus and all devices connected to it, so a SCSI reset causes all the devices on the bus to be disconnected.) Windows 2003 improved on that by using SCSI resets only as a last resort. In Longhorn, failover clustering doesn't use SCSI resets at all. Coupled with the new quorum model, this change goes a long way to making your cluster more stable.
Microsoft has also overhauled hardware compatibility for clustering. In Windows Server 2003, IT had to check a static Hardware Compatibility List or the Windows Server Catalog, which mostly covered only complete clustering solutions from various vendors, not their individual components. But with Longhorn, Microsoft provides tools so you can test your hardware yourself. That shifts hardware compatibility to a best-practices model, and gives vendors as well as users more control over the choices they make. (Vendors still have to conform to the Windows Logo Program's requirements.) This doesn't mean that Microsoft recommends that you piece together a clustering solution from mismatched hardware, but you can if you want or need to.
There is a big caveat to the clustering enhancements: You may not be able to just upgrade your current cluster to Longhorn. The new enhancements come with new hardware requirements, and there's no guarantee that your current hardware will be supported. And if you upgrade your current environment to Windows Server 2008 as is, it may become unstable or even unavailable. Be sure to download and run Microsoft's compatibility tools on your current hardware before upgrading your cluster.