Steps for Deploying & Installing a Read-Only Domain Controller (RODC)

Installing a Read-Only Domain Controller (RODC) isn’t much different than installing a regular domain controller.

However, there is one important factor to keep in mind: an RODC can only be installed into an existing Active Directory domain that already has at least one full (non-read-only) Windows Server 2008 domain controller.

Why Read-Only Domain Controllers (RODC)?

Read-only domain controllers are ideal for remote locations where the security of the server cannot be guaranteed. They give the remote site a local authentication point without storing sensitive data about every object in the domain: the only credentials stored on a read-only domain controller are those of the users and computers it has been authorized to authenticate. Any other object that is queried or authenticated against is forwarded by the read-only DC to a writable domain controller. Four mechanisms make this possible:

  • Unidirectional replication
  • Special krbtgt account
  • Password Replication Policy (PRP)
  • RODC filtered attribute set (FAS)

Differences Between an RODC and a Writable Domain Controller

As an additional domain controller for a domain, a read-only domain controller (RODC) performs the same operations as a writable domain controller.

For example, because an RODC contains a copy of the directory database and a copy of the SYSVOL folder that contains the Group Policy objects (GPOs) and logon scripts for client computers, it can respond to authentication requests just as a writable domain controller does.

However, there are a number of differences between an RODC and a writable domain controller. The following table lists the important differences in the characteristics of an RODC and a writable domain controller.

Before installing an RODC in a domain, the environment needs to meet the following requirements:

  • The forest functional level must be Windows Server 2003 or higher
  • At least one writable domain controller must be running Windows Server 2008 or higher
  • If there are Windows Server 2003 domain controllers in the forest, Active Directory must be prepared for RODC installation by running the command: adprep /rodcprep
  • The PDC emulator operations master must be on Windows Server 2008
  • If you are unsure which machine holds the PDC emulator role, run the following command to find out: dsquery server -hasfsmo pdc
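The requirements above can be checked from a management host before running dcpromo. The following is an added example (not from the original post) using the ActiveDirectory PowerShell module that ships with RSAT on Windows Server 2008 R2 and later; it assumes the account running it can read the forest configuration, and the adprep /rodcprep marker object it looks for is taken from the documented adprep behaviour.

```powershell
# Added example (not from the original post): checks the RODC prerequisites listed above.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later management host).
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# 1. Forest functional level must be Windows Server 2003 or higher.
#    ADForestMode enum: Windows2003Forest = 2; Windows2003InterimForest (1) does not qualify.
$forestOk = [int]$forest.ForestMode -ge 2
"Forest functional level: $($forest.ForestMode) -> $(if ($forestOk) { 'OK' } else { 'TOO LOW' })"

# 2. At least one writable DC running Windows Server 2008 or higher.
#    \D* skips the registered-trademark symbol some OS strings carry ("Windows Server(R) 2008").
$writable2008 = @(Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -match 'Server\D*(2008|2012|2016|2019|2022|2025)' })
"Writable DCs on Windows Server 2008 or later: $($writable2008.Count)"
$writable2008 | ForEach-Object { "  $($_.HostName)  $($_.OperatingSystem)  site=$($_.Site)" }

# 3. The PDC emulator must run Windows Server 2008 or higher
#    (the scripted equivalent of: dsquery server -hasfsmo pdc).
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
"PDC emulator: $($pdc.HostName) ($($pdc.OperatingSystem))"

# 4. adprep /rodcprep status: adprep stamps CN=ActiveDirectoryRodcUpdate under CN=ForestUpdates
#    with Revision = 2 (assumption taken from the documented adprep behaviour).
#    A missing object means rodcprep has never been run in this forest.
$rodcUpdateDn = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)"
try {
    $rev = (Get-ADObject -Identity $rodcUpdateDn -Properties Revision).Revision
    "adprep /rodcprep: Revision=$rev -> $(if ($rev -ge 2) { 'OK' } else { 'INCOMPLETE' })"
} catch {
    "adprep /rodcprep: NOT RUN ($rodcUpdateDn not found)"
}
```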

After you have installed Windows Server on your new machine and completed all the Initial Configuration Tasks, open up Server Manager and click on the Roles section.

We will need to install the Active Directory Domain Services (AD DS) role first. Check the box next to it, click Next, and proceed.

Review the confirmation and click Next.

Review the installation confirmation and click Next.

It will take a few minutes to complete; when it is done you will see a confirmation. Then click Close.

Now we can start deploying the RODC. Go to Start > Run, type dcpromo and click OK.

The Active Directory Domain Services Installation Wizard will start. Either check the box beside Use advanced mode installation and click Next, or leave it unselected and click Next.

The Operating System Compatibility page will be displayed; take a moment to read it and click Next.

Since this is going to be an RODC, make sure you select the Existing forest option and then select Add a domain controller to an existing domain.

When ready, click on the Next button.

On the Network Credentials page, type in the name of the domain you want to connect to and then specify the credentials used to add the machine. These credentials must have at least domain admin privileges to join the DC to the network.

If you select Alternate credentials, provide your Domain\Administrator credentials.

On the Select a Domain screen, select your domain and click Next.

Select a site and then click Next.

Under “Additional Options” is where you actually choose to make this a Read-Only Domain Controller installation: check the Read-only domain controller (RODC) box.

On the Specify the Password Replication Policy step, adjust the settings for each group, specifying whether you want to cache user credentials on the Read-Only domain controller. In this tutorial, I left all of the options at Deny except the Allowed RODC Password Replication Group, which is the default per Microsoft. Click Next > once you have determined the settings you want to use.

On the Delegation of RODC Installation and Administration step, click the Set… button and select either a user or security group of users that you wish to have Administrative access to the read-only domain controller.

If this is a remote office where you have a designated IT member(s), you would want to create a security group on your read/write DC and then select the group.

However, if you know that only one individual will ever log on to the RODC, you can specify that user as the one to have local Administrative privileges.

Lastly, if you don’t want anyone to be able to mess with the RODC, you can simply click Next > and that will only allow members of the Domain Admins or Enterprise Admins security groups to manage the RODC. Click Next > once you have decided which security group or user you wish to allow local administrative access to the machine.
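To verify what the Password Replication Policy and delegation choices above actually resulted in on a deployed RODC, here is an added example (not from the original post) using the ActiveDirectory PowerShell module; the RODC name RODC01 and the list of privileged groups are assumptions.

```powershell
# Added example (not from the original post): audits the PRP and delegated-admin settings of an
# already deployed RODC. "RODC01" is a placeholder; the privileged-group list is an assumption.
Import-Module ActiveDirectory
$rodc = 'RODC01'

# Who may / may not have passwords cached on this RODC. The wizard default leaves only
# "Allowed RODC Password Replication Group" allowed and keeps the built-in admin groups denied.
"== Allowed list =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    ForEach-Object { "  $($_.Name)" }
"== Denied list =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    ForEach-Object { "  $($_.Name)" }

# Accounts whose secrets have actually been revealed to (cached on) the RODC so far. If the branch
# server is lost or stolen, these are the passwords that must be reset.
"== Accounts with passwords currently cached on $rodc =="
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$cached | ForEach-Object { "  $($_.SamAccountName)" }

# Flag any cached account that belongs to a privileged group. The Denied list normally prevents
# this, but a direct Allow entry on a user or a nested-group mistake can still let it happen.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($acct in $cached) {
    $groups = @(Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
        Where-Object { $privileged -contains $_.Name })
    if ($groups.Count -gt 0) {
        $names = ($groups | ForEach-Object { $_.Name }) -join ', '
        "WARNING: privileged account cached on ${rodc}: $($acct.SamAccountName) ($names)"
    }
}

# The delegated RODC administrator chosen in the wizard is stored in the RODC computer object's
# managedBy attribute; empty means only Domain Admins / Enterprise Admins can manage it.
$managedBy = (Get-ADComputer -Identity $rodc -Properties ManagedBy).ManagedBy
"Delegated RODC administrator: $(if ($managedBy) { $managedBy } else { 'none (Domain Admins / Enterprise Admins only)' })"
```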

The Install from Media page (displayed only if you selected Use advanced mode installation on the Welcome page; if you did not, skip ahead to choosing the location for the database and SYSVOL) lets you choose to either replicate data over the network from an existing domain controller, or specify the location of installation media to be used to create the domain controller and configure AD DS. I want to replicate data over the network, so I will choose the first option and click Next.

On the Source Domain Controller page of the Active Directory Domain Services Installation Wizard, you can select which domain controller will be used as a source for data that must be replicated during installation, or you can have the wizard select which domain controller will be used as the source for this data.

You have two options:

  • Let the wizard choose an appropriate domain controller
  • Use this specific domain controller

Just like when creating a Domain, you will get the choice to set a location for the database, SYSVOL and NTDS files. You may change the destination or let them remain in the default location and proceed to the next step.

Moving forward, you will be asked to save a restore mode password (which is separate from the Domain Administrator’s account). As mentioned in the previous post, this password is configured to be used when the Domain Controller is started in Directory Services Restore Mode. Choose a password and click Next.

At this point, you can export the settings to make an answer file or you can click Next > for the server to begin applying the configuration.

Click Finish once done and restart when prompted.

This completes the installation of the RODC in the domain.
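The settings the wizard lets you export are a dcpromo answer file. As an added example (not from the original post), this PowerShell script writes one that reproduces the choices made in the walkthrough (read-only replica of an existing domain, the site, the default PRP, a delegated admin group, default paths, DSRM password) and runs dcpromo with it; the domain corp.example.com, the site BranchOffice, the source DC, the admin group and the file path are placeholder assumptions.

```powershell
# Added example (not from the original post): unattended equivalent of the wizard walkthrough.
# Domain, site, source DC, delegated group and file path are placeholders; adjust to your forest.
$answerFile = 'C:\rodc-unattend.txt'

# The DSRM password is prompted for rather than hard-coded. The answer file still contains it,
# so delete the file once the promotion has completed.
$dsrmPassword = Read-Host 'Directory Services Restore Mode password'

@"
[DCINSTALL]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
SiteName=BranchOffice
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
ReplicationSourceDC=DC01.corp.example.com
UserDomain=corp.example.com
UserName=administrator
Password=*
PasswordReplicationAllowed="CORP\Allowed RODC Password Replication Group"
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="CORP\Denied RODC Password Replication Group"
DelegatedAdmin="CORP\BranchOffice-RODC-Admins"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII

# Password=* makes dcpromo prompt for the promoting account's password instead of reading it
# from the file. The AD DS role binaries must already be installed, as in the walkthrough.
& dcpromo "/unattend:$answerFile"
```

The PasswordReplicationDenied entries match the wizard's default Deny list that the walkthrough left in place; the Allowed and Denied RODC Password Replication Groups are created in the domain by adprep /rodcprep.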
