Installing a Read-Only Domain Controller (RODC) isn't much different from installing a regular domain controller.
However, there is one important factor to keep in mind: an RODC can only be installed into an existing Active Directory domain that already has at least one writable (non-read-only) domain controller running Windows Server 2008 or later.
Why Read-only domain controllers (RODC)
Read-only domain controllers are ideal for remote locations where the physical security of the server cannot be guaranteed. They give the remote site a local authentication point without holding a secret for every account in the domain. An RODC receives a read-only copy of the directory, but account passwords (secrets) are replicated to it only for the users and computers that its Password Replication Policy allows it to cache. An authentication request for any other account is forwarded by the RODC to a writable domain controller, and any write to the directory is referred to a writable domain controller as well. The features that make this possible are:
- Unidirectional replication
- Special krbtgt account
- Password Replication Policy (PRP)
- RODC filtered attribute set (FAS).
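To see what these four features amount to on a deployed RODC, here is an added example (not part of the original post) that inspects an existing RODC from the Active Directory PowerShell module. The RODC name RODC01 is an assumption. The module needs RSAT on Windows Server 2008 R2 or later; on a Windows Server 2008 RTM domain controller only the repadmin commands listed in the comments are available.

```powershell
# Added example, not part of the original post: inspect what an existing RODC
# actually holds. Requires the ActiveDirectory module (RSAT / Windows Server
# 2008 R2 or later). The RODC name "RODC01" is an assumption.
Import-Module ActiveDirectory

$rodc = 'RODC01'

# 1. Password Replication Policy: who may be cached, who never is.
"== PRP: allowed to be cached on $rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
"== PRP: explicitly denied =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Secrets that are really on the box right now. If the RODC is stolen,
#    these are the only credentials an attacker can extract from it.
"== Accounts whose passwords are currently cached =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
"== Accounts that have authenticated through this RODC =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name

# 3. Each RODC has its own krbtgt account (krbtgt_<id>); a ticket forged with
#    an RODC key is not accepted by writable DCs as a domain-wide golden ticket.
"== RODC-specific krbtgt accounts in the domain =="
Get-ADUser -LDAPFilter '(sAMAccountName=krbtgt_*)' |
    Select-Object SamAccountName, DistinguishedName

# 4. RODC filtered attribute set: schema attributes whose searchFlags has bit
#    0x200 (fRODCFilteredAttribute) set are never replicated to any RODC.
"== Attributes in the RODC filtered attribute set =="
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))' |
    Select-Object Name

# Equivalent repadmin views when the AD module is not available:
#   repadmin /prp view RODC01 Allow
#   repadmin /prp view RODC01 Deny
#   repadmin /prp view RODC01 Reveal
#   repadmin /prp view RODC01 Auth2
```

The Reveal list is the one to review after a suspected theft of the RODC: those are the accounts whose passwords must be reset, and the Active Directory Users and Computers "Delete" dialog for an RODC offers exactly that reset for the same reason.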
Differences Between an RODC and a Writable Domain Controller
As an additional domain controller for a domain, a read-only domain controller (RODC) performs the same operations as a writable domain controller.
For example, because an RODC contains a copy of the directory database and a copy of the SYSVOL folder that contains the Group Policy objects (GPOs) and logon scripts for client computers, it can respond to authentication requests just as a writable domain controller does.
However, there are a number of differences between an RODC and a writable domain controller. The most important ones:
- Replication is unidirectional: changes flow from writable domain controllers to the RODC, never from the RODC back to the domain, so a compromised RODC cannot push changes to the rest of the domain.
- The RODC accepts no writes; LDAP write requests and password changes are referred to a writable domain controller.
- Only the passwords of accounts allowed by the Password Replication Policy (PRP) are cached on the RODC. By default no user or computer passwords are cached at all, and privileged groups such as Administrators and Domain Admins are explicitly denied.
- Each RODC has its own krbtgt account (krbtgt_<number>), so the Kerberos tickets it issues are signed with a key unique to that RODC and the domain krbtgt key never leaves the writable domain controllers.
- Attributes in the RODC filtered attribute set (FAS) are never replicated to any RODC.
- Administrator role separation lets you delegate local administration of the RODC to a user or group without making them domain administrators.
- An RODC cannot hold any operations master (FSMO) role.
Links to the step-by-step guides on the related Active Directory concepts and installation procedures are listed at the end of this post.
Before installing an RODC, the domain environment must meet the following requirements:
- Forest functional level must be Windows Server 2003 or higher
- At least one writable domain controller running Windows Server 2008 or higher
- If the forest was built with Windows Server 2003 domain controllers, prepare it from the Windows Server 2008 media with adprep /forestprep and adprep /domainprep first, then run adprep /rodcprep (as a member of Enterprise Admins); rodcprep updates the permissions on the application directory partitions (such as the DNS partitions) so that an RODC is allowed to replicate them
- The PDC emulator operations master must run Windows Server 2008 or higher
- Execute the following command to find out which machine is the PDC emulator if you are unsure: dsquery server -hasfsmo pdc
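The checks above can be scripted. The following is an added example (not part of the original post) that verifies the forest functional level, the schema version, the writable domain controllers and the PDC emulator operating system before you run dcpromo. It assumes the Active Directory PowerShell module (RSAT, Windows Server 2008 R2 or later) on a machine joined to the target domain; it only reads the directory.

```powershell
# Added example, not part of the original post: checks the RODC prerequisites
# listed above before running dcpromo. Requires the ActiveDirectory module
# (RSAT / Windows Server 2008 R2 or later). Nothing here changes the directory.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$domain   = Get-ADDomain
$problems = @()

# 1. Forest functional level must be Windows Server 2003 or higher.
$tooLow = @('Windows2000Forest', 'Windows2003InterimForest')
if ($tooLow -contains "$($forest.ForestMode)") {
    $problems += "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2003 or higher."
}

# 2. Schema must have been extended by adprep /forestprep from the 2008 media
#    (schema objectVersion 44 = Windows Server 2008, 47 = Windows Server 2008 R2).
$schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
if ($schema.objectVersion -lt 44) {
    $problems += "Schema objectVersion is $($schema.objectVersion); run adprep /forestprep, /domainprep and /rodcprep from the Windows Server 2008 media."
}

# 3. At least one writable DC running Windows Server 2008 or later.
$dcs = Get-ADDomainController -Filter *
$writable2008 = $dcs | Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -notmatch '2000|2003' }
if (-not $writable2008) {
    $problems += "No writable Windows Server 2008 or later domain controller found in $($domain.DNSRoot)."
}

# 4. The PDC emulator must run Windows Server 2008 or later.
$pdc = $dcs | Where-Object { $_.HostName -eq $domain.PDCEmulator }
if (-not $pdc -or $pdc.OperatingSystem -match '2000|2003') {
    $problems += "PDC emulator $($domain.PDCEmulator) runs '$($pdc.OperatingSystem)'; transfer the role to a Windows Server 2008 or later DC."
}

"Forest: $($forest.Name)  functional level: $($forest.ForestMode)  schema version: $($schema.objectVersion)"
"PDC emulator: $($domain.PDCEmulator)"
"Writable 2008+ DCs: $($writable2008.HostName -join ', ')"
if ($problems) {
    $problems | ForEach-Object { "NOT READY: $_" }
} else {
    "All RODC prerequisites met."
}
```

There is no directory attribute that records whether adprep /rodcprep has been run; if it was skipped, dcpromo reports it when you choose the RODC option, so run rodcprep as part of the adprep sequence rather than waiting for that error.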
After you have installed Windows Server on your new machine and completed all the Initial Configuration Tasks, open up Server Manager and click on the Roles section.
We will need to install the Active Directory Domain Services (ADDS) Role first. So go ahead and check the box next to it and click Next and proceed further.
Review the confirmation and click on “Next”
Review the installation confirmation and click on “Next”
It will take a few minutes to complete, and when it's done you will get a confirmation. Click "Close".
Now we can start deploying the RODC. Do a Start > Run > dcpromo and click OK.
The Active Directory Domain Services Installation Wizard will start. Either enable the checkbox beside Use advanced mode installation and click Next, or leave it unselected and click Next.
The Operating System Compatibility page will be displayed, take a moment to read it and click Next
Since this is going to be RODC, make sure you select the Existing forest option and then select Add domain controller to an existing domain
When ready, click on the Next button.
On the Network Credentials page, type in the name of the domain you want to join and then specify the credentials to use. Unless the RODC computer account was pre-created (staged) in the domain and its installation delegated to you, these credentials must belong to a member of Domain Admins.
If you select Alternate credentials, provide your DOMAIN\Administrator credentials.
On the select a domain screen, select your domain and click Next
Select a site and then click Next
Under “Additional Options” is where you actually choose to make this a Read-Only Domain Controller installation.
On the Specify the Password Replication Policy page you decide which accounts may have their credentials cached on the read-only domain controller. In this tutorial I kept the default policy Microsoft ships: only the Allowed RODC Password Replication Group (empty by default) is set to Allow, and Administrators, Account Operators, Server Operators, Backup Operators and the Denied RODC Password Replication Group are set to Deny. If branch users need to log on while the WAN link is down, add them to the Allow list through a dedicated group, and never allow privileged accounts. Click Next once you have determined the settings you want to use.
On the Delegation of RODC Installation and Administration step, click the Set… button and select either a user or security group of users that you wish to have Administrative access to the read-only domain controller.
If this is a remote office where you have a designated IT member(s), you would want to create a security group on your read/write DC and then select the group.
However, if you will always know only one individual will login to the RODC, you can specify their user as the one to have local Administrative privileges.
Lastly, if you don’t want anyone to be able to mess with the RODC, you can simply click Next > and that will only allow members of the Domain Admins or Enterprise Admins security groups to manage the RODC. Click Next > once you have decided what security group or user you wish to allow local administrative access to the machine.
The Install from Media page is displayed only if you selected Use advanced mode installation on the Welcome page; if you did not, skip ahead to the step that sets the locations for the database, log files and SYSVOL. Here you can choose to either replicate data over the network from an existing domain controller, or specify the location of installation media to be used to create the domain controller and configure AD DS. I want to replicate data over the network, so I choose the first option and click Next.
On the Source Domain Controller page of the Active Directory Domain Services Installation Wizard, you can select which domain controller will be used as a source for data that must be replicated during installation, or you can have the wizard select which domain controller will be used as the source for this data.
You have two options :
- Let the wizard choose an appropriate domain controller
- Use this specific domain controller
Just like when creating a domain, you will be asked for the locations of the database, log files and SYSVOL folders. You may change the destinations or keep the default locations and proceed to the next step.
Moving forward, you will be asked to set a Directory Services Restore Mode (DSRM) password, which is separate from the domain Administrator's account password. As mentioned in the previous post, this password is used when the domain controller is started in Directory Services Restore Mode. Choose a strong password, store it somewhere safe, and click Next.
At this point, you can export the settings to make an answer file or you can click Next > for the server to begin applying the configuration.
Click Finish once done and Restart when prompted
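The answer file mentioned at the export step lets you run the whole wizard sequence above unattended, which is how you would promote several branch RODCs consistently. The following is an added example (not part of the original post) of that unattended promotion driven from PowerShell on the new server after the AD DS role has been added. The domain, site, source DC and group names are assumptions; replace them with your own.

```powershell
# Added example, not part of the original post: the same RODC promotion the
# wizard performs, run unattended with dcpromo /unattend. Run elevated on the
# new server after the AD DS role is installed. All names below are assumptions.
$domainName   = 'corp.example.com'
$siteName     = 'BranchOffice'
$sourceDC     = 'DC01.corp.example.com'
$rodcAdmins   = 'CORP\RODC-BranchOffice-Admins'   # delegated RODC administrators
$cacheAllowed = 'CORP\BranchOffice-Users'          # accounts whose passwords may be cached
$answerFile   = Join-Path $env:TEMP 'rodc-unattend.txt'

# The DSRM password is prompted for rather than hard-coded, and the answer
# file is deleted once dcpromo has consumed it, because it holds that secret.
$dsrmPassword = Read-Host 'Directory Services Restore Mode password'

@"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$domainName
SiteName=$siteName
ReplicationSourceDC=$sourceDC
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$domainName
UserName=CORP\Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPassword
DelegatedAdmin=$rodcAdmins
PasswordReplicationAllowed=$cacheAllowed
PasswordReplicationDenied="CORP\Domain Admins"
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    # Password=* makes dcpromo prompt for the Domain Admin password interactively.
    & "$env:SystemRoot\System32\dcpromo.exe" /unattend:$answerFile
    $exitCode = $LASTEXITCODE
} finally {
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}

if ($exitCode -eq 0) {
    "Promotion succeeded; rebooting."
    Restart-Computer -Force
} else {
    "dcpromo exited with code $exitCode; see $env:SystemRoot\debug\dcpromo.log"
}
```

RebootOnCompletion is set to No so that the answer file can be removed before the restart. After the reboot, confirm the result from a writable domain controller with Get-ADDomainController -Identity <RODC name>, which should report IsReadOnly as True, and review the effective PRP with repadmin /prp view <RODC name> Allow.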
This completes the installation of the RODC in the domain.
- How to Install Active Directory on Windows Server 2008
- How To Create Additional Domain Controller (ADC) In Windows Server 2008
- Creating a New Child Domain in Windows Server 2008