

Read Only Domain Controller (RODC): Installation and Configuration - Part 1

RODC, a new type of domain controller introduced with Windows Server 2008, is intended mainly for branch offices: locations with a small number of users, weaker physical security, and no dedicated IT staff to manage a domain controller. An RODC holds a read-only copy of the directory database. Replication is inbound only: the RODC pulls changes from a writable (R/W) domain controller and never replicates anything back, so a compromised or misconfigured RODC cannot push changes into the domain. By default no account passwords (secrets) are stored on the RODC; only the accounts listed in its Password Replication Policy have their passwords cached, and an RODC can only replicate from a writable Windows Server 2008 domain controller. When a user authenticates at the RODC, the request is forwarded to a writable DC unless that user's password is already cached on the RODC, in which case the RODC can authenticate the user locally. Privileged accounts such as Domain Admins are denied caching by default. Administration of the RODC can be delegated to any domain user or group without giving that user any rights elsewhere in the domain: the delegated admin can log on to the RODC locally, install updates and drivers, and perform other server maintenance tasks.

To install and configure an RODC in a domain, the following prerequisites must be met:

  • The PDC emulator operations master role must be held by a Windows Server 2008 domain controller.

  • The forest functional level must be Windows Server 2003 or higher (the domain functional level must also be at least Windows Server 2003).

  • If the forest already contains Windows Server 2003 domain controllers, prepare it for RODC installation by running "adprep /rodcprep" (this updates permissions on the application directory partitions so that the RODC can replicate them).

  • Only one RODC per domain should be deployed in a given site; RODCs do not replicate to each other.

  • If users at the RODC site run Outlook (Exchange clients), make the RODC a global catalog server so that address-book lookups do not have to cross the WAN.

So let's begin our tutorial on how to install and configure an RODC in a domain. In our lab we have only one read/write domain controller, and we are going to add a new RODC alongside it. In this first part of the article I will show how to install the RODC in the domain; in the next part we will look at the configuration and the features of the RODC.

            Domain name: test.lab

            Read/write domain controller: AD.test.lab, 192.168.1.1

            New RODC: RODC.test.lab, 192.168.1.3

As the lab diagram shows, we have one domain controller with the FQDN AD.test.lab and the IP address 192.168.1.1. We installed a fresh Windows Server 2008 server named RODC.test.lab with the IP address 192.168.1.3; its preferred DNS server must point at 192.168.1.1, otherwise dcpromo cannot locate the domain. To install the RODC, we run dcpromo in advanced mode (dcpromo /adv, or tick the advanced-mode box in the wizard) on the server 192.168.1.3.

•     Run dcpromo, tick "Use advanced mode installation" and click Next.

•     The Operating System Compatibility window appears. Read it and click Next.

•     Since the lab already has a domain controller, in the Choose a Deployment Configuration window select "Existing forest" and "Add a domain controller to an existing domain". Click Next.

•     Enter the domain name and the credentials to use for the installation. In this example we specify alternate credentials, to illustrate the separation between the account that installs the RODC and the account that will later administer it. Either option works.

•     Select the domain. Since we have only one domain, only test.lab is listed; in a multi-domain forest, choose the domain the RODC will serve. Click Next.

•     Select the site in which the RODC will be placed (normally the branch site) and click Next.

•     On the Additional Domain Controller Options page tick "Read-only domain controller (RODC)", together with DNS server and Global catalog if required, and click Next.

•     The Password Replication Policy page appears. Here we specify whose passwords may be cached on the RODC (Allow) and whose may never be (Deny). By default the Allowed RODC Password Replication Group is allowed but empty, while Administrators, Server Operators, Backup Operators, Account Operators and the Denied RODC Password Replication Group (which contains Domain Admins, Enterprise Admins, Schema Admins, krbtgt and other privileged principals) are denied. A Deny entry always wins over an Allow entry.

•     To add an account, click Add. You are then asked whether to allow or deny password replication for that account; we choose "Allow passwords for the account to replicate to this RODC".

•     We add the account rodc-admin with the Allow setting. Only accounts that actually log on at the branch (users and their computers) should be allowed: every password cached on the RODC is exposed if the server is stolen.

•     Enter the user or group for Delegation of RODC Installation and Administration. This principal becomes a local administrator of the RODC server without gaining any rights elsewhere in the domain. In this example we enter the user account user01. Click Next.

•     On the Install from Media page choose whether to replicate the domain data over the network from an existing domain controller or from installation media (created with ntdsutil, which for an RODC can produce media with the secrets removed). In this example we replicate over the network.

•     Select the source domain controller to replicate from (AD.test.lab in our lab), or let the wizard choose one.

•     Enter the locations of the database, log files and SYSVOL folders.

•     Enter the Directory Services Restore Mode (DSRM) administrator password. Keep it distinct from any domain account password: whoever knows it can boot the RODC into DSRM and read the local copy of the database.

•     Review your settings and click Next.

•     The installation of the RODC starts.

•     Click Finish to complete the installation, then restart the server.
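The wizard steps above can also be driven unattended from a dcpromo answer file, which is how an RODC is usually built for a branch where nobody will click through the wizard. The following PowerShell is an added example and is not part of the original article: it writes the answer file for the lab configuration described here, runs the promotion, and after the reboot uses repadmin to verify the Password Replication Policy. The site name Default-First-Site-Name, the default NTDS and SYSVOL paths, the installing account TEST\setupadmin and the DSRM password placeholder are assumptions; the domain, server and user names are those of the article.

```powershell
# Added example (not from the original article): unattended equivalent of the
# dcpromo walkthrough for the test.lab RODC, followed by Password Replication
# Policy checks. Assumed: site "Default-First-Site-Name", default NTDS/SYSVOL
# paths, and an installing account TEST\setupadmin permitted to add a DC.

# --- Part 1: run on the new server (RODC.test.lab, 192.168.1.3) --------------
$answerFile = 'C:\rodc-unattend.txt'

@"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=test.lab
SiteName=Default-First-Site-Name
ReplicationSourceDC=AD.test.lab
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
; Alternate credentials for the promotion itself (as in the wizard).
; "*" makes dcpromo prompt, so this password never touches the disk.
UserDomain=test.lab
UserName=setupadmin
Password=*
; DSRM password (placeholder to fill in); keep it distinct from domain passwords.
SafeModeAdminPassword=<DSRM-password>
; Delegated RODC administrator: local admin on this box, no rights in the domain.
DelegatedAdmin=TEST\user01
; Password Replication Policy: only this account's secrets may be cached here.
PasswordReplicationAllowed=TEST\rodc-admin
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

dcpromo "/unattend:$answerFile"

# The answer file contains the DSRM password: remove it before rebooting.
Remove-Item -Path $answerFile -Force
shutdown /r /t 0

# --- Part 2: after the reboot, from a writable DC or a host with RSAT ---------
# Confirm the new DC is registered in the directory as read-only.
dsquery server -isreadonly

# Password Replication Policy as applied on the RODC:
repadmin /prp view RODC.test.lab allow    # allowed: rodc-admin + Allowed RODC PRP Group
repadmin /prp view RODC.test.lab deny     # denied: admin groups, krbtgt, ...
repadmin /prp view RODC.test.lab reveal   # accounts whose secrets ARE cached right now
repadmin /prp view RODC.test.lab auth2    # accounts that have authenticated via this RODC

# Pre-populate rodc-admin's secrets from the hub DC so the branch can log on
# while the WAN link is down. This only succeeds if the PRP allows the account.
repadmin /rodcpwdrepl RODC.test.lab AD.test.lab "CN=rodc-admin,CN=Users,DC=test,DC=lab"
```

The "reveal" list is the one to review periodically: it shows which passwords would be exposed if the branch server were stolen, and any account on it that should not be there is a reason to tighten the Allow list and reset that account's password.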

This completes the installation of the RODC in our domain. Once the server has restarted, the new RODC appears in the Domain Controllers container in Active Directory Users and Computers, with its DC Type shown as Read-only.

Our new RODC is now online. Because its directory database is read-only, logging on to the RODC and opening Active Directory Users and Computers offers no option to create users or make other changes, unlike on a read/write domain controller; such changes must be made against a writable DC.

In this first part of the article we have seen how to install an RODC server in the domain. In the next part we will look at how to configure the RODC and use its features.