Direct Installation Method
Applies To: Windows Server 2008, Windows Server 2012
This topic describes the steps for performing a direct installation of a read-only domain controller (RODC). In a direct installation, you specify all the parameters that are necessary to install the RODC in a single operation. A direct installation of an RODC is an alternative to a staged installation, in which the parameters that are needed to install the RODC are specified in two different procedures, completed by different people in different locations and at different times.
You can perform a direct installation of an RODC using any of the following:
Using the Windows interface
Using the command line
Using an answer file
Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To perform a direct installation of an RODC using the Windows interface
Click Start. In the Start Search box, type dcpromo, and then press ENTER.
On the Welcome page, select the Use advanced installation mode check box, and then click Next.
The advanced installation mode in the Active Directory Domain Services Installation Wizard provides you with options to install from media (IFM), choose the source domain controller, and specify the Password Replication Policy (PRP) during the RODC installation.
Review the information on the Operating System Compatibility page, and then click Next.
On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
On the Network Credentials page, type the name of a domain in the forest where you want to install an RODC, specify account credentials with sufficient permissions to install an additional domain controller, and then click Next.
On the Select a Domain page, click the name of the domain in which you want to install an RODC, and then click Next.
On the Select a Site page, click the name of the site where you want to install an RODC, and then click Next.
We recommend that you assign a static IP address to the server that you want to be an RODC. If you have assigned subnets to your sites and if you have assigned a static IP address to the server that will become the RODC, the site that maps to the IP address of the server will be selected by default.
Unless all the IP addresses that are associated with the network adapter of the server are static, including the IP version 4 (IPv4) and IP version 6 (IPv6) addresses, the wizard displays a warning that indicates that at least one of the IP addresses of the server is dynamic.
On the Additional Domain Controller Options page, click the DNS server, Global catalog, and Read-only domain controller (RODC) check boxes, and then click Next.
On the Specify Password Replication Policy page, click Add.
In the Select Users, Computers, or Groups dialog box, type the names of the users and computers, or groups of users or computers, whose passwords you want to be cached on the RODC.
Remember that you must add the computer accounts for any user accounts that you want to be cached so that those users can be authenticated by the RODC when no other domain controller is available. This is also true for service accounts that log on in the site that has the RODC.
Click OK to close the Select Users, Computers, or Groups dialog box. On the Specify Password Replication Policy page, click Next.
On the Delegation of RODC Installation and Administration page, click Set.
In the Select User or Group dialog box, type the name of the user or group that will administer that RODC, and then click OK. We recommend that you specify a group rather than an individual account so that you can efficiently manage changes to the delegation when they arise.
On the Delegation of RODC Installation and Administration page, click Next.
On the Install from Media page, if you have created installation media for an RODC, click Replicate data from media at the following location, and then type the path to the media location. If you have not created installation media, click Replicate data over the network from an existing domain controller. After you make a selection, click Next.
On the Source Domain Controller page, click Let the wizard choose an appropriate domain controller, or, if you want to use a specific domain controller as the replication source during the installation, click Use this specific domain controller, and then click the name of the domain controller that you want to use. After you make a selection, click Next.
On the Location for Database, Log Files, and SYSVOL page, type the path where you want to store the Active Directory database, log files, and SYSVOL, and then click Next.
On the Directory Services Restore Mode Administrator Password page, type and confirm a password that will be used to log on to the domain controller when it is started in Directory Services Restore Mode (DSRM).
On the Summary page, confirm your selections. To save the settings that you have entered so that you can reuse them to automate additional domain controller installations, click Export settings.
Click Next to begin the installation.
You can use the following procedure to perform an unattended installation of a new RODC from the command line. For a complete list of unattended installation options, including default values, allowed values, and descriptions, at a command prompt, type dcpromo /?:Promotion
, or see Promotion Operation (https://go.microsoft.com/fwlink/?LinkID=120626).
To perform a direct installation of an RODC using the command line
At a command prompt, type the following command, and then press ENTER:
dcpromo /unattend /<unattendOption>:<value> /<unattendOption>:<value> ...
Where:
<unattendOption>
is an option in the Promotion Operation (https://go.microsoft.com/fwlink/?LinkID=120626) table. Separate each<option:value>
pair with a space.<value>
is the configuration instruction for the option.
The following example creates an RODC in the contoso.com domain in the Branch1 site, along with the global catalog, and it installs and configures the Domain Name System (DNS) Server service:
dcpromo /unattend /InstallDns:yes /confirmGC:yes /replicaOrNewDomain:ReadOnlyReplica /replicaDomainDNSName:contoso.com /sitename:Branch1 /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:FH#3573.cK /rebootOnCompletion:yes
When you have typed all the options that are required to create the additional domain controller, press ENTER.
To perform a direct installation of an RODC using an answer file
Open Notepad or any text editor.
On the first line, type [DCINSTALL], and then press ENTER.
Create the following entries, one entry on each line. For a complete list of unattended installation options, including default values, allowed values, and descriptions, see Promotion Operation (https://go.microsoft.com/fwlink/?LinkID=120626).
UserName=<administrative account with sufficient credentials to install an RODC>
UserDomain=<name of the domain for the administrative account that is used to install the RODC>
Password=<password for the account in UserName>
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=<name of the domain where you are installing an RODC>
ReplicationSourcePath=<path to the location where the installation media is stored for the IFM option>
SiteName=<name of the site where the RODC will be installed>
DelegatedAdmin=<name of the user or group who will administer the RODC>
DatabasePath=<path to a folder on a local volume, surrounded by double quotation marks>
LogPath=<path to a folder on a local volume, surrounded by double quotation marks>
SYSVOLPath=<path to a folder on a local volume, surrounded by double quotation marks>
; RODC Password Replication Policy
PasswordReplicationDenied=BUILTIN\Administrators
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="DomainName\Denied RODC Password Replication Group"
PasswordReplicationAllowed=GroupName1
PasswordReplicationAllowed=GroupName2
PasswordReplicationAllowed=User_Name1
PasswordReplicationAllowed=Computer_Name1
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=password
RebootOnCompletion=yes
Save the answer file to the location on the installation server from which it is to be called by Dcpromo, or save the file to a network shared folder or removable media for distribution.
At the command prompt on the server that you want to be an RODC, type the following command, and then press ENTER:
dcpromo /unattend:"<path to the answer file>"