July 4, 2007 / Steve Rosa

Windows Server 2008 – Read-Only Domain Controller – Installation

In this post, we will see how to install a replica read-only domain controller to an existing Active Directory domain.

You will see that, from an installation perspective, the process does not differ much from a standard domain controller installation.

The name of the domain is still SRO-LH.local.

I have installed a new server, SRO-LH-03, and run the command dcpromo.exe.

The first thing the process does is to check whether the ADDS binaries are installed on the server:

ro-dc.png

As this is a brand new system, neither the ADDS role nor the binaries are installed. So, this is taken care of first:

ro-dc_1.png

Welcome screen of the ADDS Installation Wizard:

ro-dc_2.png

Yes, we want to add a new domain controller to an existing domain:

ro-dc_3.png

We have to specify the name of the domain in which we want to install the additional domain controller:

ro-dc_4.png

At this moment in time, I am logged on as a local administrator of the server and therefore have no right to perform the ADDS installation. For this reason, I specify alternate credentials, i.e. the domain’s administrator credentials, by clicking on the Set… button:

ro-dc_5.png 

Confirmation:

ro-dc_6.png

Then, we need to confirm the domain for this additional domain controller:

ro-dc_7.png

We also need to define in which Active Directory site the new domain controller will be put:

ro-dc_8.png

On this page, we explicitly specify that we want to make the server an RODC:

ro-dc_9.png

As per the Microsoft TechNet article, you can perform an installation of an RODC in which the installation is completed in two stages by different individuals.

  1. The first stage of the installation, which requires domain administrative credentials, creates an account for the RODC in AD DS.
  2. The second stage of the installation attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it. You can delegate the ability to attach the server to a nonadministrative group or user, which is a feature I find pretty neat from the deployment perspective.

During this first stage, the wizard records all data about the RODC that will be stored in the distributed Active Directory database, such as its domain controller account name and the site in which it will be placed. This stage must be performed by a member of the Domain Admins group. The administrator who creates the RODC account can also specify at that time which users or groups can complete the next stage of the installation.

The next stage of the installation can be performed in the branch office by any user or group who was delegated the right to complete the installation when the account was created. This stage does not require any membership in built-in groups, such as the Domain Admins group. If the user who creates the RODC account does not specify any delegate to complete the installation (and administer the RODC), only a member of the Domain Admins or Enterprise Admins groups can complete the installation.

During the second stage, the wizard installs AD DS on the server that will become the RODC and attaches the server to the domain account that was previously created for it. This stage typically occurs in the branch office where the RODC is deployed. During this stage, all AD DS data that resides locally, such as the database, log files, and so on, is created on the RODC itself.

At this point of the installation process, we can specify any group or user who will later be able to install and manage the RODC. As we are not in such a deployment scenario, we leave the field empty:

ro-dc_10.png

The next step is about specifying the folders for the AD database, the log files and SYSVOL (the SYStem VOLume):

ro-dc_11.png 

Then, we specify the Directory Services Restore Mode (DSRM) password for the Domain Controller:

ro-dc_12.png

The wizard offers to review all the options selected and even provides a way to export the settings to an answer file for future re-use:

ro-dc_13.png

Finally, the actual installation and replication process starts. You also have the possibility to decide whether you want the server to reboot automatically at the end:

ro-dc_14.png

This concludes the installation of the RODC in itself.
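For reference, here is what a dcpromo answer file matching the choices made above looks like, so the same RODC promotion can be run unattended. This is an added example, not the file the author exported; the site name and the folder paths are assumptions (the wizard defaults), and the key names follow the Windows Server 2008 dcpromo unattend format:

```ini
; dcpromo answer file for an additional read-only domain controller
; in SRO-LH.local (example; not the author's exported file)
; Usage: dcpromo.exe /unattend:C:\rodc-unattend.txt
[DCInstall]
; Additional (replica) domain controller, read-only
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=SRO-LH.local
; Assumed site name; replace with the site selected in the wizard
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
; Domain credentials for the promotion (what the Set... dialog asked for);
; "*" makes dcpromo prompt at run time instead of storing the password on disk
UserDomain=SRO-LH.local
UserName=Administrator
Password=*
; DelegatedAdmin is omitted, as the field was left empty in the walkthrough:
; only Domain Admins / Enterprise Admins can then complete or administer the RODC
; Assumed folder locations (wizard defaults)
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; DSRM password: fill in just before use and delete the file afterwards,
; since it would otherwise sit on disk in clear text
SafeModeAdminPassword=
RebootOnCompletion=Yes
```

The wizard's own export writes the same keys with the password fields blanked, which is why an exported file cannot be reused as-is.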

Steve


11 Comments

  1. Vince Delmonte / Apr 14 2009 9:56 pm

    Not that I’m impressed a lot, but this is more than I expected for when I found a link on Furl telling that the info here is awesome. Thanks.

  2. Dwarka Yadav / Jun 29 2009 3:35 pm

    This is very useful solution

  3. Rajendra Panchal / Sep 19 2010 3:30 pm

    Nice piece of information on RODC installation

  4. Amila / Oct 26 2010 1:36 pm

    This is Awesome. Nice job. Got the complete idea on how to deploy a RODC.

  5. systechblog / Nov 4 2010 11:39 pm

    thanks mate i am looking for it

  6. diego bosman / Feb 17 2011 1:27 pm

    this really helped , thanx allot i just passed my exam because you helped me cheat

  7. aleena / May 8 2011 1:21 pm

    this was what I was looking for thanks a lot..It surely did work..plz help me on the forest trusts in 2008 server in yr next post…thanks again..

  8. jassi / Sep 9 2011 8:45 am

    Thank you, It is very useful for me.

  9. pankaj kumar / Sep 4 2012 6:55 am

    Thank You………….

  10. Click On this page / May 5 2013 8:40 pm

    Simply want to say your article is as amazing. The clearness in your post is just spectacular and i can suppose
    you’re an expert in this subject. Fine with your permission allow me to grasp your feed to keep updated with imminent post. Thank you a million and please keep up the gratifying work.

Trackbacks

  1. Windows Server 2008 - Read-Only Domain Controller - Administration and misc. « Stief’s Technology Blog
