
Installing and Configuring an RODC

Windows Server 2008 introduced the read-only domain controller (RODC), which contains a full replica of the domain database. It was created for places where a domain controller is needed but the physical security of the domain controller cannot be guaranteed. For example, it might be placed in a remote site that is not very secure and that has a slower WAN link. Because the WAN link is slow, a local domain controller would benefit the users at that site.

An RODC does not perform any outbound replication and accepts only inbound replication connections from writable domain controllers. Because the RODC has only a read-only copy of the Active Directory database, the administrator needs to connect to a writable domain controller to make changes to Active Directory.

Before you deploy an RODC, do the following:

  • Ensure that the forest functional level is Windows Server 2003 or higher.
  • Deploy at least one writable domain controller running Windows Server 2008 or higher.

If any domain controllers run Windows Server 2003, you need to configure permissions on DNS application directory partitions to allow them to replicate to RODCs by running the ADPrep /RODCPrep command. The adprep.exe command is located in the \support\adprep folder on the Windows Server 2012 installation disk.

When you install an RODC, you need to define a delegated administrator that has local administrative permission to the RODC, even though the account is not a member of the Domain Admins or domain built-in Administrators group.

Because RODCs need to be as secure as possible, you can configure each RODC to have its own Password Replication Policy (PRP). On writable domain controllers, Active Directory passwords are stored locally within the ntds.dit file. Because the RODC is put in a place where the security cannot be guaranteed, you can specify a particular list of user or group accounts whose password information should be stored (or cached) on a particular RODC.

For example, if you have a Site1 branch, you can configure the RODC to cache only passwords for those users who are members of the Site1 security group. In addition, you can configure specific users or groups, such as administrative accounts, whose password information should not be cached on an RODC.

To allow enterprise-wide configuration of the RODC Password Replication Policy, Windows Server 2012 creates the following security groups:

  • Denied RODC Password Replication Group:
    Members of this group are placed in the Deny list of the Password Replication Policies of all RODCs by default. Groups in the Deny list include Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group.

  • Allowed RODC Password Replication Group:
    Members of this group are placed in the Allow list of the Password Replication Policies of all RODCs by default. This group has no members when Windows Server 2012 is first installed.

Install a Read-Only Domain Controller (RODC)

To install a read-only domain controller, perform the following steps:

  1. Open Server Manager.
  2. In the left pane, click AD DS. In the right pane, click More in the yellow bar.
  3. When the All Servers Task Details window opens, click Promote this server to a domain controller. The Active Directory Domain Services Configuration Wizard starts.
  4. On the Deployment Configuration page, with the Add a domain controller to an existing domain already selected, click Next.
  5. On the Domain Controllers Options page, select Read only domain controller (RODC). Select the correct site name. Type a Directory Service Restore Mode (DSRM) password in the Password and Confirm password text boxes. Click Next.
  6. On the RODC Options page, click Select in the Delegated administrator account section. When the Select User or Group dialog box opens, type the name of the account to be used as a delegated administrator in the Enter the object names to select text box and click OK. Click Next.
  7. On the Additional Options page, click Next.
  8. On the Paths page, click Next.
  9. On the Review Options page, click Next.
  10. On the Prerequisites Check page, click Install.
  11. When the installation is complete, restart the domain controller.

To modify the Password Replication Policy after the RODC is installed, open the Active Directory Users and Computers console, navigate to the Domain Controllers OU, right-click the RODC, and select Properties. The Password Replication Policy is shown on the Password Replication Policy tab. To add new entries, click the Add button. To modify the current entries, click the Advanced button.
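
The same Password Replication Policy change can be made and then audited from PowerShell with the ActiveDirectory module. The following is an added example, not part of the original procedure; it goes one step beyond the console steps by listing which passwords the RODC has actually cached. The RODC name BRANCH-RODC1 and the helper function Expand-PrpList are hypothetical, and Site1 is the branch group from the example above.

```powershell
Import-Module ActiveDirectory

$Rodc      = 'BRANCH-RODC1'  # hypothetical RODC name (assumption)
$SiteGroup = 'Site1'         # branch security group from the Site1 example

# Allow password caching on this RODC for the branch group only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $SiteGroup

# Hypothetical helper: expand PRP entries to account DNs, walking groups recursively.
function Expand-PrpList {
    param([object[]]$Principals = @())
    foreach ($p in $Principals) {
        if ($p.ObjectClass -eq 'group') {
            (Get-ADGroupMember -Identity $p.DistinguishedName -Recursive).DistinguishedName
        } else {
            $p.DistinguishedName
        }
    }
}

# Accounts covered by the Allow and Deny lists of this RODC's policy.
$allowedDns = @(Expand-PrpList (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed))
$deniedDns  = @(Expand-PrpList (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied))

# Accounts whose passwords are currently stored (cached) on the RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Classify every cached account against the policy.
$report = foreach ($acct in $revealed) {
    $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
    [pscustomobject]@{
        Account    = $acct.SamAccountName
        Privileged = ($obj.adminCount -eq 1)                            # protected admin account
        Denied     = ($deniedDns  -contains    $acct.DistinguishedName) # on the Deny list
        NotAllowed = ($allowedDns -notcontains $acct.DistinguishedName) # no longer on the Allow list
    }
}

# Cached accounts that need review: privileged, denied, or outside the Allow list.
$report |
    Where-Object { $_.Privileged -or $_.Denied -or $_.NotAllowed } |
    Format-Table -AutoSize
```

The RODC's own computer account and its krbtgt account are normally cached as well, so expect them in the output. A user account flagged here stays cached on the RODC until its password is changed.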