Staging the Installation of an RODC
RODCs are designed to support branch office scenarios by providing authentication local to the site while mitigating the security and data integrity risks associated with placing a DC in a less controlled environment. Often a branch office has few or no IT support personnel on site. How, then, should a domain controller be created in a branch office?
To answer this question, Windows Server 2008 R2 allows you to create a staged, or delegated, installation of an RODC. The process includes two stages:
- Create the account for the RODC: A member of Domain Admins creates an account for the RODC in Active Directory. The parameters related to the RODC are specified at this time: the name, the Active Directory site in which the RODC will be created, and, optionally, the user or group that can complete the next stage of the installation.
- Attach the server to the RODC account: After the account has been created, AD DS is installed on the server, which must be a member of a workgroup and not of the domain, and the server is joined to the domain as an RODC attached to the prestaged account. This stage can be performed by the user or group specified when the RODC account was prestaged; that principal does not need membership in any privileged group. A member of Domain Admins or Enterprise Admins can also attach the server, but the ability to delegate this stage to a nonprivileged user is what makes it practical to deploy RODCs in branches without IT support. The new RODC then replicates its data from a writable DC in the domain, or you can seed it with the IFM method discussed in the "Installing AD DS from Media" section.
Creating the Prestaged Account for the RODC
To create the account for the RODC, using the Active Directory Users And Computers snap-in, right-click the Domain Controllers OU and choose Pre-Create Read-Only Domain Controller Account. A wizard appears that is very similar to the Active Directory Domain Services Installation Wizard. You are asked to specify the RODC name and site, and you can also configure the password replication policy.
On the Delegation Of RODC Installation And Administration page, you can specify one security principal (a user or a group) that can attach the server to the RODC account you create. That principal also receives local administrative rights on the RODC after the installation, so delegate to a group rather than to an individual user. If you do not specify a user or group, only members of the Domain Admins or Enterprise Admins groups can attach the server to the account.
You can create prestaged RODC accounts by using Dcpromo.exe with numerous parameters or by creating an answer file for Dcpromo.exe.
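The following PowerShell script is an added example, not code from the original page, showing the first stage from the command line: it prestages the account with dcpromo /CreateDCAccount and then confirms that the object it created really is an RODC account with a delegated administrator. The domain corp.example.com, the server name BRANCH01-RODC, the site Branch01 and the group RODC Branch01 Admins are assumptions for illustration; the dcpromo parameter names follow the dcpromo unattend documentation and should be checked with dcpromo /? on your build.

```powershell
# Added example, not from the original page. Stage 1: prestage the RODC account
# with dcpromo /CreateDCAccount and verify the object it creates. Run this as a
# member of Domain Admins from a domain-joined Windows Server 2008 R2 machine.
# The domain, names, site and group below are assumptions for illustration.

$domain    = 'corp.example.com'
$rodcName  = 'BRANCH01-RODC'                 # must equal the branch server's computer name
$siteName  = 'Branch01'                      # AD site the RODC will serve
$delegated = 'CORP\RODC Branch01 Admins'     # delegate to a group, not to a single user

# Parameter names follow the dcpromo unattend documentation; confirm them against
# "dcpromo /?" on your build before putting this in a scheduled script.
$dcpromoArgs = @(
    '/unattend',
    '/CreateDCAccount',
    "/ReplicaDomainDNSName:$domain",
    "/DCAccountName:$rodcName",
    "/SiteName:$siteName",
    "/DelegatedAdmin:`"$delegated`"",
    '/InstallDNS:yes',
    '/ConfirmGC:yes'
)
$proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList $dcpromoArgs -Wait -PassThru -NoNewWindow
"dcpromo exit code: $($proc.ExitCode) (details in %SystemRoot%\debug\dcpromo.log)"

# Verify the result. A prestaged RODC account is a computer object under the Domain
# Controllers OU whose primary group is Read-only Domain Controllers (RID 521) and
# whose managedBy attribute names the delegated principal. Plain ADSI is used so the
# check works without the Active Directory PowerShell module.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domain")
$searcher.Filter = "(&(objectClass=computer)(cn=$rodcName))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'primaryGroupID', 'managedBy'))
$result = $searcher.FindOne()
if ($result -eq $null) { throw "No computer object named $rodcName exists in $domain; the account was not created" }

$dn        = $result.Properties['distinguishedName'][0]
$isRodc    = [int]$result.Properties['primaryGroupID'][0] -eq 521
$managedBy = if ($result.Properties['managedBy'].Count -gt 0) { $result.Properties['managedBy'][0] } else { $null }

"Object:     $dn"
"RODC group: $isRodc"
"managedBy:  $managedBy"
if (-not $isRodc) { throw "$rodcName exists but is not in the Read-only Domain Controllers group, so it is not a prestaged RODC account" }
if ($managedBy -eq $null) { Write-Warning 'No delegated administrator is set: only Domain Admins or Enterprise Admins can attach the server' }
```

The verification step is the part worth keeping even if you prestage through the GUI: an ordinary computer object with the right name in the Domain Controllers OU is not an RODC account, and an empty managedBy means the branch technician will not be able to complete stage two.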
Attaching a Server to the RODC Account
After you have prestaged the account, the server can be attached to it. To attach a server to a prestaged RODC account:
- Ensure that the server is a member of a workgroup, not a member of the domain.
Note:
When you create an RODC by using the staged approach (attaching a server to a prestaged account), the server must be a member of a workgroup, not of the domain, when you launch Dcpromo.exe or the Active Directory Domain Services Installation Wizard. The wizard searches the domain for a prestaged RODC account whose name matches the server's computer name and attaches the server to that account.
- Type dcpromo.exe /UseExistingAccount:attach.
The wizard prompts for network credentials and then finds the RODC account in the domain indicated by the credentials. Remaining steps are similar to other domain controller promotion operations.
To use an answer file, provide the following options and values:
[DCINSTALL]
ReplicaDomainDNSName=FQDN of domain to join
UserDomain=FQDN of the domain of the user specified by UserName
UserName=DOMAIN\username (the delegated user, a member of the delegated group, or a member of Domain Admins)
Password=password for user specified by UserName
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
SafeModeAdminPassword=password
RebootOnCompletion=yes
Run Dcpromo.exe with the /unattend:"answer file path" and the /UseExistingAccount:Attach parameters, as in the following example:
dcpromo /useexistingaccount:attach /unattend:"c:\rodcanswer.txt"
All the options just shown in the answer file can also be specified or overridden directly on the command line. In the following example, /password:* makes Dcpromo.exe prompt for the account password instead of placing it on the command line, where it would be visible in the process list and the command history. Just type a command similar to the following:
dcpromo /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:google.com /UserDomain:google.com /UserName:google\dan /password:* /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:Pa$$w0rd /rebootOnCompletion:yes
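The following PowerShell script is an added example, not code from the original page, that performs the second stage on the branch server: it checks that the machine is still in a workgroup, builds the answer file from the keys shown above, runs dcpromo /UseExistingAccount:attach, and deletes the file before rebooting, because the file holds the DSRM password in cleartext. The domain corp.example.com, the delegated user CORP\branchtech and the E:, F: and G: volume paths are assumptions; the dcpromo return code convention used in the check is also an assumption to verify against the return code table for your build.

```powershell
# Added example, not from the original page. Stage 2: attach a workgroup server to the
# prestaged RODC account using an answer file built on the fly. Run on the branch server
# as a local administrator; the domain credential you enter must be the delegated user or
# a member of the delegated group. Domain, user name and volume paths are assumptions.

$domain        = 'corp.example.com'
$delegatedUser = 'CORP\branchtech'
$answerFile    = Join-Path $env:SystemDrive 'rodcanswer.txt'

# Precondition: a domain member cannot be attached to a prestaged RODC account.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "$($cs.Name) is joined to $($cs.Domain); move it to a workgroup before attaching"
}
"Computer name $($cs.Name) must match the prestaged RODC account name."

# Collect the DSRM password without echoing it. Dcpromo needs it in cleartext in the
# answer file, so the file is removed in the finally block whatever happens.
$secure    = Read-Host 'Directory Services Restore Mode administrator password' -AsSecureString
$bstr      = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$answer = @(
    '[DCINSTALL]',
    "ReplicaDomainDNSName=$domain",
    "UserDomain=$domain",
    "UserName=$delegatedUser",
    # Password= is left out on purpose: /Password:* on the command line makes dcpromo prompt.
    'InstallDNS=yes',
    'ConfirmGC=yes',
    'DatabasePath="E:\NTDS"',
    'LogPath="F:\NTDSLogs"',
    'SYSVOLPath="G:\SYSVOL"',
    "SafeModeAdminPassword=$dsrmPlain",
    'RebootOnCompletion=no'     # reboot from this script, after the answer file is gone
)

try {
    Set-Content -Path $answerFile -Value $answer -Encoding ASCII
    $proc = Start-Process -FilePath 'dcpromo.exe' -Wait -PassThru -NoNewWindow `
        -ArgumentList @('/UseExistingAccount:attach', "/unattend:`"$answerFile`"", '/Password:*')
    # Assumption: dcpromo reports success states with return codes 1 to 10 and failures
    # with higher values; confirm against the return code table for your build.
    if ($proc.ExitCode -gt 10) {
        throw "dcpromo failed with exit code $($proc.ExitCode); see %SystemRoot%\debug\dcpromo.log"
    }
} finally {
    # The answer file holds the DSRM password in cleartext: remove it whether or not
    # the promotion succeeded, and drop the plaintext copy from the session.
    if (Test-Path $answerFile) { Remove-Item $answerFile -Force }
    $dsrmPlain = $null
    $answer    = $null
}
Restart-Computer -Force
```

Setting RebootOnCompletion=no and restarting from the script is what makes the cleanup reliable: with RebootOnCompletion=yes the server restarts before the finally block runs and the answer file, DSRM password included, survives on the new domain controller's system drive.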