Let me give you a basic introduction first before we jump right into the installation. From here on I will refer to Read Only Domain COntroller as simply RODC.
What is RODC?
An RODC is a domain controller, typically placed in the branch office, that maintains a copy of all objects in the domain and all attributes except for secrets such as password related properties.
When a user in the branch office logs on, the RODC receives the request and forwards it to a domain controller in the hub site for authentication.
You can configure a Password Replication Policy (PRP) for the RODC that specifies user accounts the RODC is allowed to cache. If the user logging on is included in the PRP, the RODC caches that user’s credentials, so the next time authentication is requested the RODC can perform the task locally.
The RODC replicates changes to Active Directory from DCs in the hub site. Replication is one way (from a writable domain controller to a RODC). No changes to the RODC are replicated to any other domain controller.
Why would you use RODC?
Because the RODC maintains only a subset of user credentials, if the RODC is compromised or stolen, the effect of the security exposure is limited.
An attacker that takes over the DC can’t change group memberships or user accounts in such a way that they replicate back to DCs at the data center and beyond.
Prerequisites for installing RODC
Ensure that the forest functional level is Windows Server 2003 or higher:
You can check and raise your domain functional level from Active Directory Users and Computers snap-in. Right click on the root domain and click Raise Domain Functional level.
Preparing the present domain for the first RODC:
- Log on to any computer as a member of the Enterprise Admins group.
- Copy the contents of the \sources\adprep folder from the Windows Server 2008 R2 DVD to a folder on the computer.
- Open an elevated command prompt, and change directories to the adprep folder.
- Type adprep /rodcprep, and then press ENTER.
Deploy at least one writable domain controller:
There needs to be at least one machine running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server.
An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
Install the RODC
Now you are ready to install your first Read Only Domain Controller in your domain.
- Log on to the server as a member of the Domain Admins group.
- Click Start, type dcpromo, and then press ENTER to start the Active Directory Domain Services Installation Wizard.
- On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, as shown in the following illustration, and then click Next.
- On the Network Credentials page, type the name of a domain in the forest where you plan to install the RODC.
- Select the domain for the RODC, and then click Next.
- Click the Active Directory site for the RODC, as shown in the following illustration, and then click Next.
- Select the Read-only domain controller check box, as shown in the following illustration. By default, the DNS server check box is also selected.
- Use the default folders that are specified for the Active Directory database, the log files, and SYSVOL, click Next.
- Type and then confirm a Directory Services Restore Mode password, and then click Next.
- Confirm the information that appears on the Summary page, and then click Next to start the AD DS installation. You can select the Reboot on completion check box to make the rest of the installation complete automatically.
That’s it! You have successfully installed the first RODC in your domain.