A read-only domain controller (RODC) is a type of domain controller introduced in Windows Server 2008. A RODC hosts a read-only replica of the organization's domain database. By default it stores no account passwords (only the accounts permitted by its Password Replication Policy are ever cached on it), and neither users nor administrators can update the RODC's database directly: every change is made on a writable DC and replicated inbound. RODCs are recommended for businesses with branch offices or remote sites where a writable DC would be hard to keep physically secure. Compared with a writable DC at an offsite location, a RODC still gives branch users fast, local authentication, while the organization's directory database is protected from changes made (or from a server stolen) at the branch office.
Before installing a RODC in your branch office/remote site it is essential to perform the following:
1. Update the permissions on all Domain Name System (DNS) application directory partitions
Prerequisite: You must be a member of the Enterprise Admins group. adprep /forestprep and adprep /domainprep must already have been run in the forest, and adprep.exe is taken from the Windows Server 2008 media (\sources\adprep).
Log on to a DC as an Enterprise Administrator. Start – Run – ‘CMD’.
Type “adprep /rodcprep” and press Enter. This grants the RODC the permissions it needs to replicate the DNS application directory partitions.
2. Make sure the forest functional level and an existing writable domain controller support a RODC
Prerequisite: You must be a member of the Enterprise Admins group or the Domain Admins group in the forest root domain.
A RODC requires a forest functional level of at least Windows Server 2003 and at least one writable domain controller running Windows Server 2008 in the same domain (the RODC replicates only from such a DC). Raising the forest functional level to Windows Server 2008 satisfies the first requirement; install or upgrade a writable Windows Server 2008 DC in the domain for the second.
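The two prerequisites above can be checked from PowerShell before anyone drives to the branch office. The following is an added example, not code from the original article; it is run on a writable DC as an Enterprise Admin, and the media path D:\sources\adprep\adprep.exe is an assumption you will need to adjust.

```powershell
# Added example, not part of the original article: pre-flight checks for the
# two RODC prerequisites, then adprep /rodcprep. Run in PowerShell on a writable
# DC as an Enterprise Admin. The adprep path is an assumption (WS2008 DVD on D:).
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function Test-RodcPrerequisites {
    param([string]$AdprepPath = 'D:\sources\adprep\adprep.exe')  # assumption

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $ok = $true

    # Forest functional level: a RODC needs Windows Server 2003 or higher.
    # ForestMode enum order: Windows2000Forest < Windows2003InterimForest
    # < Windows2003Forest < Windows2008Forest, so a numeric compare works.
    $minimum = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        Write-Warning "Forest functional level is $($forest.ForestMode); raise it to at least Windows Server 2003."
        $ok = $false
    }

    # The RODC replicates only from a writable Windows Server 2008 DC in its own
    # domain. DomainControllers lists every DC (RODCs included), so before the
    # first RODC exists every match here is a writable DC.
    $dc2008 = @($domain.DomainControllers | Where-Object { $_.OSVersion -like 'Windows Server 2008*' })
    if ($dc2008.Count -eq 0) {
        Write-Warning "No Windows Server 2008 domain controller found in $($domain.Name)."
        $ok = $false
    } else {
        Write-Host "Windows Server 2008 DCs in $($domain.Name): $($dc2008 | ForEach-Object { $_.Name })"
    }

    # adprep /rodcprep must follow /forestprep and /domainprep. It updates the
    # permissions on the DNS application partitions so the RODC can replicate them.
    if ($ok) {
        & $AdprepPath /rodcprep
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "adprep /rodcprep exited with code $LASTEXITCODE; check the logs under $env:SystemRoot\System32\Debug\adprep\logs."
            $ok = $false
        }
    }
    return $ok
}

Test-RodcPrerequisites
```

The forest-level check is done numerically against the enum rather than by string matching so that it also accepts higher levels the enum gains in later .NET versions. If the function returns False, fix the warning it printed before continuing; promoting a RODC without a writable Windows Server 2008 DC to replicate from will fail in dcpromo anyway, but much later and in the branch office.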
To install a RODC in a forest perform the following:
a) Install AD DS
Note: If you already have AD DS installed you can skip to step (b).
Click Start – Administrative Tools – Server Manager
Select the ‘Roles’ node, in the Roles pane, click the Add Roles link. The ‘Add Roles Wizard’ opens.
The Select Server Roles page lists the roles you can choose to install.
Select the Active Directory Domain Services check box and click Next (twice). Click Install on the Confirm Installation Selections page. The Installation Results page confirms that the role has been installed; click Close to close the wizard.
Active Directory Domain Services is now installed on your computer and readily accessible from Server Manager.
b) Promote Server to RODC
Launch the AD DS installation wizard by clicking Start – Run and typing dcpromo in the dialog box.
The AD DS installation wizard launches. Click Next to continue.
Since you are adding a RODC to an existing forest in your branch office, click the radio button ‘Existing Forest – Add a domain controller to an existing domain’. Click Next.
On the Network Credentials page, specify the name of the domain where you plan to install the RODC. You also specify your account credentials or alternate credentials that have sufficient privileges to perform the installation.
The Select a Domain page lists the domain you specified. Click Next.
On the Select a Site page, choose a site for the new RODC. The wizard proposes a site based on the server's IP subnet as defined in AD Sites and Services, falling back to ‘Default-First-Site-Name’ when no subnet matches. Select the site created for the branch office if one exists (clients in that site will then authenticate against this RODC); only accept Default-First-Site-Name if no branch site has been defined. Click Next.
The Additional Domain Controller Options page displays. The DNS Server and Global Catalog additional options are automatically ticked. Tick the box ‘Read-only domain controller (RODC)‘ and click Next.
On the Location for Database, Log Files, and SYSVOL page, you can specify where folders for this RODC should be saved. You can either accept the default locations or assign your preferred destinations.
On the Directory Services Restore Mode Administrator Password page, type a strong password that will let you log on to the domain controller when it is started in Directory Services Restore Mode, and click Next. This is a local account with full control over the directory database files, so record the password in your password vault and treat it like a domain administrator password.
The Summary page lists the options you have chosen; click Next to start the installation.
A dialog box informs you that the wizard is configuring AD DS. Select the Reboot on completion check box to have the server restart automatically once the process finishes.
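The same promotion can be run unattended, which is what you would script for several branch offices and which also makes the choices the wizard takes silently (the Password Replication Policy and the delegated RODC administrator) explicit. The following is an added example, not code from the original article: it writes a dcpromo answer file with the options chosen above, runs dcpromo, and after the reboot verifies that the server really is a RODC. The domain contoso.com, the site BranchSite, the groups CONTOSO\BranchUsers and CONTOSO\Branch-RODC-Admins and the installing account are placeholders.

```powershell
# Added example, not part of the original article. Placeholders: contoso.com,
# BranchSite, CONTOSO\BranchUsers, CONTOSO\Branch-RODC-Admins, the account name.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function New-RodcAnswerFile {
    param([string]$Path, [string]$DomainName, [string]$SiteName,
          [string]$InstallAccount, [string]$DsrmPassword,
          [string]$AllowedGroup, [string]$DeniedGroup, [string]$DelegatedAdmin)
    # Password=* makes dcpromo prompt for the installing account's password rather
    # than storing it in the file. RebootOnCompletion=No so the file (which holds
    # the DSRM password) can be deleted before the reboot.
    $content = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$DomainName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPassword
UserDomain=$DomainName
UserName=$InstallAccount
Password=*
PasswordReplicationAllowed="$AllowedGroup"
PasswordReplicationDenied="$DeniedGroup"
DelegatedAdmin="$DelegatedAdmin"
RebootOnCompletion=No
"@
    Set-Content -Path $Path -Value $content -Encoding ASCII
}

function Install-BranchRodc {
    $answer = Join-Path $env:TEMP 'rodc-unattend.txt'
    # Prompt for the DSRM password as a SecureString, then unwrap it only for the
    # moment needed to write the answer file.
    $secure = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    New-RodcAnswerFile -Path $answer -DomainName 'contoso.com' -SiteName 'BranchSite' `
        -InstallAccount 'rodc-installer' -DsrmPassword $plain `
        -AllowedGroup 'CONTOSO\BranchUsers' -DeniedGroup 'CONTOSO\Domain Admins' `
        -DelegatedAdmin 'CONTOSO\Branch-RODC-Admins'
    try {
        & dcpromo.exe /unattend:$answer
        $code = $LASTEXITCODE
    } finally {
        Remove-Item $answer -Force -ErrorAction SilentlyContinue   # never leave the DSRM password on disk
    }
    Write-Host "dcpromo exited with code $code; review $env:SystemRoot\debug\dcpromo.log, then reboot."
}

# Run after the reboot: is this computer object a RODC? A RODC's computer
# account has primaryGroupID 521 (Read-only Domain Controllers; writable DCs
# use 516) and the PARTIAL_SECRETS_ACCOUNT bit (0x04000000) in userAccountControl.
function Test-IsRodc {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('primaryGroupID')
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $false }
    $pgid = [int]$result.Properties['primarygroupid'][0]
    $uac  = [int]$result.Properties['useraccountcontrol'][0]
    return ($pgid -eq 521) -and (($uac -band 0x04000000) -ne 0)
}
```

Run Install-BranchRodc on the branch server with the domain credentials you would have typed on the Network Credentials page, reboot once dcpromo.log shows the promotion completed, and then run Test-IsRodc. The explicit PasswordReplicationDenied entry is belt-and-braces: the default policy already denies Domain Admins, Enterprise Admins, Schema Admins and the other privileged groups, but stating it in the answer file means a later edit of the defaults cannot silently widen what a stolen branch server could reveal. The allowed group should contain only the branch users who actually log on there.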