Deploying an RODC

  • Ensure that the forest functional level is Windows Server 2003 or higher (RODCs depend on linked-value replication, which that level enables); the domain functional level must also be Windows Server 2003 or higher.
  • Run adprep /rodcprep
    You must be a member of the Enterprise Admins group. adprep /rodcprep contacts the infrastructure master of every domain and DNS application partition in the forest, so it fails if one of those role holders is offline or has been removed.

  • Install a writable domain controller that runs Windows Server 2008 in the same domain as the RODC; it is the RODC's replication source.
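
The prerequisites above can be checked from a domain-joined host before dcpromo is run. The following script is an added example, not code from the original post: it reads the forest and domain functional levels, the marker that adprep /rodcprep leaves in the Configuration partition, and the writable Windows Server 2008 (or later) domain controllers of the current domain. It assumes PowerShell 2.0 (the Active Directory module did not exist on Windows Server 2008, so plain ADSI is used) and read access to the directory; no RODC or site names are assumed.

```powershell
# Added example, not code from the original post: verify the RODC prerequisites
# listed above before running dcpromo. Assumes PowerShell 2.0 on a domain-joined
# host with read access to the Configuration partition. Functional levels are the
# documented msDS-Behavior-Version values: 2 = Windows Server 2003, 3 = 2008.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

function Get-FunctionalLevel {
    # On CN=Partitions this attribute is the forest functional level; on the
    # domain naming context head it is the domain functional level.
    param([string]$Dn)
    [int]([ADSI]"LDAP://$Dn").psbase.Properties["msDS-Behavior-Version"].Value
}

function Test-RodcPrep {
    # adprep /rodcprep records completion as this object with revision 2; if the
    # object is missing, rodcprep has not been run (or has not replicated yet).
    $path = "LDAP://CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return $false }
    ([int]([ADSI]$path).psbase.Properties["revision"].Value) -ge 2
}

function Get-WritableDC {
    # Writable DC accounts have the Domain Controllers group (RID 516) as their
    # primary group; RODC accounts use RID 521, so the filter excludes them.
    # operatingSystemVersion "6.x" covers Windows Server 2008 through 2012 R2.
    $s = New-Object System.DirectoryServices.DirectorySearcher("LDAP://$domainDn")
    $s.Filter = "(&(objectCategory=computer)(primaryGroupID=516)(operatingSystemVersion=6.*))"
    [void]$s.PropertiesToLoad.AddRange(@("name", "operatingSystem", "operatingSystemVersion"))
    foreach ($r in $s.FindAll()) {
        New-Object PSObject -Property @{
            Name    = [string]$r.Properties["name"][0]
            OS      = [string]$r.Properties["operatingsystem"][0]
            Version = [string]$r.Properties["operatingsystemversion"][0]
        }
    }
}

$ffl = Get-FunctionalLevel "CN=Partitions,$configDn"
$dfl = Get-FunctionalLevel $domainDn
$dcs = @(Get-WritableDC)

$checks = @(
    @{ Test = "Forest functional level is Windows Server 2003 (2) or higher"
       Ok = ($ffl -ge 2); Detail = "msDS-Behavior-Version=$ffl" },
    @{ Test = "Domain functional level is Windows Server 2003 (2) or higher"
       Ok = ($dfl -ge 2); Detail = "msDS-Behavior-Version=$dfl" },
    @{ Test = "adprep /rodcprep has completed"
       Ok = (Test-RodcPrep); Detail = "CN=ActiveDirectoryRodcUpdate revision >= 2" },
    @{ Test = "A writable Windows Server 2008 (or later) DC exists in this domain"
       Ok = ($dcs.Count -gt 0)
       Detail = ($dcs | ForEach-Object { "$($_.Name) $($_.Version)" }) -join ", " }
)

foreach ($c in $checks) {
    "{0} {1} [{2}]" -f $(if ($c.Ok) { "PASS" } else { "FAIL" }), $c.Test, $c.Detail
}
```

Every line should read PASS before you continue; a FAIL on the rodcprep line right after running adprep usually means the change has not replicated to the DC you are querying yet.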


  • For a new RODC installation:
    - Full installation of Windows Server 2008: run dcpromo and select the read-only domain controller option in the wizard.
    - Server Core installation: there is no wizard, so dcpromo must be driven by an answer file. Copy the following settings to a text file:

    [DCInstall]
    InstallDNS=Yes
    ConfirmGc=No
    CriticalReplicationOnly=No
    DisableCancelForDnsInstall=No
    PasswordReplicationAllowed=The name(s) of groups whose members' passwords will be allowed to be cached on the RODC
    PasswordReplicationDenied=The name(s) of groups whose members' passwords will NOT be allowed to be cached on the RODC
    Password=Password of the UserName account (a Domain Admin)
    RebootOnCompletion=No
    ReplicaDomainDNSName=Full DNS name of the domain
    ReplicaOrNewDomain=ReadOnlyReplica
    ReplicationSourceDC=Name of a writable Windows Server 2008 domain controller in the same domain
    SafeModeAdminPassword=Choose an appropriate password to use for Directory Services Restore Mode
    SiteName=RODC Site Name
    UserDomain=DomainName
    UserName=Domain Admin account name

    The groups named in PasswordReplicationAllowed and PasswordReplicationDenied must already exist. Specify each group either in Windows NT format (domain\group_name or domain.com\group_name) or in user principal name (UPN) format (group_name@domain.com), with one PasswordReplicationAllowed= or PasswordReplicationDenied= line per group. Keep the allowed list to the branch users and computers that actually authenticate at that site: everything the RODC caches can be recovered from a stolen or compromised RODC. The file also contains the Domain Admin password and the DSRM password in clear text, so restrict its ACL and delete it as soon as dcpromo has finished.

    Then run:

    dcpromo /unattend:PathToAnswerFile

  • For a staged installation of an RODC (first stage: pre-create the RODC account in the domain; the server is attached to that account later, by the principal delegated in step 11):

    1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

    2. Double-click the domain container, then either right-click the Domain Controllers container, or click the Domain Controllers container and then click Action.

    3. Click Pre-create Read-only Domain Controller account, as shown in the following figure.
       (Figure: Pre-create read-only domain controller account)

    4. On the Welcome to the Active Directory Domain Services Installation Wizard page, if you want to modify the default Password Replication Policy, select Use advanced mode installation, and then click Next.

    5. On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials, as shown in the following figure, or click Alternate credentials and then click Set. In the Windows Security dialog box, provide the user name and password of an account that can install an additional domain controller, that is, a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
       (Figure: Network Credentials)

    6. On the Specify the Computer Name page, type the computer name of the server that will be the RODC. The name must not already exist as a computer account in the domain: the server stays in a workgroup until it is attached to this account.

    7. On the Select a Site page, select a site from the list, or select the option to install the domain controller in the site that corresponds to the IP address of the computer on which you are running the wizard, and then click Next.

    8. On the Additional Domain Controller Options page, make the following selections, as shown in the following figure, and then click Next:

       DNS server: selected by default, so that the domain controller can function as a DNS server. Clear the check box if you do not want the domain controller to be a DNS server. However, if the RODC does not run the DNS server role and is the only domain controller in the branch office, users in the branch office cannot resolve names while the WAN link to the hub site is down.

       Global catalog: selected by default. It adds the read-only directory partitions of the global catalog to the domain controller and enables global catalog search. Clear the option if you do not want the domain controller to be a global catalog server. However, if the branch office has no global catalog server and universal group membership caching is not enabled for the site that includes the RODC, users in the branch office cannot log on to the domain while the WAN link to the hub site is down.

       Read-only domain controller: when you create an RODC account, this option is selected by default and you cannot clear it.
       (Figure: Additional domain controller options)

    9. If you selected the Use advanced mode installation check box on the Welcome page, the Specify the Password Replication Policy page appears. By default, no account passwords are replicated to the RODC (the Allowed RODC Password Replication Group is empty), and security-sensitive accounts, such as members of the Domain Admins group, are explicitly denied from ever having their passwords replicated to the RODC through the Denied RODC Password Replication Group. A Deny entry always overrides an Allow entry for the same account.

       To accept the default setting, click Next.

       -or-

       To add other accounts to the policy, click Add. To let the accounts have their passwords replicated to the RODC, click Allow passwords for the account to replicate to this RODC; to prevent it, click Deny passwords for the account from replicating to this RODC. Then click OK. When you are done adding accounts, click Next. Allow only the users and computers that actually log on at the branch: every password the RODC caches can be recovered from a stolen or compromised RODC.

       When you install the first RODC in a domain, the domain group accounts that RODCs require (the Allowed and Denied RODC Password Replication Groups) are created. Depending on your replication topology, the wizard might report that these groups are not available when you try to install another RODC in the domain. In that case, wait for replication to complete before you install the additional RODC.

    10. In Select Users, Computers, and Groups, type the names of the accounts that you want to add to the policy, and then click OK.

    11. On the Delegation of RODC Installation and Administration page, type the name of the user or group who will attach the server to the RODC account that you are creating, as shown in the following figure. You can type the name of only one security principal.
       (Figure: Delegate RODC installation)

       To search the directory for a specific user or group, click Set. In Select Users, Computers, or Groups, type the name of the user or group. Delegating RODC installation and administration to a group is recommended.

       This user or group also has local administrative rights on the RODC after the installation, so use a dedicated group for branch administrators rather than a group that contains ordinary branch users. If you do not specify a user or group, only members of the Domain Admins group or the Enterprise Admins group can attach the server to the account.

       When you are finished, click Next.

    12. On the Summary page, review your selections. Click Back to change any selections, if necessary.

       To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.

       When you are sure that your selections are accurate, click Next to create the RODC account.

    13. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
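
Once the RODC account exists and the server has been attached, the security question is whether the Password Replication Policy does what step 9 intends. The script below is an added example, not part of the original post: it reads the RODC's allow and deny lists straight from its computer object, expands the denied groups (nesting included) and checks whether any of their members nevertheless has secrets cached on that RODC, then cross-checks with repadmin /prp. It assumes PowerShell 2.0 and repadmin.exe on a domain-joined host with read access to the domain; the RODC name BRANCH-RODC1 and the script file name used in the usage note are placeholders.

```powershell
# Added example, not code from the original post: audit one RODC's Password
# Replication Policy and flag accounts the policy says must never be cached but
# whose secrets the RODC has revealed (cached) anyway. Assumes PowerShell 2.0 and
# repadmin.exe on a domain-joined admin host with read access to the domain; the
# RODC name BRANCH-RODC1 is hypothetical.
param([string]$RodcName = "BRANCH-RODC1")

$root = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext

function Search-AD {
    # One paged LDAP search. Back-link attributes such as msDS-RevealedDSAs are
    # only returned when requested explicitly, hence PropertiesToLoad.
    param([string]$Filter, [string[]]$Properties)
    $s = New-Object System.DirectoryServices.DirectorySearcher("LDAP://$root")
    $s.Filter   = $Filter
    $s.PageSize = 1000
    foreach ($p in $Properties) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

function ConvertTo-LdapLiteral {
    # Escape a value for use inside an LDAP filter (RFC 4515). The backslash is
    # escaped first so the escapes introduced afterwards are not re-escaped.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# 1. Find the RODC computer object and read its PRP. RODC accounts have the
#    "Read-only Domain Controllers" group (RID 521) as primary group, which,
#    unlike the constructed attribute msDS-isRODC, can be used in a filter.
$filter = "(&(objectCategory=computer)(primaryGroupID=521)" +
          "(name=$(ConvertTo-LdapLiteral $RodcName)))"
$hits = Search-AD $filter @("distinguishedName", "msDS-RevealOnDemandGroup", "msDS-NeverRevealGroup")
if ($hits.Count -ne 1) { throw "RODC '$RodcName' not found under $root" }
$rodc    = $hits[0].Properties
$rodcDn  = [string]$rodc["distinguishedname"][0]
$allowed = @($rodc["msds-revealondemandgroup"])
$denied  = @($rodc["msds-neverrevealgroup"])

"RODC: $rodcDn"
"Allowed (msDS-RevealOnDemandGroup):"; $allowed | ForEach-Object { "  $_" }
"Denied  (msDS-NeverRevealGroup):";   $denied  | ForEach-Object { "  $_" }

# 2. Expand each denied group, nesting included (LDAP_MATCHING_RULE_IN_CHAIN is
#    evaluated on the DC), and read every member's msDS-RevealedDSAs: the
#    back link listing each RODC that currently holds that account's secrets.
$leaks = @()
foreach ($groupDn in $denied) {
    $filter = "(&(|(objectCategory=person)(objectCategory=computer))" +
              "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapLiteral $groupDn)))"
    $members = Search-AD $filter @("sAMAccountName", "msDS-RevealedDSAs")
    foreach ($m in $members) {
        if (@($m.Properties["msds-revealeddsas"]) -contains $rodcDn) {
            $leaks += New-Object PSObject -Property @{
                Account   = [string]$m.Properties["samaccountname"][0]
                DeniedVia = $groupDn
            }
        }
    }
}

# 3. Report. A denied account normally reaches the revealed list only if it was
#    cached before the policy denied it; editing the PRP does not purge the
#    cached secret, resetting that account's password does.
if ($leaks.Count -eq 0) {
    "OK: no member of a denied group has secrets cached on $RodcName"
} else {
    "WARNING: denied accounts with secrets cached on $RodcName (reset their passwords):"
    $leaks | Sort-Object Account -Unique | Format-Table Account, DeniedVia -AutoSize
}

# 4. Cross-check with the built-in tool; "reveal" prints msDS-RevealedUsers.
& repadmin /prp view $RodcName reveal
```

Save it as, for instance, Test-RodcPrp.ps1 and run .\Test-RodcPrp.ps1 -RodcName BRANCH-RODC1 from a hub-site host; the denied list is taken from the RODC object itself rather than hard-coded, so the check follows whatever policy was set in step 9.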
