
Installing and configuring a read-only domain controller (RODC)

As mentioned earlier, an RODC is a read-only installation of AD DS. An RODC can be installed in two different ways: as a standard domain controller installation using the GUI wizard or PowerShell, or by first creating a pre-staged computer account for the RODC in AD DS. Both approaches give you the same result, but the pre-staged account configuration forces you to configure more RODC-related settings before promoting the server to an RODC.

If you decide to go with the easier approach of using the GUI wizard, you just need to check the Read only domain controller (RODC) checkbox on the Domain Controller Options page:

  1. Go to Deployment Configuration and select Add a new domain to existing forest.
  2. Go to Domain Controller Options:
    1. Select the Forest and Domain functional level.
    2. Check Domain Name System (DNS) server.
    3. Check Read only domain controller (RODC).
    4. Type the DSRM password.
  3. Go to RODC Options:
    1. Define the RODC Administrator account (optional).
    2. Define which users or groups can replicate their passwords to RODC.
  4. Go to Additional Options and verify the NetBIOS name, or change it if you need to.
  5. Go to Paths and change the paths if necessary. Otherwise, you can skip this step and keep the default values.
  6. Go to Review Options. Once you have configured everything, review the configuration and confirm it.
  7. Go to Prerequisites Check. If you pass all prerequisite checks, you just need to click Install and wait for AD DS to install.
  8. After the installation of AD DS on the RODC, the server will restart automatically.

The PowerShell command that you will use to install RODC has a few more switches than the command that we used to install a standard domain controller:

Import-Module ADDSDeployment
# -ReadOnlyReplica makes the new DC an RODC; the two *PasswordReplicationAccountName
# switches seed the RODC's password replication policy (allowed and denied lists).
Install-ADDSDomainController -DomainName "mcsacertguide.local" `
    -InstallDns:$true -ReadOnlyReplica:$true -NoGlobalCatalog:$false -CriticalReplicationOnly:$false `
    -AllowPasswordReplicationAccountName @("MCSACERTGUIDE\Allowed RODC Password Replication Group") `
    -DenyPasswordReplicationAccountName @("BUILTIN\Administrators", "BUILTIN\Server Operators", "BUILTIN\Backup Operators", "BUILTIN\Account Operators", "MCSACERTGUIDE\Denied RODC Password Replication Group") `
    -SiteName "Default-First-Site-Name" `
    -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" `
    -NoRebootOnCompletion:$false -Force:$true

By default, an RODC doesn't cache any passwords, for security reasons. In an RODC environment, you need to determine which accounts' passwords will be cached on the RODC and which accounts must always be authenticated by a writable domain controller. This is controlled by the password replication policy (PRP); by default, AD DS creates a domain-wide PRP with two security groups:

  • Allowed RODC Password Replication Group: Members of this group are allowed to cache passwords in RODC. By default, this group doesn't have any members.
  • Denied RODC Password Replication Group: Members of this group aren't allowed to cache passwords in RODC. Some security-critical groups are members of this group by default, such as Administrators, Server Operators, Backup Operators, and Account Operators.
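The PRP seeded by the Install-ADDSDomainController switches above can be audited and extended afterwards with the ActiveDirectory module. The following script is an added example, not from the book: it reports every account whose password is currently cached (revealed) on each RODC and flags members of privileged groups, and it grants caching to a branch group on one RODC only. The group and RODC names passed to Grant-RodcPasswordCaching are placeholders.

```powershell
# Added example (not the book's code). Assumes the ActiveDirectory module and a
# domain-joined session with rights to read and edit RODC password replication policies.
Import-Module ActiveDirectory

# Groups whose members should never have secrets cached on an RODC. The last four
# are in "Denied RODC Password Replication Group" by default; the first two are added here.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Server Operators', 'Backup Operators', 'Account Operators')

function Get-RodcPrpReport {
    # One row per account that is actually cached on an RODC right now.
    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
        $denied   = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)
        # Revealed accounts = secrets stored in this RODC's database (what an attacker
        # with the RODC could obtain), so this is the list worth reviewing regularly.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

        foreach ($acct in $revealed) {
            $groups = Get-ADPrincipalGroupMembership -Identity $acct.SamAccountName |
                      Select-Object -ExpandProperty Name
            [pscustomobject]@{
                RODC       = $rodc.HostName
                Account    = $acct.SamAccountName
                Privileged = [bool]($groups | Where-Object { $_ -in $privilegedGroups })
                AllowedPRP = ($allowed | ForEach-Object Name) -join ', '
                DeniedPRP  = ($denied  | ForEach-Object Name) -join ', '
            }
        }
    }
}

function Grant-RodcPasswordCaching {
    # Allow one group on one RODC. Adding the group to the domain-wide
    # "Allowed RODC Password Replication Group" would allow caching on every RODC instead.
    param([Parameter(Mandatory)][string]$Rodc, [Parameter(Mandatory)][string]$Group)
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
}

# Usage (placeholder names): flag privileged cached accounts, then allow a branch group.
Get-RodcPrpReport | Where-Object Privileged | Format-Table RODC, Account, DeniedPRP -AutoSize
Grant-RodcPasswordCaching -Rodc 'BRANCH-RODC01' -Group 'Branch Office Users'
```

A privileged account showing up in the report means its secret reached the RODC despite the default denied list, which is a PRP misconfiguration to correct rather than a normal state.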
