Steps for Deploying an RODC

Applies To: Windows Server 2008

This section contains information about deploying an RODC. It first lists high-level tasks that must be performed, in addition to optional tasks. This list is followed by detailed information, including information about administrative credentials and procedures necessary for performing some of these tasks.

To deploy an RODC, complete the following high-level tasks:

  • Ensure that the forest functional level is Windows Server 2003 or higher

  • Run adprep /rodcprep

    You do not have to perform this step if you are creating a new forest that will have only domain controllers running Windows Server 2008.

  • Install a writable domain controller that runs Windows Server 2008

  • Optional: Install an RODC on a full installation of Windows Server 2008

    -or-

  • Optional: Install an RODC on a Server Core installation

  • Optional: delegate RODC installation

  • Optional: Install RODC from media

  • Optional: Remove a domain controller that is running Windows Server 2008

Ensure that the forest functional level is Windows Server 2003 or higher

Administrative credentials

Any domain user can verify that the current forest functional level is Windows Server 2003 or higher. To raise the forest functional level, you must be either a member of the Domain Admins group in the forest root domain or a member of the Enterprise Admins group.

To ensure that the forest functional level is Windows Server 2003 or higher

  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the name of the forest, and then click Properties.

  3. Under Forest functional level, verify that the value is Windows Server 2003 or Windows Server 2008.

  4. If it is necessary to raise the forest functional level, in the console tree, right-click Active Directory Domains and Trusts, and then click Raise forest functional level.

  5. In Select an available forest functional level, click Windows Server 2003, and then click Raise.

Run adprep /rodcprep

Administrative credentials

This step updates the permissions on all the DNS application directory partitions in the forest. This allows them to be replicated successfully by all RODCs that are also DNS servers. To run adprep /rodcprep, you must be a member of the Enterprise Admins group.

To run adprep /rodcprep

  1. Log on to a domain controller as a member of the Enterprise Admins group.

  2. Copy the contents of the \sources\adprep folder on the Windows Server 2008 installation DVD to the schema master.

  3. Open a command prompt, change directories to the adprep folder, type the following command, and then press ENTER:

    adprep /rodcprep

Install a writable domain controller that runs Windows Server 2008

An RODC must replicate domain updates from a writable domain controller that runs Windows Server 2008. Before you install an RODC, be sure to install a writable domain controller that runs Windows Server 2008 in the same domain. The domain controller can run either a full installation or a Server Core installation of Windows Server 2008. In Windows Server 2008, the writable domain controller does not have to hold the primary domain controller (PDC) emulator operations master role.

For more information and step-by-step procedures for installing a writable domain controller that runs Windows Server 2008, see the Step-by-Step guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (https://go.microsoft.com/fwlink/?LinkId=86716).

Optional: Install an RODC on a full installation of Windows Server 2008

You can install an RODC on either a full installation of Windows Server 2008 or on a Server Core installation of Windows Server 2008. You can start the Active Directory Domain Services Installation Wizard in a variety of ways. For a complete list, see the Step-by-Step guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (https://go.microsoft.com/fwlink/?LinkId=86716).

After you install the first RODC in your domain, allow enough time for the new Password Replication Policy groups to replicate to other domain controllers in the domain before you try to install additional RODCs. This helps prevent errors that might occur during the RODC installation if the groups are not available on the source domain controller.

Administrative credentials

To install an RODC on a full installation of Windows Server 2008, you must be a member of the Domain Admins group.

To install an RODC on a full installation of Windows Server 2008

  1. Log on to the server as a member of the Domain Admins group.

  2. Click Start, type dcpromo, and then press ENTER to start the Active Directory Domain Services Installation Wizard. The server can belong to a workgroup. Alternatively, if you are not delegating the installation, the server can already be joined to the domain in which you want it to be an RODC.

Note

If you select the Use advanced mode installation check box on the Welcome to the Active Directory Domain Services Installation Wizard page, you can configure the Password Replication Policy for the RODC and other settings during the AD DS installation. In this guide, a procedure for configuring the Password Replication Policy is provided in Steps for Administering an RODC. For a complete list of settings that you can configure when you select the Use advanced mode installation check box, click the advanced mode installation Help link.

  3. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, as shown in the following illustration, and then click Next.

  4. On the Network Credentials page, type the name of a domain in the forest where you plan to install the RODC. If necessary, also type a user name and password for a member of the Domain Admins group, and then click Next.

  5. Select the domain for the RODC, and then click Next.

  6. Click the Active Directory site for the RODC, as shown in the following illustration, and then click Next.

  7. Select the Read-only domain controller check box, as shown in the following illustration. By default, the DNS server check box is also selected.

Note

To run the DNS server on the RODC, another domain controller running Windows Server 2008 must be running in the domain and hosting the DNS domain zone. An Active Directory–integrated zone on an RODC is always a read-only copy of the zone file. Updates are sent to a DNS server in a hub site instead of being made locally on the RODC.

  8. To use the default folders that are specified for the Active Directory database, the log files, and SYSVOL, click Next.

  9. Type and then confirm a Directory Services Restore Mode password, and then click Next.

  10. Confirm the information that appears on the Summary page, and then click Next to start the AD DS installation. You can select the Reboot on completion check box to make the rest of the installation complete automatically.

Optional: Install an RODC on a Server Core installation

Administrative credentials

This is an optional task. If you choose to install an RODC on a Server Core installation of Windows Server 2008, you must be a member of the Domain Admins group or you must have been delegated the ability to perform the installation.

To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS. The following procedure includes the parameters that can be specified in the answer file during an unattended installation. You can also specify these parameters at a command line if you use the dcpromo /unattend command.

For more information about unattended installation parameters of AD DS and exit codes that are returned after the installation, see the Step-by-Step guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (https://go.microsoft.com/fwlink/?LinkId=86716), which is part of this documentation set.

To install an RODC on a Server Core installation of Windows Server 2008

  1. Install a second server computer that is running a Server Core installation of Windows Server 2008.

  2. Copy the following answer file settings to a text file. The InstallDNS, PasswordReplicationAllowed, PasswordReplicationDenied, and ReplicationSourceDC settings are optional. Replace the placeholder information (shown in angle brackets) with the correct information for your environment. Then save the text file with the name that you will use for your answer file during the installation:

    [DCInstall]
    InstallDNS=Yes
    ConfirmGc=No
    CriticalReplicationOnly=No
    DisableCancelForDnsInstall=No
    PasswordReplicationAllowed=<The name(s) of groups whose members' passwords will be allowed to be cached on the RODC>
    PasswordReplicationDenied=<The name(s) of groups whose members' passwords will NOT be allowed to be cached on the RODC>
    Password=<Domain Admin password>
    RebootOnCompletion=No
    ReplicaDomainDNSName=<Full DNS name of the domain>
    ReplicaOrNewDomain=ReadOnlyReplica
    ReplicationSourceDC=<Name of a Windows Server 2008 domain controller in the same domain>
    SafeModeAdminPassword=<Choose an appropriate password to use for Directory Services Restore Mode>
    SiteName=<RODC Site Name>
    UserDomain=<DomainName>
    UserName=<Domain Admin account name>

Note

The groups that are specified as values for PasswordReplicationAllowed and PasswordReplicationDenied must already exist. You must specify the groups either by using the Windows NT format (domain\user_name or domain.com\user_name) or by using the user principal name (UPN) format (user_name@domain.com). Add another entry for each additional group. For example:

PasswordReplicationAllowed=CN=AllowedGroup,OU=Users,DC=spruce,DC=example,DC=contoso,DC=com

PasswordReplicationAllowed=CN=AllowedGroup2,OU=Users,DC=spruce,DC=example,DC=contoso,DC=com

If you do not want to specify any groups during the installation, leave this entry blank.

  3. At a command line, type the following command, and then press ENTER:

    dcpromo /unattend:<PathToAnswerFile>
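As an added example (not part of the original guide), a small Python linter that checks an answer file of the form above before it is handed to dcpromo /unattend: it parses the repeated PasswordReplicationAllowed and PasswordReplicationDenied lines, flags placeholders that were never replaced, and warns when a privileged group such as Domain Admins appears in the Allowed list or when a group appears in both lists (in the Password Replication Policy, Deny takes precedence). The sample answer file, the group list used as the sensitive baseline and the angle-bracket placeholder convention are constructed assumptions.

```python
"""Lint a dcpromo [DCInstall] answer file before an unattended RODC install."""
from typing import Dict, List

# Settings an unattended RODC installation must carry (keys from the answer file above).
REQUIRED_KEYS = ("ReplicaOrNewDomain", "ReplicaDomainDNSName", "SiteName",
                 "SafeModeAdminPassword", "UserDomain", "UserName", "Password")
# Groups whose members' passwords should not be cached on a branch RODC: Domain Admins
# is named in the guide; the other built-in groups are an assumed baseline for this check.
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators",
                    "account operators", "server operators", "backup operators"}

def parse_answer_file(text: str) -> Dict[str, List[str]]:
    """Map every key in [DCInstall] to all of its values (configparser would collapse
    or reject the repeated PasswordReplication* lines, so the section is parsed by hand)."""
    values: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "dcinstall"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")   # split on the first '=' only
            values.setdefault(key.strip(), []).append(value.strip())
    return values

def group_name(entry: str) -> str:
    """Reduce a DN, domain\\group or group@domain entry to a lower-case group name."""
    if entry.upper().startswith("CN="):
        return entry.split(",", 1)[0][3:].strip().lower()
    if "\\" in entry:
        return entry.rsplit("\\", 1)[1].strip().lower()
    return entry.split("@", 1)[0].strip().lower()

def lint_answer_file(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file passed every check."""
    values = parse_answer_file(text)
    if not values:
        return ["no [DCInstall] section found"]
    findings: List[str] = []
    for key in REQUIRED_KEYS:
        if not values.get(key, [""])[0]:
            findings.append(f"missing or empty required setting: {key}")
    if values.get("ReplicaOrNewDomain", [""])[0] != "ReadOnlyReplica":
        findings.append("ReplicaOrNewDomain must be ReadOnlyReplica for an RODC")
    for key, vals in values.items():              # angle-bracket placeholders left in place
        findings += [f"placeholder not replaced: {key}={v}" for v in vals
                     if v.startswith("<") and v.endswith(">")]
    allowed = {group_name(g) for g in values.get("PasswordReplicationAllowed", []) if g}
    denied = {group_name(g) for g in values.get("PasswordReplicationDenied", []) if g}
    for g in sorted(allowed & SENSITIVE_GROUPS):
        findings.append(f"sensitive group in PasswordReplicationAllowed: {g}")
    for g in sorted(allowed & denied):            # Deny takes precedence in the PRP
        findings.append(f"{g} is both allowed and denied (deny wins; allow entry is ineffective)")
    return findings

# Constructed sample answer file with three problems for the linter to report.
SAMPLE_ANSWER_FILE = """[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=spruce.example.contoso.com
SiteName=<RODC Site Name>
PasswordReplicationAllowed=CN=AllowedGroup,OU=Users,DC=spruce,DC=example,DC=contoso,DC=com
PasswordReplicationAllowed=SPRUCE\\Domain Admins
PasswordReplicationDenied=CN=AllowedGroup,OU=Users,DC=spruce,DC=example,DC=contoso,DC=com
SafeModeAdminPassword=ConstructedDsrmPassw0rd!
UserDomain=spruce.example.contoso.com
UserName=rodc-installer
Password=ConstructedPassw0rd!
"""

if __name__ == "__main__":
    for finding in lint_answer_file(SAMPLE_ANSWER_FILE):
        print("WARNING:", finding)
```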

Optional: delegate RODC installation

You can perform a staged installation of an RODC in which the installation is completed in two stages by different individuals. The first stage of the installation, which requires domain administrative credentials, creates an account for the RODC in AD DS. The second stage of the installation attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it. You can delegate the ability to attach the server to the account to a nonadministrative group or user in the remote location.

During the first stage of the installation, the wizard records all the data about the RODC that will be stored in the distributed Active Directory database, including the read-only domain controller account name and the site in which it will be placed. This stage must be performed by a member of the Domain Admins group.

The administrator who creates the RODC account can also specify at that time which users or groups can complete the next stage of the installation. The next stage of the installation can be performed in the branch office by any user or group who was delegated the right to complete the installation when the account was created. This stage does not require any membership in built-in groups, such as the Domain Admins group. If the user who creates the RODC account does not specify any delegate to complete the installation (and administer the RODC), only a member of the Domain Admins group or the Enterprise Admins group can complete the installation.

During the second stage, the wizard installs AD DS on the server that will become the RODC, and it attaches the server to the domain account that was previously created for it. This stage typically occurs in the branch office or other remote location where the RODC is deployed. During this stage, all AD DS data that resides locally, such as the database, log files, and so on, is created on the RODC itself. You can replicate the installation source files to the RODC from another domain controller over the network, or you can use the install from media (IFM) feature. To use IFM, use Ntdsutil.exe to create the installation media.

The server that will become the RODC must not be joined to the domain before you try to attach it to the RODC account. As part of the installation, the wizard automatically detects whether the name of the server matches the names of any RODC accounts that have been created in advance for the domain. When the wizard finds a matching account name, it prompts the user to use that account to complete the RODC installation.

You can use the Active Directory Users and Computers snap-in to create an RODC account.

Note

You can automate a staged installation of an RODC by typing dcpromo at a command prompt with the appropriate parameters or by using an answer file. For more information about automating the installation, see the Step-by-Step guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (https://go.microsoft.com/fwlink/?LinkId=86716).

To create an RODC account by using the Windows interface

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. Double-click the domain container, and then either right-click the Domain Controllers container, or click the Domain Controllers container and then click Action.

  3. Click Pre-create Read-only Domain Controller account, as shown in the following figure.

  4. On the Welcome to the Active Directory Domain Services Installation Wizard page, if you want to modify the default Password Replication Policy, select Use advanced mode installation, and then click Next.

  5. On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials, as shown in the following figure, or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.

  6. On the Specify the Computer Name page, type the computer name of the server that will be the RODC.

  7. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to the IP address of the computer on which you are running the wizard, and then click Next.

  8. On the Additional Domain Controller Options page, make the following selections, as shown in the following figure, and then click Next:

    • DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this check box. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the WAN to the hub site is offline.

    • Global catalog: This option is selected by default. It adds the read-only directory partitions of the global catalog to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN to the hub site is offline.

    • Read-only domain controller: When you create an RODC account, this option is selected by default and you cannot clear it.

  9. If you selected the Use advanced mode installation check box on the Welcome page, the Specify the Password Replication Policy page appears. By default, no account passwords are replicated to the RODC, and security-sensitive accounts (such as members of the Domain Admins group) are explicitly denied from ever having their passwords replicated to the RODC.

    To accept the default setting, click Next.

    -or-

    To add other accounts to the policy, click Add. If you want the accounts to be allowed to have their passwords replicated to the RODC, click Allow passwords for the account to replicate to this RODC. If you want the accounts to be denied from having their passwords replicated to the RODC, click Deny passwords for the account from replicating to this RODC. Then, click OK. When you are done adding other accounts, click Next.

    When you install the first RODC in a domain, domain group accounts that are required for RODCs to function are created. Depending on your replication topology, the wizard might return an error indicating that these group accounts are not available when you try to install another RODC in the domain. In this case, wait for replication to complete before you install the additional RODC.

    For more information about configuring the Password Replication Policy, see Steps for Administering an RODC.

  10. In Select Users, Computers, and Groups, type the names of the accounts that you want to add to the policy, and then click OK.

  11. On the Delegation of RODC Installation and Administration page, type the name of the user or the group who will attach the server to the RODC account that you are creating, as shown in the following figure. You can type the name of only one security principal.

    To search the directory for a specific user or group, click Set. In Select Users, Computers, or Groups, type the name of the user or group. We recommend that you delegate RODC installation and administration to a group.

    This user or group will also have local administrative rights on the RODC after the installation. If you do not specify a user or group, only members of the Domain Admins group or the Enterprise Admins group will be able to attach the server to the account.

    When you are finished, click Next.

  12. On the Summary page, review your selections. Click Back to change any selections, if necessary.

    To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.

    When you are sure that your selections are accurate, click Next to create the RODC account.

  13. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

After you create the account for the RODC, the user or group to whom you delegated installation and administration of the RODC (in step 11 in the previous procedure) can run the Active Directory Domain Services Installation Wizard on the server that will become the RODC to complete the RODC installation. Make sure that the server is not joined to the domain before you start the wizard.

To attach a server to an RODC account using the Windows interface

  1. Log on as local Administrator to the server that will become the RODC, and then open a command prompt.

  2. Type the following command, and then press ENTER:

    dcpromo /UseExistingAccount:Attach

  3. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next, or, if you want to install from media or identify the source domain controller for AD DS replication, select the Use advanced mode installation check box.

  4. On the Network Credentials page, type the name of any existing domain in the forest where you plan to install the additional domain controller, as shown in the following figure. Under Specify the account credentials to use to perform the installation, click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that was delegated the ability to install and administer the RODC when the RODC account was created. When you are finished providing credentials, click Next.

  5. On the Select Domain Controller Account page, confirm that the wizard has found an existing RODC account that matches the name of the server, and then click Next.

  6. If you selected advanced installation mode, you can specify the following advanced options:

    1. On the Install from Media page, you can provide the location of installation media to be used to create the domain controller and configure AD DS or you can choose to have all data replicated over the network. Note that some data will be replicated over the network even if you choose to install from media. For information about using this method to install the domain controller, see Optional: Install RODC from media.

    2. On the Source Domain Controller page, you can specify a domain controller from which to replicate the configuration and schema directory partitions (or the entire Active Directory database if you do not choose to install from media). If you select This specific domain controller, you can select the domain controller that you want to provide source replication to create the new domain controller, and then click Next.

  7. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the system volume (SYSVOL) files, and then click Next.

    Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.

  8. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password is used to start AD DS in Directory Service Restore Mode for tasks that must be performed offline. The password complexity and length must comply with the domain security policy.

  9. On the Summary page, review your selections. Click Back to change any selections, if necessary.

    To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.

    When you are sure that your selections are accurate, click Next to install AD DS.

  10. You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS installation when you are prompted to do so.

Optional: Install RODC from media

In previous versions of Windows Server, administrators were encouraged to use Ntbackup.exe to create domain controller installation media. In Windows Server 2008, administrators are encouraged to use ntdsutil.exe to create installation media. You can use the new ifm subcommand in ntdsutil to remove cached secrets (such as passwords) from the installation media to use it for an RODC installation. Ntbackup.exe cannot remove cached secrets from the installation media.

To install an RODC from media, first use Ntdsutil to create the installation media. Then, specify the IFM option as appropriate for the installation method that you are using, as listed below.

  • Active Directory Domain Services Installation Wizard: Select the Use advanced mode installation check box on the Welcome page (for both delegated and nondelegated installations).

  • Command-line installation: Type dcpromo /unattend /ReplicationSourcePath:"path to installation media" and add other parameters as required to complete the installation.

  • Answer file: Create an answer file that includes an entry for ReplicationSourcePath="path to installation media", and then specify dcpromo /unattend:"path to answer file" at a command prompt.

For more information about installing from media, see the Step-by-Step guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (https://go.microsoft.com/fwlink/?LinkId=86716).

Optional: Remove a domain controller that is running Windows Server 2008

Administrative credentials

This is an optional task. If you choose to remove a domain controller that is running Windows Server 2008, you must be a member of the Domain Admins group.

To remove a domain controller on Windows Server 2008

  1. Copy the following answer file settings to a text file. The InstallDNS and ReplicationSourceDC settings are optional. Replace the placeholder information (shown in angle brackets) with the correct information for your environment, and then save the text file:

    [DCInstall]
    InstallDNS=Yes
    AdministratorPassword=<Member Server Administrator password>
    RebootOnCompletion=No
    UserDomain=<DomainName>
    UserName=<Domain Admin Account name>
    Password=<Domain Admin password>
    ReplicationSourceDC=<Name of a Windows Server 2008 domain controller in the same domain>

  2. At a command line, type the following command, and then press ENTER:

    dcpromo /unattend:<PathToAnswerFile>