Replace a Windows Server 2003 Domain Controller in a Branch Office with a Windows Server 2008 RODC

Applies To: Windows Server 2008

In this scenario, you replace a Windows Server 2003 domain controller that is currently deployed in a branch office with a new server that will be a read-only domain controller (RODC). During the RODC installation, the existing Windows Server 2003 domain controller continues to authenticate the branch office users and computers. After the RODC is installed, you can remove Active Directory from the Windows Server 2003 domain controller and retain the domain controller as a member server.

Security Note
For security reasons, you should make sure that the Windows Server 2003 domain controller and the RODC are running in the same site for only a short time.

The steps to complete this scenario are similar to the steps for adding an RODC to a new site that does not have a domain controller. You create the RODC account and select a delegated RODC administrator to complete the installation of the RODC in the branch office. But you can only use a Windows Server 2008 domain controller as a source to create secret-less media (that is, media in which passwords and other secret-like data has been removed) for an Install from Media (IFM) installation of the RODC. Therefore, if possible, consider upgrading the Windows Server 2003 domain controller to Windows Server 2008 so that you can use it as a source to create secret-less media for the RODC installation. This makes it possible for all the RODC installation procedures to be completed in the branch office location.

As an alternative, you can use a Windows Server 2008 domain controller in a hub site to create the secret-less media and then ship the media to the branch office for the RODC installation. In either case, the RODC must use a Windows Server 2008 domain controller as a replication source during the installation of Active Directory Domain Services (AD DS).

For these reasons, you should perform an IFM installation to reduce replication over the wide area network (WAN) link during the RODC installation. On the other hand, if the WAN link can sustain the replication traffic, you can choose to have all Active Directory data replicated during the installation.

Complete the following steps to replace a Windows Server 2003 domain controller in a branch office with a Windows Server 2008 RODC:

  1. Using the Active Directory Users and Computers snap-in, right-click the Domain Controllers OU, and then select the option to create an account for the RODC. This step must be completed by a member of the Domain Admins, or you must be delegated the appropriate permissions. When you create the account, specify the following options in particular:

    • Enter the name of the RODC.

    • Select the site that has the Windows Server 2003 domain controller that you want to replace as the site for the RODC.

    • Select the DNS server and Global catalog options. If you do not install these options when you create the RODC account, you must take additional steps to install them later, including steps to enlist the RODC in the DNS application directory partitions.

    • Delegate an administrator for the RODC. As a best practice, use a security group as the delegated RODC administrator account. If a delegated RODC administrator is not selected when the RODC account is created, you can select one after the account is created. For more information, see RODC Administration (https://go.microsoft.com/fwlink/?LinkID=133521).

    • Configure the Password Replication Policy (PRP) for the RODC. The PRP specifies which account passwords are allowed to be cached or are denied from being cached by the RODC. For more information, see Administering the Password Replication Policy (https://go.microsoft.com/fwlink/?LinkID=133488).

Note

If you are using the Active Directory Domain Services Installation Wizard to create the RODC account, select the Use advanced mode installation check box on the Welcome page of the wizard to configure the PRP when you create the RODC account.

    For more information, see Performing a Staged RODC Installation ([https://go.microsoft.com/fwlink/?LinkID=129193](https://go.microsoft.com/fwlink/?linkid=129193)).  
      
  1. If you plan to install the RODC from media, run the ntdsutil ifm command on a Windows Server 2008 domain controller to create secret-less installation media for the RODC installation, and then send the media to the branch office where the installation will occur. By using the IFM option, you can reduce the amount of data that has to replicate to the RODC during the installation process. For more information about creating secret-less media for an RODC installation, see Installing AD DS from Media (https://go.microsoft.com/fwlink/?LinkID=120013).

  2. Deploy a Windows Server 2008 server in the branch office. You can, for example, have a server with Windows Server 2008 preinstalled sent directly to the branch office. We recommend that you choose the Server Core installation option of Windows Server 2008 for an RODC. However, there are some other server roles that you might want to also run on the RODC that cannot run on a Server Core installation. For more information about which server roles can run on a Server Core installation, see the section “Choosing whether to install the Server Core or the Full installation option” in RODC installation (https://go.microsoft.com/fwlink/?LinkId=153622).

    One alternative is to deploy the RODC as a virtual machine (VM) by using a virtualization technology such as Hyper-V. You can install an RODC on a Server Core installation in a VM and run other roles such as File and Print server on other VMs. For more information, see Running Domain Controllers in Hyper-V (https://go.microsoft.com/fwlink/?LinkID=139651).

Note

The server must be in a workgroup, and it should have the same name as the account that is specified in step 2.

The delegated RODC administrator runs **dcpromo** at the command line. For more information about running **dcpromo**, see Performing a Staged RODC Installation ([https://go.microsoft.com/fwlink/?LinkID=129193](https://go.microsoft.com/fwlink/?linkid=129193)).  
  
  1. Verify that the RODC installation is working correctly. For more information about specific tests that you can run to verify the installation, see RODC Post-Installation Configuration (https://go.microsoft.com/fwlink/?LinkId=152749).

  2. Remove Active Directory from the Windows Server 2003 domain controller.

  3. As a security best practice, delete all system state backups or snapshots from the original domain controller after you remove Active Directory from it. The backups and snapshots contain secrets. Because most organizations deploy an RODC to eliminate exposure of those secrets, it is a good security practice to delete them. You will never need them because they can no longer be used to restore the original domain controller.