Deploy an RODC to a Branch Office That Currently Has No Domain Controller

Updated: June 3, 2009

Applies To: Windows Server 2008

In this scenario, the branch office does not have any domain controllers, either because it is a new location, it does not have the physical security to host a domain controller, or it does not have the administrative expertise to manage a domain controller. In this scenario, you can perform a staged installation in which a read-only domain controller (RODC) is promoted onsite in the branch office. The benefit to using a staged installation is that you can delegate RODC promotion to any domain user, which means that a Domain Admin does not have to log on in the branch office to complete the RODC installation. Also, if you usually use an answer file to install Active Directory Domain Services (AD DS), you do not have to include the password of a Domain Admin account in the answer file, which reduces the risk if someone intercepts the answer file.

Complete the following steps to deploy an RODC to a branch office that currently has no domain controller:

  1. Using the Active Directory Sites and Services snap-in, create a site object for the branch office and a site link object that makes it possible for that branch office location to replicate with a hub site or data center.

  2. Using the Active Directory Users and Computers snap-in, right-click the Domain Controllers organizational unit (OU), and then select the option to create an account for the RODC. This step must be completed by a member of the Domain Admins group, or you must be delegated the appropriate permissions. When you create the account, specify the following options in particular:

    • Enter the name of the RODC.

    • Select the new site that you just created as the site for the RODC.

    • Select the DNS server and Global catalog options. If you do not install these options when you create the RODC account, you must take additional steps to install them later, including steps to enlist the RODC in the DNS application directory partitions.

    • Delegate an administrator for the RODC. As a best practice, use a security group as the delegated RODC administrator account. If a delegated RODC administrator is not selected when the RODC account is created, you can select one after the account is created. For more information, see RODC Administration (http://go.microsoft.com/fwlink/?LinkID=133521).

    • Configure the Password Replication Policy (PRP) for the RODC. The PRP specifies which account passwords are allowed to be cached or denied from being cached by the RODC. For more information, see Administering the Password Replication Policy (http://go.microsoft.com/fwlink/?LinkID=133488).

      noteNote
      If you are using the Active Directory Domain Services Installation Wizard to create the RODC account, select the Use advanced mode installation check box on the Welcome page of the wizard to configure the PRP when you create the RODC account.

      For more information, see Performing a Staged RODC Installation (http://go.microsoft.com/fwlink/?LinkID=129193).

  3. If you plan to install the RODC from media, run the ntdsutil ifm command on a Windows Server 2008 domain controller to create secret-less installation media (that is, media in which passwords and other attributes that are included in the RODC FAS have been removed) for the RODC installation, and then send the media to the branch office where the installation will occur. By using the Install from Media (IFM) option, you can reduce the amount of data that must replicate to the RODC during the installation process. For more information about creating secret-less media for an RODC installation, see Installing Active Directory Domain Services from Media (http://go.microsoft.com/fwlink/?LinkID=120013).

  4. Deploy a Windows Server 2008 server in the branch office. You can, for example, have a server with Windows Server 2008 preinstalled sent directly to the branch office. We recommend that you use the Server Core installation option of Windows Server 2008 for an RODC. However, there are some other server roles that you might want to run on the RODC that cannot run on a Server Core installation. For more information about what server roles can run on a Server Core installation, see the section “Choosing whether to install the Server Core or the Full installation option” in RODC installation (http://go.microsoft.com/fwlink/?LinkId=153622).

    One alternative is to deploy the RODC as a virtual machine (VM) by using a virtualization technology, such as Windows Server 2008 Hyper-V™. You can install an RODC on a Server Core installation on a VM and run other roles such as File and Print server on other VMs. For more information, see Running Domain Controllers in Hyper-V (http://go.microsoft.com/fwlink/?LinkID=139651).

    noteNote
    The server must be in a workgroup, and it should have the same name as the account that is specified in step 2.

    Have a delegated RODC administrator complete the second stage of the AD DS installation. For more information, see Performing a Staged RODC Installation (http://go.microsoft.com/fwlink/?LinkID=129193).

  5. Verify that the RODC installation is working correctly. If you did not install the DNS server role or the global catalog during the AD DS installation, you should complete those steps now.

    For more information about completing those steps and the specific tests that you can run to verify the RODC installation, see RODC Post-Installation Configuration (http://go.microsoft.com/fwlink/?LinkId=152749).

Community Additions

ADD
Show: