Configure the Read-only Domain Controller (RODC)
An RODC contains a read-only copy of all the objects in the domain, so that users in each branch office can be authenticated locally. It replicates with the domain controller at the main site to keep its data up to date. An RODC also reduces the physical security risk of placing a domain controller in a branch office, because it does not store confidential attributes (secrets) such as password-related properties. If the RODC is compromised, the damage is therefore limited.
Before installing the Read Only Domain Controller in your forest/domain, you need to:
- Ensure that the functional level of the domain/forest is Windows Server 2003 or higher. If any Windows Server 2003 domain controller is running in the domain, run adprep /rodcprep. This command prepares the domain controllers that are running Windows Server 2003 for replication of the DNS application directory partitions.
- Ensure that at least one writable domain controller is running Windows Server 2008, so that the RODC can establish a connection with a writable Windows Server 2008 domain controller to perform replication.
You can install RODC on a full installation or the core installation of Windows Server 2008 on a member server in the domain.
To install RODC on a full installation of Windows Server 2008, you need to:
- Ensure that your Primary Domain Controller is switched on.
- Log on to the Windows Server 2008 server that you want to configure as RODC with domain administrative credentials.
- Click Start->Run and type dcpromo. A window informing you about the installation of the Active Directory Domain Services binaries appears. After this installation is complete, the Active Directory Domain Services Installation Wizard appears.
- Click Next.
- Click Next on the Operating System Compatibility page that appears. The Choose a Deployment Configuration page appears. This page allows you to create a new domain or forest, or to add new domain controllers or new domains to the existing forest.
- Select the Existing forest option, then select the Add a domain controller to an existing domain option under it and click Next, as shown in Figure 4-9. An RODC is always added to an existing domain in the existing forest.
The Network Credentials page appears, as shown in Figure 4-11.
The page allows you to provide the name of the forest/domain where you want to add the RODC.
- Provide the name of the domain in which you want to add the RODC in the Type the name of any domain in the forest where you plan to install this domain controller field.
- Select the Alternate credentials option and then click Set.
- Provide your domain administrative credentials in the Username and Password fields respectively and click OK on the Windows Security page that appears. The username you provided, together with the domain name, appears in the Alternate credentials field.
- Click Next. The Examining Active Directory forest window appears. The wizard tries to establish a connection between the domain controller and this server using the account credentials you provided in the previous step, so that the RODC can be installed on this server.
- Select the domain for this domain controller and click Next on the Select a Domain page that appears, as shown in Figure 4-12.
The Select a Site page appears.
- Select the site that you created for the new branch office in which you want to install the RODC. If no site has been created, the Default-First-Site-Name option appears, as shown in Figure 4-13.
The Additional Domain Controller Options page appears, as shown in Figure 4-14.
- Select the Read-only domain controller (RODC) option in the Select additional options for this domain controller list.
- Verify that DNS Server and Global catalog options are also selected.
The Delegation of RODC Installation and Administration page appears, as shown in Figure 4-15.
The page allows you to specify the name of a user or group who will have local administrative rights on this RODC, so that they can attach servers to it.
- Optionally, provide the user name or group name in the Group or user field, and click Next.
The Location for Database, Log Files, and SYSVOL page appears.
- Verify or modify the locations of the Database folder, Log files folder, and SYSVOL folder in their respective fields and click Next. The Directory Services Restore Mode Administrator Password page appears. This page allows you to set the password that will be used when this domain controller is started in Directory Services Restore Mode to restore the directory services.
- Provide a strong password in the Password field and retype the password in the Confirm password field.
- Verify the selections you have made so far to install the RODC on this server, and click Next on the Summary page that appears. The Active Directory Domain Services Installation Wizard page appears, displaying the progress of the installation.
- Select Reboot on completion checkbox and click Finish.
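As an added example that is not part of the original page, the same wizard choices can be expressed as a dcpromo answer file for an unattended RODC installation on Windows Server 2008; the domain, site, account and group names below are placeholders.

```ini
; Constructed answer file for an unattended RODC install (placeholder names).
[DCInstall]
; Choose a Deployment Configuration: existing forest, add a domain controller to an
; existing domain, with Read-only domain controller (RODC) selected
ReplicaOrNewDomain=ReadOnlyReplica
; Network Credentials page: domain in which the RODC is installed (placeholder)
ReplicaDomainDNSName=corp.example.com
; Alternate credentials; Password=* makes dcpromo prompt instead of storing it here
UserDomain=corp.example.com
UserName=rodcadmin
Password=*
; Select a Site page: the branch-office site created beforehand (placeholder)
SiteName=Branch01
; Additional Domain Controller Options page: DNS Server and Global catalog selected
InstallDNS=Yes
ConfirmGc=Yes
; Delegation of RODC Installation and Administration page (placeholder group)
DelegatedAdmin="CORP\Branch01 RODC Admins"
; Location for Database, Log Files, and SYSVOL page (default paths)
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode Administrator Password page (labelled placeholder)
SafeModeAdminPassword=REPLACE_WITH_STRONG_DSRM_PASSWORD
; Reboot on completion
RebootOnCompletion=Yes
```

Run it from an elevated command prompt with `dcpromo /unattend:C:\rodc-unattend.txt`, then delete the file, since it carries the DSRM password.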