  • 14 May 2021 at 18:47 UTC
  • InformatiWeb

Install an Active Directory read-only domain controller (RODC) on Windows Server 2016

When you deploy an Active Directory infrastructure in a company, you create at least 2 domain controllers per domain so that your users can still log on at their client workstations if one of them fails.
When the servers are located on your own premises, their security is relatively easy to manage.
However, if you need to deploy additional domain controllers in other countries to reduce the time it takes to reach your Active Directory infrastructure, you may prefer to deploy read-only domain controllers (RODCs) rather than standard (read/write) domain controllers.

Info: read-only domain controllers (RODC) have only been available since Windows Server 2008.

In this tutorial, we'll show you how to deploy a read-only domain controller (RODC).

  1. Install a read-only domain controller (RODC)
  2. Promote a read-only domain controller (RODC)
  3. Read-only domain controller
  4. Change the delegated administrator of a read-only domain controller (RODC)
  5. Password replication policies

1. Install a read-only domain controller (RODC)

To deploy a new read-only domain controller (RODC), start the Add Roles and Features Wizard.

Select the "Active Directory Domain Services" role.

Click "Next" at each step, then click Install.

Once the "Active Directory Domain Services" role is installed, click on the "Promote this server to a domain controller" link.

2. Promote a read-only domain controller (RODC)

To begin, we add a domain controller to an existing domain.
So, select the "Add a domain controller to an existing domain" option and then click on "Select".
Specify the credentials of the administrator account of the domain to join, then select the desired domain.

The selected domain and the account used then appear on this page.
Click on Next.

In the next step, check the "Read-only domain controller (RODC)" box and click Next.

Since we want to deploy a read-only domain controller (RODC), an additional "RODC Options" step appears.

The "Delegated administrator account" option is optional and allows you to delegate the management of this read-only domain controller (RODC) to another person (who is, for example, physically present where this server is located).

The following 2 options allow you to manage which domain user accounts are replicated to this read-only domain controller.
By default:

  • only the passwords of users who are members of the "Allowed RODC Password Replication Group" group will be replicated (cached) on this read-only domain controller (RODC)
  • passwords for user accounts considered sensitive (such as administrator accounts, for example) will not be replicated on this read-only domain controller (RODC)

Then, the other steps will be the same as when you add a new writable domain controller.

Choose the domain controller from which the data will be replicated.

As usual, the wizard lets you choose where to store the different folders.

A summary of the configuration is displayed.

The important line in this case is: Read-only domain controller = Yes.

Once the prerequisites check is complete, click on Install.

Wait while the read-only domain controller (RODC) is installed.

When the domain controller installation is complete, the server will restart.

On restart, log on with the Domain administrator account or with the account that you defined as delegated administrator at the "RODC Options" step.
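The wizard steps of sections 1 and 2 can also be run unattended with the ADDSDeployment module that is installed with the role. The script below is an added example and is not part of the original tutorial. The domain name informatiweb.lan is taken from the RODC name shown later on this page; the site name, the delegated administrator account (rodc-site-admin) and the name of the writable source controller (dc1) are assumptions and must be adapted. The deny list mirrors the groups the wizard pre-fills on the "RODC Options" step.

```powershell
# Added example (not from the original tutorial): unattended equivalent of the
# Add Roles and Features Wizard followed by the AD DS promotion wizard, for an RODC.

# Step 1: install the AD DS role and its management tools
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: promote the server as a read-only replica of an existing domain.
# Prompt for the credentials instead of writing them into the script.
$domainAdmin  = Get-Credential -Message 'Domain administrator account used to join the domain'
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$rodcParams = @{
    ReadOnlyReplica                     = $true                    # the "Read-only domain controller (RODC)" box
    DomainName                          = 'informatiweb.lan'
    SiteName                            = 'Default-First-Site-Name' # assumed; an RODC must be placed in a site
    Credential                          = $domainAdmin
    # "Delegated administrator account": a hypothetical local on-site admin
    DelegatedAdministratorAccountName   = 'INFORMATIWEB\rodc-site-admin'
    # Password Replication Policy: allow list, then deny list (wizard defaults)
    AllowPasswordReplicationAccountName = @('Allowed RODC Password Replication Group')
    DenyPasswordReplicationAccountName  = @(
        'Denied RODC Password Replication Group',
        'Administrators',
        'Server Operators',
        'Backup Operators',
        'Account Operators'
    )
    ReplicationSourceDC                 = 'dc1.informatiweb.lan'  # assumed name of the writable DC
    InstallDns                          = $true
    SafeModeAdministratorPassword       = $dsrmPassword
    Force                               = $true                    # suppress the confirmation prompt
}

# Equivalent of the wizard's prerequisites check: report problems before changing anything
$check = Test-ADDSDomainControllerInstallation @rodcParams
$check | Format-List Status, Message

if ($check.Status -eq 'Success') {
    # The server reboots on completion, as in the wizard
    Install-ADDSDomainController @rodcParams
}
else {
    Write-Warning 'Prerequisites check failed; the RODC was not installed.'
}
```

The allow and deny lists are the same two settings the "RODC Options" step exposes; an account that matches both lists is denied, so adding a privileged group to the allow list by mistake does not cause its passwords to be cached.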

3. Read-only domain controller

On this read-only domain controller (RODC), launch the "Active Directory Users and Computers" console.
Before this console is displayed, a warning appears:

    You are being connected to the Read-only Domain Controller dc2-rodc.informatiweb.lan. You will not be able to perform any write operations

Click OK.

In the "Domain Controllers" folder of this "Active Directory Users and Computers" console, you will find:

  • at least 1 writable domain controller which is also defined as a global catalog (GC)
  • and your read-only domain controller (RODC)

Since this domain controller is read-only (for security reasons), you will not be able to create new users on it.

The options used to change group membership, deactivate accounts, and so on will also be grayed out.

As indicated previously in the wizard for promoting your server to a read-only domain controller, password replication is controlled through 2 special groups:

  • Allowed RODC Password Replication Group
  • Denied RODC Password Replication Group
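To see what these two groups actually mean for a given RODC, the effective Password Replication Policy and the set of accounts whose secrets are already cached can be read with the ActiveDirectory module. The script below is an added example, not part of the original tutorial; it uses the RODC name shown in the warning above (dc2-rodc) and is meant to be run from a writable domain controller or an administration workstation with RSAT installed.

```powershell
# Added example (not from the original tutorial): audit the Password Replication
# Policy of the RODC named on this page and list what it has cached so far.
Import-Module ActiveDirectory

$rodc = 'dc2-rodc'   # name taken from the console warning on this page

# Which controllers are read-only and which hold a global catalog,
# as shown in the "Domain Controllers" folder of the console
Get-ADDomainController -Filter * |
    Select-Object Name, HostName, IsReadOnly, IsGlobalCatalog, Site |
    Format-Table -AutoSize

# Effective policy: accounts/groups allowed to be cached, then those denied.
# The deny list wins when an account appears in both.
Write-Host "`nAllowed on $rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

Write-Host "Denied on $rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# Accounts whose passwords are currently stored on the RODC. This is the list
# of credentials to reset if the RODC is lost or stolen.
Write-Host "Accounts currently cached on $rodc"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Accounts that have authenticated through the RODC, cached or not; useful to
# decide which branch-office users belong in the Allowed group.
Write-Host "Accounts that authenticated through $rodc"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# Direct membership of the two special groups the tutorial refers to
foreach ($group in 'Allowed RODC Password Replication Group',
                   'Denied RODC Password Replication Group') {
    $members = Get-ADGroupMember -Identity $group |
        Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        Group       = $group
        MemberCount = $members.Count
        Members     = ($members -join ', ')
    }
}
```

Reviewing the "revealed" list periodically is the practical check behind the read-only design: an RODC only exposes the secrets that have actually been cached on it, so that list bounds what has to be reset if the server is compromised.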

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
