When you deploy an Active Directory infrastructure in a company, you create at least two domain controllers per domain so that users can still log on to their client workstations if one of them fails.
When the servers are on your own premises, securing them is relatively easy.
However, if you need to deploy additional domain controllers in other countries (typically in branch offices) to reduce the latency of access to your Active Directory infrastructure, you should consider deploying read-only domain controllers (RODCs) rather than standard (writable) domain controllers, because the physical security of a remote site is usually harder to guarantee.
Info: read-only domain controllers (RODCs) have only been available since Windows Server 2008.
In this tutorial, we'll show you how to deploy a read-only domain controller (RODC).
To deploy a new read-only domain controller (RODC), start the Add Roles and Features Wizard.
Select the "Active Directory Domain Services" role.
Click "Next" at each step, then click Install.
Once the "Active Directory Domain Services" role is installed, click on the "Promote this server to a domain controller" link.
To begin, we add a domain controller to an existing domain.
So, select the "Add a domain controller to an existing domain" option and then click on "Select".
Specify the credentials of the administrator account of the domain to join, then select the desired domain.
The selected domain and the account used are then displayed.
Click on Next.
In the next step, check the "Read-only domain controller (RODC)" box and click Next.
Since we want to deploy a read-only domain controller (RODC), an additional step "RODC Options" has appeared.
The "Delegated administrator account" option is optional and allows you to delegate the management of this read-only domain controller (RODC) to another person (for example, someone physically present at the site where this server is located). This account gets local administrative rights on the RODC only, without being made a member of Domain Admins.
The next two options control the password replication policy (PRP) of this RODC, i.e. which domain accounts are allowed, and which are denied, to have their passwords cached locally on this server.
By default :
Then, the other steps will be the same as when you add a new writable domain controller.
Choose the domain controller from which the data will be replicated.
The wizard offers you to choose where to store the different folders, as usual.
A summary of the configuration is displayed.
The important line here is: Read-only domain controller = Yes.
Once the prerequisites check is complete, click on Install.
Wait while the read-only domain controller (RODC) is installed.
When the domain controller installation is complete, the server will restart.
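The same promotion can be scripted with the ADDSDeployment module that the wizard itself uses. The example below is added here and is not part of the original tutorial; the domain name informatiweb.lan, the replication source dc1.informatiweb.lan, the site name, the delegated group RODC-Admins and the paths are placeholders assumed for illustration. The "Allowed RODC Password Replication Group" and "Denied RODC Password Replication Group" names are the built-in defaults that the wizard proposes.

```powershell
# Added example (not from the original tutorial): promote a member server to a
# read-only domain controller, step by step, mirroring the wizard pages.
# All names below are placeholders; adapt them to your environment.

# 1. "Add Roles and Features": install the AD DS role and its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Credentials of a domain account allowed to add domain controllers
#    (the "Specify the credentials" page of the wizard).
$cred = Get-Credential -Message 'Domain account used to add the RODC'

# 3. Parameters equivalent to the wizard pages shown in the tutorial.
$params = @{
    DomainName                          = 'informatiweb.lan'
    Credential                          = $cred
    ReadOnlyReplica                     = $true                     # the "Read-only domain controller (RODC)" checkbox
    SiteName                            = 'Branch-Office'           # mandatory for an RODC: the AD site of the remote office
    InstallDns                          = $true
    # "RODC Options" page
    DelegatedAdministratorAccountName   = 'INFORMATIWEB\RODC-Admins'                                 # optional local admin of this RODC
    AllowPasswordReplicationAccountName = @('INFORMATIWEB\Allowed RODC Password Replication Group')  # default allow list
    DenyPasswordReplicationAccountName  = @('INFORMATIWEB\Denied RODC Password Replication Group')   # default deny list
    # "Additional Options" page: replicate from a specific writable DC
    ReplicationSourceDC                 = 'dc1.informatiweb.lan'
    # "Paths" page
    DatabasePath                        = 'C:\Windows\NTDS'
    LogPath                             = 'C:\Windows\NTDS'
    SysvolPath                          = 'C:\Windows\SYSVOL'
    # Directory Services Restore Mode password, prompted interactively
    SafeModeAdministratorPassword       = (Read-Host -AsSecureString -Prompt 'DSRM password')
}

# 4. "Prerequisites Check" page: validate without changing anything.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisites check failed; fix the reported problems before promoting.'
}

# 5. "Install": promote the server. -Force suppresses the confirmation prompts;
#    the server reboots automatically when the promotion is finished.
Install-ADDSDomainController @params -Force
```

Keep the delegated administrator a dedicated group rather than an individual account: the RODC's local administrators can do anything to that server, so membership of that group should be reviewed like any other privileged group.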
On restart, log on with the Domain administrator account or with the account that you defined as delegated administrator at the "RODC Options" step.
On this read-only domain controller (RODC), launch the "Active Directory Users and Computers" console.
Before this console is displayed, a warning will be displayed :
You are being connected to the Read-only Domain Controller dc2-rodc.informatiweb.lan. You will not be able to perform any write operations
In the "Domain Controllers" folder of this "Active Directory Users and Computers" console, you will find :
Since this domain controller hosts a read-only copy of the directory (for security reasons), you will not be able to create new users on it: every write has to be performed on a writable domain controller.
The options used to change group membership, disable accounts, and so on will also be grayed out.
As indicated earlier in the wizard used to promote your server to a read-only domain controller, password replication is managed through two special groups :
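The password replication policy is what makes an RODC safer than a writable domain controller on an exposed site: only the accounts it is allowed to cache can be recovered by someone who steals the server. The example below, added here and not taken from the original tutorial, shows how to inspect and adjust that policy and how to audit what has actually been cached. It assumes the RODC dc2-rodc from the tutorial and a placeholder group RODC-Branch-Users; it is run from a machine with the ActiveDirectory PowerShell module (for example a writable DC), since the policy itself is a write that the RODC would refuse.

```powershell
# Added example (not from the original tutorial): manage and audit the
# password replication policy (PRP) of the RODC "dc2-rodc".
# "RODC-Branch-Users" is a placeholder group; the other group names are built-in.
Import-Module ActiveDirectory

$rodc = 'dc2-rodc'

# Which principals may have their secrets cached on this RODC, and which are denied.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Allow caching only for the users who actually log on at that site.
# A dedicated group keeps the policy reviewable instead of listing individual users.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'RODC-Branch-Users'

# Privileged principals must never be cached on an RODC: an attacker with the
# server (or its disk) could otherwise recover their secrets. The built-in
# "Denied RODC Password Replication Group" already covers these groups;
# stating them again on the RODC itself makes the intent explicit. Deny wins over Allow.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Audit: accounts whose secrets are currently stored on the RODC ("revealed"),
# and accounts that have authenticated through it (candidates for the allow list).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts      | Select-Object SamAccountName, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts | Select-Object SamAccountName

# Check that no member of Domain Admins has been cached by mistake.
$revealed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$revealed | Where-Object { $privileged -contains $_.SamAccountName } |
    ForEach-Object { Write-Warning "Privileged account cached on ${rodc}: $($_.SamAccountName)" }
```

If an RODC is lost or stolen, the revealed-accounts list is the set of credentials to consider compromised: reset those passwords and delete the RODC's computer account rather than simply rebuilding the server.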
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2020 - © Lionel Eppe - All rights reserved.