Yesterday, I summarized the features of a new type of domain controller in Windows Server 2008, the Read-only Domain Controller (RODC). Today, I will describe how to install and configure an RODC.

Installing an RODC

• One needs at least one writable Windows Server 2008 domain controller to which the RODC can forward authentication requests.
• The functional level of the domain and the forest must be Windows Server 2003 or higher.
• If your domain level is Windows Server 2003 you have to run adprep /rodcprep before you install the first RODC.
• You can use a standard Windows Server 2008 or Server Core as an RODC.
• To install an RODC run dcpromo. The wizard lets you choose to install the DC as RODC.

Administrator Role Separation

• To configure the Administrators role, launch a command prompt and enter dsmgmt, then enter local roles, and then type add <DOMAIN>\<user> Administrators
• To display the Administrators role on the local roles prompt type: show role Administrators
• To display other roles, type list roles on the local roles prompt.
  

Password Protection Policy

• To configure the Password Protection Policy, you have to open the properties of the RODC computer object in the Active Directory Users and Computers snap-in.
• Click on the Password Protection Policy tab to configure groups for which password caching will be allowed and for which password caching will be denied.
• “Deny” overrides “allow”.
• The RODC will cache the password after the user logs on the first time. Note that only users with cached passwords can logon if no writeable DC is available.
• Click on Advanced to display a list of users for which the passwords have been cached.

In the next post in my series about RODCs, I will write about the problems I see with this new type of domain controller.