A read-only domain controller (RODC) is an Active Directory (AD) feature first introduced in Windows Server 2008. In this article, I explain how to deploy an RODC on Windows Server 2016 using PowerShell.

Karim Buzdar

Karim Buzdar holds a degree in telecommunication engineering and is a Microsoft Certified Solutions Associate (MCSA) for Server Infrastructure. As an IT engineer and technical author, he focuses on Microsoft Directory Services and PowerShell. You can reach Karim on LinkedIn.

An RODC is a domain controller (DC) that holds a read-only copy of the Active Directory database and the SYSVOL folder. It supports unidirectional replication and only pulls data from its replication partner when the data changes on writable domain controllers. Enterprises can deploy RODCs in branch offices where they cannot guarantee physical security.

RODC characteristics ^

The following characteristics differentiate RODCs from writeable DCs (RWDC).

  1. Write operations from clients are not possible on an RODC because it holds a read-only copy of the AD database.
  2. An RODC does not replicate AD and SYSVOL folder data to to RWDCs.
  3. An RODC holds a complete copy of the AD database, except for credentials and credential-like attributes, called a filtered attributes set (FAS).
  4. When an RODC receives an authentication request from users from the branch site, it forwards the request to a writeable domain controller. Read more about the authentication process on RODCs here.
  5. An RODC can cache credentials of least privileged users to provide better authentication performance to branch users. If the RODC has Password Replication Policy enabled and has already cached the credentials, it processes the authentication request locally. Read more about credential caching and FAS here.
  6. It is possible to delegate rights to standard domain users for RODC administration. Read more about those RODC administration operations here.

Deploying an RODC ^

Prerequisites

Before you deploy an RODC, you need to have at least one writeable domain controller in your environment. In addition, the following conditions are required:

  1. An administrator account has a strong password.
  2. The server has a static IP address.
  3. The server has the latest Windows updates installed.
  4. The preferred DNS server IPv4 address is configured and points to the writeable DC.

Installing the Active Directory Domain Service

First, you have to install the Active Directory Domain Service (AD DS) feature on your Windows Server 2016 computer. To do so, execute the following PowerShell command and wait for the installation to complete.

If everything went well, you will end up with the result that the screenshot below displays.

Installing the AD DS role

Installing the AD DS role

Promoting a domain member to an RODC

The next step is to promote the server to an RODC with its own DNS server and global catalog by executing the command below. It will prompt you to provide the DSRM (Directory Services Restore Mode) password and credentials that have the permissions to add this DC to the domain.

You use the same cmdlet (Install-ADDSDomainController) for deploying a writable DC. The only difference is the ReadOnlyReplica parameter that installs the domain controller as an RODC. If you don't specify the path to the Active Directory log, the database, and the SYSVOL folder, it will use the default paths.

After executing the command and successfully promoting your server to an RODC, the server will automatically reboot.

Promoting a server to an RODC

Promoting a server to an RODC

Configuring RODC password caching ^

The new RODC it still using a writeable DC for authenticating branch users and computers. To force the RODC to authenticate users and computer accounts, you have to ensure that the RODC caches the corresponding credentials. For this, you have to configure the Password Replication Policy (PRP) to ensure that it replicates and caches the credentials on the RODC for subsequent authentications.

Allowed and Denied Password Replication Groups

There are two groups in PRP: the Allowed and the Denied Password Replication Groups. The RODC caches account credentials for members of the Allowed Password Replication Group but not those of the Denied Password Replication Group. By default, accounts from privileged groups such as Enterprise, Schema, and Domain Admins are members of the Denied RODC Password Replication Group. To get the complete list, execute the following command:

Getting a list of Denied RODC Replication Group members

Getting a list of Denied RODC Replication Group members

Adding users accounts to the Allowed Password Replication Group

To add branch user accounts to the Allowed RODC Password Replication Group without the system asking for confirmation, execute the following PowerShell command:

The command fetches all user accounts from the Students organizational unit (OU) and then pipes those accounts to the Add-ADGroupMember cmdlet, which adds them to the group. To confirm that the operation succeeded, run the following command.

Adding user accounts to the Allowed Password Replication Group

Adding user accounts to the Allowed Password Replication Group

Prepopulating user passwords

If you would like to cache account credentials on the RODC before users log in, you can prepopulate their passwords by executing the following commands:

Getting an account list of stored RODC passwords

To get the list of accounts with cached passwords on the RODC, execute the following command:

This will return the list of accounts with names and object classes of credentials stored or cached on the RODC with the name "SRV-02."

Getting a list of accounts with passwords stored on the RODC

Getting a list of accounts with passwords stored on the RODC

Clearing the RODC password cache

Once an RODC caches passwords, there is no way to delete them on it directly. However, resetting the passwords on a writeable DC also removes them from the password cache on the RODC. The same applies to computers; resetting their accounts removes their credentials from the RODC.

Let's reset a password of the user with the name "John Ark":

If you list the accounts with cached passwords using Get-ADDomainControllerPasswordReplicationPolicyUsage, John Ark's account won't appear anymore.

Accounts with cached passwords after resetting the password of a user

Accounts with cached passwords after resetting the password of a user

Known issues

If for some reason you are unable to cache passwords on the RODC, follow the troubleshooting steps in my TechNet article.

Win the monthly 4sysops member prize for IT pros

Share
0

Related Posts

2 Comments
  1. CypherBit 5 months ago

    Thank you for the article. One question, if we're using 2012 R2 DCs (same for DFL & FFL), can a 2016 RODC be used/installed?

    0

    • Author
      Karim Buzdar 5 months ago

      Hi,

      Thank you for reading my article!!

      Yes, you can deploy 2016 RODC if your DFL and FFL is set at 2012 R2.

      Cheers,

      Karim

       

      0

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017

Log in with your credentials

or    

Forgot your details?

Create Account