A read-only domain controller (RODC) is an Active Directory (AD) feature first introduced in Windows Server 2008. In this article, I explain how to deploy an RODC on Windows Server 2016 using PowerShell.

An RODC is a domain controller (DC) that holds a read-only copy of the Active Directory database and the SYSVOL folder. It supports unidirectional replication and only pulls data from its replication partner when the data changes on writable domain controllers. Enterprises can deploy RODCs in branch offices where they cannot guarantee physical security.

RODC characteristics

The following characteristics differentiate RODCs from writeable DCs (RWDC).

  1. Write operations from clients are not possible on an RODC because it holds a read-only copy of the AD database.
  2. An RODC does not replicate AD and SYSVOL folder data to to RWDCs.
  3. An RODC holds a complete copy of the AD database, except for credentials and credential-like attributes, called a filtered attributes set (FAS).
  4. When an RODC receives an authentication request from users from the branch site, it forwards the request to a writeable domain controller. Read more about the authentication process on RODCs here.
  5. An RODC can cache credentials of least privileged users to provide better authentication performance to branch users. If the RODC has Password Replication Policy enabled and has already cached the credentials, it processes the authentication request locally. Read more about credential caching and FAS here.
  6. It is possible to delegate rights to standard domain users for RODC administration. Read more about those RODC administration operations here.

Deploying an RODC


Before you deploy an RODC, you need to have at least one writeable domain controller in your environment. In addition, the following conditions are required:

  1. An administrator account has a strong password.
  2. The server has a static IP address.
  3. The server has the latest Windows updates installed.
  4. The preferred DNS server IPv4 address is configured and points to the writeable DC.

Installing the Active Directory Domain Service

First, you have to install the Active Directory Domain Service (AD DS) feature on your Windows Server 2016 computer. To do so, execute the following PowerShell command and wait for the installation to complete.

Install-WindowsFeature AD-Domain-Services

If everything went well, you will end up with the result that the screenshot below displays.

Installing the AD DS role

Installing the AD DS role

Promoting a domain member to an RODC

The next step is to promote the server to an RODC with its own DNS server and global catalog by executing the command below. It will prompt you to provide the DSRM (Directory Services Restore Mode) password and credentials that have the permissions to add this DC to the domain.

Install-ADDSDomainController -Credential (Get-Credential) -DomainName <domainName> -InstallDNS:$true -ReadOnlyReplica:$true -SiteName "Default-First-Site-Name" -Force:$true

You use the same cmdlet (Install-ADDSDomainController) for deploying a writable DC. The only difference is the ReadOnlyReplica parameter that installs the domain controller as an RODC. If you don't specify the path to the Active Directory log, the database, and the SYSVOL folder, it will use the default paths.

After executing the command and successfully promoting your server to an RODC, the server will automatically reboot.

Promoting a server to an RODC

Promoting a server to an RODC

Configuring RODC password caching

The new RODC it still using a writeable DC for authenticating branch users and computers. To force the RODC to authenticate users and computer accounts, you have to ensure that the RODC caches the corresponding credentials. For this, you have to configure the Password Replication Policy (PRP) to ensure that it replicates and caches the credentials on the RODC for subsequent authentications.

Allowed and Denied Password Replication Groups

There are two groups in PRP: the Allowed and the Denied Password Replication Groups. The RODC caches account credentials for members of the Allowed Password Replication Group but not those of the Denied Password Replication Group. By default, accounts from privileged groups such as Enterprise, Schema, and Domain Admins are members of the Denied RODC Password Replication Group. To get the complete list, execute the following command:

Get-ADGroupMember -Identity "Denied RODC Password Replication Group" | ft DistinguishedName, Name, ObjectClass
Getting a list of Denied RODC Replication Group members

Getting a list of Denied RODC Replication Group members

Adding users accounts to the Allowed Password Replication Group

To add branch user accounts to the Allowed RODC Password Replication Group without the system asking for confirmation, execute the following PowerShell command:

Get-ADUser -SearchBase 'OU=Students,DC=yourdomain,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $_ -Confirm:$false }

The command fetches all user accounts from the Students organizational unit (OU) and then pipes those accounts to the Add-ADGroupMember cmdlet, which adds them to the group. To confirm that the operation succeeded, run the following command.

Get-ADGroupMember -Identity "Allowed RODC Password Replication Group" | ft DistinguishedName, Name, ObjectClass
Adding user accounts to the Allowed Password Replication Group

Adding user accounts to the Allowed Password Replication Group

Prepopulating user passwords

If you would like to cache account credentials on the RODC before users log in, you can prepopulate their passwords by executing the following commands:

$users = Get-ADUser -SearchBase "OU=Branch Users,dc=yourdomain,dc=com" ‑Filter *
foreach ($user in $users) {
   Get-ADObject -identity $user | Sync-ADObject -Source SERVER2016 ‑Destination SRV-02RODC -PasswordOnly

Getting an account list of stored RODC passwords

To get the list of accounts with cached passwords on the RODC, execute the following command:

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "SRV-02" ‑RevealedAccounts | ft Name,ObjectClass

This will return the list of accounts with names and object classes of credentials stored or cached on the RODC with the name "SRV-02."

Getting a list of accounts with passwords stored on the RODC

Getting a list of accounts with passwords stored on the RODC

Clearing the RODC password cache

Once an RODC caches passwords, there is no way to delete them on it directly. However, resetting the passwords on a writeable DC also removes them from the password cache on the RODC. The same applies to computers; resetting their accounts removes their credentials from the RODC.

Let's reset a password of the user with the name "John Ark":

Set-ADAccountPassword jark -NewPassword (Read-Host -prompt "Provide New Password" -AsSecureString)

If you list the accounts with cached passwords using Get-ADDomainControllerPasswordReplicationPolicyUsage, John Ark's account won't appear anymore.

Subscribe to 4sysops newsletter!

Accounts with cached passwords after resetting the password of a user

Accounts with cached passwords after resetting the password of a user

Known issues

If for some reason you are unable to cache passwords on the RODC, follow the troubleshooting steps in my TechNet article.

  1. Avatar
    CypherBit 7 years ago

    Thank you for the article. One question, if we’re using 2012 R2 DCs (same for DFL & FFL), can a 2016 RODC be used/installed?

    • Avatar Author


      Thank you for reading my article!!

      Yes, you can deploy 2016 RODC if your DFL and FFL is set at 2012 R2.




  2. Avatar
    Lebohang Motsepe 5 years ago

    Awsome Article, enjoyed it and exactly what I was looking for. Thanks for the Troubleshooting link as well.

  3. Avatar Author

    Thank you Lebohang,


  4. Avatar
    Zooky 5 years ago

    Great article, thank you!

  5. Avatar
    chella 5 years ago

    Great info, i have one doubt, DC or Rodc which initiate the the replication process between DC and RODC replication??

  6. Avatar


    Domain controllers request (pull) changes rather than send (push) changes that might not be needed.

    Pull Vs. Push Replication
    In push replication, a source domain controller sends unsolicited information to update a destination domain controller. Push replication is problematic because it is difficult for the source to know what information the destination needs. The destination can receive the same information from another source. Therefore, a source can send unnecessary information to a destination.

    Source : What Is the Active Directory Replication Model?

    Active Directory uses pull replication. In pull replication, a destination replica requests information from a source replica. The request specifies the information that the destination needs, based on its knowledge of changes already received from the source and from all other domain controllers in the domain. When the destination receives information from the source, it applies that information, bringing itself more up-to-date. The destination’s next request to the source excludes the information that has already been received and applied.
    The alternative is push replication. In push replication, a source sends information to a destination unsolicited, in an attempt to bring the destination more up-to-date. Push replication is problematical because it is difficult for the source to know what information the destination needs. Perhaps the destination has received the same information from another source. If a source sends information to a destination, there is no guarantee that the destination is going to apply it; if the source assumes otherwise, the system is unreliable.

    Source : Pull Replication

  7. Avatar
    Dp 5 years ago

    Good info.

    I have a question on this topic. We have a forest with multiple domains. I have a child domain in that forest that I have tried to promote a server to RODC both in PowereShell and using the AD wizard. Fails with Access denied error 5 every time. I am using a domain admin account and it still fails. 

    The only time this was able to work was in the parent level domain but my remote site is for the child domain not the parent domain.

    My question is, can RODC be installed on a child domain to replicate from another DC in the child domain? Or is RODC only possible at the parent domain level?  

  8. Avatar
    Theodoros Pantzouris 4 years ago


    Thank you very much for the article.

    I have one question in case you are aware of this issue.

     In the forest we have 4 x 2016 DCs,  2x 2012 R2 DCs and 3x 2008R2 DCs (The FFL & DFL are Windows Server 2008 R2).Can a 2016 RODC be used/installed?

  9. Avatar
    Kevin Hunter 2 years ago

    Do you have an article that covers creating a W2K19 RODC in a perimeter network?  I've done it with W2K12 a few years ago.  I'd like to know if the steps are any different now that I want to use W2K19.

  10. Avatar
    Kevin Hunter 2 years ago

    Our "end game" goal is to create this RODC in a perimeter network.  I've been told by others I can create the RODC in an internal network/site and move it to the DMZ site after creation (after changing the IP as well).  Does that sound reasonable?

    • Avatar
      Leos Marek (Rank 4) 2 years ago

      Well yes and no 🙂

      If you want to have a DC in DMZ zone, you still need to ensure the connectivity between a writable DC for replication, DNS, etc. If this is already the case and you have LAN connection between DMZ and main network (with all needed ports opened), you could setup the RODC directly in DMZ and save the transfer part steps.

      Or, is DMZ for you just another location (branch office) with standard LAN connection, but less physical security?

  11. Avatar
    Kevin Hunter 2 years ago

    The goal is to replace an older existing RODC already in the DMZ.  I intend to retire/remove the existing RODC and create a new RODC with a different name, but the same IP as the old one. The firewall rules are already in place to allow communication between the RODC and its neighboring writable DC.

    There is a LAN connection between our DMZ and internal network.

    My original plan was to create the new RODC on the internal network and move it to the DMZ before promoting it. Then someone said I could promote it before moving it.  But that seems to create more work (cleaning up DNS after IP change for one).  

    Creating it in place (in the DMZ) seems like the most straight forward way to go.

    • Avatar
      Leos Marek (Rank 4) 2 years ago

      OK got it. There should be no overhead with the IP change. This is updated automatically in DNS. I guess you are free to go either way.


Leave a reply to CypherBit Click here to cancel the reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account