Yesterday, I summarized the features of a new type of domain controller in Windows Server 2008, the Read-only Domain Controller (RODC). Today, I will describe how to install and configure an RODC.

Latest posts by Michael Pietroforte (see all)

RODC Installation
Installing an RODC

  • One needs at least one writable Windows Server 2008 domain controller to which the RODC can forward authentication requests.
  • The functional level of the domain and the forest must be Windows Server 2003 or higher.
  • If your domain level is Windows Server 2003 you have to run adprep /rodcprep before you install the first RODC.
  • You can use a standard Windows Server 2008 or Server Core as an RODC.
  • To install an RODC run dcpromo. The wizard lets you choose to install the DC as RODC.

Administrator Role Separation

  • To configure the Administrators role, launch a command prompt and enter dsmgmt, then enter local roles, and then type add <DOMAIN>\<user> Administrators
  • To display the Administrators role on the local roles prompt type: show role Administrators
  • To display other roles, type list roles on the local roles prompt.

RODC cached passwordsPassword Protection Policy

Subscribe to 4sysops newsletter!

  • To configure the Password Protection Policy, you have to open the properties of the RODC computer object in the Active Directory Users and Computers snap-in.
  • Click on the Password Protection Policy tab to configure groups for which password caching will be allowed and for which password caching will be denied.
  • "Deny" overrides "allow".
  • The RODC will cache the password after the user logs on the first time. Note that only users with cached passwords can logon if no writeable DC is available.
  • Click on Advanced to display a list of users for which the passwords have been cached.

In the next post in my series about RODCs, I will write about the problems I see with this new type of domain controller.

Articles in seriesRead-Only Domain Controller (RODC)
  1. Dean 15 years ago

    One ore detail, Michael – I have already users that complained when they’ve missed that detail – you must have Windows Server 2008 GC and PDC in the domain where the RODC is installed, otherwise you will experience problems. For example if an account is locked out the result will not be reflected by a RWDC.
    If I have to add something it is that the easier way to install DC or RODC on a Windows Server 2008 Core installation is using the Core Configurator:

    Another useful feature is the IFM (Install From Media) which is also demonstratd at


    Dean Stefanov

  2. Dean, as far as I know you can’t even install an RODC if there isn’t at least one Windows Sever 2008 DC in the same domain.

  3. Dean 15 years ago

    If you add a Windows Server 2008 to a domain and promote it as a DC it does not hold any FSMO roles and is not a GC by default. The only exception is when you create the first DC in a domain.
    Just adding a Windows Server 2008 DC to the domain doesn’t mean that you can install RODC in it too – actually you can and that’s when you will experience problems. You have to make sure that the Windows Server 2008 DC is configured (and is really functioning) as a GC and the PDC master role has been transferred to it.


  4. That’s interesting. I wasn’t aware of that. I think that is a good example how RODC increases the complexity and risk for new kinds of problems.

  5. anuj 13 years ago

    i think rodc is adding more difficulty to it persons life.

Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account