Yesterday, I summarized the features of a new type of domain controller in Windows Server 2008, the Read-only Domain Controller (RODC). Today, I will describe how to install and configure an RODC.
- One needs at least one writable Windows Server 2008 domain controller to which the RODC can forward authentication requests.
- The functional level of the domain and the forest must be Windows Server 2003 or higher.
- If your domain level is Windows Server 2003, you have to run adprep /rodcprep before you install the first RODC.
- You can use a standard Windows Server 2008 or Server Core as an RODC.
- To install an RODC run dcpromo. The wizard lets you choose to install the DC as RODC.
Administrator Role Separation
- To configure the Administrators role, launch a command prompt and enter dsmgmt, then enter local roles, and then type add <DOMAIN>\<user> Administrators.
- To display the Administrators role on the local roles prompt type: show role Administrators
- To display other roles, type list roles on the local roles prompt.
- To configure the Password Protection Policy, you have to open the properties of the RODC computer object in the Active Directory Users and Computers snap-in.
- Click on the Password Protection Policy tab to configure groups for which password caching will be allowed and for which password caching will be denied.
- "Deny" overrides "allow".
- The RODC will cache the password after the user logs on for the first time. Note that only users with cached passwords can log on if no writable DC is available.
- Click on Advanced to display a list of users for which the passwords have been cached.
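The prerequisite checks, the dsmgmt role-separation commands and the password policy review described above, collected into one script as an added example (not part of the original post or 4sysops). It assumes an admin host with the RSAT ActiveDirectory PowerShell module (Windows Server 2008 R2 or later); `RODC01` and `CONTOSO\jdoe` are placeholders, and the dsmgmt line is meant to be run on the RODC itself after dcpromo.

```powershell
# Added example: RODC pre-flight and post-install checks (placeholders, not a real environment)
Import-Module ActiveDirectory

$RodcName   = 'RODC01'        # placeholder: name of the (planned) RODC
$LocalAdmin = 'CONTOSO\jdoe'  # placeholder: account to receive the local Administrators role

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Domain and forest functional level must be Windows Server 2003 or higher
#    (Windows 2000 and 2003 interim levels are too low).
'Domain functional level : {0}' -f $domain.DomainMode
'Forest functional level : {0}' -f $forest.ForestMode
$tooLow = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2000Forest', 'Windows2003InterimForest')
if ($tooLow -contains "$($domain.DomainMode)" -or $tooLow -contains "$($forest.ForestMode)") {
    Write-Warning 'Raise the functional level to Windows Server 2003 or higher before installing an RODC.'
}

# 2. At least one writable Windows Server 2008 DC is required. As the comments below the post
#    point out, the PDC emulator should itself be a Windows Server 2008 DC and a global catalog.
$writable = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
$ws2008   = $writable | Where-Object { $_.OperatingSystem -like 'Windows Server 2008*' }
if (-not $ws2008) {
    Write-Warning 'No writable Windows Server 2008 (or later) domain controller found in this domain.'
}
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
if ($pdc.OperatingSystem -notlike 'Windows Server 2008*' -or -not $pdc.IsGlobalCatalog) {
    Write-Warning ('PDC emulator {0} should run Windows Server 2008 and be a global catalog.' -f $pdc.HostName)
}

# 3. Administrator Role Separation: the same dsmgmt steps as in the post, passed as arguments
#    so they run without the interactive prompt. Run this on the RODC itself.
dsmgmt 'local roles' "add $LocalAdmin Administrators" 'show role Administrators' 'list roles' quit quit

# 4. Password policy of the RODC: groups allowed and denied for password caching
#    ("Deny" overrides "allow"), then the accounts whose passwords are currently cached
#    (the list behind the Advanced button in the GUI).
'Allowed to cache passwords:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed | Select-Object Name, ObjectClass
'Denied from caching passwords:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied  | Select-Object Name, ObjectClass
'Accounts with passwords cached on the RODC:'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
    Select-Object Name, SamAccountName
```

Step 4 is only meaningful after the RODC has been promoted; steps 1 and 2 can be run beforehand from any domain-joined admin host.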
In the next post in my series about RODCs, I will write about the problems I see with this new type of domain controller.
One more detail, Michael – I already have users who complained when they missed that detail – you must have a Windows Server 2008 GC and PDC in the domain where the RODC is installed, otherwise you will experience problems. For example, if an account is locked out, the result will not be reflected by a RWDC.
If I have to add something it is that the easier way to install DC or RODC on a Windows Server 2008 Core installation is using the Core Configurator:
Another useful feature is the IFM (Install From Media), which is also demonstrated at Netomer.com
Dean, as far as I know you can’t even install an RODC if there isn’t at least one Windows Server 2008 DC in the same domain.
If you add a Windows Server 2008 to a domain and promote it as a DC it does not hold any FSMO roles and is not a GC by default. The only exception is when you create the first DC in a domain.
Just adding a Windows Server 2008 DC to the domain doesn’t mean that you can install RODC in it too – actually you can and that’s when you will experience problems. You have to make sure that the Windows Server 2008 DC is configured (and is really functioning) as a GC and the PDC master role has been transferred to it.
That’s interesting. I wasn’t aware of that. I think that is a good example how RODC increases the complexity and risk for new kinds of problems.
I think RODC is adding more difficulty to IT persons’ lives.