RODC Installation Facts
Use the following general steps to install a read-only domain controller (RODC):
- Ensure that the forest functional level is Windows Server 2003 or higher.
- Make sure you have the PDC emulator role running on a Windows Server 2008 system. If necessary, take the necessary steps to prepare for the installation of a Windows Server 2008 domain controller in your network (prepare the forest and the domain).
- Copy the contents of the \sources\adprep folder on the Windows Server 2008 installation DVD to the schema master. Run the adprep /rodcprep command before you install the first RODC (you must be a member of the Enterprise Admins group to run this command). This will enable the RODC to replicate DNS partitions.
- Create an RODC account in the Domain Controllers OU. Delegate the necessary permissions to allow non-administrative users to perform administrative tasks on the RODC as part of this step.
- Install the Active Directory role on the RODC server.
- Log on as a local administrator to the server that will become the RODC and run dcpromo /UseExistingAccount:Attach. This starts the Active Directory Domain Services wizard. After you enter your administrative credentials in the wizard, the wizard automatically detects the name of the server and tries to match it with (attach it to) the RODC account that you pre-created for it. Follow the steps in the wizard to complete the configuration.
To install an RODC on a Server Core installation of Windows Server 2008 or Windows Server 2008 R2, perform an unattended installation using the dcpromo /Unattend:<filename> command.
You should know the following about RODC installation:
- To install an RODC on a full installation of Windows Server 2008 or Windows Server 2008 R2, you must be a member of the Domain Admins group.
- To install an RODC on a Server Core installation of Windows Server 2008 or Windows Server 2008 R2, you must be a member of the Domain Admins group or you must have been delegated the ability to perform the installation.
- Verify that the server is not joined to the domain before you start the Active Directory Domain Services wizard.
- The installation source files can be replicated to the RODC from another domain controller over the network or by using the Install From Media (IFM) feature. Ntdsutil.exe can be used to create the installation media for IFM.
- Use the ntdsutil ifm command on a writable domain controller or an RODC that runs Windows Server 2008 or Windows Server 2008 R2 to create installation media for an RODC.
- Ntdsutil removes cached secrets (such as passwords) from the installation media.
- Some data will be replicated over the network even if you choose to install from media.
It is possible to perform a staged installation of an RODC in which the installation is performed by two different individuals in separate stages.
- The first stage:
  - Requires membership in the Domain Admins group.
  - Creates an account for the RODC in AD DS.
  - Records all the data about the RODC that will be stored in the distributed Active Directory database, including the read-only domain controller account name and the site in which it will be placed.
- The second stage:
  - Can be performed in the branch office by any user or group who was delegated the right to complete the installation when the account was created. As such, this stage does not require any membership in built-in groups, such as the Domain Admins group, unless the user who creates the RODC account does not specify any delegate to complete the installation and administer the RODC.
  - Installs AD DS on the server that will become the RODC.
  - Creates all AD DS data that resides locally, such as the database, log files, and so on, on the RODC itself.
  - Attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it.
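The installation steps and the two-stage procedure above, as an added PowerShell example that is not part of the original study notes. Stage 1 runs on a writable domain controller as a Domain Admin and pre-creates the RODC account; stage 2 runs on the branch server as a local administrator (the same command serves a Server Core installation, where the wizard is unavailable) and attaches it to that account. The dcpromo unattended-installation parameters (/CreateDCAccount, /DCAccountName, /DelegatedAdmin, /PasswordReplicationAllowed, UseExistingAccount=Attach, ReplicationSourcePath) are used as I recall them from the Windows Server 2008 dcpromo documentation and should be checked against it; the domain corp.example.com, the account, site, group and path names, and the function names are constructed placeholders.

```powershell
# Added example (not from the original study notes): a staged RODC installation
# driven from PowerShell. Parameter names follow the dcpromo unattended
# installation documentation as recalled; all names and paths are constructed.

# ---------- Stage 1: on a writable DC, as a member of Domain Admins ----------
function Assert-ForestReadyForRodc {
    # forestFunctionality on RootDSE: 0 = 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2.
    # An RODC needs Windows Server 2003 forest functional level or higher.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $level = [int]$rootDse.forestFunctionality.Value
    if ($level -lt 2) {
        throw "Forest functional level is $level; Windows Server 2003 (2) or higher is required."
    }
    return $level
}

function New-RodcAccount {
    param(
        [string]$Domain         = 'corp.example.com',          # constructed
        [string]$AccountName    = 'BRANCH01-RODC',             # constructed
        [string]$Site           = 'Branch01',                  # constructed
        [string]$DelegatedAdmin = 'CORP\Branch01-RODC-Admins', # constructed group
        [string]$AllowedGroup   = 'CORP\Branch01-Users'        # constructed group
    )
    Assert-ForestReadyForRodc | Out-Null
    # /CreateDCAccount pre-creates the RODC account in the Domain Controllers OU.
    # /DelegatedAdmin names who may complete stage 2 and administer the RODC
    # without Domain Admins membership; /PasswordReplicationAllowed limits
    # whose secrets the RODC may cache. /Password:* prompts rather than placing
    # the Domain Admin password on the command line.
    & dcpromo.exe /unattend /CreateDCAccount `
        "/ReplicaDomainDNSName:$Domain" `
        "/DCAccountName:$AccountName" `
        "/SiteName:$Site" `
        "/DelegatedAdmin:$DelegatedAdmin" `
        "/PasswordReplicationAllowed:$AllowedGroup" `
        /InstallDNS:Yes /ConfirmGc:Yes `
        "/UserDomain:$Domain" /UserName:Administrator /Password:*
    if ($LASTEXITCODE -ne 0) { throw "Stage 1 failed (dcpromo exit code $LASTEXITCODE)" }
}

# ---------- Stage 2: on the branch server, logged on as a local administrator ----------
function Invoke-RodcAttach {
    param(
        [string]$Domain        = 'corp.example.com', # constructed
        [string]$DelegatedUser = 'branchadmin',      # constructed; member of the delegated group
        [string]$IfmPath       = 'D:\IFM-Branch01',  # constructed; drop ReplicationSourcePath to replicate everything over the network
        [string]$AnswerFile    = "$env:TEMP\rodc-attach.txt"
    )
    # The notes require the server not to be domain-joined before the wizard runs.
    if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
        throw 'Remove this server from the domain before running the attach stage.'
    }
    # Answer file for dcpromo /unattend. Passwords are kept out of the file:
    # Password=* makes dcpromo prompt for the delegated user's password, and the
    # DSRM password is supplied at run time (assumption: both behaviours as
    # documented for unattended dcpromo).
    @"
[DCInstall]
UseExistingAccount=Attach
ReplicaDomainDNSName=$Domain
ReplicationSourcePath=$IfmPath
UserDomain=$Domain
UserName=$DelegatedUser
Password=*
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
RebootOnCompletion=Yes
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

    $dsrm = Read-Host 'Directory Services Restore Mode password'
    try {
        & dcpromo.exe "/unattend:$AnswerFile" "/SafeModeAdminPassword:$dsrm"
        if ($LASTEXITCODE -ne 0) { throw "Stage 2 failed (dcpromo exit code $LASTEXITCODE)" }
    } finally {
        # Remove the answer file whether or not promotion succeeded.
        Remove-Item $AnswerFile -ErrorAction SilentlyContinue
    }
}
```

Run New-RodcAccount on a writable domain controller after adprep /rodcprep has completed, then copy the IFM media to the branch server and run Invoke-RodcAttach there. The delegated group named in stage 1 is the only identity stage 2 needs, which is the point of splitting the work: no Domain Admins credential ever has to be typed in the branch office.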