Active Directory 2008: RODC Installation Facts…

RODC Installation Facts

Use the following general steps to install a read-only domain controller (RODC):

  1. Ensure that the forest functional level is Windows Server 2003 or higher.
  2. Make sure the PDC emulator role is running on a Windows Server 2008 system. If necessary, take the steps needed to prepare the forest and the domain for the installation of a Windows Server 2008 domain controller.
  3. Copy the contents of the \sources\adprep folder on the Windows Server 2008 installation DVD to the schema master. Run the adprep /rodcprep command before you install the first RODC (you must be a member of the Enterprise Admins group to run this command). This enables the RODC to replicate DNS partitions.
  4. Create an RODC account in the Domain Controllers OU. As part of this step, delegate the permissions that allow non-administrative users to perform administrative tasks on the RODC.
  5. Install the Active Directory role on the RODC server.
  6. Log on as a local administrator to the server that will become the RODC and run dcpromo /UseExistingAccount:Attach. This starts the Active Directory Domain Services wizard. After you enter your administrative credentials in the wizard, the wizard automatically detects the name of the server and tries to match it with (attach it to) the RODC account that you pre-created for it. Follow the steps in the wizard to complete the configuration.
     To install an RODC on a Server Core installation of Windows Server 2008 or Windows Server 2008 R2, perform an unattended installation using the dcpromo /Unattend <filename> command.
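The procedure above, as an added PowerShell example that is not part of the original post: stage 1 (prerequisite checks, the adprep reminder and the pre-created RODC account) runs on a writable DC, stage 2 (the attach) runs on the branch server. Every name in it is an assumed placeholder (corp.example.com, BRANCH-RODC1, site Branch01, the CORP\rodc-stage1 and CORP\branch-admin accounts, the CORP\Branch01-RODC-Admins group, DVD on D:). The commands the post itself gives are adprep /rodcprep, dcpromo /UseExistingAccount:Attach and dcpromo /Unattend; the /CreateDCAccount switch and the [DCInstall] answer-file keys are as remembered from the dcpromo unattended-installation reference and are an assumption. PowerShell is present on Server Core only from 2008 R2; on 2008 Server Core, write the stage-2 answer file by hand and run the same dcpromo line.

```powershell
# Added example, not code from the original post. All names are placeholders.
$Domain     = 'corp.example.com'
$RodcName   = 'BRANCH-RODC1'
$SiteName   = 'Branch01'
$Stage1User = 'CORP\rodc-stage1'          # Domain Admin who pre-creates the account
$Delegate   = 'CORP\Branch01-RODC-Admins' # group delegated to finish stage 2
$BranchUser = 'CORP\branch-admin'         # member of $Delegate, runs stage 2
$AdprepDir  = 'D:\sources\adprep'

# ---------- Stage 1: run on a writable DC as a Domain Admin ----------
function Test-RodcForestPrereqs {
    Add-Type -AssemblyName System.DirectoryServices
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Step 1: forest functional level must be Windows Server 2003 or higher.
    # ForestMode enum: Windows2000Forest=0, Windows2003InterimForest=1,
    # Windows2003Forest=2, Windows2008Forest=3, Windows2008R2Forest=4.
    if ([int]$forest.ForestMode -lt 2) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2003 first."
    }
    # Step 2: the PDC emulator must be a Windows Server 2008 (or later) DC.
    $pdc = $domain.PdcRoleOwner
    if ($pdc.OSVersion -notmatch 'Windows Server 2008') {
        throw "PDC emulator $($pdc.Name) runs '$($pdc.OSVersion)'; move the role to a 2008 DC first."
    }
    # Step 3: adprep /rodcprep runs on the schema master, as an Enterprise Admin.
    Write-Host "Forest level $($forest.ForestMode), PDC emulator $($pdc.Name): OK"
    Write-Host "Copy $AdprepDir to $($forest.SchemaRoleOwner.Name) and run: adprep.exe /rodcprep"
}

function New-RodcAccount {
    # Step 4: pre-create the RODC account in the Domain Controllers OU and delegate
    # stage 2 to the branch group. /CreateDCAccount and the key names are as
    # remembered from the dcpromo unattended reference (assumption); the wizard in
    # Active Directory Users and Computers creates the same account interactively.
    $answer = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$Domain
DCAccountName=$RodcName
SiteName=$SiteName
DelegatedAdmin=$Delegate
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=$Domain
UserName=$Stage1User
Password=*
"@
    $file = Join-Path $env:TEMP 'rodc-stage1.txt'
    Set-Content -Path $file -Value $answer
    & dcpromo.exe /CreateDCAccount "/unattend:$file"   # Password=* prompts for the credential
    Remove-Item $file -Force
}

# ---------- Stage 2: run on the future RODC as a local administrator ----------
function Invoke-RodcAttach {
    # The server must NOT be domain-joined when the wizard starts.
    if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
        throw 'Server is already domain-joined; move it to a workgroup before attaching.'
    }
    # dcpromo needs the DSRM password in clear text in the answer file, so the
    # file goes to a local temp path and is removed before the reboot.
    $dsrm = Read-Host 'Directory Services Restore Mode password'
    $answer = @"
[DCInstall]
UseExistingAccount=Attach
ReplicaDomainDNSName=$Domain
UserDomain=$Domain
UserName=$BranchUser
Password=*
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
    $file = Join-Path $env:TEMP 'rodc-stage2.txt'
    Set-Content -Path $file -Value $answer
    try {
        # Same as 'dcpromo /UseExistingAccount:Attach' in the interactive procedure,
        # but driven entirely by the answer file, as Server Core requires.
        & dcpromo.exe "/unattend:$file"
        if ($LASTEXITCODE -ne 0) { throw "dcpromo failed with exit code $LASTEXITCODE" }
    } finally {
        Remove-Item $file -Force -ErrorAction SilentlyContinue
    }
    Restart-Computer -Force   # RebootOnCompletion=No so the cleanup above always runs first
}

# Usage: on the hub DC    -> Test-RodcForestPrereqs; New-RodcAccount
#        on the branch box -> Invoke-RodcAttach
```

RebootOnCompletion is deliberately set to No so that the answer file holding the DSRM password is deleted before the machine restarts; the stage-2 credential itself is never written to disk because Password=* makes dcpromo prompt for it.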

You should know the following about RODC installation:

  • To install an RODC on a full installation of Windows Server 2008 or Windows Server 2008 R2, you must be a member of the Domain Admins group.
  • To install an RODC on a Server Core installation of Windows Server 2008 or Windows Server 2008 R2, you must be a member of the Domain Admins group or you must have been delegated the ability to perform the installation.
  • Verify that the server is not joined to the domain before you start the Active Directory Domain Services wizard.
  • The installation source files can be replicated to the RODC from another domain controller over the network or by using the Install From Media (IFM) feature. Ntdsutil.exe can be used to create the installation media for IFM.
    • Use the ntdsutil ifm command on a writable domain controller or an RODC that runs Windows Server 2008 or Windows Server 2008 R2 to create installation media for an RODC.
    • Ntdsutil removes cached secrets (such as passwords) from the installation media.
    • Some data will be replicated over the network even if you choose to install from media.
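The IFM step above, as an added example that is not part of the original post: it runs ntdsutil on a writable Windows Server 2008 or 2008 R2 DC to build RODC installation media and checks that the output is complete before it is copied to the branch. C:\IFM\BRANCH-RODC1 is an assumed placeholder; the ntdsutil menu commands are the documented ones, while the ReplicationSourcePath answer-file key named in the trailing comment is as remembered from the dcpromo unattended reference (assumption).

```powershell
# Added example, not code from the original post. Placeholder output path.
$Media = 'C:\IFM\BRANCH-RODC1'

function New-RodcInstallMedia {
    param([string]$Path)
    # ntdsutil takes its menu commands as quoted arguments. 'create rodc' is the
    # RODC flavour of the media: cached secrets (passwords) are stripped from the
    # copy, so the media itself does not carry domain credentials to the branch.
    & ntdsutil.exe 'activate instance ntds' 'ifm' "create rodc $Path" 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }

    # The media is a database snapshot ('Active Directory\ntds.dit') plus exported
    # registry settings ('registry'). Both must be present before shipping it.
    foreach ($part in @('Active Directory\ntds.dit', 'registry')) {
        $p = Join-Path $Path $part
        if (-not (Test-Path $p)) { throw "IFM media incomplete: missing $p" }
    }
    # Record what was produced (sizes and timestamps) for the change ticket.
    Get-ChildItem -Path $Path -Recurse | Select-Object FullName, Length, LastWriteTime
}

New-RodcInstallMedia -Path $Media
# On the RODC, point the stage-2 answer file at the copied media with
# ReplicationSourcePath=<local path to the media> (assumed key name). Some data
# is still replicated over the network even when installing from media.
```

Note that ntdsutil creates the target folder itself; run it against a path that does not yet exist so an old, stale set of media is never mistaken for the fresh one.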

It is possible to perform a staged installation of an RODC in which the installation is performed by two different individuals in separated stages.

  • The first stage:
    • Requires membership in the Domain Admins group.
    • Creates an account for the RODC in AD DS.
    • Records all the data about the RODC that will be stored in the distributed Active Directory database, including the read-only domain controller account name and the site in which it will be placed.
  • The second stage:
    • Can be performed in the branch office by any user or group who was delegated the right to complete the installation when the account was created. As such, this stage does not require any membership in built-in groups, such as the Domain Admins group, unless the user who creates the RODC account does not specify any delegate to complete the installation and administer the RODC.
    • Installs AD DS on the server that will become the RODC.
    • Creates all AD DS data that resides locally, such as the database, log files, and so on, on the RODC itself.
    • Attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it.