Read-Only Domain Controller (RODC) is a special type of domain controller that was first introduced in Windows Server 2008. An RODC stores only a read-only copy of Active Directory, without password hashes and other sensitive attributes. RODCs are most commonly used in branch and remote offices where it is difficult to physically secure a server that holds the domain controller role. If an RODC is compromised, attackers do not gain access to a complete, writable copy of Active Directory. In this article, we’ll walk you through how to install and configure an additional RODC domain controller on Windows Server 2019.
Before starting the installation of the RODC, make sure that:
- The functional level of your domain is Windows Server 2008 or higher;
- The domain has at least one regular writable domain controller (RWDC);
- An RODC can be installed on both Windows Server 2019 Full GUI and Windows Server Core instances;
- Windows Server 2019 is installed on a physical or virtual host, has been given a name and has a static IP address assigned.
Start Server Manager and install the Active Directory Domain Services role (Manage > Add Roles and Features > Roles).
After installing the ADDS role, you can promote the server to a domain controller. Click on the “Promote this server to a Domain Controller” link.
In the Active Directory Domain Services Configuration Wizard, select Add a domain controller to an existing domain.
In the next step, check the Read-only domain controller (RODC) box and provide a password for Directory Service Restore Mode (DSRM).
In the Delegated administrator account field (on the RODC Option screen) you can specify or create a domain account that will act as the local admin of the RODC host and can perform administrative tasks. However, this account will not be a member of the Domain Admins group and will not have any ADDS permissions.
In the Accounts that are allowed to replicate passwords to the RODC field, you can specify a group of users whose passwords are allowed to be replicated (cached) on the RODC. If the WAN link between your remote office and the central site goes down, users from this group will still be able to log in through the RODC. By default, it is suggested to use the DOMAIN\Allowed RODC Password Replication Group.
The Accounts that are denied from replicating passwords to the RODC field specifies users whose passwords must never be replicated to the RODC. By default, passwords of administrative accounts with elevated privileges in the domain (Domain Admins, Server Operators, etc.) are not replicated to the RODC.
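The Allowed and Denied lists above are the RODC's Password Replication Policy (PRP), and they can be audited and changed after promotion. The following script is an added example (not from the original article) using the ActiveDirectory module: it prints both lists, warns if any of the default Denied entries has been removed, adds a branch office group to the Allowed list, and then reports which accounts actually have passwords cached on the RODC. The RODC name RODC3 and the group Branch-Users are assumed names.

```powershell
# Added example (not from the original article): audit and adjust the Password
# Replication Policy (PRP) of an RODC. RODC name and group name are assumptions.
Import-Module ActiveDirectory

$rodc = 'RODC3'

# Show the current Allowed and Denied lists of the RODC.
"--- Allowed list on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
"--- Denied list on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# The wizard's default Denied list contains these entries directly (Domain Admins,
# Enterprise Admins, Schema Admins, krbtgt, etc. are members of the Denied RODC
# Password Replication Group). A missing entry means privileged hashes could be cached.
$mustDeny = 'Denied RODC Password Replication Group', 'Administrators',
            'Account Operators', 'Server Operators', 'Backup Operators'
$denied = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied).Name
foreach ($entry in $mustDeny) {
    if ($denied -notcontains $entry) {
        Write-Warning "'$entry' is not in the Denied list of $rodc"
    }
}

# Allow a branch office group (assumed name) to have its passwords cached on the RODC
# so its members can still log on when the WAN link to the hub site is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'

# Accounts whose password hashes are currently cached (revealed) on the RODC.
"--- Passwords cached on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# Accounts that authenticated through this RODC (cached or forwarded to a writable DC).
"--- Accounts authenticated through $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Run this from a domain-joined host with the RSAT AD PowerShell module, with an account that is allowed to modify the RODC computer object. The revealed-accounts list is the one to review periodically: every account in it is one whose hash would be exposed if the branch server were physically stolen.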
On the next tab, specify the name of the DC that will be used as the replication source or leave the default value Any domain controller.
At the last step, if all the prerequisite checks are passed successfully, click Install to begin the installation.
There is another option for creating an RODC: you first pre-create a computer account for it in the domain. To do this, open the ADUC console (dsa.msc), right-click on the OU named Domain Controllers, and select Pre-create Read-only Domain Controller account. Create a new account for the DC (this computer does not need to be a member of the domain yet).
The Active Directory Domain Services Installation Wizard starts. Check the Use advanced mode installation checkbox and click Next.
Follow the steps of the wizard and specify the parameters of the future RODC. After completing the wizard, a new disabled RODC computer account with the description Unoccupied DC Account (Read-only, GC) will appear in AD.
Now, when promoting a server to a domain controller, if its name matches the RODC account in AD, the message A pre-created RODC account that matches the name of the target server exists in the directory will appear and you will be prompted to select the Use existing RODC account option.
Alternatively, you can install the RODC using PowerShell:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSDomainController -Credential (Get-Credential) -DomainName theitbros.com -InstallDNS:$true -ReadOnlyReplica:$true -SiteName "Default-First-Site-Name" -Force:$true
Or, you can use an alternative way with a pre-created RODC account:
# Run from a domain-joined host that has the ADDSDeployment module, to pre-create the RODC account:
Add-ADDSReadOnlyDomainControllerAccount -DomainName theitbros.com -Credential (Get-Credential theitbros.com\Administrator) -DomainControllerAccountName "RODC3" -SiteName "Default-First-Site-Name" -DelegatedAdministratorAccountName "THEITBROS\RODCAdmin"
# Run on the future RODC itself (after installing the AD-Domain-Services feature) to attach it to the pre-created account:
Install-ADDSDomainController -DomainName theitbros.com -Credential (Get-Credential theitbros\Administrator) -UseExistingAccount
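After promotion it is worth confirming that the new server really is registered as read-only, that the delegated administrator was applied, and that it replicates inbound from the writable DCs. The script below is an added example (not from the original article) that performs those checks with the ActiveDirectory module; the RODC name RODC3 and the domain theitbros.com are taken from the commands above.

```powershell
# Added example (not from the original article): post-promotion checks for an RODC.
# RODC name and domain are taken from the article's commands.
Import-Module ActiveDirectory

$rodcName = 'RODC3'
$domainFqdn = 'theitbros.com'

# Confirm the server is registered as a read-only DC and see which site it belongs to.
Get-ADDomainController -Identity $rodcName |
    Select-Object HostName, IsReadOnly, IsGlobalCatalog, Site, IPv4Address

# Enumerate every RODC in the domain, useful when checking a branch estate.
"--- All read-only DCs ---"
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object HostName, Site

# The delegated RODC administrator is stored in the ManagedBy attribute of the RODC
# computer object; an empty value means nobody can administer the host without
# being a domain administrator.
$comp = Get-ADComputer -Identity $rodcName -Properties ManagedBy
if ($comp.ManagedBy) {
    "Delegated admin of ${rodcName}: " + (Get-ADObject -Identity $comp.ManagedBy).Name
} else {
    Write-Warning "$rodcName has no delegated administrator (ManagedBy is empty)"
}

# Inbound replication partners of the RODC and the result of the last attempt.
# A non-zero LastReplicationResult means the RODC is serving stale directory data.
"--- Replication partners of $rodcName ---"
Get-ADReplicationPartnerMetadata -Target "$rodcName.$domainFqdn" |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult
```

Because an RODC never replicates outbound, only inbound partners are listed; if the list is empty, the replication source chosen in the wizard (or Any domain controller) could not be reached and the installation should be re-checked before the server is shipped to the branch.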