How to Install and Configure Read-Only Domain Controller (RODC)?

Read-Only Domain Controller (RODC) is a special type of domain controller that was firstly introduced in Windows Server 2008. RODC only stores a read-only copy of Active Directory (except password hashes and other sensitive information). RODC domain controllers are most commonly used in branch offices and remote offices where it is difficult to physically secure a server with a domain controller role. If an RODC domain controller is compromised, attackers will not be able to gain access to your complete copy of Active Directory. In this article, we’ll walk you through how to install and configure an additional RODC domain controller on Windows Server 2019.

Before starting the installation of the RODC, make sure that:

  • The functional level of your domain is Windows Server 2008 or higher;
  • The domain has at least one regular writeable domain controller (RWDC);
  • You can install RODC on both Windows Server 2019 Full GUI and Windows Server Core instances;
  • Install Windows Server 2019 on a physical or virtual host, give it a name and assign a static IP address.

Start Server Manager and install the Active Directory Domain Services role (Manage > Add Roles and Features > Roles).



After installing the ADDS role, you can promote the server to a domain controller. Click on the “Promote this server to a Domain Controller” link.

read only domain controller

In the Active Directory Domain Services Configuration Wizard, select Add a domain controller to an existing domain.

rodc server

In the next step, check the Read-only domain controller (RODC) box and provide a password for Directory Service Restore Mode (DSRM).

install rodc

In the Delegated administrator account field (on the RODC Option screen) you can specify or create a domain account that will act as the local admin of the RODC host and can perform administrative tasks. However, this account will not be a member of the Domain Admins group and will not have any ADDS permissions.

In the Accounts that are allowed to replicate passwords to the RODC field, you can specify a group of users who are allowed to replicate passwords to the RODC. If the WAN link between your remote office and the central site suddenly disappears, users from this group will be able to log in to the RODC controller. By default, it is suggested to use the DOMAIN\Allowed RODC Password Replication Group.

The Accounts that are denied from replicating passwords to the RODC field specifies users who are not allowed to replicate passwords in the RODC. By default, passwords of administrative accounts with increased privileges in the domain are not replicated to the RODC (Domain Admins, Server Operators, etc.).

windows server rodc

On the next tab, specify the name of the DC that will be used as the replication source or leave the default value Any domain controller.


windows server 2019 rodc

At the last step, if all the prerequisite checks are passed successfully, click Install to begin the installation.

rodc windows

There is another option for creating an RODC. The idea is that at first, you are pre-creating a computer account in the domain. To do this, open the ADUC console (dsa.msc), right-click on the OU named Domain Controllers, and select Pre-create Read-only Domain Controller account. Create a new account for the DC (this computer does not need to be a member of the domain yet).

microsoft rodc

The Active Directory Domain Services Installation Wizard starts. Check the Use advanced mode installation checkbox, click Next.

rodc microsoft


Follow the steps of the wizard and specify the parameters of the future RODC. After completing the wizard, a new disabled RODC computer account with the description Unoccupied DC Account (Read-only, GC) will appear in AD.

read only domain controller windows server

Now, when promoting a server to a domain controller, if its name matches the RODC account in AD, the message A pre-created RODC account that matches the name of the target server exists in the directory will appear and you will be prompted to select the Use existing RODC account option.

read only domain controller server

Alternatively, you can install the RODC using PowerShell:

Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

Install-ADDSDomainController -Credential (Get-Credential) -DomainName -InstallDNS:$true -ReadOnlyReplica:$true -SiteName "Default-First-Site-Name" -Force:$true

Or, you can use an alternative way with a pre-created RODC account:

Add-ADDSReadOnlyDomainControllerAccount -DomainName -Credential (get-credential\Administrator) -domaincontrolleraccountname "RODC3" -sitename "Default-First-Site-Name" -delegatedadministratoraccountname "THEITBROS\RODCAdmin"

Install-ADDSDomainController -DomainName -Credential (get-credential theitbros\Administrator) – UseExistingAccount
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Latest posts by Cyril Kardashevsky (see all)

One comment

  1. Hi,
    can I proceed with this RODC process without adding a delegated administrator account initially over GUI? The reason why I ask is because I get an error when I want to choose the precrated RODC account like I have for other RODC’s… The error is: “The program cannot open the required dialog box because it cannot determine wether the computer named is joined to a domain. Close the message and try again” – this is a DC and it is joined to a domain of course… :)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.