1 You need to verify the requirements for installing an RODC in your environment. One important requirement is the forest functional level: verify that your forest functional level is set to Windows Server 2003 or newer. In my case, my forest functional level is already set to Windows Server 2012 R2. To verify the forest functional level, log in to your AD server, open Active Directory Users and Computers, right-click the Comsys.local domain, and then click Raise domain functional level and confirm that the Current domain functional level is set to Windows Server 2012 R2
2 Next, in Active Directory Users and Computers, right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account
3 In the Active Directory Domain Services Installation Wizard box, click Next
5 In the Computer name box, type Comsys-RODC01, and then click Next
7 On the Additional Domain Controller Options box, verify that DNS Server and Global catalog are selected, and then click Next
8 On the Delegation of RODC Installation and Administration box, type COMSYS\IT Dept in the Group or user field (my IT Dept group will be able to attach a server to the RODC account that I am creating now), and then click Next
10 Click Finish to complete the process. In Active Directory Users and Computers, click the Domain Controllers OU and you will see Comsys-RODC01 listed
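The prerequisite check and the RODC account pre-creation from steps 1 to 10 can also be done from PowerShell on a writable DC. The block below is an added example, not code from the original post; it assumes the ActiveDirectory and ADDSDeployment modules (RSAT) are installed, reuses the names from the walkthrough (Comsys.local, Comsys-RODC01, COMSYS\IT Dept) and assumes the site name Default-First-Site-Name, which the post never states. It also checks for a writable DC running Windows Server 2008 or later, which the post does not mention but which an RODC needs as its replication source.

```powershell
# Added example (not from the original post). Run on a writable DC such as DC01
# as a Domain Admin. The site name is an assumption; the post does not name it.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domainName = 'Comsys.local'
$rodcName   = 'Comsys-RODC01'
$delegate   = 'COMSYS\IT Dept'
$siteName   = 'Default-First-Site-Name'   # assumption

# Requirement 1 (step 1): forest functional level must be Windows Server 2003 or newer.
$forest  = Get-ADForest
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
if ($forest.ForestMode -lt $minimum) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2003 or newer first."
}
"Forest functional level: $($forest.ForestMode)"
"Domain functional level: $((Get-ADDomain -Identity $domainName).DomainMode)"

# Requirement 2: a writable DC on Windows Server 2008 or later must exist to replicate
# from (the post later picks DC01.Comsys.local on the Additional Options page).
$writable = Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -match 'Windows Server (2008|2012|2016|2019|2022)' }
if (-not $writable) { throw 'No writable DC running Windows Server 2008 or later was found.' }
"Writable replication sources: $($writable.HostName -join ', ')"

# Steps 2 to 10: pre-create the RODC account with DNS and Global Catalog selected and
# delegate its installation and administration to the IT Dept group.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domainName `
    -SiteName $siteName `
    -DelegatedAdministratorAccountName $delegate `
    -InstallDns:$true `
    -NoGlobalCatalog:$false

# Verification (step 10): the account is now in the Domain Controllers OU and the
# delegated administrator is recorded in its managedBy attribute.
Get-ADComputer -Identity $rodcName -Properties ManagedBy |
    Select-Object Name, DistinguishedName, ManagedBy
```

Delegating through the pre-created account is what lets a non-Domain Admin (the IT Dept group) finish the promotion later; the ManagedBy value shown at the end is the attribute the promotion wizard checks when that user attaches the server.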
As of now, we have verified the RODC requirements and delegated RODC installation and administration to the IT Dept group.
Next, let's install the RODC on the ComSys RODC server
11 Log on to the Comsys-RODC01 server
12 Open Server Manager, click Manage, and then click Add Roles and Features
14 Ensure that Role-based or feature-based installation is selected, and then click Next
16 On the Select server roles box, select the Active Directory Domain Services check box, click Add Features, and then click Next
18 Click Next, and then click Install to proceed with the installation
20 After the installation completes, on the Installation progress box, click Promote this server to a domain controller
21 In the Deployment Configuration box, verify that Add a domain controller to an existing domain is selected, then click Select
22 In the Windows Security box, type comsys\morgan (Morgan is my user in the IT Dept group) for User name, enter Morgan's password, and then click OK
23 Also verify that, under Specify the domain information for this operation, the Comsys.local domain is selected, and then click Next
24 Next, in the Domain Controller Options box, under Type the Directory Services Restore Mode (DSRM) password, type your password in the Password and Confirm password fields, and then click Next
25 On the Additional Options box, beside Replicate from, click the drop-down box, click DC01.Comsys.local, and then click Next
28 On the Prerequisites Check box, verify that all prerequisite checks passed successfully and then click Install. After the AD DS process has completed, the Comsys-RODC01 server will restart.
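Steps 11 to 28 map onto two cmdlets when done from an elevated PowerShell session on the new server. The block below is an added example, not code from the original post; it assumes it is run on Comsys-RODC01 as the delegated user comsys\morgan, that DC01.Comsys.local is reachable, and that the RODC account was pre-created as in steps 2 to 10 (which is why UseExistingAccount is set and no Domain Admin rights are needed).

```powershell
# Added example (not from the original post). Run on Comsys-RODC01 in an elevated
# session as the delegated IT Dept user (comsys\morgan).

# Steps 12 to 18: install the AD DS role binaries and management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Steps 22 and 24: delegated credentials and the DSRM password, prompted rather than
# stored in the script.
$cred = Get-Credential -UserName 'comsys\morgan' -Message 'Delegated RODC installer'
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = 'Comsys.local'
    UseExistingAccount            = $true                 # attach to the pre-created Comsys-RODC01 account
    Credential                    = $cred
    ReplicationSourceDC           = 'DC01.Comsys.local'   # step 25: Replicate from
    SafeModeAdministratorPassword = $dsrm
}

# Step 28: run the prerequisite checks first and stop if anything did not pass.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check did not pass; fix the reported issues before promoting.'
}

# Promote the server; it restarts when promotion completes, as the wizard does.
Install-ADDSDomainController @params -Force
```

Running the Test- cmdlet with the same splatted parameters as the Install- cmdlet is the scripted equivalent of the Prerequisites Check page: it validates delegation, the replication source and the DSRM password without changing anything.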
29 Log on to the DC01 server, open Active Directory Users and Computers, click the Users container, and double-click Allowed RODC Password Replication Group
30 Click the Members tab, and then verify that nothing is listed
31 Next, click the Domain Controllers OU, right-click COMSYS-RODC01, and then click Properties
32 Click the Password Replication Policy tab, and confirm that Allowed RODC Password Replication Group and Denied RODC Password Replication Group are both listed
Next, let's create a group to manage password replication to our branch office RODC server (COMSYS-RODC01)
33 In Active Directory Users and Computers, right-click the Production OU, click New, and then click Group
34 In the New Object - Group window, type Comsys Branch Office Users in the Group name field, confirm that Global and Security are selected, and then click OK
35 In Active Directory Users and Computers, click the Production OU, and then double-click the Comsys Branch Office Users group. In the Comsys Branch Office Users Properties box, click the Members tab and add a few members, such as Bart, Bobby, Marko and the Surface01 laptop
Next, we also need to configure a password replication policy for the branch office RODC server (COMSYS-RODC01)
36 In Active Directory Users and Computers, click the Domain Controllers OU, right-click COMSYS-RODC01, and then click Properties. Click the Password Replication Policy tab, and then click Add. In the Add Groups, Users, and Computers window, click the radio button to select Allow passwords for the account to replicate to this RODC, and then click OK.
37 In the search window, in the Enter the object names to select field, type Comsys Branch Office Users and then click OK
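Steps 29 to 37 (checking the default policy groups, creating the branch office group and adding it to the allowed list) can be scripted from DC01. The block below is an added example, not code from the original post; it assumes the ActiveDirectory module, the user and computer names from the walkthrough, and that the Production OU sits directly under the domain root (OU=Production,DC=Comsys,DC=local), which the post does not state.

```powershell
# Added example (not from the original post). Run on DC01 as a Domain Admin.
Import-Module ActiveDirectory

$rodc      = 'COMSYS-RODC01'
$groupName = 'Comsys Branch Office Users'
$ouPath    = 'OU=Production,DC=Comsys,DC=local'   # assumption: Production OU at the domain root

# Steps 29 to 30: the built-in Allowed group should have no members out of the box.
$builtinAllowed = Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group'
if ($builtinAllowed) {
    Write-Warning "Allowed RODC Password Replication Group already contains: $($builtinAllowed.SamAccountName -join ', ')"
}

# Step 32: the default policy on the RODC lists the built-in Allowed and Denied groups.
"Allowed list on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
"Denied list on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied | Select-Object Name

# Steps 33 to 35: a global security group for the branch office and its members.
# Computer accounts are addressed by their sAMAccountName, which ends in $.
New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $groupName -Members 'bart', 'bobby', 'marko', 'Surface01$'

# Steps 36 to 37: allow passwords of the group's members to replicate to this RODC.
# A Deny entry always wins over an Allow entry for the same account, so the built-in
# Denied group still protects the accounts it contains.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $groupName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
```

Putting the branch office accounts in a dedicated group, rather than in the built-in Allowed RODC Password Replication Group, keeps the policy specific to this one RODC; the built-in group applies to every RODC in the domain.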
Next, let's evaluate the resulting password replication policy for our RODC
39 In the COMSYS-RODC01 Properties box, on the Password Replication Policy tab, click Advanced
40 Click the Resultant Policy tab, then add the user name Bart (Bart is my Production user), and verify that the Resultant Setting for Bart is Allow
41 Next, on the RODC server (COMSYS-RODC01), sign in as comsys\bart. The sign-in will fail, because Bart does not have permission to sign in to COMSYS-RODC01. However, the credentials for Bart's account were processed and cached on COMSYS-RODC01.
42 Log back on to the domain server. In Active Directory Users and Computers, click the Domain Controllers OU, double-click COMSYS-RODC01, and then click the Password Replication Policy tab. On the Password Replication Policy tab, click Advanced and notice that Bart's account password has been stored on the RODC.
Lastly, let's prepopulate the credential cache (always remember: do not cache passwords for domain-wide administrative accounts)
43 On the Password Replication Policy tab, click Advanced, and then click Prepopulate Passwords
44 In the Select Users or Computers box, I add Bobby and my Surface01, then click OK
45 Confirm that my user Bobby and the Surface01 laptop have both been added to the list of accounts with cached credentials, and then click Yes
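The Resultant Policy check (steps 39 to 40), the list of accounts already cached on the RODC (step 42), the prepopulation (steps 43 to 45) and the reminder about administrative accounts can all be covered from DC01 in PowerShell. The block below is an added example, not code from the original post; it assumes the ActiveDirectory module and the names from the walkthrough (COMSYS-RODC01, DC01.Comsys.local, bart, bobby, Surface01). The final audit, which compares cached accounts against the built-in privileged groups, goes beyond the post's steps and is the check I would run after any prepopulation.

```powershell
# Added example (not from the original post). Run on DC01 as a Domain Admin.
Import-Module ActiveDirectory

$rodc   = 'COMSYS-RODC01'
$source = 'DC01.Comsys.local'

# Steps 39 to 40: resultant policy per account, as the Resultant Policy tab shows it.
foreach ($account in 'bart', 'bobby', 'Surface01$') {
    $result = Get-ADAccountResultantPasswordReplicationPolicy -Identity $account -DomainController $rodc
    '{0,-12} resultant setting: {1}' -f $account, $result
}

# Step 42: accounts whose passwords the RODC has already cached (revealed). After
# Bart's failed sign-in in step 41 his account appears here.
"Accounts currently cached on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# Steps 43 to 45: prepopulate Bobby's and Surface01's passwords before the WAN link is
# needed. Sync-ADObject -PasswordOnly only succeeds for accounts the resultant policy
# allows, so a failure here means the policy, not the sync, needs attention.
foreach ($account in 'bobby', 'Surface01$') {
    $obj = Get-ADObject -Filter "SamAccountName -eq '$account'"
    Sync-ADObject -Object $obj -Source $source -Destination $rodc -PasswordOnly
}

# Guardrail from the post: do not cache domain-wide administrative accounts. Compare
# the revealed set against the built-in privileged groups and flag any overlap.
$privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
}
$privilegedDns = $privileged.DistinguishedName | Sort-Object -Unique
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$exposed  = $revealed | Where-Object { $privilegedDns -contains $_.DistinguishedName }
if ($exposed) {
    Write-Warning "Privileged accounts cached on ${rodc}: $($exposed.SamAccountName -join ', ')"
} else {
    "No privileged accounts are cached on $rodc."
}
```

The revealed list is the authoritative record of what a stolen branch office RODC would give up, so the audit at the end is worth scheduling, not just running once: the Denied RODC Password Replication Group covers the built-in administrative groups, but accounts later added to other privileged groups are only caught by checking membership against the cached set.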
Orait, that's all for today. I recommend that you read more on RODCs; it's a good feature, provided you understand when and where to implement it.