
HOW TO CONFIGURE RODC (READ ONLY DOMAIN CONTROLLER) IN SERVER 2012 R2

1 You need to verify the requirements for installing an RODC in your environment. One of the important
requirements is the forest functional level: it must be Windows Server 2003 or newer. In addition, the
PDC emulator of the domain must run Windows Server 2008 or newer, and the RODC needs a writable domain
controller running Windows Server 2008 or newer to replicate from. In my case, my forest functional
level is already set to Windows Server 2012 R2. To verify the forest functional level, log in to your
AD server, open Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts
node, and click Raise Forest Functional Level. Note that in Active Directory Users and Computers,
right-clicking the Comsys.local domain and clicking Raise domain functional level shows only the domain
functional level, which in my case is also Windows Server 2012 R2

2 Next, in Active Directory Users and Computers, right-click Domain Controllers, and then click Precreate Read-only Domain Controller account

3 In the Active Directory Domain Services Installation Wizard box, click Next

4 Click Next to accept the current credentials, which are Comsys\Administrator

5 In the Computer name box, type Comsys-RODC01, and then click Next

6 On the Select a site box, click Next

7 On the Additional Domain Controller Options box, verify that DNS Server and Global catalog are
selected and click Next

8 On the Delegation of RODC Installation and Administration box, type COMSYS\IT Dept in the Group or
user field, and then click Next (my IT Dept group will then be able to attach a server to the RODC
account I am creating now, without needing Domain Admins membership; this delegation is what lets a
branch admin finish the promotion later)

9 On the Summary page, click Next

10 Click Finish to complete the process. In Active Directory Users and Computers, click the Domain
Controllers OU and you will see Comsys-RODC01 listed

So far we have verified the RODC requirements and delegated RODC installation and administration to
the IT Dept group.
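The same prerequisite check and RODC account pre-creation (steps 1 through 10) can be done from an elevated PowerShell prompt on DC01. This is an added example and not part of the original post; it assumes the names used above (comsys.local, DC01, Comsys-RODC01, the COMSYS\IT Dept group) and, because the post simply clicks Next on the site page, the default site name Default-First-Site-Name.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on DC01.
# Assumed from the post: domain comsys.local, writable DC DC01, RODC name Comsys-RODC01,
# delegated group COMSYS\IT Dept. Assumed site: Default-First-Site-Name.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domainName = 'comsys.local'
$rodcName   = 'Comsys-RODC01'

# --- Step 1: prerequisites -------------------------------------------------
# The RODC requirement is about the FOREST functional level (Windows Server 2003
# or higher). Get-ADForest reports it as an enum, so compare against the enum
# value rather than a display string.
$forest   = Get-ADForest
$minLevel = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
if ($forest.ForestMode -lt $minLevel) {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2003 or higher is required for an RODC."
}

# The PDC emulator of the domain must run Windows Server 2008 or newer.
$domain = Get-ADDomain -Identity $domainName
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
if ($pdc.OperatingSystem -notmatch 'Windows Server (2008|201\d|202\d)') {
    throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; Windows Server 2008 or newer is required."
}
"Forest level: $($forest.ForestMode); domain level: $($domain.DomainMode); PDC: $($pdc.HostName) ($($pdc.OperatingSystem))"

# --- Steps 2-10: pre-create the RODC account and delegate it --------------
# Global catalog is enabled unless -NoGlobalCatalog is given; -InstallDns makes the
# RODC a DNS server, matching step 7. -DelegatedAdministratorAccountName is the
# group that may attach a server to this account later (step 8) without being a
# Domain Admin; the delegation is stored in the account's managedBy attribute.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domainName `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns:$true `
    -DelegatedAdministratorAccountName 'COMSYS\IT Dept' `
    -Credential (Get-Credential -UserName 'COMSYS\Administrator' -Message 'Domain Admin credentials')

# Step 10 equivalent: the account now sits in the Domain Controllers OU and
# managedBy points at the delegated group.
Get-ADComputer -Identity $rodcName -Properties managedBy |
    Select-Object Name, DistinguishedName, managedBy
```

The managedBy check at the end is worth keeping as a routine audit: whoever that attribute points at can attach a server to the account and becomes a local administrator on the resulting RODC, so it should only ever be the intended branch admin group.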
Next, let's install the RODC on the ComSys RODC server.
11 Log on to the Comsys-RODC01 server

12 Open Server Manager, click Manage, and then click Add Roles and Features

13 In the Add Roles and Features box, click Next

14 Ensure that Role-based or feature-based installation is selected, and then click Next

15 Select Comsys-RODC01, and then click Next

16 On the Select server roles box, select the check box to select Active Directory Domain
Services, click Add Features, and then click Next

17 On the Select features box, click Next

18 Click Next, and then click Install to proceed with the installation

19 Wait a few minutes for the installation to complete

20 After the installation completes, on the Installation progress box, click Promote this server to a
domain controller

21 In the Deployment Configuration box, verify that Add a domain controller to an existing domain is
selected, then click Select

22 In the Windows Security box, type comsys\morgan for User name (Morgan is a member of my IT Dept
group, so the delegation from step 8 lets this account attach the server to the pre-created RODC
account; no Domain Admins membership is needed), enter the password for Morgan, and then click OK

23 Also verify, under Specify the domain information for this operation, that the Comsys.local domain is
selected, and then click Next

24 Next, in the Domain Controller Options box, under Type the Directory Services Restore Mode (DSRM)
password, type your password in the Password and Confirm password fields, and then click Next. This is
the local Administrator password when the RODC is booted into DSRM, so store it in your password vault

25 On the Additional Options box, beside Replicate from, click the drop-down box, click
DC01.Comsys.local (an RODC must replicate from a writable domain controller), and then click Next

26 On the Paths box, click Next to proceed

27 On the Review Options box, click Next

28 On the Prerequisites Check box, verify that all prerequisite checks passed successfully, and then
click Install. After the AD DS process has completed, the Comsys-RODC01 server will restart.
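Steps 11 through 28 can also be run as a script on Comsys-RODC01 itself. This is an added example, not code from the original post. It assumes the same names as above and that comsys\morgan is a member of the delegated IT Dept group. Because the server is attached to the pre-created account, the options chosen at pre-creation (site, DNS, global catalog, delegation) come from that account and are not passed here.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# server that will become Comsys-RODC01. Assumed: domain comsys.local, writable
# source DC DC01.comsys.local, delegated IT Dept user comsys\morgan.

# Steps 12-19: install the AD DS role binaries (no promotion yet).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Step 22: use the delegated account, not a Domain Admin. The delegation on the
# pre-created account is what authorises this user to attach the server.
$delegated = Get-Credential -UserName 'COMSYS\morgan' -Message 'Delegated RODC admin'

# Step 24: DSRM password. It is the local Administrator password when the RODC is
# booted into Directory Services Restore Mode, so store it in your password vault.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password for Comsys-RODC01'

$promoteArgs = @{
    DomainName                    = 'comsys.local'
    UseExistingAccount            = $true                # attach to the pre-created RODC account
    Credential                    = $delegated
    SafeModeAdministratorPassword = $dsrmPassword
    ReplicationSourceDC           = 'DC01.comsys.local'  # step 25: must be a writable DC
}

# Step 28, first half: the prerequisite check, without changing anything.
$check = Test-ADDSDomainControllerInstallation @promoteArgs
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; fix the issues above before promoting.'
}

# Step 28, second half: promote. The server reboots on completion by default.
Install-ADDSDomainController @promoteArgs

# After the reboot, confirm from DC01 that the new DC is read-only, a GC and a DNS server:
#   Get-ADDomainController -Identity Comsys-RODC01 |
#       Select-Object HostName, IsReadOnly, IsGlobalCatalog, Site
```

Running Test-ADDSDomainControllerInstallation first is the scripted equivalent of the wizard's Prerequisites Check page; it is the step that catches a wrong functional level or an unreachable replication source before anything is changed on the box.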

Once the Comsys-RODC01 server restarts, we need to configure the password replication groups.


** A password replication policy (PRP) determines which user and computer credentials can be
cached on a specific RODC. An RODC holds no secrets until an account on its Allowed list
authenticates through it (or is prepopulated), and a Deny entry always wins over an Allow entry.
The built-in Denied RODC Password Replication Group already covers Domain Admins, Enterprise Admins,
Schema Admins, krbtgt and similar accounts, so only the branch users and computers that really need
offline logon should ever be allowed: if the branch box is stolen, the cached secrets are what the
attacker gets.

29 Log on to DC01 server, open Active Directory Users and Computers, click the Users
container, double-click Allowed RODC Password Replication Group

30 Then click the Members tab and verify that nothing is listed

31 Next, click the Domain Controllers OU, right-click COMSYS-RODC01, and then click
Properties

32 Click the Password Replication Policy tab, and confirm that Allowed RODC Password Replication
Group and Denied RODC Password Replication Group are both listed (Allow and Deny respectively)

Next, let's create a group to manage password replication to our branch office RODC server
(COMSYS-RODC01).
33 In Active Directory Users and Computers, right-click the Production OU, click New, and then
click Group

34 In the New Object Group window, type Comsys Branch Office Users in the Group name
field, confirm that Global and Security are selected, and then click OK

35 In Active Directory Users and Computers, click the Production OU, and then double-click the
Comsys Branch Office Users group. In the Comsys Branch Office Users Properties box, click the
Members tab and add a few members, such as Bart, Bobby, Marko and the Surface01 laptop

Next, we also need to configure a password-replication policy for the branch office RODC server
(COMSYS-RODC01)

36 In Active Directory Users and Computers, click the Domain Controllers OU, right-click COMSYS-RODC01,
and then click Properties. Click the Password Replication Policy tab, and then click Add. In the Add
Groups, Users, and Computers window, click the radio button to select Allow passwords for the account
to replicate to this RODC, and then click OK.

37 In the search window, in the Enter the object names to select field, type Comsys Branch Office
Users and then click OK

38 In the COMSYS-RODC01 Properties box, click OK

Next, let's evaluate the resulting password replication policy for our RODC.
39 In the COMSYS-RODC01 Properties box, on the Password Replication Policy tab, click Advanced

40 Click the Resultant Policy tab, then add the user name Bart (Bart is my Production user) and verify
that the Resultant Setting for Bart is Allow

41 Next, on the RODC server (COMSYS-RODC01), sign in as comsys\bart. The sign-in will fail, because
Bart does not hold the Allow log on locally right on a domain controller. However, the RODC forwarded
Bart's authentication to DC01, and because the PRP allows Bart, his secrets were replicated to and
cached on COMSYS-RODC01.

42 Log back on to the domain controller. In Active Directory Users and Computers, click the Domain
Controllers OU, double-click COMSYS-RODC01, and then click the Password Replication Policy tab. On
that tab, click Advanced and notice that Bart's account is now listed among the accounts whose
passwords are stored on this RODC.

Lastly, let's prepopulate the credential cache (always remember: do not cache passwords for
domain-wide administrative accounts).
43 On the Password Replication Policy tab, click Advanced, and then click Prepopulate
Passwords

44 In the Select Users or Computers box, I add Bobby and my Surface01 laptop, then click OK

45 Confirm that my user Bobby and Surface01 laptop have both been added to the list of accounts
with cached credentials and then click Yes
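Steps 29 through 45 (the PRP group, the allow entry, the resultant-policy check, the list of cached accounts and the prepopulation) as one PowerShell script run on DC01. This is an added example and not the post's own code; it assumes the names used above, that the Production OU is OU=Production,DC=comsys,DC=local, and that the accounts are bart, bobby, marko and the computer Surface01. It goes one step beyond the post by also evaluating the resultant policy for Administrator, to show that the built-in Deny entry wins.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on DC01.
# Assumed: RODC COMSYS-RODC01, writable DC DC01, Production OU DN below, accounts
# bart/bobby/marko and computer Surface01 from the post.
Import-Module ActiveDirectory

$rodc      = 'COMSYS-RODC01'
$sourceDc  = 'DC01'
$groupName = 'Comsys Branch Office Users'
$ouDn      = 'OU=Production,DC=comsys,DC=local'   # assumed DN of the Production OU

# Steps 33-35: the branch group. Computer accounts need the trailing $ here.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
Add-ADGroupMember -Identity $groupName -Members 'bart', 'bobby', 'marko', 'Surface01$'

# Steps 36-38: allow that group's secrets to be cached on this RODC only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $groupName

# Steps 29-32: what the PRP now contains. The Denied list still carries the built-in
# Denied RODC Password Replication Group (Domain Admins, Enterprise Admins, krbtgt, ...).
'--- Allowed ---'; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
'--- Denied ---';  Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object -ExpandProperty Name

# Steps 39-40: resultant policy. Deny wins over Allow, so a Domain Admin stays Deny
# even if someone drops it into the branch group by mistake.
foreach ($acct in 'bart', 'Administrator') {
    $result = Get-ADAccountResultantPasswordReplicationPolicy -Identity $acct -DomainController $rodc
    '{0,-15} {1}' -f $acct, $result
}

# Steps 41-42: which secrets are actually cached on the RODC right now. Audit this
# list regularly; it is exactly what an attacker gets if the branch box is stolen.
'--- Cached (revealed) on RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# Steps 43-45: prepopulate bobby and Surface01 so they can log on even if the WAN is
# down at first logon. Sync-ADObject -PasswordOnly replicates just the secrets; the
# resultant-policy guard skips anything the PRP would deny (such as admin accounts).
foreach ($sam in 'bobby', 'Surface01$') {
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
    $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $obj.DistinguishedName -DomainController $rodc
    if ($policy -ne 'Allow') {
        Write-Warning "$sam resolves to '$policy' on $rodc; not prepopulating"
        continue
    }
    Sync-ADObject -Object $obj.DistinguishedName -Source $sourceDc -Destination $rodc -PasswordOnly
}

# Re-run the usage query above: bobby and Surface01 should now be listed.
```

The -RevealedAccounts query is the one to schedule: run it from a writable DC and compare the output with the intended branch group, and if the RODC is ever lost, that same list tells you exactly which accounts need their passwords reset.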

Alright, that's all for today. I recommend that you read more on RODCs; they are a good feature
provided you understand when and where to implement them.
