Working with Read Only Domain Controllers (Part 3)

by [Published on 30 July 2009 / Last Updated on 30 July 2009]

Concluding the series on Read Only Domain Controllers by guiding you through the deployment process.

If you would like to read the other parts in this article series please go to:

Introduction

So far in this article series, I have explained what a Read Only Domain Controller is and some of the benefits associated with deploying one. In this article, I want to show you how to go about deploying a Read Only Domain Controller.

Before You Begin

Before you begin following the installation procedure, you need to install Windows Server 2008 onto your Read Only domain Controller and join the server to a domain. It is technically possible to create a Read Only Domain Controller without joining a domain first, but the steps that I will be walking you through assume that your server is a domain member.

The Forest Functional Level

Before you get started, you will have to make sure that the forest functional level is set to Windows Server 2003 or higher. To do so, open the Active Directory Domains and Trusts console. When the console opens, right click on the listing for your Active Directory forest, and then select the Properties command from the resulting shortcut menu. As you can see in Figure A, the forest functional level is listed on the resulting properties sheet’s General tab.


Figure A: You must verify that the forest functional level is set to Windows Server 2003 or higher

If the forest functional level is not sufficient, you will have to raise the level before you continue. Keep in mind that doing so means that you will not be able to use Windows 2000 domain controllers in your forest any longer. To raise the forest functional level, click OK to close the properties sheet. Now, right click on the listing for your forest once more, and choose the Raise Forest Functional level from the command prompt, on the resulting screen, select the Windows Server 2003 option, and then click the Raise button.

Updating the Application Directory Partitions

The next step in the process is to update the permissions for any application directory partitions in the forest. That way, those partitions can be replicated by any Read Only Domain Controller that is also functioning as a DNS server.

To do so, insert your Windows Server 2008 installation DVD into the domain controller that has been designated as the domain’s schema master. Next, copy the \Sources\Adprep folder from the DVD to an empty folder on the server’s hard drive. Finally, open a command prompt window and navigate to the newly created ADPREP folder, and execute the following command:

ADPREP /RODCPREP

Figure B shows what it looks like when this command is run.


Figure B: Run the ADPREP /RODCPREP command

Promoting the Server to a Domain Controller

Now it is time to actually configure our server to act as a Read Only Domain Controller. The process is actually quite similar to the process that you would use to configure any other server to act as a domain controller.

Begin the process by logging into the server using an account that is a member of the Domain Admins group. At this point, enter the DCPROMO command at the server’s Run prompt. This will cause Windows to launch the Active Directory Domain Services Installation Wizard. The wizard will do a quick check to make sure that the Active Directory binaries are installed. These binaries are not installed by default, so the wizard will install them for you.

When Windows finishes installing the binaries, it will display the wizard’s Welcome screen, shown in Figure C. Although it is common to just click Next and bypass a wizard’s Welcome screen, in this case you need to click the Use Advanced Mode Installation check box first.


Figure C: Select the Use Advanced Mode Installation check box

Click Next, and the wizard will ask you about which forest and domain the new domain controller should service. Select the option to add the domain controller to an existing domain within an existing forest, as shown in Figure D.


Figure D: Choose the option to add the domain controller to an existing domain

Click Next, and the wizard will prompt you to specify the name of the domain that you plan on adding the domain controller to. You must also confirm that you want to use the credentials that you are currently logged in with when you promote the server to domain controller status, as shown in Figure E. When you are done, click Next.


Figure E: Enter the name of the domain that you want to add the domain controller to

The following screen is a bit redundant. It simply asks you to confirm your domain selection, as shown in Figure F. After doing so, click Next.


Figure F: Confirm the domain that you want to add the domain controller to

You should now see a screen asking you to specify the name of the site that you want to place the new domain controller in, as shown in Figure G. This is especially important for Read Only Domain Controllers, because they are typically placed in branch offices, which are almost always in a separate Active Directory site.


Figure G: Specify the Active Directory site that you want to place the new domain controller into

Click Next and you will be asked to select the additional options for the domain controller, as shown in Figure H. Obviously you will want to select the Read Only Domain Controller option, but it is a good idea to also make the domain controller a DNS server and a global catalog server.


Figure H: Be sure to select the Read Only Domain Controller option

Click Next, and you will be asked to specify the Password Replication Policy, as shown in Figure I. This is where you can control which passwords are allowed to replicate to the Read Only Domain Controller. You can make any desired changes, but the defaults will normally work fine.


Figure I: It is usually OK to use the default settings

Click Next, and you will be given the opportunity to delegate a user or group to complete the RODC installation process. In our case, you do not even have to worry about this option because we are about to complete the configuration process in a few steps.

The next screen that you will see gives you the option of either replicating data over a network from a domain controller or of building the Active Directory database from a file. Creating the Active Directory database from a file is handy if you have a large database and a slow connection. Otherwise, you should just replicate the data over the network, as shown in Figure J.


Figure J: Choose the source of the Active Directory data to replicate

The following screen asks you to choose a replication partner for the domain controller. It is usually best to let Windows choose the replication partner for you unless you have a good reason for using a specific domain controller as a replication partner.

When you click Next, you will be taken to the portion of the wizard that you are probably used to. This screen asks you to specify the location where the Active Directory database should be stored. Make your choices and click Next.

You will now be prompted to provide a Directory Services Restore Mode password. Enter a password, and click Next.

You should now see a summary of the installation options that you have chosen. Assuming that everything appears to be correct, click Next to begin the domain controller promotion process. When the process completes, click Finish and then reboot the server.

Conclusion

Now that you have set up your first RODC, you may want to set up additional RODCs. If so, you must wait for the next replication cycle to complete. Otherwise, you might end up receiving Active Directory errors.

If you would like to read the other parts in this article series please go to:

Advertisement

Featured Links