There are two types of domain controllers: writable domain controllers and read-only domain controllers. A writable domain controller holds a writable copy of the Active Directory database and accepts changes to it. A Read-Only Domain Controller (RODC) provides the same authentication and lookup services to clients, but it holds a read-only copy of the database, forwards any write to a writable domain controller, and does not store user or computer passwords unless an administrator explicitly allows it through the Password Replication Policy. Remote branch offices where physical security is a concern are the most suitable place to deploy an RODC: if the server is stolen, only the passwords that were allowed to be cached on it are exposed. In this post, we explain step by step how to install and configure an RODC on Windows Server 2016.
RODC Password Replication Policies
To understand the concept of the RODC, you have to understand how the Password Replication Policy (PRP) works. Each RODC has its own PRP, a pair of Allow and Deny lists stored on its computer object, which controls whose passwords that RODC may cache. Two built-in domain groups are placed on those lists by default:
- Allowed RODC Password Replication Group.
- Denied RODC Password Replication Group.
By default, the PRP denies caching for the following accounts and groups, either through membership in the Denied RODC Password Replication Group or as explicit Deny entries on each RODC's PRP:
- Enterprise Domain Controllers
- Enterprise Read-Only Domain Controllers
- Group Policy Creator Owners
- Domain Admins
- Cert Publishers
- Enterprise Admins
- Schema Admins
- Domain-wide krbtgt account
- Account Operators
- Server Operators
- Backup Operators
By default, the Allowed RODC Password Replication Group has no members, so no user password is cached on any RODC until you add accounts to it (or to an individual RODC's Allow list). A Deny entry always takes precedence over an Allow entry, and an account that matches neither list is not cached either.
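The precedence rule above can be checked from PowerShell instead of clicking through the Resultant Policy tab. The following function is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed on the machine you run it from and uses this post's lab names SERVER1 and RODCAdmin. It reads the RODC's Allow and Deny lists, resolves the account's nested group membership with an LDAP_MATCHING_RULE_IN_CHAIN query, and reports whether the RODC may cache that account's password.

```powershell
# Added example (not from the original post): resolve the effective Password Replication
# Policy of an RODC for one account. Run on a writable DC such as DC1 or any machine with
# RSAT-AD-PowerShell. SERVER1 and RODCAdmin are the lab names used in this post.
Import-Module ActiveDirectory

function Get-RodcEffectivePrp {
    param(
        [Parameter(Mandatory)][string]$Rodc,      # RODC computer name, e.g. SERVER1
        [Parameter(Mandatory)][string]$Account    # sAMAccountName of a user or computer
    )

    # The PRP lives on the RODC's computer object as two lists of principals.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)

    $principal = Get-ADObject -Filter "sAMAccountName -eq '$Account'" -Properties objectSid
    if (-not $principal) { throw "Account '$Account' not found in the domain" }

    # Nested group membership via LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
    # Note: this does not include the account's primary group (normally Domain Users),
    # which is not on either default list anyway.
    $dn     = $principal.DistinguishedName
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")
    $sids   = @($principal.objectSid.Value) + @($groups | ForEach-Object { $_.SID.Value })

    $denyHits  = @($denied  | Where-Object { $sids -contains $_.SID.Value })
    $allowHits = @($allowed | Where-Object { $sids -contains $_.SID.Value })

    # Deny wins over Allow; no matching entry at all also means "not cached".
    $result = if ($denyHits.Count -gt 0)      { 'Denied' }
              elseif ($allowHits.Count -gt 0) { 'Allowed' }
              else                            { 'NotCached (no matching entry)' }

    [pscustomobject]@{
        RODC    = $Rodc
        Account = $Account
        Result  = $result
        DenyBy  = ($denyHits.Name  -join ', ')
        AllowBy = ($allowHits.Name -join ', ')
    }
}

# Example: an account that is in both "Allowed RODC Password Replication Group" and
# "Server Operators" comes back as Denied, which is why the delegated admin below
# must not be placed in an operators group.
Get-RodcEffectivePrp -Rodc SERVER1 -Account RODCAdmin
```

If the result is Denied, the DenyBy column names the group or entry responsible, which is the first thing to look at when an account you expected to be cached does not appear on the RODC.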
Understanding RODC Lab Setup Topology
Now that you have the basics of RODC, we are going to install and configure one on Windows Server 2016. Before doing so, let's look at the lab setup we are going to follow:
We have a writable domain controller named DC1.MCSALAB.local that runs Windows Server 2016 and is configured with the IPv4 address 10.0.0.100/8. We will use another server named SERVER1 as the RODC. SERVER1 is configured with the IPv4 address 10.0.0.101/8 and also runs Windows Server 2016.
Preparing the Writable Domain Controller To Deploy an RODC
Now create a user account named RODCAdmin on DC1 and make it a member of the Allowed RODC Password Replication Group so that its password can be cached on the RODC. Do not also add it to Server Operators (or any other group on the Deny list) to obtain local sign-in rights: Deny overrides Allow, and its password would then never be cached. Local administration rights on the RODC come from the delegated administrator setting chosen during promotion, which makes that account a local administrator of the RODC only (and therefore able to sign in locally) without making it a Domain Admin.
Configuring RODC In Windows Server 2016
Now, you are set to install and configure RODC for one of your branch offices. To install and configure RODC in Windows Server, you need to perform the following steps:
- Switch to the server that you want to configure as RODC, in this case SERVER1, and configure its TCP/IP settings to match the lab topology: IPv4 address 10.0.0.101, subnet mask 255.0.0.0 (/8), and preferred DNS server 10.0.0.100 (DC1), so that the server can locate the MCSALAB.local domain.
- Join SERVER1 to the MCSALAB.LOCAL domain and reboot the system.
Note: If the join fails, confirm that SERVER1 resolves MCSALAB.LOCAL against DC1 and that the two servers can reach each other over the network.
- Once SERVER1 has rebooted, sign in with the MCSALAB\Administrator account.
- Open the Server Manager console and launch the Add Roles and Features Wizard.
- Accept the default selections until the Select server roles page displays. Here, select the Active Directory Domain Services check box and complete the Active Directory installation process.
- On the Server Manager console, click the Promote this server to a domain controller link.
- On the Deployment Configuration page, make sure that the Add a domain controller to an existing domain option is selected and then click Next.
- On the Domain Controller Options page, select the following check boxes, set the Directory Services Restore Mode (DSRM) password, and then click Next to proceed.
- Domain Name System (DNS) server
- Global Catalog (GC)
- Read only domain controller (RODC)
- On the RODC Options page, specify the following options:
- A delegated administrator account or group that will manage the RODC. It becomes a local administrator of this RODC only; it does not need Domain Admins rights.
- Accounts that are allowed to replicate their passwords to the RODC.
- Accounts that are denied from replicating their passwords to the RODC.
- For this lab, add RODCAdmin, the account created earlier, as the delegated administrator and click Next to proceed.
- On the Additional Options page, you can choose Install from media (IFM) to build the RODC from media exported on an existing DC instead of replicating everything over the WAN; configuring an additional DC with IFM is covered in a separate post. Otherwise leave the defaults and click Next.
- On the Paths page, click Next to reach the Prerequisites Check page. Verify that all prerequisite checks passed and click Install to begin the installation. Warnings (for example that a DNS delegation could not be created) can be reviewed and ignored in this lab; an error must be fixed before you proceed.
- When the installation completes, the server reboots automatically. Sign in as MCSALAB\RODCAdmin, the delegated administrator account specified during the RODC installation; it can sign in to and administer SERVER1 locally without being a Domain Admin.
- You have now successfully installed and configured an RODC on SERVER1.
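The same deployment can be scripted, which is how it is usually done for many branch offices. The script below is an added example and not part of the original post; it follows the lab names used here (MCSALAB.local, DC1 at 10.0.0.100, SERVER1 at 10.0.0.101, RODCAdmin). The network adapter alias Ethernet and the site name Default-First-Site-Name are assumptions; adjust them to your environment. The explicit Deny list passed to Install-ADDSDomainController is the same default list the wizard applies.

```powershell
# Added example (not from the original post): the RODC deployment above done from PowerShell.
# Lab names from this post: MCSALAB.local, DC1 (10.0.0.100), SERVER1 (10.0.0.101), RODCAdmin.
# Assumptions: adapter alias 'Ethernet', AD site 'Default-First-Site-Name'.

# ---- Part 1: run on DC1 (writable DC) as a domain administrator ----
Import-Module ActiveDirectory
$rodcAdminPw = Read-Host -AsSecureString 'Password for RODCAdmin'
New-ADUser -Name RODCAdmin -SamAccountName RODCAdmin -AccountPassword $rodcAdminPw -Enabled $true
# Allow its password to be cached on RODCs. Do NOT add it to Server Operators or another
# denied group: Deny overrides Allow and the password would never be cached.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members RODCAdmin

# ---- Part 2: run on SERVER1 as a local administrator, before the domain join ----
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 10.0.0.101 -PrefixLength 8
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 10.0.0.100
# Quick check that the DC locator will work: the LDAP SRV record must resolve via DC1.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.MCSALAB.local' -Type SRV
Add-Computer -DomainName MCSALAB.local -Credential 'MCSALAB\Administrator' -Restart

# ---- Part 3: run on SERVER1 after the reboot, signed in as MCSALAB\Administrator ----
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$cred = Get-Credential -UserName 'MCSALAB\Administrator' -Message 'Domain credentials for promotion'
$dsrm = Read-Host -AsSecureString 'DSRM password'

# The wizard's Prerequisites Check, as a separate step so errors can be fixed first.
Test-ADDSDomainControllerInstallation -DomainName MCSALAB.local -Credential $cred `
    -ReadOnlyReplica -SiteName 'Default-First-Site-Name' -InstallDns `
    -SafeModeAdministratorPassword $dsrm

# Promote as RODC + DNS + GC (GC is on by default), delegated to RODCAdmin.
# -SiteName is mandatory for an RODC. -Force suppresses the confirmation prompts;
# the server reboots on completion.
Install-ADDSDomainController `
    -DomainName MCSALAB.local `
    -Credential $cred `
    -ReadOnlyReplica `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns `
    -ReplicationSourceDC DC1.MCSALAB.local `
    -DelegatedAdministratorAccountName 'MCSALAB\RODCAdmin' `
    -AllowPasswordReplicationAccountName @('MCSALAB\Allowed RODC Password Replication Group') `
    -DenyPasswordReplicationAccountName  @('BUILTIN\Administrators',
                                           'BUILTIN\Server Operators',
                                           'BUILTIN\Backup Operators',
                                           'BUILTIN\Account Operators',
                                           'MCSALAB\Denied RODC Password Replication Group') `
    -SafeModeAdministratorPassword $dsrm `
    -Force
```

Keep the DSRM password in a vault rather than in the script: it is a local administrator credential for the offline directory on that server and is exactly what an attacker with physical access to a stolen branch DC would want.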
Verifying RODC Configuration
In order to verify and test that our RODC server is configured successfully and functioning properly, we will explore some of the RODC verification tasks.
How to view the current credentials that are cached on an RODC?
To view the credentials that are cached on an RODC, perform the following steps on DC1, the writable domain controller.
- Open the Active Directory Users and Computers window, expand the Domain Controllers node, and then open the Properties of your RODC server (SERVER1).
- Select the Password Replication Policy tab and click Advanced.
- The Advanced dialog box opens with Accounts whose passwords are stored on this Read-only Domain Controller selected; these are the accounts whose credentials are currently cached on this RODC.
Note: Before any user has authenticated through it, the only passwords stored on an RODC are those of its own computer account and of its RODC-specific krbtgt account (krbtgt_<number>), which it uses to issue Kerberos tickets. The domain-wide krbtgt password is never replicated to an RODC.
Wait a minute! Where is your RODCAdmin account?
- Change the drop-down to Accounts that have been authenticated to this Read-Only Domain Controller. RODCAdmin appears here because it signed in through SERVER1. An account's password is stored on the RODC only when the PRP resolves to Allow for it at the time it authenticates; if it also matches a Deny entry (for example through membership in Server Operators or Account Operators), Deny wins and the password is never cached. You can also click Prepopulate Passwords in this dialog to cache an allowed account's password before its first logon at the branch.
- To add specific users, groups, or computers to the Allow or Deny list of this RODC, click Add on the Password Replication Policy tab and choose whether to allow or deny password replication for the selected accounts.
- Close the Properties dialog box and any other open windows.
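The same verification, plus the prepopulation step, from PowerShell. This is an added example and not part of the original post; it assumes SERVER1 is the RODC, DC1 the writable DC, and that RODCAdmin sits in the default Users container (CN=RODCAdmin,CN=Users,DC=MCSALAB,DC=local), an assumption based on how the account was created above.

```powershell
# Added example (not from the original post): inspect what an RODC has cached and what it
# has authenticated, then prepopulate an allowed account. Run on DC1 with RSAT-AD-PowerShell.
# Assumes the RODCAdmin DN below (default Users container).
Import-Module ActiveDirectory

$rodc        = 'SERVER1'
$sourceDc    = 'DC1'
$rodcAdminDn = 'CN=RODCAdmin,CN=Users,DC=MCSALAB,DC=local'   # assumption

# Accounts whose passwords are stored on the RODC (msDS-RevealedList). On a fresh RODC expect
# only its own computer account and its krbtgt_<number> account.
Write-Host "--- Passwords stored on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# Accounts that have authenticated through the RODC, cached or not
# (msDS-AuthenticatedToAccountlist). RODCAdmin shows up here after its first logon.
Write-Host "--- Accounts authenticated via $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# Put RODCAdmin on this RODC's own Allow list (in addition to, or instead of, the
# domain-wide Allowed RODC Password Replication Group membership).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList RODCAdmin

# Prepopulate the password now so the branch can authenticate RODCAdmin even when the WAN
# link to DC1 is down. repadmin ships with the AD DS tools; it takes account DNs.
repadmin /rodcpwdrepl $rodc $sourceDc $rodcAdminDn

# Anything in the revealed list that should not be there is a finding: if this RODC is
# ever stolen, every account on that list needs a password reset.
Write-Host "--- Passwords stored on $rodc after prepopulation ---"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

If repadmin reports that the account is not allowed, the effective PRP is still Deny for it; fix the group membership first rather than adding more Allow entries, since Deny always wins.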
That's all you need to install and configure an RODC in Windows Server 2016. The same steps also work on Windows Server 2012 and 2012 R2. A separate post covers how to protect your Active Directory accounts if an RODC is stolen: the accounts on its revealed (cached passwords) list are the ones whose passwords must be reset.