How To Install And Configure RODC In Windows Server 2016

There are two types of domain controllers: writable domain controllers and read-only domain controllers (RODCs). A writable domain controller holds a full, writable copy of the Active Directory database. An RODC provides the same authentication and lookup services as a writable domain controller, but it holds a read-only copy of the database: it cannot modify Active Directory, and it does not store user credentials (password hashes) unless an administrator has explicitly allowed caching for those accounts. Remote branch offices, where the physical security of the server cannot be guaranteed, are the typical place to deploy an RODC: if the server is stolen, only the credentials it was allowed to cache are exposed. This post is a step-by-step guide to installing and configuring an RODC on Windows Server 2016.

RODC Password Replication Policies

To understand how an RODC works, you need to understand the RODC password replication policy (PRP). The PRP is a per-RODC policy made of two lists: accounts whose passwords the RODC is allowed to cache, and accounts whose passwords it must never cache. Two built-in domain groups seed these lists:

  1. Allowed RODC Password Replication Group.
  2. Denied RODC Password Replication Group.

By default, the denied list contains the following members, whose passwords an RODC never caches:

  • Enterprise Domain Controllers
  • Enterprise Read-Only Domain Controllers
  • Group Policy Creator Owners
  • Domain Admins
  • Cert Publishers
  • Enterprise Admins
  • Schema Admins
  • Domain-wide krbtgt account
  • Account Operators
  • Server Operators
  • Backup Operators
  • Administrators

The first eight entries are members of the Denied RODC Password Replication Group; the last four (Account Operators, Server Operators, Backup Operators, Administrators) are listed explicitly in the default policy of every RODC. By default, the Allowed RODC Password Replication Group has no members. If an account matches both lists, directly or through nested group membership, the denied entry wins and the password is not cached.

Understanding RODC Lab Setup Topology

Now you have the basics of RODC. Here we are going to install and configure an RODC on Windows Server 2016. Before doing so, let's look at the lab setup we are going to follow:

We have a writable domain controller named DC1.MCSALAB.local that runs Windows Server 2016 and is configured with a static IPv4 address. We will use another server named SERVER1, also running Windows Server 2016 with a static IPv4 address, and promote it to an RODC.

Deploying RODC on Windows Server 2016

Preparing Primary Domain Controller To Deploy an RODC

We assume that you have already deployed DC1 as the first (writable) domain controller of the domain; that setup is covered in a separate post.

Now, create a user account named RODCAdmin on DC1 and make it a member of the Allowed RODC Password Replication Group. This account will be specified as the RODC's delegated administrator during promotion, which grants it local administrative rights on the RODC, so it can sign in to SERVER1 without membership in any privileged domain group. Do not add it to Server Operators or any other group on the denied list: Deny wins over Allow, so the account's password would never be cached and the RODC could not authenticate it when the WAN link to DC1 is down. If you need an unprivileged account to sign in locally to the RODC, grant it the "Allow log on locally" user right through Group Policy instead.
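The account preparation above, as an added PowerShell example (not part of the original post), run in an elevated session on DC1 as a Domain Admin. The names RODCAdmin and MCSALAB.local follow the post; the user's container (CN=Users) and description are assumptions, and the password is prompted for rather than embedded. The final check uses the LDAP_MATCHING_RULE_IN_CHAIN filter so that nested membership in the denied group is caught as well:

```powershell
# Added example (not from the original post): create the delegated RODC
# administrator on DC1 and allow its password to be cached by the RODC.
Import-Module ActiveDirectory

$domain   = Get-ADDomain -Identity 'MCSALAB.local'
$userName = 'RODCAdmin'
$userPath = "CN=Users,$($domain.DistinguishedName)"   # assumed container

# Prompt for the password instead of storing it in the script.
$password = Read-Host -AsSecureString -Prompt "Password for $userName"

if (-not (Get-ADUser -Filter "SamAccountName -eq '$userName'")) {
    New-ADUser -Name $userName -SamAccountName $userName `
        -UserPrincipalName "$userName@$($domain.DNSRoot)" `
        -Path $userPath `
        -AccountPassword $password -Enabled $true `
        -Description 'Delegated administrator for the branch RODC'   # assumed
}

# Allow the RODC to cache this account's password.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $userName

# Deny wins over Allow. Expand nested membership on the DC side
# (LDAP_MATCHING_RULE_IN_CHAIN) and warn if any denied group is matched.
$userDn = (Get-ADUser -Identity $userName).DistinguishedName
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)"
$deniedHits = $nested | Where-Object {
    $_.Name -in @('Denied RODC Password Replication Group',
                  'Account Operators', 'Server Operators',
                  'Backup Operators', 'Administrators')
}
if ($deniedHits) {
    Write-Warning ("{0} is in a denied group ({1}); its password will not be cached." -f
        $userName, ($deniedHits.Name -join ', '))
}

# Show the resulting direct group membership for the record.
Get-ADPrincipalGroupMembership -Identity $userName | Select-Object -ExpandProperty Name
```

The warning branch is exactly the trap of putting RODCAdmin into Server Operators: the account can still log on through DC1, but the RODC will never hold its password.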


Configuring RODC In Windows Server 2016

Now you are ready to install and configure an RODC for one of your branch offices. To do so on Windows Server, perform the following steps:

  1. Switch to the server that you want to configure as an RODC, in this case SERVER1. Configure a static IPv4 address and set DC1's IP address as the preferred DNS server, so that SERVER1 can locate the domain.
  2. Join SERVER1 to the MCSALAB.LOCAL domain and reboot the system.

    Note: If the domain join fails, confirm that SERVER1 can resolve and reach DC1 (for example, run nslookup MCSALAB.LOCAL and ping DC1.MCSALAB.local from SERVER1).

  3. Once SERVER1 has rebooted, sign in with the MCSALAB\Administrator account.
  4. Open the Server Manager console and launch the Add Roles and Features Wizard.
  5. Accept the default selections until the Select server roles page appears. Here, select the Active Directory Domain Services check box and complete the installation of the role binaries.
  6. In the Server Manager console, click the Promote this server to a domain controller link.
  7. On the Deployment Configuration page, make sure that the Add a domain controller to an existing domain option is selected and then click Next.
  8. On the Domain Controller Options page, select the following check boxes, set the Directory Services Restore Mode (DSRM) password and then click Next to proceed.
    • Domain Name System (DNS) server
    • Global Catalog (GC)
    • Read only domain controller (RODC)


  9. On the RODC Options page, specify the following options:
    • A delegated administrator account that will be responsible for managing the RODC.
    • Accounts that are allowed to replicate passwords to the RODC.
    • Accounts that are denied from replicating the passwords to the RODC.
  10. For this lab, add RODCAdmin, the account created earlier, as the delegated administrator account and click Next to proceed.
  11. On the Additional Options page, you can build the domain controller from a backup using Install From Media (IFM) instead of replicating everything over the network; configuring a domain controller from IFM is covered in a separate post. Otherwise, click Next.
  12. On the Paths page, click Next and proceed to the Prerequisites Check page. Verify that all prerequisite checks passed successfully and click Install to begin the installation. Warnings (such as the one about DNS delegation) may be ignored; a failed check must be resolved before installing.
  13. The system reboots once the RODC installation completes. Sign in as MCSALAB\RODCAdmin, the delegated administrator account specified during the installation.
  14. Now, you have successfully installed and configured RODC on SERVER1.
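The whole procedure above, as an added PowerShell example (not part of the original post), run on SERVER1. The addresses (SERVER1 192.168.1.20/24 on interface "Ethernet", gateway 192.168.1.1, DC1 at 192.168.1.10) and the site name Default-First-Site-Name are assumptions for the lab; replace them with your own. Steps 1 and 2 run before the domain-join reboot, the rest afterwards in an elevated session as MCSALAB\Administrator:

```powershell
# Added example (not from the original post): promote SERVER1 to an RODC
# from PowerShell. All IP addresses and the site name are assumed lab values.

# Step 1: static IPv4 settings, DNS pointed at DC1 so the domain can be located.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.168.1.20' `
    -PrefixLength 24 -DefaultGateway '192.168.1.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.1.10'

# Step 2: join the domain and reboot (prompts for Domain Admin credentials).
Add-Computer -DomainName 'MCSALAB.local' `
    -Credential (Get-Credential -UserName 'MCSALAB\Administrator' -Message 'Domain join') `
    -Restart

# ---- after the reboot, signed in as MCSALAB\Administrator ----

# Steps 4-5: install the AD DS role binaries (Add Roles and Features Wizard).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Steps 6-12: promotion. -ReadOnlyReplica is the RODC check box; DNS server
# and Global Catalog are enabled by default. The delegated administrator and
# the allow/deny lists correspond to the RODC Options page. The deny list is
# the default one from the wizard plus the domain's Denied group; Deny wins
# over Allow for any account that matches both.
$dsrm  = Read-Host -AsSecureString -Prompt 'DSRM password'
$cred  = Get-Credential -UserName 'MCSALAB\Administrator' -Message 'Promotion'
$allow = @('MCSALAB\Allowed RODC Password Replication Group', 'MCSALAB\RODCAdmin')
$deny  = @('BUILTIN\Administrators', 'BUILTIN\Server Operators',
           'BUILTIN\Backup Operators', 'BUILTIN\Account Operators',
           'MCSALAB\Denied RODC Password Replication Group')

# Run the prerequisite check first (same checks as the wizard's Prerequisites page).
Test-ADDSDomainControllerInstallation -DomainName 'MCSALAB.local' -ReadOnlyReplica `
    -SiteName 'Default-First-Site-Name' -SafeModeAdministratorPassword $dsrm -Credential $cred

Install-ADDSDomainController `
    -DomainName 'MCSALAB.local' `
    -ReadOnlyReplica `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns:$true `
    -ReplicationSourceDC 'DC1.MCSALAB.local' `
    -DelegatedAdministratorAccountName 'MCSALAB\RODCAdmin' `
    -AllowPasswordReplicationAccountName $allow `
    -DenyPasswordReplicationAccountName $deny `
    -SafeModeAdministratorPassword $dsrm `
    -Credential $cred `
    -Force   # suppress the confirmation prompt; the server reboots when done
```

Install-ADDSDomainController reboots the server automatically unless -NoRebootOnCompletion is given, matching step 13 of the wizard. Keeping the delegated administrator out of the deny list is what makes the later "cached credentials" check succeed.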

Verifying RODC Configuration

In order to verify and test that our RODC server is configured successfully and functioning properly, we will explore some of the RODC verification tasks.

How to view the current credentials that are cached on an RODC?

To view the credentials that are cached on an RODC, perform the following steps on DC1, the writable domain controller.

  1. Open the Active Directory Users and Computers window, expand the Domain Controllers node, and then open the Properties of your RODC server (SERVER1).
  2. Select the Password Replication Policy tab and click Advanced.
  3. In the Advanced dialog box, you will see the accounts whose credentials are currently cached on this RODC.

    Note: By default, the only credentials cached on an RODC are those of the RODC's own computer account and of the RODC-specific krbtgt account (named krbtgt_ followed by a number) that the RODC uses to issue Kerberos tickets.

    Wait a minute! Where is your RODCAdmin account? A password is cached only after the account authenticates through the RODC and the policy allows it. If RODCAdmin has signed in via SERVER1 and its password is still not listed, check whether the account is a member of a denied group (Deny wins over Allow), or click Prepopulate Passwords to push the password from the writable domain controller without waiting for a logon.

  4. To see the RODCAdmin account, select the Accounts that have been authenticated to this Read-Only Domain Controller option and view the result.
  5. To add specific users, groups, or computers to the Allowed or Denied list, click Add and select the desired RODC policy.
  6. Close the Properties dialog box and all other open windows.
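The same verification from PowerShell on DC1, as an added example (not part of the original post). The ActiveDirectory module cmdlets below map onto the dialog tabs, and the Test-RodcPasswordCachingAllowed function is an added helper that resolves the resultant policy for one account the way the RODC does (Deny wins over Allow, nested groups expanded with LDAP_MATCHING_RULE_IN_CHAIN; well-known SIDs such as Enterprise Domain Controllers are not expanded). The account name BranchUser1 in the Add step is an assumption:

```powershell
# Added example (not from the original post): inspect and adjust SERVER1's
# password replication policy from DC1, then prepopulate a password.
Import-Module ActiveDirectory
$rodc = 'SERVER1'

# Password Replication Policy tab: allowed and denied entries.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, objectClass

# Advanced dialog, default view: accounts whose passwords are cached right now.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, objectClass

# Advanced dialog, second view: accounts that have authenticated through the RODC.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, objectClass

# Resultant policy for one account (added helper, not a built-in cmdlet).
function Test-RodcPasswordCachingAllowed {
    param([Parameter(Mandatory)][string]$Rodc,
          [Parameter(Mandatory)][string]$SamAccountName)

    $user   = Get-ADUser -Identity $SamAccountName
    # All groups the user belongs to, including nested ones, resolved on the DC.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $principals = @($user.DistinguishedName) + @($groups | ForEach-Object DistinguishedName)

    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  |
               ForEach-Object DistinguishedName
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
               ForEach-Object DistinguishedName

    # Deny wins over Allow; an account on neither list is not cached either.
    if ($principals | Where-Object { $denied  -contains $_ }) { return $false }
    if ($principals | Where-Object { $allowed -contains $_ }) { return $true }
    return $false
}

Test-RodcPasswordCachingAllowed -Rodc $rodc -SamAccountName 'RODCAdmin'   # $true if set up as described

# Step 5 equivalent: add an account to the Allowed list (BranchUser1 is assumed).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'BranchUser1'

# "Prepopulate Passwords" equivalent: push RODCAdmin's password from DC1 now,
# so the RODC can authenticate it even before the first logon through SERVER1.
$dn = (Get-ADUser -Identity 'RODCAdmin').DistinguishedName
repadmin /rodcpwdrepl $rodc DC1 "$dn"

# Confirm it is now in the cached (revealed) set.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object SamAccountName -eq 'RODCAdmin'
```

Running the helper against a privileged account such as a Domain Admin returns $false even if that account was added to the Allowed list, which is the behaviour you want for a server sitting in an unguarded branch office.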

That's all you need to install and configure an RODC on Windows Server 2016. The same steps can also be used to deploy an RODC on Windows Server 2012/R2. If you want to go further with RODC, a separate post covers how to secure your Active Directory accounts if an RODC in your organization is stolen.
