Install and Configure Rodc Using Windows Server 2012


Pinoy Techie
Hi all, Today lets go through a step by step on how you as Server Admin can install & configure RODC using Windows Server 2012 R2 in your environment.

But 1st, let see what is RODC all about, a little bit of explanation…

RODC @ Read-Only Domain Controllers – provide an alternative to a fully writable domain controller. In many scenarios, such as a remote branch office or a location where a server cannot be placed in a secure physical environment, RODCs can provide the functionality of a domain controller without potentially exposing your AD DS environment to unnecessary risks.

You cannot make changes to the domain database on the RODC, because the AD DS database on the RODC does not accept modification requests from clients and applications. All requests for changes are forwarded to a writable domain controller. Because no changes occur on the RODC, replication of Active Directory changes is one way only from writable domain controllers to the RODC.

User and computer credentials are not replicated to an RODC by default. To use an RODC to enhance user logon, you need to configure a Password Replication Policy (PRP) that defines which user credentials can be cached. Limiting the credentials cached on the RODC reduces the security risks. If the RODC is stolen, only passwords for the cached user and computer accounts need to be reset.

Orait, that just a bit of explanation, more information about RODC please log in to @ you all most welcome come to my Windows Server 2012 R2 training that available every month around Malaysia.

So, for RODC demo, as usual for those who follow my blog, you should know that I always use my existing Hyper-V Infrastructure consists of few server such as ComSys Backup, ComSys DC01, ComSys Svr01, ComSys SVR-Core, ComSys-Svr2012R2-Core & my Client PC which is Surface01 running Windows 8 Enterprise.

But for this RODC demo, I had a new Server up & running which ComSys RODC (Comsys-RODC01.comsys.local). I will use this Comsys-RODC01.comsys.local as my RODC Server and RODC will replicated from my DC01…

So now lets get started…

1 – You need to verify requirements for installing a RODC in your environment. One of the important requirement is the forest functional level, verify that your forest functional level is set to Windows Server 2003 or newer. In my case, my forest functional level is already set to Windows Server 2012 R2.

To verify the forest functional level, log in to your AD Server, open Active Directory Users and Computers, right-click the Comsys.local domain, and then click Raise domain functional level and confirm that the Current domain functional level is set to Windows Server 2012 R2…



2 – Next, in Active Directory Users and Computers, right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account


3 – In the Active Directory Domain Services Installation Wizard box, click Next


4 – Click Next to accept the current credentials which is Comsys\Administrator…


5 – In the Computer name box, type Comsys-RODC01, and then click Next…


6 – On the Select a site box, click Next


7 – On the Additional Domain Controller Options box, verify that DNS Server and Global catalog is selected and click Next…


8 – On the Delegation of RODC Installation and Administration box, type COMSYS\IT Dept (my IT Dept group will be able to attach a server to the RODC account that I creating now) in the Group or user field, and then click Next…


9 – On the Summary page, click Next


10 – Click Finish to complete the process and in the Active Directory Users and Computers, click Domain Controller OU and you will see Comsys-RODC01 is listed



As at now, we done verify RODC requirement and delegate RODC Installation and Administration to IT Dept group…

Next, lets install RODC on the ComSys RODC server…

11 – Log on to Comsys-RODC01 server


12 – open Server Manager, click Manage, and then click Add Roles and Features


13 – In the Add Roles and Features box, click Next


14 – Ensure that Role-based or feature-based installation is selected, and then click Next…


15 – Select Comsys-RODC01, and then click Next…


16 – On the Select server roles box, select the check box to select Active Directory Domain Services, click Add Features, and then click Next…


17 – On the Select features box, click Next…


18 – Click Next, and then click Install to proceed with the installation…



19 – wait for few minutes for the installation to complete…


20 – After the installation complete, on the Installation progress box, click Promote this server to a domain controller…


21 – In the Deployment Configuration box, verify that you select Add a domain controller to an existing domain, then click Select…


22 – In the Windows Security box, type comsys\morgan (Morgan is my user in IT dept) for User name and enter the password for Morgan, and then click OK…


23 – verify also under Specify the domain information for this operation,Comsys.local domain is selected and then click Next…


24 – Next, in the Domain Controller Options box, under Type the Directory Services Restore Mode (DSRM) password, type your password in the Password and Confirm password fields, and then click Next…


25 – On the Additional Options box, beside Replicate from, click the drop-down box, click DC01.Comsys.local, and then click Next…


26 – On the Paths box, click Next to proceed…


27 – On the Review Options box, click Next


28 – On the Prerequisites Check box, verify that all prerequisite checks passed successfully and then click Install and after the ADDS process has completed, Comsys-RODC01 server will restart.


Once the Comsys-RODC01 server restart, we need to configure password-replication groups

** a password replication policy (PRP) determines which user and computer credentials can be cached on a specific RODC.

29 – Log on to DC01 server, open Active Directory Users and Computers, click the Users container, double-click Allowed RODC Password Replication Group


30 – then click the Members tab, and then verify that there is nothing listed


31 – Next, click the Domain Controllers OU, right-click COMSYS-RODC01, and then click Properties…


32 – Click the Password Replication Policy tab, and confirm that Allowed RODC Password Replication Group and Denied RODC Password Replication Policy Group are both listed


Next, lets create a group to manage password replication to our branch office RODC server (COMSYS-RODC01)…

33 – in Active Directory Users and Computers, right-click the Production OU, click New, and then click Group…


34 – In the New Object – Group window, type Comsys Branch Office Users in the Group name field, confirm that Global and Security are selected, and then click OK…


35 – In Active Directory Users and Computers, click the Production OU, and then double-click the Comsys Branch Office Users group, then in the Comsys Branch Office Users Properties box, click the Members tab and add few members such as Bart, Booby, Marko and Surface01 laptop


Next, we also need to configure a password-replication policy for the branch office RODC server (COMSYS-RODC01)…

36 – in Active Directory Users and Computers, click the Domain Controllers OU, right-click COMSYS-RODC01, and then click Properties, click the Password Replication Policy tab, and then click Add then In the Add Groups, Users, and Computers window, click the radio button to select Allow passwords for the account to replicate to this RODC, and then click OK.


37 – In the search window, in the Enter the object names to select field, type Comsys Branch Office Users and then click OK…


38 – In the COMSYS-RODC01 Properties box, click OK…


Next, lets evaluate the resulting password-replication policy for our RODC…

39 – in the COMSYS-RODC01 Properties box, on the Password Replication Policy tab, click Advanced


40- Click the Resultant Policy tab, then add user name Bart (Bart is my Production user), verify that the Resultant Setting for Bart is Allow…


41 – Next on the RODC Server (COMSYS-RODC01), sign in as comsys\bart. The sign in will fail, because Bart does not have permission to sign in to COMSYS-RODC01. However, the credentials for Bart’s account were processed and cached on COMSYS-RODC01.



42 – Log on back to Domain Server, in Active Directory Users and Computers, click the Domain Controllers OU, double-click COMSYS-RODC01, and then click the Password Replication Policy tab, on the Password Replication Policy tab, click Advanced and Notice that Bart’s account’s password has been stored on RODC.


Lastly, lets prepopulate credential caching (always remember, do not cache passwords for domain-wide administrative accounts

43 – On the Password Replication Policy tab, click Advanced, and then clickPrepopulate Passwords


44 – In the Select Users or Computers box, I add Bobby and my Surface01, then click OK


45 – Confirm that my user Bobby and Surface01 laptop have both been added to the list of accounts with cached credentials and then click Yes…



Orait, that’s all for today.. I recommend that you read more on this RODC, it’s a good function provided you understand when & where to implement it…

Similar threads

Top Bottom