Join Ed Liberman for an in-depth discussion in this video Install a read-only domain controller (RODC), part of Windows Server 2012 R2: Configure and Manage Active Directory.
- Because domain controllers are such a crucial component to any network, it is important that they are protected with a high degree of security. Occasionally however, you may be faced with a situation where security is low, but yet a domain controller is still needed. This is where a read-only domain controller can be useful. So let's take a look at how to install a read-only domain controller. Here I have three computers running, DC-1, 2, and 3. DC's 1 and 2 are already running as domain controllers in our environment, and DC-3 is a member server.
So we're going to go over to DC-3 and promote it to becoming a read-only domain controller. Here on DC-3, I am logged in as the domain administrator, and we're in the Server Manager, and in order to promote this to being a domain controller, the first thing I have to do is add the Active Directory domain services role, so I'm going to click on Add roles and features. Here we get a very typical Before you begin screen, where it just reminds us that we need to do certain things before we install any roles, so I will go ahead and click Next.
This is a role-based installation, so I can keep this as selected and click Next. Here I need to choose what machine I'm actually going to do the installation on, and it is DC-3, so I can just click Next. And this is where I get to choose the actual role, so as I mentioned a moment ago, we need to do Active Directory Domain Services. When I check that box, you'll see that another dialog box opens up, telling us that we have additional features that are required as part of this installation.
So I will come down here and click on the Add Features button to get those added as part of this installation, and then we'll go ahead and click Next. This takes us to a screen where we can add additional features if we wanted to do so. There is nothing else I need to add at this point, so I will just click Next. Here's an overview of what Active Directory Domain Services is, since that's what we're installing. Just click Next. And we finally get to a confirmation screen. On this screen, I am going to check the box to restart the destination server if it's required.
When I do this, another dialog box will pop out warning us, saying, "Hey, because this could be done remotely, "there might be a reboot, "and someone might be on that computer." In this case, it's the machine I'm actually on, so I'm just going to say Yes, that's perfectly fine. And then I'm going to click the button to Install. Now at this point, you may have noticed, that nothing is really any different than installing any other domain controller, 'cause this is just installing the role itself. It's once this process has completed, that we then go into promoting to a domain controller, that we'll get to make the selection to making this a read-only domain controller.
Now while we wait for just a moment here, 'cause this can take a few moments to go across the screen and get this installed, let's talk about some of those environments where we may have low security. Let's say a remote branch office, a small remote branch office that maybe doesn't have a complete IT staff, and even if they do, maybe doesn't have secure server rooms and things of that nature. That's a very typical environment where we may be installing one of these read-only domain controllers. Now as you can see here, my installation has completed, and at this point I have a link to Promote this server to a domain controller.
If you are following along, if you're trying to do this with me, and your system's not at this point yet, then please pause the video until you get to this point, and then you can continue with me. But I'm going to click the link here to Promote this server to a domain controller. This takes us into the Active Directory Domain Services Configuration Wizard. We want to Add a domain controller to an existing domain, and I want to emphasize that that's the only option when doing a read-only domain controller. You can't have a read-only domain controller until after you have existing, full functional, domain controllers in place.
So we're going to add a domain controller to the existing domain landonhotel.local. We want to use the credentials of the LANDONHOTEL\administrator, so everything is correct the way we see it. I'm going to click on Next. This is the screen where we get to now decide a little bit about this domain controller. First selection is do we want it to be a DNS server. It is typically recommended that domain controllers also be DNS servers. We have a choice of whether we want to be a global catalog server or not, and again, different environments will call for whether you do or don't want to be a global catalog server, but I wouldn't worry too much about that for right now.
We're just going to leave that checked. The one that we do care about is right down here where it says Read-only domain controller. I'm going to check that box, because I do want to be a read-only domain controller. Then from there I have to enter in the Directory Services Restore Mode password, just as we would with any other domain controller. So I'm going to enter that in right now. And it doesn't matter what you do as long as you do the same password in both boxes. Click Next. Now here is a screen where we have a little bit additional functionality, and a little bit extra control, and some extra security measures, with our read-only domain controller.
I'm going to take all the defaults right now, as far as delegation of administration, as well password replication, 'cause that is covered in a different lesson. So I'm going to take all the defaults and click Next. Here, we need to decide where we're going to replicate the information from, what other domain controller are we going to pull the database from? The default is Any domain controller, but if I click this dropdown, you'll see here that we have the choice of DC-1 or DC-2, those are our other domain controllers. If I knew that one of those was maybe a better connection, or closer to me, then I could select it, but otherwise just take the default of Any domain controller.
Then I'll click Next. Here I specify the location of our database and log files, just as we would with any other domain controller. I'm going to take the defaults for this example. Click Next. Here's just a quick review of everything that we're doing. As long as it all looks good, I can click Next. It'll go through a Prerequisite check, I want to point out that you don't want to be alarmed by these different warning boxes. There will be certain warnings about certain things, you should read them, but as long as you get the green circle with the checkmark up here, then everything is okay to begin the installation.
So I'm going to go ahead and click Install. And at this point, it's going to go through, and again, you'll see these warning boxes, they will match the warning boxes that we saw during the prerequisite check. But it is now going to go through the process of promoting this machine to becoming a domain controller. Now this process can take a few moments, and depending on the speed of different machines, some take longer than others. So I will continue as soon as this process has completed, and we've rebooted and signed back in.
Okay, so as you can see, we have completed the reboot process, so I am going to select to login as the LANDONHOTEL\administrator. And at this point, we are pretty much done. It will log back into the Server Manager by default. If you are at all new to Windows Server 2012, I do want to point out any of the red boxes that you see here that look like some kind of error is going on, technically that is why they're red, but I just want you to know that is typical, especially in a domain controller, when you first boot up the machine.
They're just delayed service starts, eventually these errors will go away on their own. But in the meantime, if I want to verify that we are complete, I will click on the Tools menu, and I will select any of the Active Directory tools, such as Users and Computers. And in this tool, if I'm able to see my domain, and all of my objects, and all the information, that means I am a domain controller. So that means that I have successfully installed a read-only domain controller.
And so as you can see, this installation process of a read-only domain controller, it was fairly straightforward. Really not that much different than any other domain controller. So I want you to keep in mind that the next time you have a need to install a domain controller in a location with low security, I want you to consider a read-only domain controller as an option.
Ed Liberman shows how to configure service authentication, domain controllers, and account policies, and maintain Active Directory so that it remains stable and secure. He'll cover virtualizing domain controllers, Active Directory backup and recovery, password policy management, and Kerberos policies and delegation.
- Installing read-only domain controllers
- Configuring virtual domain controllers
- Backing up Active Directory
- Recovering Active Directory
- Configuring account policies: password, lockout, and Kerberos
- Configuring service accounts
- Managing service accounts