Deploying a Windows Server 2016 read-only domain controller (RODC) with PowerShell

A read-only domain controller (RODC) is an Active Directory (AD) feature first introduced in Windows Server 2008. In this post, I describe how to deploy an RODC on Windows Server 2016 using PowerShell.
By Karim Buzdar

An RODC is a domain controller (DC) that holds a read-only copy of the Active Directory database and the SYSVOL folder. It supports unidirectional replication only: it pulls data from its replication partner when that data changes on a writable domain controller, and never pushes changes back. Enterprises typically deploy RODCs in branch offices where they cannot guarantee the physical security of the server.

RODC characteristics

The following characteristics distinguish RODCs from writeable DCs (RWDCs):

  1. Clients cannot perform write operations against an RODC, because it holds a read-only copy of the AD database.
  2. An RODC does not replicate AD or SYSVOL folder data to RWDCs.
  3. An RODC holds a complete copy of the AD database, except for credentials and credential-like attributes, known as the filtered attribute set (FAS).
  4. When an RODC receives an authentication request from users in the branch site, it forwards the request to a writeable domain controller. Learn more about the authentication process on RODCs here.
  5. An RODC can cache the credentials of least privileged users to provide better authentication performance for branch users. If the RODC has a Password Replication Policy that allows caching and has already cached the credentials, it processes the authentication request locally. Find out more about credential caching and the FAS here.
  6. It is possible to delegate RODC administration rights to ordinary domain users. Learn more about those RODC administration operations here.

Deploying an RODC


Before you deploy an RODC, you need at least one writeable domain controller in your environment. In addition, the following conditions must be met:

  1. The administrator account has a strong password.
  2. The server has a static IP address.
  3. The server has the latest Windows updates installed.
  4. The preferred DNS server IPv4 address is configured and points to the writeable DC.

Installing the Active Directory Domain Service

First, you need to install the Active Directory Domain Services (AD DS) role on your Windows Server 2016 computer. To do so, run the following PowerShell command and wait for the installation to finish.

 Install-WindowsFeature AD-Domain-Services

If everything went well, you will end up with the result that the screenshot below displays.

Installing the AD DS role

Promoting a domain member to an RODC

The next step is to promote the server to an RODC with its own DNS server and global catalog by running the command below. It will prompt you for the DSRM (Directory Services Restore Mode) password and for credentials that have permission to add this DC to the domain.

 # Replace <domain FQDN> with your AD domain name, e.g. the domain the writeable DC belongs to
 Install-ADDSDomainController -Credential (Get-Credential) -DomainName "<domain FQDN>" -InstallDNS:$true -ReadOnlyReplica:$true -SiteName "Default-First-Site-Name" -Force:$true

You use the same cmdlet (Install-ADDSDomainController) to deploy a writable DC. The only difference is the ReadOnlyReplica parameter, which configures the domain controller as an RODC. If you do not specify the paths to the Active Directory log, the database, and the SYSVOL folder, the cmdlet uses the default paths.

After the command completes and the server has been successfully promoted to an RODC, the server restarts automatically.

Promoting a server to an RODC

Configuring RODC password caching

The new RODC is still relying on a writeable DC to authenticate branch users and computers. To have the RODC authenticate user and computer accounts itself, you need to make sure that it caches the corresponding credentials. For this, you configure the Password Replication Policy (PRP) so that the credentials are replicated to and cached on the RODC for subsequent authentications.
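As an added example (not code from the original post), the following PowerShell allows a branch user group to be cached on the RODC and then audits the resulting policy; the RODC name BRANCH-RODC1 and the group Branch-Users are assumed placeholders.

```powershell
# Added example, not part of the original post. Assumed names: RODC "BRANCH-RODC1"
# and branch user group "Branch-Users"; replace both with your own values.
Import-Module ActiveDirectory

$RodcName    = 'BRANCH-RODC1'
$BranchGroup = 'Branch-Users'

# Confirm the target really is an RODC before changing its policy.
$rodc = Get-ADDomainController -Identity $RodcName
if (-not $rodc.IsReadOnly) {
    throw "$RodcName is not a read-only domain controller."
}

# Allow only the branch users' credentials to be replicated to and cached on the RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -AllowedList $BranchGroup

# Review the resulting policy. The default Denied list (Domain Admins, Enterprise Admins,
# Account Operators, ...) should stay in place so that privileged credentials are never
# cached on a DC whose physical security cannot be guaranteed.
Write-Host "Allowed to cache on ${RodcName}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
    Select-Object Name, ObjectClass

Write-Host "Denied from caching on ${RodcName}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied |
    Select-Object Name, ObjectClass

# Audit which credentials are actually stored on the RODC right now. If the branch
# server is ever lost or compromised, these are the accounts whose passwords must be reset.
Write-Host "Credentials currently revealed to ${RodcName}:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName
```

Run this from a machine with the ActiveDirectory RSAT module against a writeable DC; the PRP is stored on the RODC's computer object and is only editable on a writeable DC.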
