It is called a Read-Only Domain Controller (RODC) because it can read all of the Active Directory information but cannot write or edit any of it.
Now you may be wondering why Microsoft created the RODC, and why it is still called a Domain Controller.
An RODC is meant for locations where the servers are less secure and a full domain controller would put all of the directory data at risk. If someone takes the server or finds a way to access the RODC, they cannot make any changes to the directory; they can only read it.
It is still called a Domain Controller because, while creating an RODC, the Server Administrator can specify which roles the RODC Admin is allowed and which are denied over that RODC.
If the Server Administrator allows some of those rules so that the RODC controls that branch, it can then be called a Domain Controller, but only the Domain Controller of the OU that the Server Administrator delegated to it.
Things to Know Before Installing
- I’m using VMware Workstation Pro.
- I have already installed two Windows Server 2016 machines. One of them is a Domain Controller on which I have configured the prerequisites such as AD DS, DNS, and DHCP; on the second server I have only installed AD DS and have not configured it.
- I have already created a user for the RODC by the name of Abbas.
- Both servers are on the same VMnet4 network so they can connect to each other.
Create Pre-Staged Read-Only Domain Controller (RODC)
Step 1. Open Active Directory Users & Computers from the Tools menu of Server Manager, or type dsa.msc in the Run dialog box.
Step 2. Right-click the Domain Controllers Organizational Unit and select Pre-create Read-only Domain Controller account.
Step 3. On the Welcome page of the Active Directory Domain Services Installation Wizard, check Advanced Mode Installation and click Next.
Step 4. On the Network Credentials page, specify the account credentials: either the credentials you are currently logged on with on this server, or an alternate set of credentials.
In this case I will use my current logged-on credentials, and when I am done I will click Next.
Step 5. Type the name of the computer that will become the Read-only Domain Controller. When you are done, click Next.
Step 6. Next, place the RODC in the default Active Directory site. When you are done, click Next and wait until the DNS examination completes.
Step 7. On the Additional Domain Controller Options page you can uncheck DNS server and Global Catalog, but I recommend leaving the defaults as they are.
When you are done, click Next.
Step 8. Now you are on the Password Replication Policy page. Here you can allow or deny password replication for the specified groups and accounts.
Accounts on the Allow list will have their passwords cached on the RODC; this is the default policy. I also recommend leaving it as the default and clicking Next.
Step 9. Now specify the user or group whose replicated passwords should be cached. I only allowed the RODC in Step 8.
To add the user or group, click Set, type the name, and click OK when you are done.
Step 10. Review the settings you have just configured. If they are fine, click Next.
Note: You can also export the settings you have just configured and save them anywhere you like.
Step 11. Click Finish to complete creating the RODC account.
Now that you have the pre-staged RODC, you can see it listed in the Domain Controllers OU with the status Unoccupied.
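The same pre-staging can be done with the ADDSDeployment module, which also makes the resulting Password Replication Policy easy to review. This is an added example and not from the original article; the domain name techroze.local (NetBIOS TECHROZE), the RODC name RODC01 and the group Branch-Users are assumptions, and it is run on the writable DC (DC01).

```powershell
# Added example, not from the original article: pre-stage the RODC account
# with PowerShell (the equivalent of Steps 2-11 in dsa.msc) and then review
# the Password Replication Policy (PRP) that was written. Run on DC01.
# Assumed names: domain techroze.local (NetBIOS TECHROZE), RODC computer
# name RODC01, delegated admin Abbas, branch group "Branch-Users".
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$domain  = 'techroze.local'           # assumption: the article does not name it
$netbios = 'TECHROZE'                 # assumption
$rodc    = 'RODC01'                   # assumption: the name typed in Step 5
$site    = 'Default-First-Site-Name'  # the default site used in Step 6

# Allowed accounts may have their password hashes cached on the RODC; Denied
# always wins over Allowed, so privileged groups stay on the Denied list.
$allow = @("$netbios\Allowed RODC Password Replication Group",
           "$netbios\Branch-Users")
$deny  = @("$netbios\Denied RODC Password Replication Group",
           'BUILTIN\Administrators',
           'BUILTIN\Account Operators',
           'BUILTIN\Server Operators',
           'BUILTIN\Backup Operators')

# -DelegatedAdministratorAccountName lets Abbas attach and administer this one
# RODC without being a Domain Admin (the "Set" button in Step 9).
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodc `
    -DomainName $domain `
    -SiteName $site `
    -InstallDns:$true `
    -DelegatedAdministratorAccountName "$netbios\Abbas" `
    -AllowPasswordReplicationAccountName $allow `
    -DenyPasswordReplicationAccountName $deny

# The object now appears as Unoccupied under the Domain Controllers OU;
# managedBy holds the delegated administrator.
Get-ADComputer -Identity $rodc -Properties managedBy |
    Select-Object Name, DistinguishedName, managedBy

# Review what may be cached before the server leaves for the branch office.
'--- Allowed to cache ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, objectClass
'--- Denied (never cached) ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, objectClass
```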
Install Existing RODC on Server 2016
Step 1. Install Active Directory Domain Services on the server that you want to configure as the RODC.
Step 2. Click the notification flag at the top of Server Manager and select Promote this server to a domain controller.
Step 3. Now you are on the Deployment Configuration page. Type the domain name, then supply user credentials. I will use the account I already created by the name of Abbas.
Note: There are three options for the configuration:
- Add a domain controller to an existing domain.
- Add a new domain to an existing forest.
- Add a new forest.
If you have visited Techroze.com, I have already written an article about How to Install & Uninstall an Existing Domain Controller on Server, but this time I will show you how to install an existing RODC on Server 2016.
Step 4. On the Domain Controller Options page there is a yellow status message saying that a pre-staged RODC with this information already exists in the directory, which is why the options for specifying the domain controller are disabled.
Since those options are disabled, Server 2016 gives us a second chance to reinstall the pre-staged RODC, but I’m not interested in that; I will select Use an Existing Account.
After that, type the Directory Services Restore Mode (DSRM) password and, when you are done, click Next.
Step 5. On the Additional Options page there are two options:
- Install from Media (IFM).
- Specify additional replication options.
What is Install from Media (IFM)?
IFM is an option that works without a network connection to the source server. Instead, you use a USB drive or an HDD: you copy the NTDS.dit information to the media with a command-line tool, then on the second server you perform the steps up to this point, choose Install from Media, and browse to the folder.
Specify additional replication options:
The replication option requires a network connection to the source server over a Wide Area Network (WAN) or a Local Area Network (LAN). Don’t worry, I will walk through this with a step-by-step guide.
If you are following along with the replication option, click Next.
Step 6. By default, NTDS.dit and the rest of the Active Directory information will be stored in the default locations set by the server. You can change them if you wish.
Step 7. Now review the options and settings you have applied and, when you are satisfied, click Next.
Step 8. After that, the server will check the prerequisites for the role. Once the prerequisites check passes, click Install to install the existing RODC, then wait until the server restarts.
When the server restarts, go ahead and try to create a new user on the RODC server.
Can you create a new user? I bet you can’t.
If you switch back to the Domain Controller (DC01), the RODC is no longer shown as Unoccupied; instead it shows Read-only, GC.
That’s all. I hope this article helped you with How to Create a Pre-Staged Read-Only Domain Controller (RODC) on Server 2016.