Sunday, November 16, 2008

Staged installation of a Read-Only Domain Controller (RODC)

RODCs are one of the new features of Windows Server 2008 Active Directory. I'm sure you know by now what an RODC is and how it can serve you. The easiest way to deploy an RODC is the typical installation, or Direct Installation as Microsoft calls it: a simple dcpromo, next, next, finish.

However, you can also have a regular user install an RODC in a branch office without giving him any extra permissions. That is done with the Staged Installation, where a regular domain user without privileged permissions performs the last stage of the RODC deployment.

First, we have to prepare our AD for the upcoming RODC deployment. This part is done on a Domain Controller and therefore needs to be performed by a domain administrator. Needless to say, this is the bulk of the work.

A) Preparing the AD for the RODC account
1. Open the Active Directory Users and Computers console, right-click the Domain Controllers OU and choose Pre-create Read-Only Domain Controller Account.
2. Decide whether or not you want to use Advanced Mode. Since I don't want to change the default Password Replication Policy (PRP), I'm not choosing Advanced Mode.
3. Choose the credentials that you want to use to perform the RODC account creation (as said before, this account needs to be a member of the Domain Admins group).
4. Choose a name for the RODC (the server computer will have to be given this exact name).
5. Choose the site in which the RODC will be deployed.
6. Select whether you want the RODC to also be a DNS server and/or a Global Catalog.
7. Now select which user (or group) may attach the server to the RODC account (this account will need local admin permissions on the server).
8. Last is the Summary page, which you can use to export your settings to an answer file for future RODC account creations.
9. If all goes well, the wizard closes successfully and your Unoccupied DC Account will be visible in AD.

OK, our AD is now prepared for the new RODC. Let's log on to the server and promote it to an RODC using the delegated, non-privileged user account. Make sure the server is NOT part of the domain while doing the promotion to RODC.

B) Attach the server to the RODC account
1. Log on to the server as the local administrator.
2. Launch the command dcpromo /UseExistingAccount:Attach.
3. On the Welcome page, choose Advanced Mode.
4. Specify the forest to which the RODC is being added and provide the account that has been delegated permission to add the RODC.
5. If you have configured everything correctly, the wizard will find the Unoccupied RODC account.
6. Choose how you want to replicate data from the existing DCs (over the network or from media).
7. If you choose to replicate from a DC, you can now choose which DC.
8. The last steps are the same as for a normal installation: choose the NTDS and SYSVOL locations and the Directory Services Restore Mode password.
9. On the Review page you can verify your selections and export them to an answer file for future installations.
10. As the last page of the wizard explains, the configuration can take from several minutes to several hours.

The Active Directory Services are now being installed and after a reboot you’re done! Pretty slick, this new staged installation of the RODC.
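The same stage B can be scripted with the answer file the wizard offers to export, which is handy for many branch offices. The following is an added example, not from the original post: it writes a dcpromo answer file and runs the attach. The domain name, RODC account name, delegated account and source DC are assumed placeholders; the DSRM password is read interactively and the file is deleted as soon as dcpromo exits, because the file contains that password in clear text.

```powershell
# Added example (not from the original post): scripted stage B of a staged RODC
# install. Assumes the RODC account "BR-RODC01" was pre-created in domain
# "corp.example" (stage A) and that "CORP\rodc-attach" is the account delegated
# in step A7. Run in an elevated session as the local Administrator.
$DomainDns  = 'corp.example'        # assumed domain DNS name
$RodcName   = 'BR-RODC01'           # must equal the pre-created account name
$Delegated  = 'CORP\rodc-attach'    # assumed delegated (non-admin) account
$SourceDc   = 'dc01.corp.example'   # assumed writable DC to replicate from
$AnswerFile = Join-Path $env:TEMP 'rodc-attach.txt'

# Pre-flight checks that mirror the caveats in the post.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw 'Server is domain-joined; it must be in a workgroup before attaching.'
}
if ($env:COMPUTERNAME -ne $RodcName) {
    throw "Computer name '$($env:COMPUTERNAME)' does not match RODC account '$RodcName'."
}

# Password=* makes dcpromo prompt for the delegated account's password, so it
# never lands in the file. The DSRM password has no prompt option in the
# answer file, so it is read here and the file is removed right after use.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)

@"
[DCInstall]
; Stage B: attach this server to the unoccupied RODC account
ReplicaDomainDNSName=$DomainDns
UserDomain=$DomainDns
UserName=$Delegated
Password=*
ReplicationSourceDC=$SourceDc
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=NoAndNoPromptEither
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

try {
    & dcpromo.exe /UseExistingAccount:Attach /unattend:$AnswerFile
    Write-Host "dcpromo exit code: $LASTEXITCODE (details in $env:SystemRoot\debug\dcpromo.log)"
} finally {
    # Never leave the DSRM password on disk, even if dcpromo failed.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
}
Restart-Computer -Force
```

Check dcpromo.log before the reboot if the exit code indicates a failure; the most common cause is a computer name that does not match the pre-created account, or a delegated account that was not the one chosen in step A7.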

1 comment:

udai said...

Great Work buddy!!!