How to Deploy a Read-Only Domain Controller in Windows Server 2016

An RODC holds a read-only copy of the Active Directory database and doesn't allow any changes in AD data. It is mostly deployed in branch offices due to poor physical security. If some one gets access to the RODC, he won't be able to change the global data. If an intruder somehow manages to change the data on the RODC, it won't be replicated to write-able DCs due to unidirectional replication (from wrote-able to read-only DC).

In this guide, I am going to show you how to deploy an RODC in Windows Server 2016.

Prerequisites

Cross check the following prerequisites

  1. Administrator account has strong password.
  2. Static IP is configured.
  3. Firewall is turned off.
  4. Latest updates from Microsoft are installed.
  5. You have at least one writeable DC.
  6. DNS settings in TCP/IPv4 are pointing to DNS server of write-able DC.

Deploy a Read-Only Domain Controller in Windows Server 2016

To get started, open server manager dashboard and click on 'Add roles and features'. Then follow the wizard.

Step 1. Verify the tasks listed in the window and then click Next.

Add roles and features

Step 2. Choose Role-based or feature-based installation and click Next.

Select installation type

Step 3. Choose desired destination server from servers pool and click Next.

Select destination server

Step 4. Choose active directory domain services from server roles. As soon as you check the box a new window will appear, click Add Features.

Select server roles

Step 5. Click Next.

Select server roles

Step 6. Click Next.

Select features

Step 7. Click Next.

Active Directory Domain services

Step 8. Click Install and wait for an installation to finish. This may take several minutes to complete.

Confirm installation selections

Step 9. Click Promote this server to a domain controller.

Installation progress

Step 10. Choose Add a domain controller to an existing domain. Provide the domain name and the appropriate credentials having permission to add a domain controller to an existing domain. Click Next.

Deployment configuration

Step 11. Choose Read only domain controller (RODC) and provide the DSRM password. Click Next.

Domain Controller options

Step 12. Click Next.

RODC Options

Step 13. Click Next.

Additional options

Step 14. Click Next.

Paths

Step 15. Click Next.

Review options

Step 16. Click Install and wait for configuration to finish. When configuration finishes, the server will be rebooted.

Prerequisites check
Step 17. Login to RODC with admin credentials. Open active directory user and computers (ADUC) console and make sure you are connected to Read Only DC and not to write-able DC. Notice the greyed out icons and try updating the AD data. You won't.

Test the setup

Leave a Comment