Performing a Staged RODC Installation
Updated: July 03, 2008
You can perform an RODC installation that is completed in two stages by different individuals. The first stage of the installation, which requires domain administrative credentials, creates an account for the RODC in AD DS. The second stage of the installation attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it. You can delegate the ability to attach the server to a nonadministrative group or user.
During this first stage, the wizard records all data about the RODC that will be stored in the distributed Active Directory database, such as its domain controller account name and the site in which it will be placed. This stage must be performed by a member of the Domain Admins group.
The administrator who creates the RODC account can also specify at that time which users or groups can complete the next stage of the installation. The next stage of the installation can be performed in the branch office by any user or group who was delegated the right to complete the installation when the account was created. This stage does not require any membership in built-in groups, such as the Domain Admins group. If the user who creates the RODC account does not specify any delegate to complete the installation (and administer the RODC), only a member of the Domain Admins or Enterprise Admins groups can complete the installation.
During the second stage, the wizard installs AD DS on the server that will become the RODC and attaches the server to the domain account that was previously created for it. This stage typically occurs in the branch office where the RODC is deployed. During this stage, all AD DS data that resides locally, such as the database, log files, and so on, is created on the RODC itself. The installation source files can be replicated to the RODC from another domain controller over the network, or you can use the install from media (IFM) feature. To use IFM, use Ntdsutil.exe to create the installation media.
The server that will become the RODC must not be joined to the domain before you try to attach it to the RODC account. As part of the installation, the wizard automatically detects whether the name of the server matches the names of any RODC accounts that have been created in advance for the domain. When the wizard finds a matching account name, it prompts the user to use that account to complete the RODC installation.
You can complete each stage of the installation using any of the following methods:
• Windows interface
• Answer file
• Command line
Performing a staged RODC installation by using the Windows interface
You can use the Active Directory Users and Computers snap-in to create an RODC account.
To create an RODC account by using the Windows interface
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Either right-click the Domain Controllers organizational unit (OU) or click the Domain Controllers OU, and then click Action.
3. Click Pre-create Read-only Domain Controller account.
4. On the Welcome to the Active Directory Domain Services Installation Wizard page, if you want to modify the default Password Replication Policy, select Use advanced mode installation, and then click Next.
5. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
6. On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
7. On the Specify the Computer Name page, type the computer name of the server that will be the RODC.
8. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to the IP address of the computer on which you are running the wizard, and then click Next.
9. On the Additional Domain Controller Options page, make the following selections, and then click Next:
   • DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the WAN link to the hub site is offline.
   • Global catalog: This option is selected by default. It adds the global catalog read-only directory partitions to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN link to the hub site is offline.
   • Read-only domain controller: When you create an RODC account, this option is selected by default and you cannot clear it.
10. If you selected the Use advanced mode installation check box on the Welcome page, the Specify the Password Replication Policy page appears. By default, no account passwords are replicated to the RODC, and security-sensitive accounts (such as members of the Domain Admins group) are explicitly denied from ever having their passwords replicated to the RODC.
   To accept the default setting, click Next.
   -or-
   To add other accounts to the policy, click Add. If the accounts will be allowed to have their passwords replicated to the RODC, click Allow passwords for the account to replicate to this RODC. If the accounts will be denied from having their passwords replicated to the RODC, click Deny passwords for the account from replicating to this RODC. Then, click OK. When you are done adding other accounts, click Next.
   When you install the first RODC in a domain, domain group accounts that are required for RODCs to function are created. Depending on your replication topology, the wizard might return an error indicating that these group accounts are not available when you try to install another RODC in the domain. In this case, wait for replication to complete before you install the additional RODC.
11. In Select Users, Computers, and Groups, type the names of the accounts that you want to add to the policy, and then click OK.
12. On the Delegation of RODC Installation and Administration page, type the name of the user or the group who will attach the server to the RODC account that you are creating. You can type the name of only one security principal.
   To search the directory for a specific user or group, click Set. In Select Users, Computers, or Groups, type the name of the user or group. We recommend that you delegate RODC installation and administration to a group.
   This user or group will also have local administrative rights on the RODC after the installation. If you do not specify a user or group, only members of the Domain Admins group or the Enterprise Admins group will be able to attach the server to the account.
   When you are finished, click Next.
13. On the Summary page, review your selections. Click Back to change any selections, if necessary.
   To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.
   When you are sure that your selections are accurate, click Next to create the RODC account.
14. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
After you create the account for the RODC, the user or group to whom you delegated installation and administration of the RODC (in step 12 of the previous procedure) can run the Active Directory Domain Services Installation Wizard on the server that will become the RODC. Make sure that the server is not joined to the domain before you start the wizard.
To attach a server to an RODC account by using the Windows interface
1. Log on as local Administrator to the server that will become the RODC, and then open a command prompt.
2. Type the following command, and then press ENTER:
   dcpromo /UseExistingAccount:Attach
3. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next, or, if you want to install from media or identify the source domain controller for AD DS replication, select the Use advanced mode installation check box, and then click Next.
4. On the Network Credentials page, type the name of any existing domain in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that was delegated the ability to install and administer the RODC when the RODC account was created. When you are finished providing credentials, click Next.
5. On the Select Domain Controller Account page, confirm that the wizard has found an existing RODC account that matches the name of the server, and then click Next.
6. If you selected advanced installation mode, you can specify the following advanced options:
   1. On the Install from Media page, you can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can choose to have all data replicated over the network. Note that some data will be replicated over the network even if you choose to install from media. For information about using this method to install the domain controller, see Installing AD DS from Media.
   2. On the Source Domain Controller page, you can specify a domain controller from which to replicate the configuration and schema directory partitions (or the entire Active Directory database if you do not choose to install from media). If you select This specific domain controller, you can select the domain controller that you want to provide source replication to create the new domain controller, and then click Next.
7. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the system volume (SYSVOL) files, and then click Next.
   Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.
8. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password is used to start AD DS in Directory Services Restore Mode for tasks that must be performed offline. The password complexity and length must comply with the domain security policy.
9. On the Summary page, review your selections. Click Back to change any selections, if necessary.
   To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.
   When you are sure that your selections are accurate, click Next to install AD DS.
10. You can either select the Reboot on completion check box to have the server restart automatically, or you can restart the server to complete the AD DS installation when you are prompted to do so.
Performing a staged RODC installation by using an answer file
Use the following procedure to create an answer file for each stage of an RODC installation. In the first stage, you create an RODC account. In the next stage, you attach the server to the account. In this example, the DNS server and global catalog options are also installed but they are not mandatory. The site name is mandatory for an RODC installation. If you are adding multiple security principals to the RODC password replication policy, you must specify the appropriate entry (allowed or denied) on a separate line for each security principal.
For a complete list of unattended installation options, including default values, allowed values, and descriptions, see CreateDCAccount Operation (http://go.microsoft.com/fwlink/?LinkId=122101) and UseExistingAccount Operation (http://go.microsoft.com/fwlink/?LinkId=122102).
Creating the RODC account
Use the following procedure to create the RODC account.
Administrative credentials
To perform this procedure, you can use any account that has Read and Write privileges for the text editor application.
To create an answer file for creating an RODC account
1. Open Notepad or any other text editor.
2. On the first line, type [DCINSTALL], and then press ENTER.
3. Type the following entries, one entry on each line:
   ; Read-Only Domain Controller Installation
   ReplicaDomainDNSName=FullyQualifiedDomainName
   DCAccountName=RODCName
   ; RODC Password Replication Policy
   PasswordReplicationDenied=BUILTIN\Administrators
   PasswordReplicationDenied="BUILTIN\Server Operators"
   PasswordReplicationDenied="BUILTIN\Backup Operators"
   PasswordReplicationDenied="BUILTIN\Account Operators"
   PasswordReplicationDenied=DomainName\"Denied RODC Password Replication Group"
   PasswordReplicationAllowed=DomainName\"Allowed RODC Password Replication Group"
   PasswordReplicationAllowed=GroupName1
   PasswordReplicationAllowed=GroupName2
   PasswordReplicationAllowed=User_Name1
   PasswordReplicationAllowed=Computer_Name1
   DelegatedAdmin=RODCAdministrator
   SiteName=SiteName
   InstallDNS=Yes
   ConfirmGc=Yes
   ReplicationSourceDC=SourceDCName
4. Save the answer file to the location on the installation server from which it is to be called by Dcpromo, or save the file to a network shared folder or removable media for distribution.
Use the following table to replace the variables in the answer file with values that are appropriate for your organization.
FullyQualifiedDomainName: The fully qualified domain name (FQDN) of the domain where you are installing the RODC.
RODCName: The name of the server that will become the RODC. Before anyone attempts to attach that server to the account that you are creating, it must be named with the name that you specify here and it must not be joined to the domain.
DomainName: The single-label DNS name or the FQDN of the domain where you are installing the RODC.
GroupName1, GroupName2, User_Name1, Computer_Name1, …: The name of the security principal that you are adding to the password replication policy. The account names must be enclosed within quotation marks. When you specify the accounts of mobile users, also specify the computer accounts, such as laptop computers, that those users will use to log on to the RODC.
RODCAdministrator: The name of the account to whom you are delegating installation and administrative rights for the RODC. You can specify only one user or group. As a best practice, specify the name of a group. Then, add to the group the account of any user that you want to manage the RODC.
SiteName: The name of the site where you want to install the RODC.
SourceDCName: The FQDN of the domain controller from which you replicate the domain information (the installation partner).
After you create the answer file, use the following procedure to automate the creation of the RODC account.
Administrative credentials
To perform this procedure, you must be logged on to a domain controller as a member of the Domain Admins group or the Enterprise Admins group.
To create an RODC account by using an answer file
• At the command prompt, type the following, and then press ENTER:
  dcpromo.exe /CreateDCAccount /unattend:"Path to answer file"
Attaching a server to an RODC account
Use the following procedure to create an answer file that can be used to attach a server to an RODC account.
To create an answer file for attaching a server to an RODC account
1. Open Notepad or any other text editor.
2. On the first line, type [DCINSTALL], and then press ENTER.
3. Type the following entries, one entry on each line:
   ; Read-Only Domain Controller Installation
   ReplicaDomainDNSName=FullyQualifiedDomainName
   UserDomain=FullyQualifiedDomainName
   UserName=DomainName\User_Name
   Password=*
   DatabasePath=PathToDatabase
   LogPath=PathToLogFiles
   SYSVOLPath=PathToSYSVOL
   ; Set SafeModeAdminPassword to the correct value prior to using the answer file
   SafeModeAdminPassword=
   ; CriticalReplicationOnly=Yes
   RebootOnCompletion=Yes
4. Save the answer file to the location on the installation server from which it is to be called by Dcpromo, or save the file to a network shared folder or removable media for distribution.
Use the following table to replace the variables in the answer file with values that are appropriate for your organization.
FullyQualifiedDomainName: The FQDN of the domain where you are installing the RODC. For UserDomain, enter the domain name for the user name (account credentials) that will be used to install a domain controller.
DomainName\UserName: The credentials of the user with the rights to attach the server to the RODC account, in the Windows NT format. As a best practice, this user should be a member of a security group that has been delegated installation and administrative rights for the RODC. If you do not specify a user, only members of the Domain Admins group or the Enterprise Admins group can perform the operation.
PathToDatabase: The location of the directory database, for example, C:\Windows\NTDS.
PathToLogFiles: The location of the database log files, for example, C:\Windows\NTDS.
PathToSYSVOL: The location of the SYSVOL shared folder, for example, C:\Windows\SYSVOL.
After you create the answer file, use the following procedure to automate the operation for attaching the server to the RODC account. Before you begin this procedure, the server must be named with the name of the RODC account and it must not be joined to the domain.
Administrative credentials
Use the following procedure to attach a server to an RODC account. Because the server is not joined to the domain, log on to the server as the local Administrator.
To attach a server to an RODC account by using an answer file
• At the command prompt, type the following, and then press ENTER:
  dcpromo.exe /UseExistingAccount:Attach /unattend:"<Path to answer file>"
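As an added example (not part of this Microsoft page), the following Python lint reads the two [DCINSTALL] answer files described above before they are handed to Dcpromo: it keeps every PasswordReplicationAllowed/PasswordReplicationDenied line (a plain INI parser keeps only the last value of a repeated key), checks that the mandatory SiteName and the other required entries are present, flags built-in privileged groups that the page's sample policy denies but the file does not, reports a principal listed as both allowed and denied, and flags an attach file whose SafeModeAdminPassword is still empty or whose Password is not the * the page uses (so the credential is entered at run time rather than stored on disk). The sample files, and names such as Contoso, RODC10 and BranchAdminGroup, are constructed placeholders.

```python
# Added example, not Microsoft's code: lint the [DCINSTALL] answer files
# used in a staged RODC install. Samples below are constructed placeholders.
from collections import defaultdict

# Built-in groups the page's sample policy denies password replication for.
PRIVILEGED_DENIES = {
    r"BUILTIN\Administrators", r"BUILTIN\Server Operators",
    r"BUILTIN\Backup Operators", r"BUILTIN\Account Operators",
}

def parse_dcinstall(text):
    # Return {key: [values]} for [DCINSTALL]. Repeated keys (one principal per
    # line) keep every value; a plain INI parser would keep only the last.
    entries = defaultdict(list)
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.upper() == "[DCINSTALL]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()].append(value.strip().replace('"', ""))
    return entries

def lint_create_account(entries):
    """Checks for the /CreateDCAccount answer file."""
    findings = []
    for key in ("ReplicaDomainDNSName", "DCAccountName", "SiteName"):
        if not entries.get(key):
            findings.append(f"missing required entry {key}")
    allowed = set(entries.get("PasswordReplicationAllowed", []))
    denied = set(entries.get("PasswordReplicationDenied", []))
    for group in sorted(PRIVILEGED_DENIES - denied):
        findings.append(f"{group} is not in PasswordReplicationDenied")
    for principal in sorted(allowed & denied):
        findings.append(f"{principal} is both allowed and denied")
    if not entries.get("DelegatedAdmin"):
        findings.append("no DelegatedAdmin: only Domain/Enterprise Admins can attach")
    return findings

def lint_attach(entries):
    """Checks for the /UseExistingAccount:Attach answer file."""
    findings = []
    if entries.get("Password", [""])[0] != "*":
        findings.append("Password should be * so dcpromo prompts instead of storing it")
    if not entries.get("SafeModeAdminPassword", [""])[0]:
        findings.append("SafeModeAdminPassword is empty: set it before running dcpromo")
    return findings

# Constructed sample: three of the page's deny entries are left out on purpose,
# and one group appears on both an allow and a deny line.
SAMPLE_CREATE = r"""[DCINSTALL]
ReplicaDomainDNSName=contoso.com
DCAccountName=RODC10
PasswordReplicationDenied=BUILTIN\Administrators
PasswordReplicationAllowed=Contoso\"Allowed RODC Password Replication Group"
PasswordReplicationAllowed="Contoso\Branch Users"
PasswordReplicationDenied="Contoso\Branch Users"
DelegatedAdmin=Contoso\BranchAdminGroup
SiteName=Default-First-Site-Name
"""

SAMPLE_ATTACH = r"""[DCINSTALL]
UserName=contoso\branchadmin
Password=*
SafeModeAdminPassword=
"""
```

Running lint_create_account(parse_dcinstall(SAMPLE_CREATE)) reports the three missing BUILTIN denies and the Contoso\Branch Users conflict; lint_attach on SAMPLE_ATTACH reports only the empty SafeModeAdminPassword.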
Performing a staged RODC installation by entering installation parameters at the command line
Although we recommend that you create an RODC account by using the Windows interface because it reduces the chance for typing errors, you can use the following procedure to create an RODC account, using unattended installation parameters, from the command line. If you are creating an RODC account on a domain controller that is running a Server Core installation of Windows Server 2008, you cannot use the Windows interface.
Administrative credentials
To perform this procedure, you must be logged on to a domain controller as a member of the Domain Admins group or the Enterprise Admins group.
To create an RODC account by entering unattended installation parameters at the command line
1. At a command prompt, type the following, and then press ENTER:
   dcpromo /unattend /CreateDCAccount /ReplicaDomainDNSName:<DomainName> /DCAccountName:<RODCName> /SiteName:<SiteName> /<unattendOption>:<value> /<unattendOption>:<value> ...
   Where:
   • <DomainName> is the name of the domain where you are creating the RODC account.
   • <RODCName> is the name of the RODC account that you want to create.
   • <SiteName> is the name of the site where you want to create the RODC account.
   • <unattendOption> is an option in the CreateDCAccount Operation (http://go.microsoft.com/fwlink/?LinkId=122101) table. Separate each <option>:<value> pair with a space.
   • <value> is the configuration instruction for the option.
   The following example creates an RODC account named RODC10 in the contoso.com domain in the Default-First-Site-Name site with additional installation options:
   dcpromo /CreateDCAccount /ReplicaDomainDNSName:contoso.com /DCAccountName:RODC10 /SiteName:Default-First-Site-Name /SourceDC:DC1.contoso.com /PasswordReplicationDenied=BUILTIN\Administrators /PasswordReplicationDenied="BUILTIN\Server Operators" /PasswordReplicationDenied="BUILTIN\Backup Operators" /PasswordReplicationDenied="BUILTIN\Account Operators" /PasswordReplicationDenied="Contoso\Denied RODC Password Replication Group" /PasswordReplicationAllowed="Contoso\Allowed RODC Password Replication Group" /PasswordReplicationAllowed="Group Name1" /PasswordReplicationAllowed="Group Name2" /PasswordReplicationAllowed="User Name1" /PasswordReplicationAllowed=ComputerName1 /DelegatedAdmin=BranchAdminGroup
2. When you finish typing all the options that are required to create the RODC account, press ENTER.
After you create the RODC account, perform the following procedure on the server that will become the RODC to attach that server to the RODC account.
Administrative credentials
Because the server is not joined to the domain, log on to the server as the local Administrator.
To attach a server to an RODC account by entering unattended installation parameters at the command line
1. At a command prompt, type the following, and then press ENTER:
   dcpromo /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:<FullyQualifiedDomainName> /UserDomain:<FullyQualifiedDomainName> /UserName:<DomainName>\<UserName> /password:* /<unattendOption>:<value> /<unattendOption>:<value> ...
   Where:
   • <FullyQualifiedDomainName> is the FQDN of the domain where you are installing the RODC. For /UserDomain, enter the domain name for the user name (account credentials) that will be used to install a domain controller.
   • <DomainName>\<UserName> is the account credentials of the user with the rights to attach the server to the RODC account, in the Windows NT format.
   • <unattendOption> is an option in the UseExistingAccount Operation (http://go.microsoft.com/fwlink/?LinkId=122102) table. Separate each <option>:<value> pair with a space.
   • <value> is the configuration instruction for the option.
   The following example attaches a server to an RODC account in the contoso.com domain with additional installation options, using the domain credentials of the contoso\da1 account:
   dcpromo /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:contoso.com /UserDomain:contoso.com /UserName:contoso\da1 /password:* /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:FH#3573.cK /rebootOnCompletion:yes
2. When you finish typing all the options that are required to attach the server to the RODC account, press ENTER.