In this article we are going to deploy read-only domain controller (RODC) in Windows Server 2016. Read only-domain controller is a type of domain controller in Windows Server operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.
An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. Read more about what does an RODC do as domain controller.
How to Deploy Read-Only Domain Controller?
To deploy read-only domain controller in a Windows server, you need to have required permission. An domain admin account can deploy RODC. In this practical lab I’m using Hyper-V with two Windows Serve 2016 installed. The first server DC16 is the main domain controller and the second one will be used to deploy read-only domain controller.
1. Before you start to deploy RODC on second server, configure network card of second serve with a static IP address and join serve to domain.
2. Now open Server Manager and click Manage, select Add Roles and Features. On before you begin click Next then select Role-based or feature-based installation and click Next.
3. On Select destination server page, select your RODC server and click Next.
4. Select Active Directory Domain Services, then on the prompt window click Add Features. This will add features that are required for active directory domain services, then click Next.
5. Just click Next, do noting on Features, AD DS pages. Finally click Install on Confirmation page.
6. Let the Active Directory Domain Services installation process will be finished successfully. When it has finished click Promote this serve to a domain controller link.
7. Now, on the Deployment Configuration page, select Add a domain controller to an existing domain then type your current domain name to Domain text box, then click Next.
8. On the Domain Controller Options page, select Read only domain controller (RODC) and type a password then click Next.
8. Currently I don’t add any groups to denied or allowed RODC. Only click Next.
9. Select the primary domain, where the RODC want to replicate and will get it’s files for creating read only domain controller. Just click Next.
10. Only click Next on the Paths, Preparation Option, and Review pages. Finally on Prerequisites Check click Install to begin the installation.
11. System will restart after completing installation. After rebooting the system, login to RODC and see the read only domain controller.
12. Open Active Directory Users and Computers, navigate to Users OU see the members of Denied RODC Password Replication Group. The members of this group will not replicate with RODC, instead replicate directly with primary domain controller.
The process has been finished, everything should work perfect. If you get any issue with deploying RODC, comment us please.