Deploy Read-Only Domain Controller (RODC) on Server 2016

In this article we are going to deploy read-only domain controller (RODC) in Windows Server 2016. Read only-domain controller is a type of domain controller in Windows Server operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.

An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. Read more about what does an RODC do as domain controller.

How to Deploy Read-Only Domain Controller?

To deploy read-only domain controller in a Windows server, you need to have required  permission. An domain admin account can deploy RODC. In this practical lab I’m using Hyper-V with two Windows Serve 2016 installed. The first server DC16 is the main domain controller and the second one will be used to deploy read-only domain controller.

1.  Before you start to deploy RODC on second server, configure network card of second serve with a static IP address and join serve to domain.

2. Now open Server Manager and click Manage, select Add Roles and Features. On before you begin click Next then select Role-based or feature-based installation and click Next. 

Windows Server 2016 Server Manager

3. On Select destination server page, select your RODC server and click Next.

Deploy Read-Only Domain Controller

4. Select Active Directory Domain Services, then on the prompt window click Add Features. This will add  features that are required for active directory domain services, then click Next.

Add features that are required for active directory domain services

5. Just click Next, do noting on Features, AD DS pages. Finally click Install on Confirmation page.

Install Read Only Domain Controller on Windows Server 2016

6. Let the Active Directory Domain Services installation process will be finished successfully. When it has  finished click Promote this serve to a domain controller link.

Promote this serve to a domain controller

7. Now, on the Deployment Configuration page, select Add a domain controller to an existing domain then type your current domain name to Domain text box, then click Next.

RODC Deployment Configuration

8. On the Domain Controller Options page, select Read only domain controller (RODC) and type a password then click Next.

RODC Options

8. Currently I don’t add any groups to denied or allowed RODC. Only click Next.

Delegation Administrator Account for RODC

9. Select the primary domain, where the RODC want to replicate and will get it’s files for creating read only domain controller. Just click Next.

Specifgy Installation options

10. Only click Next on the Paths, Preparation Option, and Review pages. Finally on Prerequisites Check click Install to begin the installation.

All prerequisite check passed successfully

11. System will restart after completing installation. After rebooting the system, login to RODC and see the read only domain controller.

12. Open Active Directory Users and Computers, navigate to Users OU see the members of Denied RODC Password Replication Group. The members of this group will not replicate with RODC, instead replicate directly with primary domain controller.

Denied RODC Password Replication Groups

The process has been finished, everything should work perfect. If you get any issue with deploying RODC, comment us please.

How toInstall and ConfigureRODC Windows Server 2016
Comments (1)
Add Comment