To attach the server to the read-only domain controller (RODC) account, you must rename the server that will become the RODC with the name of the RODC account that was created for it by the domain administrator. The Active Directory Domain Services Installation Wizard matches the name of the server to the name of the RODC account that was created for the server.
Note: The server that you plan to attach the account to must not be joined to the domain when you start the Active Directory Domain Services Installation Wizard.
On the Select Domain Controller Account page, the wizard lists all the potential matching accounts for each domain in the forest that you specified on the Network Credentials page earlier in the wizard. You cannot select accounts from other forests.
The Active Directory Domain Services Installation Wizard provides a message that confirms that it was able to find one, and only one, RODC account with the same name. If it finds more than one account name that could be a match, you can select an account from the possible accounts that the wizard lists. You can select only one account.
If the wizard does not find an RODC account for the name that you specify, the wizard provides a message that states that the name you provide must match the name of the RODC account that was created previously. In this case, you can either:
- Rename the computer to a name that matches an RODC account that has been created.
- Or have a domain administrator create a new RODC account, and specify an RODC account name that matches the name that you plan to provide for the server that will become the RODC in the branch office location.
The wizard does not proceed until you select exactly one matching account. After you select a matching RODC account, the wizard performs additional verification tests.
The wizard first verifies that you have permission to attach the server to the selected account. A member of the Domain Admins group grants this permission to a delegated user or group when creating the RODC account. Only the following users can join the computer to the selected RODC account:
- The delegated user
- A member of the delegated group
- A member of the Domain Admins group
- A member of the Enterprise Admins group
After the wizard verifies the user credentials, the wizard determines whether the RODC account is enabled (that is, whether the account is already in use). If the RODC account is not enabled, the wizard proceeds with the RODC installation. If the RODC account is enabled, the wizard attempts to contact the computer that already has this account enabled.
If the wizard successfully contacts a computer that already has this account enabled, you have provided the name of a domain controller that is already functioning on the network. In this case, the wizard provides a message that indicates that the installation cannot continue. Instead, you must rename the computer to match the name of an RODC account that is not already in use.
If the Active Directory Domain Services Installation Wizard cannot contact a computer that has this account enabled, it provides a message that warns that if you continue to install AD DS and another server with the same name does exist, that other server will no longer function properly. In this case, you can perform additional network diagnostic tests, such as using the ping command, independently from the wizard to determine whether the computer that has the enabled account is currently functioning on the network. After you resolve the issue, you can continue with the wizard to complete the installation.
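The checks described above (exactly one matching RODC account, who is delegated to attach to it, whether the account is already enabled, and whether a live computer answers under that name) can be run before the wizard as a pre-flight script. The following PowerShell is an added example, not code from the original page or from Microsoft; it assumes the RSAT ActiveDirectory and ADDSDeployment modules are installed on the workgroup server, that the names and domain in the variables are placeholders you replace, that staged RODC accounts carry the delegated administrator in the managedBy attribute and have primaryGroupID 521 (Read-only Domain Controllers), and it finishes with the unattended equivalent of the wizard, Install-ADDSDomainController -UseExistingAccount.

```powershell
# Added example: pre-flight checks before attaching this server to a pre-created
# RODC account, then the unattended install that replaces the wizard.
$RodcName  = 'BRANCH-RODC01'      # placeholder: name the domain admin gave the RODC account
$DomainDns = 'corp.example.com'   # placeholder: domain the RODC will belong to
$Creds     = Get-Credential -Message 'Delegated RODC administrator'

Import-Module ActiveDirectory

# 1. The wizard searches every domain in the forest for accounts with this name
#    and insists on exactly one match; mirror that here.
$forestDomains = (Get-ADForest -Server $DomainDns -Credential $Creds).Domains
$candidates = @(foreach ($d in $forestDomains) {
    Get-ADComputer -Server $d -Credential $Creds -Filter "Name -eq '$RodcName'" `
        -Properties Enabled, ManagedBy, DNSHostName, primaryGroupID |
        Where-Object { $_.primaryGroupID -eq 521 }   # assumption: 521 = Read-only Domain Controllers
})

switch ($candidates.Count) {
    0       { throw "No RODC account named '$RodcName' exists. Rename this computer to match an existing account, or have a domain admin create one." }
    1       { $account = $candidates[0] }
    default { throw "$($candidates.Count) RODC accounts named '$RodcName' found across the forest; the wizard will ask you to pick one." }
}

# 2. Permission: only the delegated user/group (managedBy, assumption), Domain Admins
#    or Enterprise Admins may attach. Surface who was delegated so it can be checked.
Write-Host "Matched account: $($account.DistinguishedName)"
Write-Host "Delegated administrator (managedBy): $($account.ManagedBy)"

# 3. Enabled means the account is already in use. If the holder answers on the
#    network, this name belongs to a functioning DC and the install must not proceed.
if ($account.Enabled) {
    $target = if ($account.DNSHostName) { $account.DNSHostName } else { $RodcName }
    if (Test-Connection -ComputerName $target -Count 2 -Quiet) {
        throw "'$target' is a functioning domain controller. Rename this computer to match an RODC account that is not in use."
    }
    Write-Warning "Account '$RodcName' is enabled but '$target' did not respond. Continuing would break the other server if it still exists; confirm it is gone first."
}

# 4. The wizard matches the local computer name to the account name, so the
#    server must already carry that name (and must not be domain-joined).
if ($env:COMPUTERNAME -ne $RodcName) {
    throw "This computer is named '$env:COMPUTERNAME'; run Rename-Computer -NewName '$RodcName' -Restart and rerun."
}

# 5. Attach to the existing account. No -ReadOnlyReplica or site is given: both come
#    from the pre-created account. -WhatIf shows the planned actions without installing.
Import-Module ADDSDeployment
Install-ADDSDomainController -DomainName $DomainDns -Credential $Creds `
    -UseExistingAccount -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -WhatIf
```

Remove -WhatIf when you are ready to install. Steps 1 through 4 are only read operations against the directory and a ping, so they can be run repeatedly while a naming or account problem is sorted out with the domain administrator.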
When you create the RODC account, the wizard automatically generates a NetBIOS name based on the Domain Name System (DNS) name that you provide. To use a different NetBIOS name, use the ADSI Edit snap-in to modify the NetBIOS name after you create the RODC account.