A read-only domain controller (RODC) hosts read-only partitions of the Active Directory database. RODCs provide a way for you to deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as an extranet or for specific application support. Because RODC administration can be delegated to a domain user or a security group, an RODC is well suited for a site that does not have a user who is a member of the Domain Admins group.
Before you can install an RODC, the forest functional level must be Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. You can install an RODC on a full installation or a Server Core installation of Windows Server 2008 R2. You can also perform a staged RODC installation, in which the installation is completed in two stages. For more information about performing a staged RODC installation, see Performing a Staged Installation of a Read-Only Domain Controller.
Deploying an RODC
The following table lists the steps that you can take to deploy an RODC.
| Step | Reference |
|---|---|
| Raise the forest functional level to Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. | Raising the Functional Levels (http://go.microsoft.com/fwlink/?LinkId=93174) |
| Run adprep /forestprep. | Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=93242) |
| Run adprep /domainprep /gpprep. | Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=93243) |
| Run adprep /rodcprep. | Prepare a Forest for a Read-Only Domain Controller (http://go.microsoft.com/fwlink/?LinkId=93244) |
| Install at least one writable domain controller that runs Windows Server 2008 or Windows Server 2008 R2. For fault tolerance, you can deploy multiple writable domain controllers. | Steps for Installing AD DS (http://go.microsoft.com/fwlink/?LinkId=93245) |
| Install an RODC, either by performing a normal installation or by performing a staged installation. | Performing a Staged RODC Installation (http://go.microsoft.com/fwlink/?LinkId=93246); Installing an Additional Domain Controller (http://go.microsoft.com/fwlink/?LinkId=93254) |
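The following PowerShell script is an added example, not part of the original article: it checks from a management host that the forest functional level, adprep /rodcprep, and the writable Windows Server 2008 (or later) domain controller prerequisites from the table are in place, then writes the dcpromo answer file that turns a branch server into an RODC. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is available; the domain, site, group, account and file names are placeholders.

```powershell
# Added example, not from the Microsoft article: verify the table's prerequisites,
# then write a dcpromo answer file for the RODC. Assumes the ActiveDirectory module
# (RSAT-AD-PowerShell); all domain, site, group and account names are placeholders.
Import-Module ActiveDirectory
$DomainDns = 'corp.example.com'           # placeholder: domain the RODC joins
$SiteName  = 'Branch01'                   # placeholder: AD site of the branch office
$Delegated = 'CORP\Branch01-RODC-Admins'  # placeholder: group delegated RODC administration
$problems  = @()

# Step 1: forest functional level must be Windows Server 2003 or higher.
$forest  = Get-ADForest
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    $problems += "Forest functional level is $($forest.ForestMode); raise it first."
}

# Step 4: adprep /rodcprep stamps CN=ActiveDirectoryRodcUpdate with Revision 2.
$configNC = (Get-ADRootDSE).configurationNamingContext
$marker = Get-ADObject -Identity "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC" `
    -Properties Revision -ErrorAction SilentlyContinue
if (-not $marker -or [int]$marker.Revision -lt 2) {
    $problems += 'adprep /rodcprep has not completed in this forest.'
}

# Step 5: an RODC replicates only from a writable Windows Server 2008 (or later) DC.
$writable = Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -match 'Server\D*(2008|20[1-9])' }
if (-not $writable) { $problems += "No writable Windows Server 2008 or later DC in $DomainDns." }
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return }

# Step 6: unattend file for dcpromo on the branch server. No secret is stored in it:
# Password=* makes dcpromo prompt, and the DSRM password is entered when prompted
# (assumption: dcpromo prompts for any required value the file omits).
$answer = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$DomainDns
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
DelegatedAdmin="$Delegated"
UserDomain=$DomainDns
UserName=rodc-installer
Password=*
RebootOnCompletion=Yes
"@
Set-Content -Path 'C:\Deploy\rodc-unattend.txt' -Value $answer -Encoding ASCII
Write-Host 'Written; on the branch server run: dcpromo /unattend:C:\Deploy\rodc-unattend.txt'
```

The adprep /forestprep and /domainprep steps are not checked here; run them in the order the table gives before /rodcprep.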