You can perform a staged installation of a read-only domain controller (RODC), in which different individuals complete the installation in two stages. You can use the Active Directory Domain Services Installation Wizard to complete each stage of the installation.
- Using Advanced Mode
- Configuring Additional
Domain Controller Options
- Delegating Read-Only
Domain Controller Installation and Administration
- Specifying Password
- Selecting a Read-Only
Domain Controller Account
Description of a staged RODC installation
The first stage of the installation creates an account for the RODC in Active Directory Domain Services (AD DS). The second stage of the installation attaches the actual server that will be the RODC to the account that was previously created for it.
During the first stage, the Active Directory Domain Services Installation Wizard records all data about the RODC that will be stored in the distributed Active Directory database, such as the RODC's domain controller account name and the site in which it will be placed. This stage must be performed by a member of the Domain Admins group.
The user who creates the RODC account can also specify at that time which users or groups can complete the next stage of the installation. The next stage of the installation can be performed in the branch office by any user or member of a group who has been delegated the right to complete the installation when the account was created. This stage does not require any membership in built-in groups such as the Domain Admins group. If the user who creates the RODC account does not specify any delegate to complete the installation (and administer the RODC), only a member of the Domain Admins group or the Enterprise Admins group can complete the installation.
During the second stage of the installation, the wizard installs AD DS on the server that will become the RODC. This stage typically occurs in the branch office where the RODC is deployed. During this stage, all AD DS data that resides locally, such as the database, log files, and so on, is created on the RODC itself. The installation source files can be replicated to the RODC from another domain controller over the network, or you can use the install from media (IFM) feature. When you use IFM, use Ntdsutil.exe to create the installation media that is specifically created for an RODC installation. For more information about using IFM, see Installing from Media.
The server that will become the RODC must not be joined to the domain before you try to attach it to the RODC account. As part of the installation, the Active Directory Domain Services Installation Wizard automatically detects whether the name of the server matches the names of any RODC accounts that have been created in advance for the domain. When the wizard finds a matching account name, it prompts the user to use that account to complete the RODC installation.
Scenario for performing a staged installation
When an organization uses staged installation, it can deploy a domain controller to a branch office location more efficiently than it could with previous versions of Windows Server. For example, a member of the Domain Admins group in a central location can create an RODC account in AD DS. This stage of the installation completes all the deployment tasks that require Domain Admin credentials, such as creating the computer account for the domain controller, specifying the site for it, and creating an associated NTDS Settings object for the server.
When a member of the Domain Admins group creates the RODC account, he or she can delegate to another user or security group the right to complete the RODC installation at the branch office location. The task of attaching the server to the existing RODC account does not have to be performed by a member of the Domain Admins group. Any delegated administrator (or delegated group member) that the member of the Domain Admins group specifies during the first stage of the installation can perform this task.
The organization can order and ship the server directly to the branch office location where the RODC installation can be completed. In the past, domain controllers for branch offices often had to be ordered and shipped to a central location or staging site to be built before they were in turn shipped to the branch office location where they were to be deployed. As an alternative, installation media was created in a central location and then shipped to the branch office location to complete the domain controller installation. Staged installation of an RODC streamlines the domain controller deployment process by eliminating these intermediary installation steps.
How to perform staged installations
Before you can install an RODC, you must prepare your forest by running adprep /rodcprep. For more information about preparing your forest by running adprep, see Choosing an Active Directory Domain Services Deployment Configuration.
You can then create the RODC account by using the Active Directory Users and Computers snap-in. In the console tree, either right-click the Domain Controllers container or click the Domain Controllers container and click Action, and then click Pre-create Read-only Domain Controller account.
You can also create an RODC account by running dcpromo at the command line, but the command must also specify the name of the domain where you are installing the RODC. At the command line, type the following command, and then press ENTER:
dcpromo /CreateDCAccount /ReplicaDomainDNSName:DomainName
Where DomainName is the name of the domain where you plan to install an RODC.
After you create the RODC account, it appears in the Domain Controllers container as an unoccupied domain controller account until a delegated user attaches the server to it.
After the delegated administrator assigns a static IP address and configures the DNS client settings for the server, he or she can run the Active Directory Domain Services Installation Wizard to attach the server in the branch office to the existing RODC account. To attach the server to the existing account, open a command prompt on the server that will become the domain controller, type the following command, and then press ENTER:
The delegated administrator is notified that the AD DS binaries are being installed. Then, the Active Directory Domain Services Installation Wizard automatically starts the second stage of the installation. The delegated administrator can add the /adv parameter to the dcpromo command or select the Use advanced mode installation check box on the Welcome to the Active Directory Domain Services Installation Wizard page in the wizard to specify the following additional installation options:
- Whether to replicate data over the network or
- Which domain controller to use as an
On the Network Credentials page of the wizard, the delegated administrator must enter the name of any domain in the forest where the RODC is being installed, along with alternate credentials to use for the installation. Alternate credentials are required to attach the server to an existing domain controller account because it must be performed by a domain user. However, the delegated administrator originally logged on to the server with a local administrator account because that server was not yet joined to the domain. Therefore, the delegated administrator must now specify the domain user account (or an account that is a member of the delegated administration group) that was delegated the right to install and administer the RODC when the member of the Domain Admins group created the account for the RODC.
Removing AD DS from an RODC
A delegated administrator can remove AD DS from the RODC by running Dcpromo.exe. The Active Directory Domain Services Installation Wizard requests information, including the password for the new local Administrator account, that is required to remove AD DS and make the computer a stand-alone server. You must restart the server to complete the removal of AD DS.
Detecting computer name and account conflicts
After the delegated administrator selects the name of the RODC account to attach the server to, the Active Directory Domain Services Installation Wizard verifies that the account is not currently used by an active domain controller. If the verification succeeds, the wizard automatically attempts to attach the server to that account and complete the installation.
If the wizard does not find a computer account with a matching name, it provides the delegated administrator with the chance to rename the server to another name that does match an existing computer account or to take other steps to remedy the name conflict.
If the wizard finds a matching domain controller account name but the account is enabled, the wizard attempts to contact that domain controller to verify that the domain controller is online. The wizard then proceeds as follows:
- If the wizard can verify that another domain
controller with the same name is already online, it blocks
completion of the AD DS installation. In this case, the server
on which the RODC installation is being performed must be renamed
with the name of an RODC account that is not already in use.
- If the wizard cannot verify that another
domain controller with the same name is already online, it warns
the delegated administrator that continuing with the installation
will cause the domain controller that has the same account name to
not function properly—if it is in fact online—despite the fact that
it could not be contacted by the wizard.
This condition can occur if an attempt to attach the server to the existing account was made previously but that attempt was canceled before the installation completed. In this case, the status of the RODC account might be changed from disabled to enabled before the installation is completed. If this happens, the delegated administrator can click OK to continue after the warning.
For more information, see Selecting a Read-Only Domain Controller Account.