Preparing the Headquarters Domain Controller

The procedures below describe how to configure a headquarters domain controller (HQ DC) running Active Directory Domain Services (AD DS) to operate with read only domain controllers (RODCs) located at branch offices. This topic assumes that you have a domain controller configured for your organization.

  • Ensure that the forest functional level is Windows Server 2003 or higher

  • Run adprep /rodcprep

  • Install a writable domain controller that runs Windows Server 2008

  • Create the branch accounts on the HQ DC

  • Pre-create RODC accounts

Ensure that the forest functional level is Windows Server 2008 or higher

Any domain user can verify that the current forest functional level is Windows Server 2008 or higher. To raise the forest functional level, you must be either a member of the Domain Admins group in the forest root domain or a member of the Enterprise Admins group.

To ensure that the forest functional level is Windows Server 2008 or higher

  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the name of the forest, and then click Properties.

  3. Under Forest functional level, verify that the value is Windows Server 2008.

  4. If it is necessary to raise the forest functional level, in the console tree, right-click Active Directory Domains and Trusts, and then click Raise forest functional level.

  5. In Select an available forest functional level, click Windows Server 2008, and then click Raise.

Run adprep /rodcprep

This step updates the permissions on all the DNS application directory partitions in the forest. This allows them to be replicated successfully by all RODCs that are also DNS servers. To run adprep /rodcprep, you must be a member of the Enterprise Admins group.

Note

  • You do not have to perform this step if you are creating a new forest that will have only domain controllers running Windows Server 2008.

  • For more information about this command, see Running Adprep.exe (https://go.microsoft.com/fwlink/?LinkID=142597).

To run adprep /rodcprep

  1. Log on to a domain controller as a member of the Enterprise Admins group.

  2. Do one of the following:

    • For Windows Server 2008, copy the contents of the \sources\adprep folder on the Windows Server 2008 installation DVD to the schema master.

    • For Windows Server 2008 R2, copy the contents of the \support\adprep folder on the Windows Server 2008 R2 installation DVD.

  3. Open a command prompt, change directories to the adprep folder, type the following command, and then press ENTER:

    adprep /rodcprep

Install a writable domain controller that runs Windows Server 2008

An RODC must replicate domain updates from a writable domain controller that runs Windows Server 2008 or Windows Server 2008 R2. Before you install an RODC, be sure to install a writable domain controller that runs Windows Server 2008 or Windows Server 2008 R2 in the same domain. The domain controller can run either a full installation or a Server Core installation of either version of Windows Server. In either version, the writable domain controller does not have to hold the primary domain controller (PDC) emulator operations master role.

For more information and step-by-step procedures for installing a writable domain controller that runs Windows Server 2008, see the Step-by-Step guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (https://go.microsoft.com/fwlink/?LinkId=86716).
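The three prerequisites above (forest functional level, adprep /rodcprep, and a writable domain controller running Windows Server 2008 or later in the domain) can be checked from PowerShell on the HQ DC before you create any branch accounts. The script below is an added example, not part of the original page or of the Forefront TMG documentation. It assumes the ActiveDirectory PowerShell module is available on the HQ DC; the rodcprep marker object it looks for (CN=ActiveDirectory Rodc Update under CN=DomainUpdates) is this example's own assumption about where adprep records that operation, not something the page states.

```powershell
# Added example: pre-flight checks on the HQ DC before pre-creating RODC accounts.
# Assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Test-HqDcReadyForRodc {
    param(
        # Forest functional level this guide requires (name of an ADForestMode value).
        [string]$RequiredForestMode = 'Windows2008Forest'
    )
    $ready  = $true
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # 1. Forest functional level. ForestMode is an ordered enum, so comparing the
    #    integer values accepts the required level or anything newer.
    $required = [enum]::Parse($forest.ForestMode.GetType(), $RequiredForestMode)
    if ([int]$forest.ForestMode -ge [int]$required) {
        Write-Host "OK       forest functional level is $($forest.ForestMode)"
    } else {
        Write-Warning "forest functional level is $($forest.ForestMode); raise it to $RequiredForestMode in Active Directory Domains and Trusts (Domain Admins of the forest root or Enterprise Admins)"
        $ready = $false
    }

    # 2. adprep /rodcprep. ASSUMPTION of this example: adprep leaves this operation
    #    marker object under CN=DomainUpdates; if it is absent, rodcprep has not run.
    $marker = "CN=ActiveDirectory Rodc Update,CN=Operations,CN=DomainUpdates,CN=System,$($domain.DistinguishedName)"
    try {
        Get-ADObject -Identity $marker -ErrorAction Stop | Out-Null
        Write-Host "OK       adprep /rodcprep marker found"
    } catch {
        Write-Warning "rodcprep marker not found ($marker); run adprep /rodcprep as a member of Enterprise Admins"
        $ready = $false
    }

    # 3. At least one writable DC running Windows Server 2008 or later in this domain.
    $writable = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
        Where-Object { $_.OperatingSystem -match 'Windows Server (2008|201\d|202\d)' }
    if (@($writable).Count -gt 0) {
        Write-Host ("OK       writable DC(s) on Windows Server 2008 or later: {0}" -f ((@($writable) | ForEach-Object { $_.HostName }) -join ', '))
    } else {
        Write-Warning "no writable domain controller running Windows Server 2008 or later was found in $($domain.DNSRoot)"
        $ready = $false
    }
    return $ready
}

if (Test-HqDcReadyForRodc) { 'HQ DC is ready for RODC pre-creation' } else { 'Fix the warnings above before continuing' }
```

Run it as a domain user for the read-only checks; only raising the functional level or running adprep needs the elevated group memberships named in the sections above.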

Create the branch accounts on the HQ DC

Use the PrepareBranch.cmd script to create:

  • An organizational unit for the new branch in the domain.

  • An administrative user account for branch administration.

  • Seven security groups for the Forefront TMG SQL Server and Reporting Server.

Warning

Pay special attention to using the exact names of all the administrative user accounts on the RODC.

To create the branch accounts on the HQ DC

  1. On the HQ DC, create a new directory (for example, c:\rodc).

  2. Copy the text below to the Clipboard.

    @echo off
    setlocal
    REM           This script adds an organizational unit for the new branch to the domain,
    REM           adds security groups for the TMG SQL Server and Reporting Services,
    REM           and creates a user for branch administration.
    REM           Arguments: %1 = RODC server name, %2 = OU tree in DS format, %3 = optional password
    
    if [%2]==[] goto :usage
    
    set SQLserverName=%1&rem
    set OrganizationUnitTree=%~2&rem
    set password=*&rem
    if NOT [%3]==[] set password=%3&rem
    
    REM Create the OU for the branch if it is not already created.
    REM findstr /i /l /c: matches the DN literally, so OU names containing spaces or dots work;
    REM -limit 0 removes the default cap of 100 results on dsquery.
    :VerifyOrCreateOU
    dsquery ou -limit 0 | findstr /i /l /c:"%OrganizationUnitTree%" || (
       echo The Organization Unit Tree %OrganizationUnitTree% was not found
       echo %OrganizationUnitTree% will be created within 10 seconds
       echo ***    If you do not want to create %OrganizationUnitTree%
       echo ***    Type Ctrl-C NOW !!!
       timeout /t 10 
       Echo Creating %OrganizationUnitTree%
       dsadd ou "%OrganizationUnitTree%" || goto :OUError
       goto :VerifyOrCreateOU
    )
    
    call :AddSecurityGroup "CN=SQLServer2005SQLBrowserUser$%SQLserverName%,%OrganizationUnitTree%"             "Group for SQL Server Browser in SQL Server 2008."
    call :AddSecurityGroup "CN=SQLServerMSSQLServerADHelperUser$%SQLserverName%,%OrganizationUnitTree%"        "Group for SQL Server Active Directory Helper in SQL Server 2008."
    call :AddSecurityGroup "CN=SQLServerMSSQLUser$%SQLserverName%$ISARS,%OrganizationUnitTree%"                "Group for SQL Server."
    call :AddSecurityGroup "CN=SQLServerMSSQLUser$%SQLserverName%$MSFW,%OrganizationUnitTree%"                 "Group for SQL Server."
    call :AddSecurityGroup "CN=SQLServerReportServerUser$%SQLserverName%$MSRS10.ISARS,%OrganizationUnitTree%"  "Group for SQL Server Reporting Services in SQL Server 2008."
    call :AddSecurityGroup "CN=SQLServerSQLAgentUser$%SQLserverName%$ISARS,%OrganizationUnitTree%"             "Group for SQL Server Agent."
    call :AddSecurityGroup "CN=SQLServerSQLAgentUser$%SQLserverName%$MSFW,%OrganizationUnitTree%"              "Group for SQL Server Agent."
    echo.
    echo    These groups are created:
    echo.
    dsquery group -name *%SQLserverName%*
    echo.
    REM Create the branch admin user; -pwd * makes dsadd prompt for the password
    REM when none was given on the command line.
    dsadd user "CN=%SQLserverName%Admin,%OrganizationUnitTree%" -pwd %password%
    dsquery user "%OrganizationUnitTree%"
    exit /b 0
    
    
    :AddSecurityGroup
    REM Create a global security group in the domain for SQL Server
    set SQLgroupName=%1&rem
    set Description=%2&rem
    dsadd group %SQLgroupName% -secgrp yes -scope g -desc %Description% || (
       echo      --- Failed to create the group %SQLgroupName%
       exit /b
    )
    exit /b 0
    
    :usage
    echo    Adds the branch OU, the branch admin user and the TMG security groups for an RODC to the domain
    echo.
    echo    Usage: %0 ^<Server name^> ^<OU Tree^> [password]
    echo.
    echo    Server name: The name of the RODC
    echo    OU Tree:     In DS format "OU=OU1,OU=OU2,DC=DCname,DC=DCname"
    echo    password:    optional password for the branch admin user
    echo    Example:     %0 B4-RODC "OU=Branch4,OU=Branches,DC=YRHQ,DC=Local" p@$$w0rd
    echo    Hint   :     Run "dsquery ou" to get a list of the ^<OU Tree^>s
    echo.
    exit /b
    
    :OUError
    echo.
    echo    Error %errorlevel%
    echo    Cannot create the OU %OrganizationUnitTree%
    echo    because the containing OU cannot be located
    echo.
    exit /b
    
  3. Open Notepad and paste the text. Save the file as PrepareBranch.cmd.

  4. At the command prompt, type dsquery ou and press ENTER. Record the Organizational Unit syntax, which should look something like this: "OU=Branches,DC=DC1,DC=DC2".

  5. Run the PrepareBranch command with the following syntax:

    c:\rodc\PrepareBranch.cmd <name of RODC server> "OU=<name of branch you're creating>,OU=<parent branch>,DC=<name of DC1>,DC=<name of DC2>" [RODC branch admin password]

    Tip

    • For example, c:\rodc\PrepareBranch.cmd B1-RODC "OU=B1,OU=Branches,DC=DC1,DC=DC2" Pa$$word1 (the RODC server name is the first argument; the password is optional).

    • If you are creating multiple branches, it is recommended that you create a standardized pattern for all your branches. This will reduce the likelihood of errors when modifying the answer file for each branch.

    The PrepareBranch command creates the new branch in AD DS, and adds the RODC admin account and the seven security groups. Run this command for each branch with an RODC.

    Note

    The following security groups and administrative user are created and used for replication to the RODC (where <RODC Server Name> is the name of the RODC server):

    • <RODC Server Name>Admin

    • SQLServer2005SQLBrowserUser$<RODC Server Name>

    • SQLServerMSSQLServerADHelperUser$<RODC Server Name>

    • SQLServerMSSQLUser$<RODC Server Name>$ISARS

    • SQLServerMSSQLUser$<RODC Server Name>$MSFW

    • SQLServerReportServerUser$<RODC Server Name>$MSRS10.ISARS

    • SQLServerSQLAgentUser$<RODC Server Name>$ISARS

    • SQLServerSQLAgentUser$<RODC Server Name>$MSFW

    Important

    When you set up the branch server computer, make sure to use the exact name you specify here.
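Because the branch server setup and the RODC's Password Replication Policy both key on these exact names, it is worth verifying them right after PrepareBranch.cmd has run rather than discovering a typo during the RODC installation. The following script is an added example, not part of the original page or of Forefront TMG; it assumes the ActiveDirectory PowerShell module on the HQ DC, and the RODC name and OU at the bottom are constructed sample values that follow the page's naming pattern.

```powershell
# Added example: verify that PrepareBranch.cmd created the branch admin user and the
# seven TMG SQL Server groups with exactly the expected names under the branch OU.
Import-Module ActiveDirectory

function Get-ExpectedBranchPrincipals {
    param([Parameter(Mandatory=$true)][string]$RodcName)
    # One user and seven global security groups, named exactly as PrepareBranch.cmd creates them.
    # The format strings are single-quoted so '$' stays literal and {0} receives the RODC name.
    $groups = @(
        'SQLServer2005SQLBrowserUser${0}',
        'SQLServerMSSQLServerADHelperUser${0}',
        'SQLServerMSSQLUser${0}$ISARS',
        'SQLServerMSSQLUser${0}$MSFW',
        'SQLServerReportServerUser${0}$MSRS10.ISARS',
        'SQLServerSQLAgentUser${0}$ISARS',
        'SQLServerSQLAgentUser${0}$MSFW'
    ) | ForEach-Object { New-Object PSObject -Property @{ Name = ($_ -f $RodcName); Kind = 'Group' } }
    $user = New-Object PSObject -Property @{ Name = "${RodcName}Admin"; Kind = 'User' }
    return @($user) + @($groups)
}

function Test-BranchPrincipals {
    param(
        [Parameter(Mandatory=$true)][string]$RodcName,
        [Parameter(Mandatory=$true)][string]$BranchOu   # DS format, as passed to PrepareBranch.cmd
    )
    $missing = @()
    foreach ($p in (Get-ExpectedBranchPrincipals -RodcName $RodcName)) {
        # The script creates every object directly under the OU as CN=<name>,<OU>, so
        # looking up the full DN is the strictest check: no wildcard match can pass.
        $dn = "CN=$($p.Name),$BranchOu"
        try {
            if ($p.Kind -eq 'User') {
                $u = Get-ADUser -Identity $dn -ErrorAction Stop
                if (-not $u.Enabled) {
                    Write-Warning "$($p.Name) exists but is disabled; reset its password to enable it before delegating the RODC installation"
                }
            } else {
                $g = Get-ADGroup -Identity $dn -ErrorAction Stop
                if ($g.GroupCategory -ne 'Security' -or $g.GroupScope -ne 'Global') {
                    Write-Warning "$($p.Name) is a $($g.GroupScope) $($g.GroupCategory) group; expected a Global Security group"
                }
            }
        } catch {
            $missing += $p.Name
        }
    }
    if ($missing.Count -eq 0) {
        Write-Host "All 8 branch principals for $RodcName exist under $BranchOu"
        return $true
    }
    Write-Warning ("Missing under {0}: {1}" -f $BranchOu, ($missing -join ', '))
    return $false
}

# Constructed example values following the page's Bn-RODC naming pattern.
Test-BranchPrincipals -RodcName 'B2-RODC' -BranchOu 'OU=B2,OU=Branches,DC=YRHQ,DC=Local'
```

A disabled admin user is reported rather than treated as missing, since the page's next procedure expects you to set its password and enable it if no password was supplied to the script.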

Pre-create RODC accounts

Pre-creating an RODC branch account in Active Directory enables the server at the branch to attach to the account. You can use the Active Directory Domain Services Installation wizard to pre-create a single RODC server account, or to generate an answer file with the branch’s configuration, with which you can streamline creation of multiple accounts.

To pre-create RODC accounts

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. If you did not provide a password when you ran PrepareBranch.cmd, navigate to the organizational unit you created in the previous procedure (typically under Branches), right-click the admin account, and click Reset password to set a password and enable the new admin account.

  3. Right-click Domain Controllers and select Pre-create Read-only Domain Controller account.

  4. On the Welcome to the Active Directory Domain Services Installation Wizard page, select Use advanced mode installation, and then click Next.

  5. On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials [...\administrator] and then click Next.

  6. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 and Windows Server 2008 R2 domain controllers, and then click Next.

  7. On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.

  8. On the Specify the Computer Name page, type the computer name of the server that will be the RODC and then click Next.

    Warning

    The name must be identical to the name you provided when you ran PrepareBranch.cmd.

  9. On the Select Site page, click the Active Directory site for the RODC, and then click Next.

  10. On the Additional Domain Controller Options page, make sure that all the checkboxes are selected (they are by default) and then click Next.

  11. On the Specify the Password Replication Policy page, click Add.

  12. Click Allow passwords for the account to replicate to this RODC.

  13. Click Advanced and then click Find Now to display the accounts.

  14. Hold the CTRL key and click the accounts created by the script (one administrator user and seven groups), and then click OK twice.

    Note

    For example:

    • B2-RODCAdmin

    • SQLServer2005SQLBrowserUser$B2-RODC

    • SQLServerMSSQLServerADHelperUser$B2-RODC

    • SQLServerMSSQLUser$B2-RODC$ISARS

    • SQLServerMSSQLUser$B2-RODC$MSFW

    • SQLServerReportServerUser$B2-RODC$MSRS10.ISARS

    • SQLServerSQLAgentUser$B2-RODC$ISARS

    • SQLServerSQLAgentUser$B2-RODC$MSFW

    Verify that you have selected the correct administrator account and security groups, and then click Next.

  15. On the Delegation of RODC installation and Administration page, type the name of the branch’s RODC administrator user.

    Tip

    You can click Set, Advanced and Find Now to select the user account and avoid typos.

  16. If you are only preparing a single branch, click Next twice and then click Finish. This user will be able to attach a server to the RODC account and complete the RODC installation.

  17. If you are preparing multiple branches, you can do the following:

    1. Click Export settings to generate a dcpromo answer file. Type a name for your answer file, and then click Save.

    2. Cancel the wizard.

    3. Open the dcpromo answer file in a text editor and copy the command syntax under Usage.

      For example, Dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:YRHQ.Local /unattend:C:\RODC\PreCreateRODC_<filename.txt>

    4. At the command prompt, paste the syntax and press ENTER to create the RODC account for the branch you just configured.

    5. For each additional branch, modify the answer file according to the specifics of that branch. You will need to replace the following with the specifics for each branch:

      • DCAccountName

      • DelegatedAdmin

      • Any line that includes the RODC server name.

      For example, assume that the initial answer file refers to DCAccountName as “B2-RODC”, and you want to modify the file to pre-create a branch called B3-RODC. In most cases a simple search and replace will take care of all lines that need modification.
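The search-and-replace in step 5, the dcpromo command in step 3, and the Password Replication Policy selection from step 14 can be chained in one script so each additional branch gets its own answer file and RODC account, and the allowed list is checked afterwards. This is an added example, not part of the original page or of Forefront TMG. It assumes the template answer file was exported for B2-RODC and saved as C:\RODC\PreCreateRODC_B2-RODC.txt (a constructed path), that every branch-specific line in it contains that name (as step 5 states), and that the domain is YRHQ.Local as in the page's own example; the branch list is constructed. The ActiveDirectory module is required for the final check.

```powershell
# Added example: generate one dcpromo answer file per branch from the exported template,
# pre-create the RODC account, and confirm the branch principals are in the allowed PRP list.
Import-Module ActiveDirectory

$TemplateRodc = 'B2-RODC'                              # name used when the template was exported
$TemplateFile = 'C:\RODC\PreCreateRODC_B2-RODC.txt'    # constructed path for the exported file
$DomainDns    = 'YRHQ.Local'
$NewBranches  = @('B3-RODC', 'B4-RODC')                # constructed branch list

function New-BranchAnswerFile {
    param(
        [Parameter(Mandatory=$true)][string]$Template,
        [Parameter(Mandatory=$true)][string]$TemplateRodc,
        [Parameter(Mandatory=$true)][string]$NewRodc
    )
    $target  = Join-Path (Split-Path -Parent $Template) "PreCreateRODC_$NewRodc.txt"
    $pattern = [regex]::Escape($TemplateRodc)          # '-' and '.' in the name must stay literal
    $lines   = @(Get-Content -Path $Template)
    $hits    = @($lines | Where-Object { $_ -match $pattern })
    if ($hits.Count -eq 0) { throw "$Template does not mention $TemplateRodc; wrong template file?" }

    # Every line carrying the template name (DCAccountName, DelegatedAdmin, the PRP entries
    # such as SQLServerMSSQLUser$B2-RODC$ISARS) is rewritten for the new branch.
    $lines | ForEach-Object { $_ -replace $pattern, $NewRodc } | Set-Content -Path $target
    Write-Host ("{0}: {1} line(s) changed from {2} to {3}" -f $target, $hits.Count, $TemplateRodc, $NewRodc)
    return $target
}

function Test-RodcAllowedList {
    param([Parameter(Mandatory=$true)][string]$RodcName)
    # The PRP is stored on the pre-created RODC computer account; -Allowed lists the
    # principals whose secrets this RODC may cache.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed)
    # PrepareBranch.cmd creates exactly eight principals whose names contain the RODC name
    # (the Admin user and the seven SQL Server groups), so that is the expected count.
    $branch = @($allowed | Where-Object { $_.Name -like "*$RodcName*" })
    Write-Host ("{0}: {1} of 8 branch principals allowed to replicate" -f $RodcName, $branch.Count)
    return ($branch.Count -eq 8)
}

foreach ($rodc in $NewBranches) {
    $answer = New-BranchAnswerFile -Template $TemplateFile -TemplateRodc $TemplateRodc -NewRodc $rodc
    # Same command the wizard prints under Usage (step 3 above).
    & dcpromo.exe /CreateDCAccount "/ReplicaDomainDNSName:$DomainDns" "/unattend:$answer"
    Write-Host "dcpromo exit code for ${rodc}: $LASTEXITCODE"
    if (-not (Test-RodcAllowedList -RodcName $rodc)) {
        Write-Warning "${rodc}: review the Password Replication Policy in Active Directory Users and Computers"
    }
}
```

The count check is deliberately exact: fewer than eight means a group or the admin user was left out of the allowed list, and more than eight means an unintended principal matching the branch name was added, so either case is worth a look before the branch server is attached.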

Next Steps

The next step is to begin to configure your branch servers. See Preparing the RODC for information about installing Windows Server 2008 R2 (if you haven’t already done so), and configuring the server to function as an RODC.

Other Resources

Installing Forefront TMG on a domain controller