Installing Forefront TMG on the RODC
This procedure describes how to install and configure Forefront TMG SP1 on a read-only domain controller (RODC).
Installing Forefront TMG SP1 on a read only domain controller
Run the following from an elevated command prompt:
ServerManagerCmd.exe -inputpath <DVD_path>\FPC\PreRequisiteInstallerFiles\WinRolesInstallSA_Win7.xml -logPath C:\Windows\TEMP\TMG-Prerequisites.log
Prepare a Forefront TMG SP1 slipstream DVD with the following steps:
Copy the Forefront TMG DVD and the Forefront TMG SP1 MSP file to a local drive on the target computer. For the purposes of this example, let’s assume this is
At a command prompt, type the following command and press ENTER.
msiexec /a c:\temp\TMG\FPC\MS_FPC_SERVER.msi /p TMG-KB981324-amd64-ENU.msp /qb /L*v c:\tmg\log.txt
When the operation completes, you will have a full installation of Forefront TMG already upgraded to Service Pack 1.
Run the upgraded setup program by typing
c:\temp\TMG\FPC\setup.exeat a command prompt and pressing ENTER.
Define the Internal network to include the branch subnets, and complete the installation. The Forefront TMG installation automatically identifies that it is running on a DC, and enables the system policy that allows DC traffic from the Internal network to the Forefront TMG server, as well as from the HQ DCs (if they are outside the internal network). See the table below for the list of allowed protocols.
The Internal network computers require connectivity to the HQ DCs. If Forefront TMG functions as a network gateway between the Internal network and the HQ DCs, create a policy access rule that allows:
Name: Allow Directory Services access from Internal to HQ DCs
From: Internal Network
To: Domain Controllers computer set (created automatically during installation)
Protocols: All protocols from the table below
LDAP for AD queries
Rule name: Allow access to directory services on Forefront TMG
Rule name: Allow Kerberos authentication to Forefront TMG
Kerberos Password v5
Microsoft CIFS (TCP)
Microsoft CIFS (UDP)
Group Policy download for branch machines
Rule name: Authentication Services: Allow Microsoft CIFS to Forefront TMG
Rule name: Authentication Services: Allow RPC to Forefront TMG
DNS for branch machines
Rule name: Allow DNS to Forefront TMG
> [!IMPORTANT] > Make sure that the default gateway of the client machines is the Forefront TMG server. > <P></P>
Every branch account (user or computer) that is joined to the domain needs to have its password replicated to the RODC for authentication purposes. To replicate the password, complete the following steps on the HQ DC:
In Active Directory Users and Computers, select the Domain Controllers branch, right-click the RODC and select Properties.
Click the Password Replication Policy tab, and then click Add.
Select Allow passwords for the account to replicate to the RODC, select all relevant local users for this branch and then click OK.
On the RODC’s Properties page, click Advanced, and verify that the user accounts you added appear in the list of Accounts whose passwords are stored on this Read-only Domain Controller.
Active Directory must complete replicating the user information to the RODC before you can log on with these accounts.