Preparing the RODC

This procedure describes how to configure the branch server to function as a Read Only Domain Controller (RODC).

To prepare an RODC server

  1. Install Windows Server 2008 or Windows Server 2008 R2 on the branch server.

  2. Log in to the server with the local administrator’s credentials.

  3. Verify that the branch server has network connectivity to the HQ DC, and that the branch server's preferred DNS server is set to the HQ DC.

  4. At the command prompt, type dcpromo and then press ENTER to start the Active Directory Domain Services Wizard.

  5. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.

  6. On the Network Credentials page, type the name of a domain in the forest where you plan to install the RODC. If necessary, also type a user name and password for a member of the Domain Admins group, and then click Next.

  7. Select the domain for the RODC, and then click Next.

  8. Click the Active Directory site for the RODC, and then click Next.

  9. Select the Read-only domain controller check box. By default, the DNS server check box is also selected.

  10. After you type the machine name, a warning appears indicating that the machine already has an RODC profile. This is expected, and it confirms that the HQ DC preparation succeeded. Accept the warning and continue.

  11. On the Install from Media page, select Replicate data over the network from an existing domain controller, and click Next.

  12. On the Source Domain Controller page, select a domain controller, or let the wizard choose an appropriate domain controller, and then click Next.

  13. To use the default folders that are specified for the Active Directory database, the log files, and SYSVOL, click Next.

  14. Type and then confirm a Directory Services Restore Mode password, and then click Next.

  15. Confirm the information that appears on the Summary page, and then click Next to start the AD DS installation. You can select the Reboot on completion check box to make the rest of the installation complete automatically.

  16. If you are preparing multiple branches, do the following:

    1. Click Export settings to generate a dcpromo answer file. Type a name for your answer file, and then click Save.

    2. Cancel the wizard.

    3. At the command prompt, type the command that appears after the line Usage: in the dcpromo answer file.

      For example: dcpromo.exe /UseExistingAccount:Attach /unattend:C:\Users\Administrator\Desktop\RODC-Dcpro.txt

    4. For each branch, modify RODC-Dcpro.txt according to the specifics of that branch (you may need to change the UserName, Password and SafeModeAdminPassword values).

  17. Restart the server.

  18. The server logs in automatically with the domain administrator account. Log off and log in with the branch user account.

After you install the first RODC in your domain, allow enough time for the new Password Replication Policy groups to replicate to other domain controllers in the domain before you try to install additional RODCs. This helps prevent errors that might occur during the RODC installation if the groups are not available on the source domain controller.
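The per-branch edits in step 16 can be scripted instead of made by hand. The following PowerShell script is an added example, not part of the original page or the product documentation; it assumes the template exported by the wizard sits at the path shown in step 16, that the branch names are placeholders, and that the template contains the UserName, Password and SafeModeAdminPassword keys named in step 16.

```powershell
# Added example: build one dcpromo answer file per branch from the exported template,
# overriding UserName, Password and SafeModeAdminPassword (step 16). Paths and branch
# names below are assumptions; adjust them to your environment.
param(
    [string]$Template = "C:\Users\Administrator\Desktop\RODC-Dcpro.txt",
    [string[]]$Branches = @("Branch01", "Branch02"),   # assumed branch names
    [string]$OutDir = "C:\RODC-Answers"
)

function Set-AnswerKey {
    # Replace "Key=value" in the answer file, or append the key if it is missing.
    param([string[]]$Lines, [string]$Key, [string]$Value)
    $found = $false
    $out = @(foreach ($line in $Lines) {
        if ($line -match "^\s*$Key\s*=") { $found = $true; "$Key=$Value" } else { $line }
    })
    if (-not $found) { $out += "$Key=$Value" }
    return $out
}

function ConvertTo-PlainText([Security.SecureString]$Secure) {
    # dcpromo needs the passwords in clear text inside the file; convert only at write time.
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

$null = New-Item -ItemType Directory -Path $OutDir -Force
$templateLines = Get-Content $Template

foreach ($branch in $Branches) {
    $user     = Read-Host "Domain Admins account for $branch (DOMAIN\user)"
    $adminPwd = Read-Host "Password for $user" -AsSecureString
    $dsrmPwd  = Read-Host "Directory Services Restore Mode password for $branch" -AsSecureString

    $lines = Set-AnswerKey $templateLines "UserName" $user
    $lines = Set-AnswerKey $lines "Password" (ConvertTo-PlainText $adminPwd)
    $lines = Set-AnswerKey $lines "SafeModeAdminPassword" (ConvertTo-PlainText $dsrmPwd)

    $path = Join-Path $OutDir "RODC-Dcpro-$branch.txt"
    Set-Content -Path $path -Value $lines -Encoding ASCII
    # The file now holds clear-text credentials: limit access to Administrators and SYSTEM.
    icacls $path /inheritance:r /grant:r "Administrators:F" "SYSTEM:F" | Out-Null
    Write-Host "Run on ${branch}: dcpromo.exe /UseExistingAccount:Attach /unattend:$path"
    Write-Host "Delete $path once dcpromo on $branch has completed."
}
```

Copy each generated file to its branch server and run the printed dcpromo command there (step 16.3); delete the file after the promotion completes because it contains the domain administrator and DSRM passwords.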

Next Steps

The next step is to install Forefront TMG SP1 on the branch server. See Installing Forefront TMG on a domain controller for configuration details.

Other Resources

Installing Forefront TMG on a domain controller