Determine the Domain Upgrade Order

Applies To: Windows Server 2008

Before you begin an installation of read-only domain controllers (RODCs) in branch office locations, determine the order of the domain upgrades. The recommended order for upgrading domains in an existing branch office deployment is as follows:

  1. Beginning with the domain that contains the branch offices, install writeable Windows Server 2008 domain controllers in the hub sites. This step is the minimum that is required for deployment of RODCs in the branch offices. Most organizations will want to make sure that all hub site domain controllers for every domain are running Windows Server 2008 before they begin to deploy RODCs in branch offices, either because their deployment begins with sites that host the most critical infrastructure services or to coincide with predefined schedules for hardware and software replacement.

  2. For the same domain, upgrade or replace the existing domain controllers in the branch offices with RODCs.

  3. Raise the domain functional level to Windows Server 2008.

  4. For the remaining domains, upgrade or replace the remaining domain controllers with Windows Server 2008 domain controllers.

The rest of this topic explains this sequence in more detail. For more information about prerequisites for deploying an RODC, see Prerequisites for Deploying an RODC.

If you have multiple domains in your forest, begin the installation of writeable Windows Server 2008 domain controllers (either clean installations or upgrades of Windows Server 2003 domain controllers) in the domain where you plan to use RODCs. Writeable domain controllers running Windows Server 2008 must be deployed in that domain before you can introduce RODCs in your branch offices. For example, if the forest has three domains, as shown in the illustration in Evaluate Your Active Directory Logical Structure, start the deployment process by installing Windows Server 2008 domain controllers in the Branches domain. The Branches domain contains the users and computers in the branch office locations.

In this scenario, first upgrade or deploy new writeable Windows Server 2008 domain controllers from the Branches domain that are running in the Data-Center-Site. These domain controllers, which are shown in the illustration in Review the Existing Physical Structure, are the operations master (also known as flexible single master operations or FSMO) role holders named HubDC1 and HubDC2 and the bridgehead servers named BHDC1, BHDC2, BHDC3, and so on.

As a best practice, replace all the Windows Server 2003 domain controllers from the Branches domain in the Data-Center-Site with writeable Windows Server 2008 domain controllers before you begin to deploy RODCs in branch office locations. If you have all these domain controllers running Windows Server 2008, the RODCs that you subsequently add to the domain will be load balanced across the bridgehead servers automatically. You will not have to use the Adlb.exe tool to evenly distribute the replication workload for RODCs. However, you can continue to run Adlb.exe on the writeable Windows Server 2008 domain controllers in the Data-Center-Site to load-balance the replication connections that they have with the Windows Server 2003 domain controllers in the branch offices during the transition period when you are replacing the branch office domain controllers with RODCs. For more information about using Adlb.exe during the transition, see Preventing Bridgehead Server Overload During a Transition.

You do not have to replace all the Windows Server 2003 domain controllers from the Branches domain in the Data-Center-Site before you start to deploy RODCs. A writeable Windows Server 2008 domain controller is required for an RODC to replicate domain data and to enforce the Password Replication Policy (PRP). If you cannot replace all the Data-Center-Site domain controllers for the Branches domain before you begin to deploy RODCs, you should deploy at least two writeable Windows Server 2008 domain controllers so that the RODCs can fail over to the second Windows Server 2008 domain controller if the first domain controller is not available. If you have only one writeable Windows Server 2008 domain controller and it becomes unavailable, none of the RODCs that you deploy can replicate the domain partition, including passwords, and you cannot make any changes to the PRP.

Another factor to consider when you are choosing which domains to upgrade is a plan to migrate from File Replication Service (FRS) to Distributed File System (DFS) Replication for SYSVOL. If you want to use DFS Replication for SYSVOL, the domain functional level must be Windows Server 2008. As a best practice, plan to raise the domain functional level to Windows Server 2008 as soon as possible because DFS Replication provides better support for SYSVOL on RODCs than File Replication Service (FRS) does. In particular, if possible, you should raise the domain functional level to Windows Server 2008 and migrate to DFS Replication before you begin to add RODCs to branch office locations that did not previously have any Windows Server 2003 domain controllers. This way, when you add RODCs they will automatically use DFS Replication for SYSVOL. However, this is not a requirement for introducing RODCs, and it is practical mostly in environments that have only a few domain controllers deployed in branch offices. For more information, see Plan for DFS Replication for SYSVOL.

You can upgrade or replace the Windows Server 2003 domain controllers in other domains anytime if they will not have any RODCs. However, domain controllers in the other domains must run Windows Server 2003 or Windows Server 2008 because RODCs require the forest functional level to be Windows Server 2003.

To replace existing Windows Server 2003 domain controllers, you can either upgrade them directly to Windows Server 2008 or decommission them and replace them with new servers. For more information, see Upgrading Active Directory Domains to Windows Server 2008 AD DS Domains (