Review Policy Settings and Network Settings

Applies To: Windows Server 2008

Before you begin an installation of read-only domain controllers (RODCs) in branch office locations, review all the Group Policy settings that are currently used in your environment. Assess how these Group Policy settings might be affected by the RODC deployment.

Some policy settings, such as the settings that enforce Server Message Block (SMB) packet and secure channel signing, are enabled by default on domain controllers that run Windows Server 2003 and Windows Server 2008. Some organizations might disable these settings to allow client computers that run earlier versions of Windows to communicate with Windows Server 2008 domain controllers. For more information, see Modify Default Security Policies on Windows Server 2008–Based Domain Controllers (

If you are using a Group Policy object (GPO) to control how client computers fail over to a hub site domain controller when the domain controller in their branch office location is not available, as described in the Windows Server 2003 Active Directory Branch Office Guide (, update the security group that is used to filter the policy. The 2003 guide recommends that the security group membership include hub site domain controllers so that only those domain controllers register service (SRV) resource records.

During the transition period in which there might be RODCs in some branch offices and writeable domain controllers in other branch offices, add the Read-only Domain Controllers default security group to the security group that you use to filter the policy. The security group is named Hub-DCs in the example in the following procedure. This excludes the RODCs from the policy. By default, RODCs do not register service (SRV) resource records for other sites.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To add members to the Hub-DCs security group

  1. Open the Active Directory Users and Computers snap-in. In Active Directory Users and Computers, click the Domain Controllers OU, and then in the details pane, double-click the Hub-DCs group.

  2. In the Hub-DCs Properties dialog box, click the Members tab.

  3. Click Add, click Object Types, click Computers, and then click OK.

  4. In the Select Users, Computers, or Groups dialog box, type Read-Only Domain Controllers and the names of the domain controllers from the Branches domain that are supposed to be located in Data-Center-Site, separated by semicolons.

  5. Click Check Names.

  6. After the names resolve, click OK to add the names to the group.

  7. In the Hub-DCs Properties dialog box, verify that all the domain controllers are added to the group, and then click OK.

  8. To ensure that the new domain controllers recognize their new group membership and are able to apply security settings on the GPO correctly, reboot all the domain controllers in the Hub-DCs group.