Step 6: Complete Additional Steps for Configuring an RODC

Updated: June 3, 2009

Applies To: Windows Server 2008

After you install Active Directory Domain Services (AD DS), complete the following configuration tasks. For additional configuration tasks that you might have to complete after you install a read-only domain controller (RODC), see RODC Post-Installation Configuration (

  • Verify that the NETLOGON and SYSVOL shared folders are present on the domain controller.

    At an elevated command prompt, type net share, and then press ENTER. If the NETLOGON shared folder is not listed, complete the steps in article 947022 in the Microsoft Knowledge Base (

  • Reconfigure the Domain Name System (DNS) client settings of RODCs in branch offices if a Group Policy setting is not already applied to do this.

    By default, an RODC is not configured to point to itself as its preferred DNS server. Change the default settings so that the RODC points to itself as the preferred DNS server and DNS lookups can be resolved locally in the branch office. Set the alternate DNS server to be a DNS server in a hub site.

  • If applicable, specify a user—or, preferably, a group—as the delegated RODC administrator account, and add the user or group to the Allowed list for the Password Replication Policy (PRP) of the RODC.

    You may have completed this step during RODC installation. After you specify the account and add it to the Allowed list, replicate the passwords for accounts in the Allowed list to the RODC by having the accounts log on to a workstation in the site with the RODC or by prepopulating the passwords by using the Active Directory Users and Computers snap-in or Repadmin.exe. This ensures that accounts in the Allowed list, including the delegated RODC administrator, can log on to the RODC even if the network is not available. For more information, see Administering the Password Replication Policy (

  • If necessary, change the DsrmAdminLogonBehavior registry entry value.

    The DsrmAdminLogonBehavior registry entry controls whether you can use the Directory Services Restore Mode (DSRM) Administrator account to log on to a domain controller if the domain controller was started normally but the AD DS service is stopped for some reason and no other domain controller can be contacted to service the logon request. This situation can arise in a branch office that has an RODC when the wide area network (WAN) link between the branch office and a hub site is unavailable. By default, the DSRM Administrator account cannot be used to log on to a domain controller that has the AD DS service stopped. For more information about the DsrmAdminLogonBehavior registry entry, see the Restartable AD DS Step-by-Step Guide (

  • Follow best practices for running antivirus software on a domain controller.

    For more information, see "Running Virus Scans on Domain Controllers" in Establishing Secure Domain Controller Build Practices (

  • Configure port requirements for Windows Server 2008 and RODCs.

    AD DS has port requirements for replication and other operations. There are also port requirements for services that AD DS depends on. Furthermore, your deployment might have other applications and services that depend on AD DS, and they can have their own set of port requirements. For more information about configuring ports for an RODC, see Active Directory Domain Services in the Perimeter Network (Windows Server 2008) (

    On domain controllers that run Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2) or Windows Server 2008, Windows Firewall is enabled by default. You might have to configure the firewall settings on these domain controllers to allow Active Directory operations. For more information, see article 224196 in the Microsoft Knowledge Base (


The dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008 is increased from earlier versions of Windows. The new default start port is 49152, and the default end port is 65535. Earlier versions of Windows used a default port range of 1025 through 5000.

Before you deploy Windows Server 2008 domain controllers, test for connectivity over the new port range. AD DS requires TCP/IP availability. For more information, see article 929851 in the Microsoft Knowledge Base ([](