Upgrade a Windows Server 2003 Domain Controller in a Branch Office and Make It an RODC

Applies To: Windows Server 2008

In this scenario, you have an existing Windows Server 2003 domain controller in the branch office. You want to upgrade the operating system and then run a Windows Server 2008 read-only domain controller (RODC) on the same hardware. You cannot upgrade a Windows Server 2003 domain controller and make it a Windows Server 2008 RODC as part of the process of upgrading the operating system. To make any writable domain controller an RODC, you have to remove and then reinstall Windows Server 2008 Active Directory Domain Services (AD DS).

In this scenario, a Domain Admin will be required to log on in the branch office to remove AD DS from the domain controller after it is upgraded. Because the Domain Admin will be required to log on in the branch office, the staged installation process does not provide any administrative benefit.

The branch office users and computers will have to authenticate over the wide area network (WAN) link while AD DS is removed from the existing domain controller and then reinstalled.

Complete the following steps to upgrade a Windows Server 2003 domain controller and then make it a Windows Server 2008 RODC:

  1. Upgrade the operating system of the Windows Server 2003 domain controller to Windows Server 2008.


If you upgrade the operating system of the domain controller before you remove AD DS from it, you can run the ntdsutil ifm command to create secret-less media on the upgraded domain controller. Then, you can use the resulting secret-less installation media to complete subsequent RODC installations. This reduces downtime within the branch office and minimizes WAN link utilization during the RODC installation. For more information about creating secret-less media for an RODC installation, see Installing AD DS from Media (http://go.microsoft.com/fwlink/?LinkID=120013).

  1. Run the Dcpromo.exe tool to remove AD DS. You must be a member of the Domain Admins group to complete this operation.

  2. Run Dcpromo.exe again to install AD DS on the server. When you run Dcpromo.exe, select the option to install an RODC and specify the folder where you installed the IFM media for the RODC installation. You must be a member of the Domain Admins group to complete the RODC installation or you must be delegated the appropriate permissions. In this case, the risk that is associated with using privileged credentials during the installation is not as significant because the privileged credentials were already used in the step when AD DS was removed.

  3. Verify that the RODC installation is working correctly. If you did not install the DNS server role or the global catalog during the AD DS installation, you should complete those steps now.

    For more information about completing those steps and specific tests that you can run to verify the RODC installation, see RODC Post-Installation Configuration (http://go.microsoft.com/fwlink/?LinkId=152749).

  4. As a security best practice, delete all system state backups or snapshots from the original domain controller after you remove Active Directory from it. You can retain the secret-less installation media for additional RODC installations.