How to: Installing a Windows 2008 Read Only Domain Controller (RODC)

In this article I’m going to set up a Read Only Domain Controller in a Windows 2008 environment. There’s already a writable Domain Controller available in the domain GPO.LOCAL. The first step is to Install a new Windows 2008 Server, in my example it’s a Core Edition. After the installation, you can begin configuring your new server.

— Enter the productkey:
slmgr.vbs -ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

— Activate Windows:
slmgr.vbs -ato

— Rename the computer:
Netdom renamecomputer “%computername%” /newname:SRV-RODC01 /reboot:15

— Show all network interfaces:
Netsh interface ipv4 show interface

— Set a static IP address:
Netsh interface ipv4 set address name=2 source=static address=172.16.1.11 mask=255.255.0.0 gateway=172.16.1.1
(make sure that you’re choosing the right network interface. In this example it’s 2, so name=2 it means interface 2)

— Set a static DNS server:
Netsh interface ipv4 add dnsserver name=2 address=172.16.1.10 index=1

— Turn Remote Desktop (RDP) on:
Cscript %windir%\system32\SCRegEdit.wsf /ar 0

— Enable Remote Desktop (RDP) in the Windows Firewall:
netsh advfirewall firewall set rule group=”remote desktop” new enable=yes
(Note: type this rule in by your self, copy past will give an error!)

— Enable Remote Management (RemoteCMD) in the Windows Firewall:
netsh advfirewall firewall set rule group=”Remote Administration” new enable=yes
(Note: type this rule in by your self, copy past will give an error!)Making the unattended.txt:
Copy and past the following test into the new textfile and save this file on the C: drive of the Core Server.
==================================================
[DCInstall]
InstallDNS=Yes
ConfirmGc=Yes
CriticalReplicationOnly=No
DisableCancelForDnsInstall=No
Password=********
RebootOnCompletion=No
ReplicaDomainDNSName=GPO.local
ReplicaOrNewDomain=ReadOnlyReplica
ReplicationSourceDC=srv-w2k8dc01.gpo.local
SafeModeAdminPassword=********
SiteName=Default-First-Site-Name
UserDomain=GPO.local
UserName=Administrator
==================================================

 — Run the DCPROMO
dcpromo /unattend:c:\unattend.txt15)

— Reboot the Domain Controller
shutdown -r -t 0

cs_01    cs_03    cs_04

cs_05    cs_06    cs_07

cs_08    cs_09    cs_10

cs_11    cs_12    cs_13

As you can see, when you make a connection to the RODC, you’re not be able to make any changes to existing users or groups and the option “New” is hidden when you right-click in your environment.

In the next post i’m going to delete a RODC from the environment. (for example if your server is stolen or something like that).

Leave a Reply

You must be logged in to post a comment.