The RODC was developed to address the need to have a domain controller in a branch office
where server expertise and physical security are often lacking. An RODC performs many of the
same tasks as a regular domain controller, but changes to Active Directory objects can't be made
on an RODC; a client that tries to write is referred to a writeable DC. An RODC maintains a current
copy of Active Directory information through one-way replication from a writeable DC. However,
there are some important differences in the information an RODC keeps (by default it stores no
account passwords other than its own and the RODC-specific krbtgt account) that make it a safer
target than a writeable domain controller if the server is stolen or compromised. In addition, you
should be aware of some factors before installing an RODC in your network. This section discusses
the following aspects of using RODCs in a Windows network:
• RODC installation
• RODC replication
• Credential caching
• Administrator role separation
• Read-only DNS
RODC Installation
Before you can install an RODC, you must address these prerequisites:
• A writeable Windows Server 2008 DC that the RODC can replicate with must be operating
in the domain; an RODC replicates only from a writeable DC running Windows Server 2008.
• The forest functional level must be at least Windows Server 2003.
• If the forest was not created with Windows Server 2008 (that is, if the forest functional level
is below Windows Server 2008), you must run the adprep /rodcprep command once for the forest
before installing the first RODC. This step grants the read-only DC groups the permissions they
need on the DNS application partitions; it requires Enterprise Admins credentials.
Because an RODC is meant to address the needs of a branch office, administrators can combine
the RODC installation with another designed-for-branch-office installation: Server Core, which is
Windows Server 2008 with a minimal set of components and no graphical shell. On a full Windows
Server 2008 installation, you use Server Manager to install the role and Dcpromo.exe to start the
Active Directory installation wizard. On a Server Core installation there is no wizard, so you start
Dcpromo.exe from a command prompt with the /unattend option and an answer file that supplies
the settings the wizard would otherwise ask for.
Another option for installing an RODC that isn't available with a regular DC is delegated
installation. With delegated installation, the promotion step itself doesn't require domain
administrator credentials: a domain administrator first creates a computer account for the server
that will perform the RODC role in the Domain Controllers OU, and a regular user at the branch
office can then complete the installation on the server. When you create the account, select the
user or group name that is allowed to join the computer to the domain (see Figure 12-12). Only
that user or group can attach a server to the pre-created account.
Figure 12-12
Creating an RODC computer account
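The two halves of a delegated RODC installation on Server Core, written out as an added example rather than text from the book: the batch commands below are typed at a command prompt (the only shell available on a Windows Server 2008 Server Core installation), write the Dcpromo answer files, and run the command-line form of the pre-creation and attach steps. The domain corp.example.com, the account name BRANCH01, the site Branch1, and the groups CORP\branchadmins and CORP\Branch1-Users are assumed names; the dcpromo switches and [DCInstall] keys are the ones documented for Windows Server 2008.

```batch
@echo off
REM Added example, not from the book. Delegated RODC installation in two steps.
REM All domain, site, group and account names below are assumptions.

REM ---- Step 1: pre-create the RODC account (run by a domain administrator) ----
REM Equivalent to the wizard in Figure 12-12: the account lands in the Domain
REM Controllers OU, and DelegatedAdmin is the user or group allowed to attach a
REM server to it. The password replication policy is set at the same time so the
REM branch RODC can never cache Domain Admins credentials.
(
  echo [DCInstall]
  echo ReplicaOrNewDomain=ReadOnlyReplica
  echo ReplicaDomainDNSName=corp.example.com
  echo DCAccountName=BRANCH01
  echo SiteName=Branch1
  echo DelegatedAdmin=CORP\branchadmins
  echo PasswordReplicationAllowed=CORP\Branch1-Users
  echo PasswordReplicationDenied=CORP\Domain Admins
  echo InstallDNS=Yes
  echo ConfirmGc=Yes
) > C:\rodc-precreate.txt
dcpromo /CreateDCAccount /unattend:C:\rodc-precreate.txt

REM ---- Step 2: attach the server (run by a member of CORP\branchadmins) ----
REM Run on the branch server, which must still be a workgroup member named
REM BRANCH01 (joining it to the domain first would create a second, conflicting
REM computer object). The * values make dcpromo prompt at the console, so no
REM password is ever written to the answer file.
(
  echo [DCInstall]
  echo ReplicaOrNewDomain=ReadOnlyReplica
  echo ReplicaDomainDNSName=corp.example.com
  echo UserDomain=CORP
  echo UserName=branchuser
  echo Password=*
  echo InstallDNS=Yes
  echo ConfirmGc=Yes
  echo SafeModeAdminPassword=*
  echo RebootOnCompletion=Yes
) > C:\rodc-attach.txt
dcpromo /UseExistingAccount:Attach /unattend:C:\rodc-attach.txt
```

The branch user never sees domain administrator credentials: the only privileged action is the pre-creation in step 1, which also fixes the password replication policy before the server exists. Because both answer files contain only `*` placeholders for secrets, they can be left on the server or copied around without leaking anything; remove them anyway once the promotion has finished and the server has rebooted.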