Performing a staged installation of an RODC in Windows Server 2008

This chapter excerpt from Active Directory Domain Services 2008 How-To, by John Policelli, is printed with permission from Pearson Publishing, Copyright 2009. Click here to purchase the entire book. About the author

Solution: A staged installation of an RODC consists of two stages. The first stage of the installation creates an account for the RODC in AD DS. The second stage of the installation attaches the server to the account that was created in the first stage. The first stage requires elevated permissions in AD DS. However, the second stage can be performed by someone you delegate the ability to attach the server to the account.

Stage 1: Create an RODC Account in AD DS
To create an RODC account in AD DS, perform the following steps using an AD DS account that has membership in the following AD DS group:

Domain Admins for the domain for which you want to add a RODC.

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the Domain Controllers Organizational Unit (OU) and select Precreate Read-only Domain Controller account, as shown in Figure 3.41.
3. On the Welcome to the Active Directory Domain Services page, shown in Figure 3.42, click Next.

FIGURE 3.41
Selecting Pre-create Read-only Domain Controller account (click to enlarge)

FIGURE 3.42
The Welcome to the Active Directory Domain Services page (click to enlarge)

4. On the Operating System Compatibility page, click Next.
5. On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials. If you select Alternate credentials, click Set and in the Windows Security dialog box, provide the user name and password for an account that can install the additional DC. When you are finished providing credentials, click Next.
6. On the Specify the Computer Name page, shown in Figure 3.43, enter the name of the server that will be the RODC; then click Next.

FIGURE 3.43
The Specify the Computer Name page (click to enlarge)

7. On the Select a Site page, select the site to which you want the domain controller to belong and click Next.
8. On the Additional Domain Controller Options page, select the desired additional options, such as DNS server and/or Global catalog, for the domain controller and click Next.
9. On the Delegation of RODC Installation and Administration page, shown in Figure 3.44, enter the group or user that can attach the server to the RODC account and click Next.

FIGURE 3.44
The Delegation of RODC Installation and Administration page (click to enlarge)

10. On the Summary page, click Next.
11. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

Stage 2: Attach Server to RODC Account
To attach a server to an RODC account, perform the following steps using an AD DS account that has been delegated the permission to attach the server to the RODC account in stage 1, outlined previously, and with membership in the following local group:

Administrators

1. Log on to the server you want to attach to the RODC account using an account that has been delegated the permission to attach the server to the RODC account in stage 1.
2. Click Start, click Command Prompt.
3. In the Command Prompt window, type dcpromo/UseExistingAccount:Attach and press ENTER. The dcpromo process begins by determining whether the AD DS binaries are installed. If the binaries are not installed, dcpromo installs them.
4. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
5. On the Network Credentials page, click Next.
6. On the Select Domain Controller Account page, confirm that the wizard has found an existing RODC account that matches the name of the server; then click Next.
7. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the system volume (SYSVOL) files. Then click Next.
8. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password and click Next.
9. On the Summary page, click Next.
10. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
11. To validate the installation process, click Start, click Run, type C:WindowsDebug, and click OK.
12. Open the DCPROMO.log file and analyze the results in the file.

ACTIVE DIRECTORY DOMAIN SERVICES 2008 HOW-TO
Performing a staged RODC installation
Forcing the removal of a DC

John Policelli has been honored by Microsoft as an MVP for Directory Services. He has provided thought leadership for some of Canada's largest Active Directory installations, and has also served as an author, technical reviewer, and subject matter expert for more than 50 training, exam writing, press, and whitepaper projects related to Windows Server 2008 Identity and Access Management, networking, and collaboration. His technology certifications include MCTS, MCSA, ITSM, iNet+, Network+, and A+.