Release date: June 5th 2019
Welcome to my Microsoft Tips & Tricks section. I was asked to set up a Read-Only Domain Controller (RODC) for a customer of mine. As I haven't done this in ages, I thought I should do it in the lab first. A prerequisite for this exercise is a separate zone in the data center that can simulate a remote location in the network. I have created this and will deploy a new Read-Only Domain Controller in that site on the 10.0.23.0 subnet. My current Active Directory lives in the 172.16.0.0 subnet. I will be using Windows Server 2016 for this setup.
I have divided this exercise into the following tasks:
- Prepare existing Active Directory
- Setup server with ip-info and join domain
- Add roles/features
- Configure roles
- Verify Active Directory Sites and Services
- Verify Windows Time settings
- Verify replication topology and functionality
- Event Viewer check etc…
Prepare existing Active Directory
Before I begin, I prepare Active Directory Sites and Services with my new site and subnet, so that the new server is placed in the correct site when it is promoted. First I create a new site: open the MMC, right-click Sites and choose "New Site".
I name it, somewhat logically, "SecondarySite" and use the DEFAULTIPSITELINK.
Next, I create a subnet for my new site
I enter my prefix and link it to my new site
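The same preparation as PowerShell, added here as an example that is not part of the original post. The site name SecondarySite, the site link DEFAULTIPSITELINK and the 10.0.23.0/24 prefix are taken from the post; the description text is an assumption.

```powershell
# Added example (not from the original post): create the site, attach it to the
# existing site link and map the new subnet to it with the ActiveDirectory module.
Import-Module ActiveDirectory

$SiteName = 'SecondarySite'
$SiteLink = 'DEFAULTIPSITELINK'
$Subnet   = '10.0.23.0/24'

# Create the site only if it does not exist yet, so the script can be re-run
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName -Description 'Remote location with RODC (assumed text)'
}

# Put the site in the existing site link so the KCC can build connections to it
Set-ADReplicationSiteLink -Identity $SiteLink -SitesIncluded @{ Add = $SiteName }

# Map the subnet to the site; DCs and clients find their site through this mapping
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
}

# Verify: the subnet must resolve to the new site and the site must be in the link
Get-ADReplicationSubnet -Identity $Subnet | Select-Object Name, Site
Get-ADReplicationSiteLink -Identity $SiteLink | Select-Object -ExpandProperty SitesIncluded
```

Run it from a domain-joined admin workstation with the RSAT AD module, as an account allowed to modify the Configuration partition.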
Setup server with ip-info and join domain
Next, I log in to my new domain controller. The first thing I do here is to set up the IP address, subnet mask, gateway and DNS. I point DNS at my existing DNS servers so that the server can locate the domain and later be promoted to a domain controller.
Afterwards I verify communication with the existing AD servers, join the server to the domain and reboot.
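The addressing, pre-checks and domain join as PowerShell, added here as an example that is not part of the original post. The domain name ad.admin.frelab.net comes from the post; the interface alias, the host address 10.0.23.10, the gateway 10.0.23.1 and the DNS server addresses are assumptions.

```powershell
# Added example (not from the original post): static IP, DC reachability checks and
# domain join on the future RODC. Run from the server console: removing the current
# address will drop any remote session.
$Nic    = 'Ethernet'                        # assumed interface alias
$Domain = 'ad.admin.frelab.net'
$DnsSrv = @('172.16.0.10', '172.16.0.11')   # existing DCs (assumed addresses)

# Static addressing; clear any DHCP lease and default route first
Set-NetIPInterface -InterfaceAlias $Nic -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Nic -IPAddress '10.0.23.10' -PrefixLength 24 -DefaultGateway '10.0.23.1'
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DnsSrv

# Pre-checks: the DC locator SRV record must resolve through the DNS servers above,
# and Kerberos, LDAP and SMB must be reachable on every DC it returns
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-40} tcp/{1,-4} {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# Join the domain and reboot; use an account that is allowed to join computers
$cred = Get-Credential -Message "Account allowed to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Restart
```

The port check is a quick sanity test only; promotion also needs RPC (tcp/135 plus the dynamic range) between the sites, which is what the later prerequisite check exercises.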
Add roles/features
Once the server is rebooted, I will add in the necessary roles.
I accept the defaults on the first pages of the wizard, select the Active Directory Domain Services, DHCP Server and DNS Server roles (accepting the features the wizard asks to add for them), continue through the remaining pages with defaults, tick "Restart the destination server automatically if required" on the confirmation page and click Install.
Configure roles
After the roles are added to the server, I proceed with promoting it to a domain controller.
I choose to add my domain controller to an existing domain, use a domain admin account to perform this operation, Next…
I select "Read only domain controller (RODC)". Thanks to my preparations earlier, the Site Name is automatically set to the correct site. I set a good DSRM password, which I document, Next…
I leave the default group settings for replication of passwords. By default the Allowed RODC Password Replication Group is empty, so no user passwords are cached on the RODC until someone is added to it, and the Denied list (which contains privileged groups such as Domain Admins and Enterprise Admins) always takes precedence over the Allowed list. In a production environment I would create a user group containing the users located at this new site and add that group to "Allowed RODC Password Replication Group", Next…
I choose to replicate from any domain controller, as this is a two-site setup. With multiple sites I would pick the source DC deliberately. I accept the defaults on the remaining pages, Next…
The prerequisite check shows some benign warnings which I can live with in this lab setup. Install…
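The role installation and RODC promotion the wizard performs, as PowerShell. This is an added example, not the post's own code. The domain, the site name and the source DC AD-01 come from the post; the group "SecondarySite Users" is an assumption standing in for the site group mentioned above.

```powershell
# Added example (not from the original post): install the roles and promote the
# server as an RODC with an explicit Password Replication Policy.
$Domain     = 'ad.admin.frelab.net'
$SiteName   = 'SecondarySite'
$SourceDC   = 'AD-01.ad.admin.frelab.net'     # writable DC to replicate from
$AllowGroup = "$Domain\SecondarySite Users"   # users at the remote site (assumed group)

# Roles the post adds: AD DS, DNS and DHCP, with their management tools
Install-WindowsFeature -Name AD-Domain-Services, DNS, DHCP -IncludeManagementTools

Import-Module ADDSDeployment
$cred = Get-Credential -Message 'Account that may promote the RODC (Domain Admins in the post)'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password (document it)'

$params = @{
    DomainName                    = $Domain
    Credential                    = $cred
    ReadOnlyReplica               = $true
    SiteName                      = $SiteName
    InstallDns                    = $true
    ReplicationSourceDC           = $SourceDC
    SafeModeAdministratorPassword = $dsrm
    # Only this group's passwords may be cached on the RODC. The default Denied list
    # (Domain Admins, Enterprise Admins and other privileged groups) still applies and
    # wins over any Allowed entry.
    AllowPasswordReplicationAccountName = @($AllowGroup)
}

# Same checks the wizard runs on its prerequisites page; stop on a hard failure
$check = Test-ADDSDomainControllerInstallation @params
$check.Message
if ($check.Status -eq 'Error') { throw 'Prerequisite check failed; fix the errors before promoting.' }

# Promote; the server reboots when the promotion completes
Install-ADDSDomainController @params -Force
```

If the account performing the promotion should not be a Domain Admin, the RODC account can be pre-created and delegated instead; this example follows the post and uses a Domain Admin.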
After the domain controller is promoted, I continue with configuring the DNS server on my new DC. I open DNS manager and select Properties.
As I will not be using IPv6, I deselect the IPv6 addresses for the DNS listener on the Interfaces tab.
On the Forwarders tab I forward to my primary DCs.
I adjust scavenging-settings to be similar to my other DNS-servers
I add a new reverse zone for my new subnet, 10.0.23.0. In hindsight, I probably should have done this to begin with, when I was prepping AD for my new site.
In the wizard I choose Primary zone, IPv4 Reverse Lookup Zone, and enter the Network ID 10.0.23.
As I will be using this subnet and DNS zone with a FOG server at a later time, I need to allow both nonsecure and secure dynamic updates. Be aware of what this means: with nonsecure updates enabled, any host that can reach the DNS server can create or overwrite PTR records in this zone without authenticating, so keep the zone on "Secure only" unless a non-domain registrar such as FOG actually needs it. Finish…
The zone is now ready and replicated through AD
I open an administrative command prompt on the domain controller and run the following commands…
ipconfig /flushdns
ipconfig /registerdns
I can now verify that the new domain controller has a PTR record in the correct reverse zone.
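The DNS configuration above as PowerShell, added here as an example that is not part of the original post. The 10.0.23.0/24 subnet comes from the post; the RODC address 10.0.23.10, the forwarder addresses and the seven-day scavenging intervals are assumptions. It also shows the hardened "Secure" alternative for the zone's dynamic updates.

```powershell
# Added example (not from the original post): DNS server settings on the RODC.
$MyIPv4     = '10.0.23.10'                      # RODC address (assumed)
$Forwarders = @('172.16.0.10', '172.16.0.11')   # existing DCs (assumed addresses)
$Zone       = '23.0.10.in-addr.arpa'            # reverse zone for 10.0.23.0/24

# Listen on IPv4 only, as the post does (IPv6 is not used in this lab)
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = [System.Net.IPAddress[]]@($MyIPv4)
Set-DnsServerSetting -InputObject $settings

# Forward to the primary DCs instead of using root hints
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# Scavenging: match the values of the other DNS servers (7 days here is an assumption)
Set-DnsServerScavenging -ScavengingState $true -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00

# AD-integrated reverse zone, replicated to all DNS servers in the domain.
# NonsecureAndSecure is what the post chooses because FOG will register PTRs later;
# it lets any host on the network add or overwrite PTR records without authenticating.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.0.23.0/24' -ReplicationScope Domain -DynamicUpdate NonsecureAndSecure
}
# Hardened alternative when unauthenticated updates are not actually required:
# Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure

# Re-register this host and check that its PTR landed in the new zone
Clear-DnsClientCache
Register-DnsClient
Resolve-DnsName -Name $MyIPv4 -Type PTR
Get-DnsServerResourceRecord -ZoneName $Zone -RRType Ptr
```

Clear-DnsClientCache and Register-DnsClient are the cmdlet equivalents of the ipconfig /flushdns and ipconfig /registerdns commands used above.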
Verify Active Directory Sites and Services
I launch the Active Directory Sites and Services MMC and verify that the connector is in place and operational.
Verify Windows Time settings
Having a good working consistent time service running throughout the domain is critical. I have created a quick little guide as to accomplish consistent time, posted here: Microsoft Windows Time service settings in domain and forest – Setup
I verify Windows Time setting on my RODC…
w32tm /query /source
As we can see from the prompt below, the time source is my PDC emulator: AD-01.ad.admin.frelab.net
Next I check the time offset against the other domain controllers. The offset between the domain controllers isn't alarming as far as I can tell.
w32tm /monitor
Verify replication topology and functionality
MS Active Directory needs a functional replication topology in order to work properly. Check the status of replication…
Repadmin /replsummary
As we can see from the results above, AD-03 is not listed as a source DSA. This is expected: it is a Read-Only Domain Controller, and an RODC only replicates inbound, never outbound.
Repadmin /Showrepl
No errors in replication.
Repadmin /syncall -> DON'T RUN THIS ON AN RODC!
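The replication, time and password-caching checks from the sections above, as PowerShell run from a domain-joined admin host. This is an added example, not the post's own code; AD-03 is the RODC name used in the post. The last part goes beyond the post and checks that no privileged account has had its password cached on the RODC.

```powershell
# Added example (not from the original post): post-promotion verification of an RODC.
Import-Module ActiveDirectory
$Rodc = 'AD-03'

# The RODC must report IsReadOnly and sit in the expected site
Get-ADDomainController -Identity $Rodc | Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog

# Inbound partners and last result per partition; LastReplicationResult other than 0 needs attention
Get-ADReplicationPartnerMetadata -Target $Rodc |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# Persistent replication failures anywhere in the domain
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain

# Time: the RODC's source, and its offset against the PDC emulator
$pdc = (Get-ADDomain).PDCEmulator
w32tm /query /computer:$Rodc /source
w32tm /stripchart /computer:$pdc /samples:3 /dataonly

# Password Replication Policy: what may be cached, what is denied, and what has actually been revealed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$revealed | Select-Object SamAccountName, ObjectClass

# A Domain Admin whose secret has been revealed to a branch RODC is a domain-wide exposure
$priv = Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$revealed | Where-Object { $priv -contains $_.SamAccountName } |
    ForEach-Object { Write-Warning "Privileged account cached on ${Rodc}: $($_.SamAccountName)" }
```

Run this from a writable DC or admin workstation rather than on the RODC itself, which is also the safe way to avoid the repadmin /syncall mistake noted above.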
Event Viewer check etc…
Finally, I check the logs in Event Viewer for any errors after adding my RODC. The most logical logs to check are DFS Replication, Directory Service, DNS Server, System and Application.
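The same log review as a query, added here as an example that is not part of the original post. It pulls critical, error and warning events from the five logs named above; the 24-hour window is an assumption and should cover the time of the promotion.

```powershell
# Added example (not from the original post): review the logs named above on the RODC.
$Since = (Get-Date).AddHours(-24)   # assumed window; set it to cover the promotion
$Logs  = 'DFS Replication', 'Directory Service', 'DNS Server', 'System', 'Application'

# Level 1 = Critical, 2 = Error, 3 = Warning
$events = Get-WinEvent -FilterHashtable @{ LogName = $Logs; Level = 1, 2, 3; StartTime = $Since } `
    -ErrorAction SilentlyContinue

# Chronological list with the first line of each message
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Count per log, provider and event ID; the repeating IDs are the ones worth reading up on
$events | Group-Object LogName, ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```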
Disclaimer: Every tip, trick and posting I have published here has been tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don't be afraid to steal with pride! Feel free to comment below as needed.