Microsoft Windows – RODC Setup

Release date: June 5th 2019

Welcome to my Microsoft Tips & Tricks section. I was asked to set up a Read-Only Domain Controller (RODC) for a customer of mine. As I haven’t done this in ages, I thought I should do it in the lab first. A prerequisite for this exercise is a separate zone in the data center that can simulate a remote location on the network. I have created this and will deploy a new Read-Only Domain Controller in this site, using the 10.0.23.0 subnet. My current Active Directory is located in the 172.16.0.0 subnet. I will be using Microsoft Windows Server 2016 for this setup.

I have divided this exercise into the following tasks:

  • Prepare existing Active Directory
  • Set up server with IP info and join domain
  • Add roles/features
  • Configure roles
  • Verify Active Directory Sites and Services
  • Verify Windows Time settings
  • Verify replication topology and functionality
  • Event Viewer check etc…

Prepare existing Active Directory

Before I begin, I prepare “Active Directory Sites and Services” with my new site and subnet. First I create a new site: open the MMC, right-click Sites and choose “New Site”.

[Screenshot: RODC-01]

I name it (somewhat logically) “SecondarySite” and use the DEFAULTIPSITELINK.

[Screenshot: RODC-02]

Next, I create a subnet for my new site.

[Screenshot: RODC-03]

I enter my prefix and link it to my new site.

[Screenshot: RODC-04]

Set up server with IP info and join domain

Next, I log in to my new domain controller. The first thing I do here is set up the IP address, subnet mask, gateway and DNS servers. I will use my existing DNS servers in order to install and promote this server to a domain controller.

[Screenshot: RODC-05]

Afterwards I verify communication with the existing AD servers, join the server to the domain and reboot.

Add roles/features

Once the server has rebooted, I add the necessary roles.

[Screenshot: RODC-06]

Next…

[Screenshot: RODC-07]

Next…

[Screenshot: RODC-08]

Next…

[Screenshot: RODC-09]

I add the AD DS, DHCP and DNS roles, Next…

[Screenshot: RODC-10]

Next…

[Screenshot: RODC-11]

Next…

[Screenshot: RODC-12]

Next…

[Screenshot: RODC-13]

Next…

[Screenshot: RODC-14]

Next…

[Screenshot: RODC-15]

I select “Restart the destination server….”. Install…

[Screenshot: RODC-16]

Configure roles

After the roles are added to the server, I proceed with promoting this server to an Active Directory domain controller.

[Screenshot: RODC-17]

I choose to add my domain controller to an existing domain and use a domain admin account to perform this operation, Next…

[Screenshot: RODC-18]

I select “Read Only Domain Controller”. Thanks to my preparations earlier, the Site Name is automatically set to the correct site. I set a strong DSRM password, which I document, Next…

[Screenshot: RODC-19]

I leave the default group settings for password replication. If this were a production environment I would probably have a user group containing the users located in this new site, which I would add to “Allowed RODC Password Replication Group”, Next…

[Screenshot: RODC-20]

I choose to replicate from any domain controller as this is a two-site setup. If there were multiple sites, I would evaluate this differently, Next…

[Screenshot: RODC-21]

Next…

[Screenshot: RODC-22]

Next…

[Screenshot: RODC-23]

The prerequisite check shows some benign warnings which I can live with in this lab setup, Install…

[Screenshot: RODC-24]

After the domain controller is promoted, I continue with configuring the DNS server on my new DC. I open DNS Manager and select Properties.

[Screenshot: RODC-25]

I will not be using IPv6, so I deselect those addresses for the DNS listener.

[Screenshot: RODC-26]

I will forward to my primary DCs.

[Screenshot: RODC-27]

I adjust the scavenging settings to match my other DNS servers.

[Screenshot: RODC-28]

I add a new reverse zone for my new subnet, 10.0.23.0. In hindsight, I probably should have done this to begin with, when I was prepping AD for my new site.

[Screenshot: RODC-29]

Next…

[Screenshot: RODC-30]

This will be a Primary Zone, Next…

[Screenshot: RODC-31]

I don’t use IPv6, so I select IPv4 Reverse Lookup Zone, Next…

[Screenshot: RODC-32]

I type in the Network ID, Next…

[Screenshot: RODC-33]

Next…

[Screenshot: RODC-34]

As I will be using this subnet and DNS zone with a FOG server later on, I need to allow both nonsecure and secure dynamic updates, Next… Nonsecure updates also let unauthenticated hosts register or overwrite records in the zone, so this is a per-zone exception for the FOG clients rather than a setting to apply by default.

[Screenshot: RODC-35]

Finish…

[Screenshot: RODC-36]

The zone is now ready and replicated through AD.

[Screenshot: RODC-37]

I open an administrative cmd prompt on the domain controller and run “ipconfig /flushdns” and “ipconfig /registerdns”.

[Screenshot: RODC-38]

I can now verify that the new domain controller is in the correct reverse zone.

[Screenshot: RODC-39]

Verify Active Directory Sites and Services

I launch the Active Directory Sites and Services MMC and verify that the connection object is in place and operational.

[Screenshot: RODC-40]

Verify Windows Time settings

Having a good, working, consistent time service running throughout the domain is critical. I have created a quick little guide on how to accomplish consistent time, posted here: Microsoft Windows Time service settings in domain and forest – Setup

I verify the Windows Time settings on my RODC by first running “w32tm /query /source”. As we can see from the prompt below, the time source is my PDC: AD-01.ad.admin.frelab.net

[Screenshot: RODC-41]

Next I run “w32tm /monitor” to check the time offset against the other domain controllers. The offsets between the domain controllers are not alarming as far as I can tell.

[Screenshot: RODC-42]

Verify replication topology and functionality

Microsoft Active Directory needs a functional replication topology in order to work properly. To check the status of replication I run the following commands:

“Repadmin /replsummary”

[Screenshot: RODC-43]

As we can see from the results of “Repadmin /replsummary”, AD-03 is not listed as a Source DSA; this is because it is a Read-Only Domain Controller.

“Repadmin /showrepl” – no errors in replication.

[Screenshot: RODC-44]

Repadmin /syncall (DON’T RUN ON RODC!!!)

[Screenshot: RODC-45]

Event Viewer check etc…

Finally, I check the logs in Event Viewer for any errors after adding my RODC. The most logical logs to check are DFS Replication, Directory Service, DNS Server, System and Application.

[Screenshot: RODC-46]

Microsoft Tips & Tricks section

Disclaimer: Every tip/trick/posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.