Tag Archives: RODC

Step-by-Step Guide to Setup Read-only Domain Controller (PowerShell Guide)

RODC is a feature introduced with Windows Server 2008 to run a low-risk domain controller in locations where physical security and maintenance cannot be guaranteed. In earlier posts we discussed the scenarios in which a domain controller is required in a remote site. When we consider a domain controller in a remote site, the link between the sites is not the only thing to focus on. A writable domain controller receives every change made to Active Directory and writes it into its own copy of the database, the ntds.dit file. That file contains everything about the Active Directory infrastructure, including the identity data and password hashes of the user and computer objects. If it falls into the wrong hands, the attacker can extract those secrets and compromise the identity infrastructure. Physical security is therefore part of information security, which is why datacenters have all sorts of security standards, and a domain controller in a remote site has to be held to the same consideration so that we leave no loose ends. If you need a domain controller in a remote site but cannot guarantee its security, an RODC is the answer. By default an RODC stores no account passwords at all: authentication requests for an object are forwarded to the closest writable domain controller, and only the passwords of accounts explicitly allowed by the RODC's password replication policy are ever cached locally. So even if someone manages to get a copy of the database, there is not much they can do with it.

RODC deployment involves the following stages. In this process we can pre-create the RODC account and promote the server with a pre-selected, delegated account instead of a Domain Admin or Enterprise Admin account.

1) Create the computer account for the RODC in Active Directory

2) Attach the server to that account during the promotion process

To create the RODC computer account we use the Add-ADDSReadOnlyDomainControllerAccount cmdlet, run as a Domain Admin on a writable domain controller or on a host with the ADDSDeployment module installed.

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName REBEL-RODC-01 -DomainName rebeladmin.com -DelegatedAdministratorAccountName "rebeladmin\dfrancis" -SiteName LondonSite

The above command creates the RODC account REBEL-RODC-01. The domain is given by -DomainName, -DelegatedAdministratorAccountName names the account that is allowed to attach the server to this account (that account also becomes the local administrator of the RODC), and -SiteName places the new RODC in LondonSite.


The newly added object is now visible under the Domain Controllers OU in Active Directory Users and Computers.


Now everything is ready for the new RODC and the next step is to promote it.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

The above command installs the AD DS role on the server that will become the RODC. Once that completes we can promote it with the following, run on that server,

Import-Module ADDSDeployment

Install-ADDSDomainController `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "rebeladmin.com" `
-LogPath "C:\Windows\NTDS" `
-ReplicationSourceDC "REBEL-PDC-01.rebeladmin.com" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-UseExistingAccount:$true



When executed it prompts for credentials; enter the account that was delegated for the RODC deployment (rebeladmin\dfrancis in this example). Because -SafeModeAdministratorPassword is not supplied, it also prompts for the Directory Services Restore Mode password. The server being promoted must still be in a workgroup rather than already joined to the domain, because the computer account already exists and -UseExistingAccount:$true attaches the server to it. Apart from that, the command is very similar to a regular domain controller promotion.
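As an added example that is not part of the original post, the following checks can be run from a management host with the ActiveDirectory module once the promotion has finished. It assumes the names used above (REBEL-RODC-01 and REBEL-PDC-01.rebeladmin.com); everything it calls is a standard cmdlet of the ActiveDirectory module.

```powershell
# Added example, not from the original post: sanity checks after promoting a staged RODC.
# Assumed names: REBEL-RODC-01 (the RODC) and REBEL-PDC-01.rebeladmin.com (a writable DC).
Import-Module ActiveDirectory

$Rodc     = 'REBEL-RODC-01'
$SourceDc = 'REBEL-PDC-01.rebeladmin.com'

# 1. The DC object must be read-only and sit in the site chosen with -SiteName.
$dc = Get-ADDomainController -Identity $Rodc -Server $SourceDc
if (-not $dc.IsReadOnly) {
    throw "$Rodc is NOT read-only; it was promoted as a writable DC. Check the promotion parameters."
}
'{0}: IsReadOnly={1} Site={2} OS={3}' -f $dc.Name, $dc.IsReadOnly, $dc.Site, $dc.OperatingSystem

# 2. The delegated administrator of an RODC is stored in the managedBy attribute of its computer object.
$computer = Get-ADComputer -Identity $Rodc -Properties ManagedBy -Server $SourceDc
"Delegated administrator (managedBy): $($computer.ManagedBy)"

# 3. Inbound replication: an RODC only pulls from writable DCs, and every link should be error-free.
Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 4. Which secrets are already on the RODC. With the default (empty) Allowed list, typically only the
#    RODC's own accounts are listed; any other entry means a password is already cached there.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts -Server $SourceDc |
    Select-Object SamAccountName, ObjectClass, DistinguishedName
```

Step 3 is the one to watch on a slow WAN link: a non-zero ConsecutiveReplicationFailures on the only partner means the RODC is serving stale data.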

Now we have the RODC; the next step is to look into the password replication policy (PRP).

A default policy is already in place, and we can view its allowed and denied lists using,

Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Allowed

The above command lists the objects allowed for password caching. By default the security group "Allowed RODC Password Replication Group" is in the allowed list, and it has no members. Adding objects to this group allows their passwords to be cached on every RODC in the domain.

Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Denied

The above command lists the objects denied for password caching. By default the following security groups are in the denied list.

Denied RODC Password Replication Group

Administrators

Account Operators

Server Operators

Backup Operators


These groups hold highly privileged accounts, and their passwords should never be cached on an RODC. Adding objects to the Denied RODC Password Replication Group blocks caching on every RODC in the domain. Note that an account which ends up in both the allowed and the denied list is denied: deny always wins.

Apart from the predefined security groups, we can add objects to the allowed and denied lists of a specific RODC using the Add-ADDomainControllerPasswordReplicationPolicy cmdlet.

Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -AllowedList "user1"

The above command adds the user object user1 to the allowed list of REBEL-RODC-01.


Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -DeniedList "user2"

The above command adds the user object user2 to the denied list of REBEL-RODC-01.


This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Password Replication in RODC

In the last two posts I explained the benefits of an RODC and how to deploy one. If you haven't read them yet, you can find them at the following links,

Why Read-only domain controllers (RODC) ?
Step-by-Step guide to install Read-Only Domain Controller (RODC)

One of the great features of an RODC is control over password replication. We can determine which passwords are cached on the RODC and which accounts must still be authenticated by a writable domain controller. For example, domain administrator accounts should not be cached on an RODC; it is always safer for them to authenticate against a writable DC. So if a domain administrator logs in at a site served by an RODC, the system forwards the authentication request and the service ticket requests to a writable domain controller.

Microsoft made this easy by introducing the password replication policy (PRP). By default the system creates two domain local security groups that are referenced in the PRP of every RODC in the domain.

Allowed RODC Password Replication Group: members of this group are allowed to have their passwords cached on the RODC. By default this group has no members.

Denied RODC Password Replication Group: members of this group are denied password caching on the RODC. By default it holds the security-critical groups such as Domain Admins, Enterprise Admins and Schema Admins, and the denied list of each RODC additionally contains Administrators, Server Operators, Backup Operators and Account Operators.

One of the biggest mistakes administrators make is to allow or deny only user accounts. Computers also authenticate with their own accounts and request service tickets. If a workstation's account is not cached, a user whose password is cached still cannot log on at that workstation while the WAN link is down, so make sure you add the branch computer accounts to these lists as well.

How to configure the RODC password replication policy (PRP)?

1) Log in to a writable domain controller with a domain administrator account
2) Open the "Active Directory Users and Computers" snap-in via Server Manager > Tools > Active Directory Users and Computers
3) Go to the "Domain Controllers" OU


4) Select the RODC whose PRP you need to configure, then right-click it and click Properties.


5) In the properties window click the "Password Replication Policy" tab


6) Here we can see the two groups mentioned above.


7) We can add users and computers to these groups. To do so, double-click the group; here I use "Allowed RODC Password Replication Group".


8) In the group window click the Members tab and then click Add.


9) Once the users/computers are added, click "OK" to apply the changes.
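The same configuration done from PowerShell, as an added example that is not part of the original posts. It serves both the per-RODC allowed and denied lists that the PowerShell guide above manages with Add-ADDomainControllerPasswordReplicationPolicy and the group membership steps just described, and it adds the branch computer accounts alongside the users. The RODC and writable DC names come from the PowerShell guide; the OU (OU=London,DC=rebeladmin,DC=com) and the group name LondonCachedAccounts are assumptions for the example.

```powershell
# Added example, not from the original posts: build the allowed list of a branch RODC from the branch OU,
# users and computers together, with one site-specific group instead of the domain-wide
# "Allowed RODC Password Replication Group". Assumed names: REBEL-RODC-01, REBEL-PDC-01.rebeladmin.com,
# OU=London,DC=rebeladmin,DC=com and the group LondonCachedAccounts.
Import-Module ActiveDirectory

$Rodc     = 'REBEL-RODC-01'
$Server   = 'REBEL-PDC-01.rebeladmin.com'   # one writable DC for every call, so the new group is seen at once
$BranchOU = 'OU=London,DC=rebeladmin,DC=com'
$Group    = 'LondonCachedAccounts'

# 1. A group per site keeps other offices' users out of this cache: only what London needs is exposed here.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'" -Server $Server)) {
    New-ADGroup -Name $Group -GroupScope DomainLocal -GroupCategory Security -Path $BranchOU `
                -Description "Accounts whose passwords may be cached on $Rodc" -Server $Server
}

# 2. Put the group in the allowed list of this RODC only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group -Server $Server

# 3. Users AND computers: a workstation whose own account is not cached cannot log anyone on
#    while the WAN link is down, even if the user's password is cached.
$members = @(Get-ADUser -Filter * -SearchBase $BranchOU -Server $Server) +
           @(Get-ADComputer -Filter * -SearchBase $BranchOU -Server $Server)
Add-ADGroupMember -Identity $Group -Members $members -Server $Server

# 4. Deny wins over allow, so check the resultant policy per account rather than trusting the membership.
foreach ($m in $members) {
    $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $m -DomainController $Rodc -Server $Server
    if ($policy -ne 'Allow') {
        Write-Warning ('{0} resolves to {1}; its password will not be cached and it keeps being forwarded.' -f $m.SamAccountName, $policy)
    }
}

# 5. The privileged groups must still be in the denied list of this RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied -Server $Server | Select-Object Name
```

Step 4 is the check the GUI does not give you in one view: an account that is nested somewhere under a denied group will show Deny here even though it was just added to the allowed group.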

Policy Usage Reports and Pre-Populate Credential Caching

Microsoft provides an easy way to report on the status of password replication. To use it, follow these steps.

1) Log in to a writable domain controller with a domain administrator account
2) Open the "Active Directory Users and Computers" snap-in via Server Manager > Tools > Active Directory Users and Computers
3) Go to the "Domain Controllers" OU
4) Select the RODC you need to report on, then right-click it and click Properties.
5) In the properties window click the "Password Replication Policy" tab
6) Click the "Advanced" button


7) The drop-down list here offers two options

Accounts Whose Passwords Are Stored On This Read-Only Domain Controller: lists all user and computer accounts whose passwords are currently cached on the RODC.

Accounts That Have Been Authenticated To This Read-Only Domain Controller: lists the user and computer accounts that have authenticated through this RODC, including those whose requests were forwarded to a writable domain controller for authentication and service tickets. This is a good place to identify the accounts that still need to be added to the allowed list for password caching.


Let's assume the PRP allows USER A's credentials to be cached on the RODC. They are not cached right away; the RODC caches the password the first time the user successfully authenticates against it (that first request is forwarded to a writable DC, which then replicates the secret to the RODC). Microsoft also gives us the option to pre-populate the cache, so that the password is already on the RODC before the user's first logon.

To use this feature, click the "Pre-Populate Passwords…" button in the same Advanced window.


A window opens where you can select the accounts you need. Once they are selected, the following confirmation dialog pops up; click Yes to accept the changes.
Before doing this, make sure the user/computer account is already in the allowed list for password caching; pre-population is refused for an account whose resultant policy is Deny.

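The two reports behind the Advanced button, and the pre-population step, can also be scripted. The following is an added example and not part of the original post; it uses the RODC and writable DC names from the deployment guide (REBEL-RODC-01, REBEL-PDC-01.rebeladmin.com) as assumptions, the standard ActiveDirectory cmdlets for the reports, and repadmin /rodcpwdrepl for the pre-population itself, since there is no ActiveDirectory cmdlet for that step.

```powershell
# Added example, not from the original post: the two "Advanced" reports from PowerShell, and a
# pre-population pass with repadmin /rodcpwdrepl (what the "Pre-Populate Passwords..." button does).
# Assumed names: REBEL-RODC-01 and REBEL-PDC-01.rebeladmin.com.
Import-Module ActiveDirectory

$Rodc     = 'REBEL-RODC-01'
$SourceDc = 'REBEL-PDC-01.rebeladmin.com'   # writable DC the secrets are replicated from

# "Accounts Whose Passwords Are Stored On This Read-Only Domain Controller"
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
# "Accounts That Have Been Authenticated To This Read-Only Domain Controller"
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

"Cached on $Rodc : $($cached.Count)   Authenticated through $Rodc : $($authenticated.Count)"

# Candidates for pre-population: authenticated here, not cached yet, and allowed by the resultant policy.
# Anything that resolves to Deny stays forwarded; do not try to pre-populate it.
$cachedDNs  = @($cached | Select-Object -ExpandProperty DistinguishedName)
$candidates = foreach ($acct in $authenticated) {
    if ($cachedDNs -contains $acct.DistinguishedName) { continue }
    $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $acct -DomainController $Rodc
    if ($policy -eq 'Allow') {
        $acct
    } else {
        Write-Warning ('{0}: resultant policy is {1}; add it to the allowed list first or leave it forwarded.' -f $acct.SamAccountName, $policy)
    }
}

# Pre-populate: repadmin /rodcpwdrepl <RODC> <source DC> <account DN> replicates that secret to the RODC.
foreach ($acct in $candidates) {
    "Pre-populating $($acct.SamAccountName) on $Rodc"
    & repadmin.exe /rodcpwdrepl $Rodc $SourceDc $acct.DistinguishedName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin failed for $($acct.DistinguishedName) (exit code $LASTEXITCODE)"
    }
}
```

Running this a day or two after the RODC goes live gives the same list the GUI shows, plus the resultant-policy reason for every account that is still being forwarded over the WAN link.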


Step-by-Step guide to install Read-Only Domain Controller (RODC)

In the previous post I explained what an RODC is and its benefits. If you have not read it yet, you can find it here.

Before installing an RODC, the domain environment must meet the following requirements,

  • The forest functional level must be Windows Server 2003 or higher
  • At least one writable domain controller running Windows Server 2008 or higher must exist in the domain

If the forest has any DC running Windows Server 2003, we need to adjust the permissions on the DNS application directory partitions so that they can replicate to the RODC. This is done by running adprep /rodcprep from the \support\adprep folder of the Windows Server 2012 installation media.
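The two requirements and the adprep question can be checked in one pass from PowerShell. This is an added example, not part of the original post; it needs only the ActiveDirectory module and a domain account that can read the forest, and it covers every domain in the forest rather than just the demo domain.

```powershell
# Added example, not from the original post: check the RODC prerequisites across the whole forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest functional level: $($forest.ForestMode)"

# Requirement 1: forest functional level Windows Server 2003 or higher.
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
    throw "Forest functional level $($forest.ForestMode) is too low for an RODC; raise it to Windows Server 2003 first."
}

# Enumerate every DC in every domain of the forest (Get-ADDomainController works per domain).
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}
$dcs | Select-Object Domain, HostName, OperatingSystem, IsReadOnly, Site | Format-Table -AutoSize

# Requirement 2: at least one writable DC on Windows Server 2008 or later.
# Windows 2000 DCs are already excluded by the functional-level check, so anything that is not 2003 is 2008+.
$writable2008 = @($dcs | Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -notlike '*2003*' })
if ($writable2008.Count -eq 0) {
    throw 'No writable domain controller running Windows Server 2008 or later was found.'
}

# adprep /rodcprep is only needed while Windows Server 2003 DCs are still present.
$legacy = @($dcs | Where-Object { $_.OperatingSystem -like '*2003*' })
if ($legacy.Count -gt 0) {
    Write-Warning ('Windows Server 2003 DCs present ({0}); run adprep /rodcprep before deploying the RODC.' -f ($legacy.HostName -join ', '))
} else {
    'No Windows Server 2003 DCs: adprep /rodcprep is not required.'
}
```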

In my demo setup I have a domain called contoso. Before starting, let's check the forest functional level.

  • To do that, log in to the DC as domain admin and open "Server Manager"
  • Then from Tools click "Active Directory Domains and Trusts"


  • Right-click the domain and select "Properties"


As we can see, it runs at the Windows Server 2012 R2 level, so we do not need to prepare the forest with adprep /rodcprep


To install the RODC I have a freshly installed Windows Server 2012 R2 server that is already joined to the domain. (I am not going to explain how to join it to the domain here, as that was covered in my previous posts.)


  • To begin the setup, first make sure you log in to the server as a domain administrator.
  • Open "Server Manager" and from the dashboard click "Add roles and features"


  • The wizard opens; click "Next" to continue.


  • In the next window select "Role-based or feature-based installation" and click Next


  • In the next window the current server is selected by default; click Next to continue


  • In the next window tick "Active Directory Domain Services"; a pop-up lists the required features. Click "Add Features" to continue and then "Next"


  • In the next window leave the default features and click Next to continue


  • The next window gives a brief description of AD DS; click Next to continue


  • The next window asks for confirmation; click "Install" to begin the role installation


  • Once the installation is done, open "Server Manager" and click "AD DS"


  • Then in the right-hand panel click "More" as in the image


  • The wizard opens; click the option "Promote this server to a domain controller"


  • The configuration wizard opens. Here we keep the default selection (add a domain controller to the existing domain) and click Next to continue


  • In the next window make sure to select the option "Read only domain controller (RODC)" and type the Directory Services Restore Mode (DSRM) password. Click Next to continue


  • In the next window we can select which groups/users are allowed password caching, which are denied, and the delegated administrator account. For now we keep the default selection.


  • In the next window we can define which DC the initial replication is done from.


  • The next window gives the option to change the folder paths; here we keep the defaults. Click Next to continue.


  • The next window lets us review the installation selections; click Next to continue.
  • The system then checks whether all prerequisites for the installation are met. Click Install to begin the installation


  • Once the installation is done, the system reboots automatically.


This completes the installation of the RODC in the domain. In the next post we will look into configuring the RODC with different policies.

Why Read-only domain controllers (RODC) ?

In an enterprise network it is common to have a HQ (headquarters) and branch office network. Branch offices need to connect to HQ resources for their operations, and most of the time this kind of setup uses WAN links to connect the branch offices to the HQ network. Let's assume we have a company called ABC with its HQ in Toronto, Canada. Due to expansion it needs to open a branch office in London, UK, so the requirement is more complicated as it spans two different countries.
The users in the London office still need to authenticate to the company domain and access its resources. Let's look
at some of the difficulties and challenges faced with this kind of setup.

Lack of Resources

To connect HQ with a branch site we need a secure, reliable connection, but such links typically come at a high cost and, even so, are often slow (128 kbps, 256 kbps, 512 kbps and so on). If users in the branch site authenticate against the company AD over the WAN link, every authentication and resource access crosses that link, and as the number of users in the branch site grows, the link utilization just for AD traffic grows with it. Since the sites are in different geographic locations with different ISPs, many factors affect the reliability of the link as well. What happens if the WAN link goes down on a critical business day? The solution is to deploy a DC in the branch site, but that opens a whole different range of concerns and problems.

Security Risks

Although a branch office DC speeds up authentication and resource access, it introduces security risks to the network. Some companies have fully secured datacenter facilities in their branch sites too, but the majority cannot afford such an investment. As we know, a regular DC holds critical data about users and their credentials; what if the branch office DC is compromised or stolen? The entire company network is affected, and an incident like this can cost the company millions of dollars.


A branch site DC also needs maintenance from time to time: deploying a failover DC, hardware upgrades, site-link changes, user credential changes and so on. The company may therefore need to keep IT staff at the branch office, which increases operating cost. And since it is integrated directly with the main domain environment, any change made on the branch office DC directly affects the entire domain.

So what is the answer then?

With Windows Server 2008 Microsoft introduced the Read-Only Domain Controller feature specifically to address the difficulties companies face in this kind of branch site scenario.


As the name says, an RODC holds a read-only copy of the Active Directory database. Changes cannot be made on the branch RODC, so it cannot affect the rest of the domain. It holds the same directory data as a writable DC, minus account passwords (unless caching is allowed for that account) and any attributes placed in the RODC filtered attribute set. When an authentication request arrives, the RODC can answer it locally if the account's credentials are cached; otherwise it forwards the request to a writable DC over the WAN link.

Password Replication Policy (PRP)

We control this credential caching in detail with the Password Replication Policy: we define which users and groups need their credentials cached on a particular RODC. For example, assume we have another branch in India. The users in the India office will never log in from the London office, so why cache the India users' credentials on the London RODC? Done this way it also improves security: if one branch office RODC is compromised, it holds only a limited set of credentials.

In Windows Server 2012 we configure this with two security groups that the domain provides for the purpose. According to Microsoft they are as follows,

Allowed RODC Password Replication Group: Members of this group are placed in the Allow list of the Password Replication Policies of all RODCs by default. This group has no members when Windows Server 2012 is first installed.

Denied RODC Password Replication Group: Members of this group are placed in the Deny list of the Password Replication Policies of all RODCs by default. Some of the groups include Administrators, Server Operators, Backup Operators, Account Operators, and Denied RODC Password Replication Group.

Local Administrators Group

Sometimes branch offices need local IT support for their users, either from local IT staff or from an outsourced IT company. On a regular DC, doing maintenance requires domain admin rights or delegated permissions. With an RODC we can define delegated local administrator accounts (Administrator Role Separation) that have full control over the RODC server itself but no rights in the rest of the domain, so even a compromise of that account does not affect the parent domain setup.

In the next post we will look into the configuration of an RODC.