Install It - Read-Only Domain Controller on Windows Server 2008

Brian Nelson

Installing a Read-Only Domain Controller (RODC) isn’t much different than installing a regular domain controller.

However, there is one important factor to keep in mind. A RODC can only be installed into an existing Active Directory domain that already has at least one full (writable, non-read-only) Windows Server 2008 domain controller. The forest must also be at the Windows Server 2003 forest functional level or higher, and adprep /rodcprep must have been run once in the forest before the first RODC goes in; if either is missing, dcpromo stops before it gets anywhere.

The reason is that the RODC is new in Windows Server 2008, and only a writable Windows Server 2008 DC knows how to replicate to one. A RODC takes all of its inbound replication from such a DC; older domain controllers have no idea what a read-only replica is and cannot feed it.

Once the decision has been made to install a RODC the next decision is whether to install on a full-install or core-install of Windows 2008 Server.

The RODC is primarily aimed at protecting the Active Directory database on a server that is not physically secured. It holds a read-only copy of the directory and, by default, no account passwords at all: only the accounts allowed by the RODC’s Password Replication Policy are ever cached on it, and the administrative groups are on the Denied list out of the box. So if the box is stolen, the exposure is limited to the accounts whose passwords it was allowed to cache; repadmin /prp view <RODC> reveal lists exactly those accounts, and that is the list to reset. Installing a RODC on a Core install of Windows 2008 adds nothing to that physical protection.

It is actually a fair assumption that anyone savvy enough to break into a stolen server is also capable of working most of their tricks from the command line. So, while a Core installation does increase security by having a smaller attack surface, that protection is separate from the one a RODC provides.

It can be tempting to consider a Core installation for remote RODCs in order to reduce the number of patches and updates that need to be installed. However, remember that if there is no technical staff on-site, it is much harder to walk a non-technical person through any procedure that must be performed locally when that person has to use the command line.


Installing RODC on a Core Server Install

There is only one way to install the RODC role on a Server Core installation: dcpromo.exe run in unattended mode. The GUI-less version of Windows Server 2008 cannot show the installation wizard, so every setting has to come from switches or an answer file.

Using an answer file (dcpromo /unattend:<file>) makes the process much easier than trying to get all the switches just right on the command line.

Installing the Read-Only Domain Controller on Windows Server 2008 - 1

Although there are many settings available depending upon your particular infrastructure, just basic information is required to complete the command:

  • an account with permissions to do what you are trying to do
  • the name of the Site
  • the database and log paths
  • and whether or not to install DNS.

Installing the Read-Only Domain Controller on Windows Server 2008 - 2

Many people will put a “yes” for RebootOnCompletion. If you are doing an actual unattended promotion then that would make sense.

If you are sitting at the console, I prefer to manually reboot the server so that I can take as much time as I want to study what is on the screen if there is an issue.
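As an added example, not the answer file from the article’s screenshots and not Microsoft’s own sample, here is a batch file that does the whole Core-side procedure above in one go: it writes the minimal RODC answer file, runs dcpromo against it, removes the file (it contains the DSRM password) and reports the result. The same answer file works with dcpromo on a full install too. The domain corp.example.com, the BranchOffice site, the source DC dc01, the rodc-installer account, the group names and the DSRM password are placeholders you must replace. ReplicaOrNewDomain=ReadOnlyReplica is the line that makes this an RODC rather than a writable replica, and the two PasswordReplication lines set the policy that decides which passwords the box may ever cache.

```batch
@echo off
REM Added example, not the article's answer file: unattended RODC promotion
REM on Windows Server 2008 Server Core. Every domain, site, host, account,
REM group and password below is a placeholder (assumption) to replace.
setlocal
set "ANSWER=%SystemDrive%\rodc-unattend.txt"

REM 1. Write the answer file. [DCInstall] and the key names are dcpromo's
REM    unattend parameters; ReplicaOrNewDomain=ReadOnlyReplica makes this an
REM    RODC. Password=* makes dcpromo prompt for the install account's
REM    password at the console; put the real password here only for a truly
REM    unattended run, and then treat this file as a secret.
(
  echo [DCInstall]
  echo ReplicaOrNewDomain=ReadOnlyReplica
  echo ReplicaDomainDNSName=corp.example.com
  echo SiteName=BranchOffice
  echo ReplicationSourceDC=dc01.corp.example.com
  echo InstallDNS=Yes
  echo ConfirmGc=Yes
  echo DatabasePath="C:\Windows\NTDS"
  echo LogPath="C:\Windows\NTDS"
  echo SYSVOLPath="C:\Windows\SYSVOL"
  echo UserDomain=corp.example.com
  echo UserName=rodc-installer
  echo Password=*
  echo SafeModeAdminPassword=Replace-This-DSRM-Passw0rd
  echo PasswordReplicationAllowed="CORP\BranchOffice Users"
  echo PasswordReplicationDenied="CORP\Service Accounts"
  echo DelegatedAdmin="CORP\BranchOffice Admins"
  echo RebootOnCompletion=No
) > "%ANSWER%"

REM 2. Run dcpromo and wait for it to exit, so %ERRORLEVEL% is dcpromo's
REM    return code and not the shell's.
start /wait "" dcpromo /unattend:"%ANSWER%"
set "RC=%ERRORLEVEL%"

REM 3. The answer file holds the DSRM password; remove it as soon as dcpromo
REM    has read it.
del /f /q "%ANSWER%"

REM 4. Report. dcpromo writes dcpromo.log and dcpromoui.log under
REM    %SystemRoot%\debug whether or not the promotion finished, so read
REM    them before rebooting if the code is not one of the documented
REM    success codes (Microsoft's Unattended Installation Return Codes).
echo dcpromo returned %RC%
for %%F in (dcpromo.log dcpromoui.log) do (
  if exist "%SystemRoot%\debug\%%F" (
    echo --- lines mentioning errors in %%F ---
    findstr /i /n /c:"error" /c:"fail" "%SystemRoot%\debug\%%F"
  )
)
echo Reboot manually (shutdown /r /t 0) once you are satisfied with the result.
endlocal
```

RebootOnCompletion=No is deliberate for the reason given above: with a person at the console it leaves time to read the screen and the two logs. For a genuinely unattended rollout set it to Yes, but then the return code and the logs are the only record you get, so keep the reporting step.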


Regular Installation

On a full install of Windows Server 2008, there is of course a GUI tool to help with the process. The Active Directory Domain Services Installation Wizard handles the installation of a RODC.

Type “dcpromo” at a command prompt to start the wizard. The first screen asks whether you want to add a domain controller to an existing forest or create a new domain in a new forest. Since a RODC must join an existing domain, the choice is obvious.

Next you’ll be asked for a username and password. The account must be a member of Domain Admins in order to create a Read-Only Domain Controller, unless a Domain Admin has already pre-created the RODC computer account in Active Directory and delegated it to you (a staged installation); in that case the delegated account can finish the promotion.

Next, you’ll choose the site you wish to join.

So far, this is all the same as a regular Domain Controller install. The “Additional Domain Controller Options” page is where you actually choose to make this a Read-Only Domain Controller installation, alongside the DNS server and global catalog checkboxes.


Installing the Read-Only Domain Controller on Windows Server 2008 - 3

Next, choose the paths for installing the components, or just click Next to use the defaults. Once the confirmation screen appears, you are all set.

In this case, you might as well check “Reboot On Completion”. Unlike in the command-line environment, here in the GUI-world if something goes wrong you’ll have all the time you want before clicking on OK or Next to analyze what happened.


It’s Five O’clock Somewhere …

Your RODC is now installed. Congratulations! If it’s late enough in the day, or if your boss has already gone home, then head on out to happy hour.

If it’s still morning, or this is the third day this week you’re leaving early, then go get a cup of coffee. Either way, you’ve earned it.




4 Responses to “Install It - Read-Only Domain Controller on Windows Server 2008”

  • [...] You lose AD, you can’t do anything…  Directory Services in Windows Server "Longhorn"  Read-Only Domain Controller and Server Core   Step-by-Step Guide for Read-only Domain Controllers Windows Server 2008 dcpromo Changes  Active Directory Domain Services: Install from (restored backup) media (IFM)  Command Line switches for DCPROMO  Windows Server Codename Longhorn   Installing AD on writable and read-only DCs from a media set  Deploying Windows Server 2008 Read Only Domain Controllers   Performing a Staged RODC Installation  Determine the Number of Domain Controllers  RODC deployment guide  RODC Compatility Pack for Legacy OSes  RODC compatibility pack for down-level clients  How to promote Server Core to be a RODC  Creating an Unattend Installation File for DCPROMO in Windows Server 2008    PowerShell script to automate deployment of Read-only Domain Controllers on Hyper-V   Install It - Read-Only Domain Controller on Windows Server 2008  Installing Windows 2008 Active Directory on Server Core (Existing Forest)   Read-Only Domain Controllers - What’s Old is New Again   Windows Server 2008 Core - Active Directory Domain Services   Active Directory Domain Services: Install from (restored backup) media (IFM)      The Crosby Blog - Windows Server 2008 Core: Read-Only DC (using the scripting method)  Understanding “Read Only Domain Controller” authentication   Installing Active Directory on Server Core with an Answer File  How to Promote Server Core Installation to a Read Only Domain Controller  Windows Server 2008 dcpromo Changes III (or Server Core Setup)  How to Configure a Server Core Domain Controller: Vanilla to First DC in a Forest  Install AD DS from media   [...]

  • Dean Says:

    You can watch a whole bunch of online Screencasts here:
    http://www.netometer.com/video/windows+2008.php

    Installing and configuring server core are just some of the scenarios demonstrated there.

    Dean

  • Joy Says:

    Thanks! Just a question: did it ever happen to you that, when running DCPromo unattended inside a script and calling it via “cmd /c”, it hangs? Restarting the machine will then make it continue. RebootOnCompletion and RebootOnSuccess have both been used but to no avail :(

    Additionally, how do you check (logs, etc.) that unattended dcpromo has actually completed?

  • Brian Says:

    Joy,
    It would be my guess that if it is hanging like that then the operation is not completing and thus never triggering the reboot option. Note how this is different than the operation failing, which would reboot even if it failed (assuming you are using RebootOnCompletion). To test this theory, I would set RebootOnSuccess to No. Then, if you never get the prompt or control never returns, you would know that your operation is hanging somewhere else and you just can’t see it because it isn’t writing anything to the screen. The manual reboot would cause the system to stop waiting for whatever response it is looking for. If that is the case, you might look to see whether one or more of your parameters doesn’t seem to be taking. That could indicate that those parameters come later in the operation than the one that is hanging up, so they are not getting applied.

    By the way, if you are using ONLY the text in the article, then you may be missing a necessary parameter for your environment. That block of text is the MINIMUM required. You may need to add a line or two depending on how you are set up.

    Take a look at: http://207.46.196.114/windowsserver2008/en/library/d2521765-9e7b-44b6-9021-496908f4b9521033.mspx?mfr=true

    to see if there are any parameters that would apply to your environment.

    If that link doesn’t work, then you can navigate to it:

    Windows Server 2008 Technical Library > Active Directory Domain Services > Getting Started: AD DS > Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal > Appendix of Unattended Installation Parameters

    *************

    For your second question, look in your domain log files. Again, it can be hanging in such a way that an error never gets written (it doesn’t think it is finished, it is just waiting for an answer, so it won’t write an error). You can use the /LogPath parameter (see that same Microsoft link) to explicitly define a location.

    You could try piping the return code to a text file but again, this will only work if the operation COMPLETES. Then, you can use Unattended Installation Return Codes. It was here last I checked:

    http://207.46.196.114/windowsserver2008/en/library/d2521765-9e7b-44b6-9021-496908f4b9521033.mspx?mfr=true
