Setting up a Read-only Domain Controller (RODC) using the Staging method

This article describes the steps required to set up a Read-only Domain Controller (RODC) so that a remote office can authenticate users locally.

The configuration is demonstrated using the Active Directory Users and Computers (ADUC) console and, for the same tasks, using PowerShell.

The first set of instructions uses PowerShell to install the RODC:

Step 1 – Create a normal AD user account

Log on to a writeable Domain Controller and open a PowerShell command line to execute the following commands.

This command adds a new user account that will perform the task; if a suitable user already exists, this step can be skipped.

New-ADUser -Name Sam -SamAccountName Sam -UserPrincipalName Sam -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)

The command adds the user Sam with the given password, setting both the SAM account name and the user principal name to Sam.

Step 2 – Pre-create the Read-only Domain Controller computer account

To pre-create the RODC computer account, run the command below, which adds the account to AD. The user account Sam, which has no administrative privileges in the domain, is delegated the right to join the RODC server to the domain.

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName DC-RO -SkipPreChecks -DelegatedAdministratorAccountName Sam -DomainName 'mydomain.com' -SiteName Default-First-Site-Name

Have that user run the following PowerShell commands on the prospective RODC server, which should not yet be joined to the domain.

Step 3 – Install the Active Directory Domain Services on the prospective RODC

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Step 4 – Promote the server to the role of a RODC

Install-ADDSDomainController -DomainName 'mydomain.com' -Credential (Get-Credential) -UseExistingAccount

The command prompts for the credentials of the delegated account created earlier (or whichever account was delegated) and for the Directory Services Restore Mode password (SafeModeAdministratorPassword). Once the process completes, the server restarts and the RODC is ready for use.
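After the restart, it is worth confirming on a writeable DC that the staged RODC came up as intended and that its Password Replication Policy does not cache privileged credentials. The following verification script is an added example, not part of the original article; it assumes the names used above (DC-RO, Sam) and the RSAT ActiveDirectory module.

```powershell
# Added example: post-deployment checks for the staged RODC. Run on a writeable DC.
# Assumes the DC-RO and Sam names from the steps above and the ActiveDirectory module.
Import-Module ActiveDirectory

$RodcName         = 'DC-RO'   # account pre-created in Step 2
$DelegatedAdmin   = 'Sam'     # non-privileged account delegated in Step 2
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. The promoted server must be a read-only DC in the expected site.
$dc = Get-ADDomainController -Identity $RodcName
if (-not $dc.IsReadOnly) { throw "$RodcName is not read-only; check the promotion" }
Write-Host "$($dc.HostName) is an RODC in site $($dc.Site)"

# 2. The delegated administrator is recorded in the computer object's managedBy attribute.
$rodcObj = Get-ADComputer -Identity $RodcName -Properties ManagedBy
$manager = Get-ADUser -Identity $rodcObj.ManagedBy
if ($manager.SamAccountName -ne $DelegatedAdmin) {
    Write-Warning "Delegated admin is $($manager.SamAccountName), expected $DelegatedAdmin"
}

# 3. Delegation only helps if the delegated account holds no domain-wide privilege.
#    (Direct group membership only; nested membership is not expanded here.)
$managerGroups = (Get-ADPrincipalGroupMembership -Identity $manager).Name
$overlap = $managerGroups | Where-Object { $PrivilegedGroups -contains $_ }
if ($overlap) { Write-Warning "$DelegatedAdmin is in privileged group(s): $($overlap -join ', ')" }

# 4. Password Replication Policy: which principals this RODC may or may not cache.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied
Write-Host "Allowed to cache: $($allowed.Name -join ', ')"
Write-Host "Denied caching:   $($denied.Name -join ', ')"

# 5. Accounts whose secrets are actually stored on the RODC. A privileged account here means
#    a compromised RODC exposes a domain-wide credential: tighten the PRP and reset it.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
foreach ($acct in $revealed) {
    $groups = (Get-ADPrincipalGroupMembership -Identity $acct).Name
    $bad = $groups | Where-Object { $PrivilegedGroups -contains $_ }
    if ($bad) { Write-Warning "$($acct.SamAccountName) is cached on $RodcName and is in $($bad -join ', ')" }
}
Write-Host "$(@($revealed).Count) account(s) currently cached on $RodcName"
```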

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller--rodc---level-200-