Deploying an RODC
Start course
1h 3m

Windows Active Directory Domain Services (AD DS) is a leading identity management solution for organizations of all sizes. At the core of Windows AD DS is the domain controller. The domain controller provides login services, group policies, domain naming services (DNS), and other identity management services for users and computers in a domain along with other enterprise management services.

In this course, we start by reviewing the Windows AD DS environment including forests and domains. Then we review considerations for deploying domain controllers in a virtualized environment, on-premises, and in Azure. Next, we look at use cases for deploying read-only domain controllers at locations where physical security cannot be guaranteed. Lastly, we examine flexible single master operations roles and how to locate and move them to support troubleshooting efforts.

Learning Objectives

  • Deploy and manage domain controllers on-premises
  • Deploy and manage domain controllers in Azure
  • Deploy read-only domain controllers (RODCs)
  • View, manage, and troubleshoot flexible single master operations (FSMO) roles

Intended Audience

  • System administrators with responsibilities for managing hybrid identities
  • Subject matter experts in configuring and managing Active Directory workload on-premises and in Azure
  • Anyone preparing for the Azure AZ-800 Administering Windows Server Hybrid Core Infrastructure exam



Let's get started with a demo on Deploying a Read-Only Domain Controller. This will build on previous demos. There's a domain controller in the environment. That was created in the edinalab.local domain for this example. Please see the previous lectures if you need to create a domain. We start with a Windows Server with a data drive for the Active Directory partition. This too has already been created for the demo. The server that will become the read-only domain controller requires network connectivity to the existing domain controller. That includes configuring the DNS settings to use an Active Directory aware DNS server.

In this demonstration, that DNS server is the existing domain controller. We also need a domain admin account to configure the read-only domain controller. The upcoming example can be run in Azure or on-premises with hardware or a virtual environment. Let's get started on the computer that will become our read-only domain controller. Here we are on the computer that will become our read-only domain controller. Let's start by adding the Active Directory Domain Services role to the server from the Server Manager. This follows the same process we use to create the domain controller. Click 'Next' until we reach server roles. Select 'Active Directory Domain Services', add all the features. Go 'Next' to confirmation and 'Install'. This will take a minute to install, I'll pause here until it's finished. That finished, we can 'Close' to continue.

Once finished, we'll configure the services. We'll promote this server to a domain controller. Use the added domain controller to an existing domain option and specify the domain edinalab.local for this example. We have to add credentials for an existing account that can add the domain controller, domain administrator, for this example. Be sure to add the domain suffix to the administrator account. Go to 'Next', check the box for DNS server, global catalog and read-only domain controller. Add the directory services, restore password, and click 'Next'. We'll add an account with delegated administrative account permissions. This account will be able to manage the read-only domain controller server but not Active Directory on the server. For this example, we'll use a previously created user account, RODC admin.

Next, we can add accounts that are allowed to replicate to the read-only domain controller and accounts that are denied from replicating passwords to the read-only domain controller. Notice the built-in group, allowed RODC password replication group is already listed. Members of this group will be allowed to replicate passwords to the read-only domain controller. Go to 'Next", leave it selected to replicate from any domain controller, go to 'Next".

Update the folder path to use the data drive. Review the settings and click 'Next' and click 'Install' after the prerequisite check. This will take a minute to finish, we'll pause here until it's done. Here we are logged into the new domain controller and you can see we have Active Directory Domain Services and DNS listed as services on this virtual machine. Let's close that and go to Active Directory users and computers. Be sure to go to 'View', 'Advanced features', that will give us all the features available in Active Directory users and computers.

First we'll connect to the read-only domain controller. Right click on the domain and go to 'Change domain controller'. Select 'This domain controller' and select our read-only domain controller. You can identify which one is the read-only domain controller with the RODC under DC type. Click 'OK'. We get a warning that the selected domain controller  is read-only and we won't be able to make any changes. Click 'OK', let's go into domain controllers. Right click on a read-only domain controller and go to properties, password replication policy. Notice the options to add to remove are greyed out. That's because we connected to a read-only domain controller, click 'Cancel'.

Let's go back and right click on the domain, change domain controllers. This time, we'll change to a writable domain controller. We can just leave the option any writable domain controller, click 'OK'. Now let's go into our domain controllers. Right click on the read-only domain controller. Go to password replication policies. From here, we can add a user group or a computer object, let's add. We have the option to add an account as allowed or explicitly deny the account from replicating the password. Let's select allow, 'Ok'. We'll add an account. The account we're adding was previously created, test.two. Click 'Ok' and now test.two is allowed with a password replication policy. That's how to add a Read-Only domain controller and add a user to the password replication policy.

About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.