Install, Configure and Remove a Read Only Domain Controller (RODC)

When you need a domain controller in a branch office that sometimes has network connectivity problems, or a domain controller that you cannot fully administer, you can install a Read Only Domain Controller (RODC). This domain controller holds a read-only copy of the directory: you cannot create users, computers or other objects on it, but if you install it in a branch office, the users and computers there can still log on and get the other benefits of a local domain controller.

First of all, make sure the domain functional level is Windows Server 2008 or higher.

You have two options to install this type of domain controller.

1. Go to Active Directory Domain Services -> Domain Controllers -> right-click and select Pre-create Read-only Domain Controller account.

Select an administrator account to use for the installation.

Enter the name of the new RODC server.

Select the site for the server.

Choose whether the server should also be a DNS server and a Global Catalog.

Delegate control of the server to a user or group located near the server who has some IT knowledge.

The server appears in ADDS as down. Later you need to add a server to the domain with the same name, and it automatically becomes an RODC with this configuration.

2. The second option is to install Windows Server, go to Add Roles and Features and select Active Directory Domain Services (ADDS).

When the wizard finishes, promote the server and select the option to add a domain controller to an existing domain.

Select the RODC option.

Delegate control to the users or groups that will manage the server.

Finally, the new RODC server appears in ADDS -> Domain Controllers.
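The same two installation paths in PowerShell, as an added example that is not part of the original article: a functional-level check, the pre-created account of option 1 (with the matching promotion from the branch server), and the direct promotion of option 2. The domain corp.example.com, the site Branch, the server BR-RODC01 and the group CORP\Branch-RODC-Admins are placeholder names assumed for this script.

```powershell
# Added example, not code from the original article. corp.example.com,
# the site "Branch", the server BR-RODC01 and the delegated admin group
# CORP\Branch-RODC-Admins are constructed placeholder names.
Import-Module ActiveDirectory

# Check done once, on any writable DC: the domain functional level must be
# Windows Server 2008 or higher before an RODC can be added.
function Assert-RodcFunctionalLevel {
    $mode    = (Get-ADDomain).DomainMode
    $minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ([int]$mode -lt [int]$minimum) {
        throw "Domain functional level is $mode; raise it to Windows Server 2008 or higher first."
    }
    "Functional level $mode is sufficient for an RODC."
}

# Option 1, step A (run on a writable DC): pre-create the RODC account.
# Name, site, DNS, Global Catalog and the delegated admin are fixed here,
# so no domain admin is needed later on the branch server.
function New-RodcAccount {
    Add-ADDSReadOnlyDomainControllerAccount `
        -DomainControllerAccountName 'BR-RODC01' `
        -DomainName 'corp.example.com' `
        -SiteName 'Branch' `
        -InstallDns `
        -DelegatedAdministratorAccountName 'CORP\Branch-RODC-Admins' `
        -Credential (Get-Credential -Message 'Domain admin used to pre-create the account')
    # Until a server named BR-RODC01 attaches to it, ADDS shows the account as unoccupied.
}

# Option 1, step B (run on the branch server, which must be named BR-RODC01):
# a member of the delegated group promotes it; site, RODC flag and roles
# come from the pre-created account.
function Install-RodcFromAccount {
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    Install-ADDSDomainController `
        -DomainName 'corp.example.com' `
        -UseExistingAccount `
        -InstallDns `
        -Credential (Get-Credential -Message 'Member of CORP\Branch-RODC-Admins') `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
}

# Option 2 (run on the branch server, no pre-created account): everything is
# decided at promotion time, so this run needs a domain admin credential.
function Install-RodcDirect {
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    Install-ADDSDomainController `
        -DomainName 'corp.example.com' `
        -ReadOnlyReplica `
        -SiteName 'Branch' `
        -InstallDns `
        -DelegatedAdministratorAccountName 'CORP\Branch-RODC-Admins' `
        -Credential (Get-Credential -Message 'Domain admin') `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
}

# Either way, confirm from a writable DC that the new DC is read-only and in the right site.
function Get-RodcList {
    Get-ADDomainController -Filter 'IsReadOnly -eq $true' |
        Select-Object Name, Site, IsGlobalCatalog, IsReadOnly
}

# Usage: Assert-RodcFunctionalLevel; then either New-RodcAccount (on a DC) followed by
# Install-RodcFromAccount (on the branch server), or Install-RodcDirect alone; then Get-RodcList.
```

Each function is one step of the article's procedure, so they are meant to be called one at a time on the right machine rather than run as a single script. The pre-created account of option 1 is the safer path for a branch office, because the branch staff never need a domain admin credential on the server they physically control.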

Now the RODC is installed, but you still need to configure it. First, open the RODC server properties and select Password Replication Policy.

You can add new groups or users, but the best option is to create a group containing the people in the branch office and add that group to the Allowed RODC Password Replication Group. If you want to cache the passwords for the people in the branch office right away, go to Advanced and use Prepopulate Passwords to add the users in the wizard.
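The same Password Replication Policy work in PowerShell, as an added example that is not from the original article: review what the policy allows and denies, add the branch group, prepopulate the cached passwords, and check which secrets the RODC actually holds. The RODC name BR-RODC01 and the group Branch-Users are placeholder names assumed here.

```powershell
# Added example, not code from the original article. BR-RODC01 (the branch RODC)
# and Branch-Users (a group of the branch staff) are constructed placeholder names.
Import-Module ActiveDirectory
$rodc = 'BR-RODC01'

# What does the policy allow and deny right now? Out of the box the allowed list
# holds the (empty) "Allowed RODC Password Replication Group" and the denied list
# covers the privileged groups, so nothing is cached until you add something here.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Allow the branch group. The domain-wide group (what the article recommends)
# applies to every RODC in the domain; the per-RODC list, shown commented out,
# would scope the same grant to this one server only.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members 'Branch-Users'
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'

# Prepopulate (cache) the passwords now instead of waiting for each first logon,
# so the branch still works if the WAN is down before anyone has logged on.
# Sync-ADObject only succeeds for accounts the policy allows: a user who is also
# in a denied group (for example Domain Admins) fails here by design.
$source = [string](Get-ADDomainController -Discover -Writable).HostName
Get-ADGroupMember -Identity 'Branch-Users' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $dn = $_.distinguishedName
        try {
            Sync-ADObject -Object $dn -Source $source -Destination $rodc -PasswordOnly
        } catch {
            Write-Warning "Not cached (denied by policy?): $dn - $($_.Exception.Message)"
        }
    }

# Verify: these are the accounts whose secrets are now physically stored on the RODC.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

Keep the allowed group limited to the people who really work at that branch; every account in the revealed list is an account whose password hash is sitting on hardware outside the data center, which is exactly what the removal procedure below has to clean up.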

Finally, if the server is stolen from the branch office, you can delete the server in Active Directory. When you delete the server, a new wizard appears.

In this wizard you can reset all the passwords of the user accounts and computer accounts that were cached on the RODC, and export or view the cached accounts. This way you can know who was using this RODC.
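An added example, not the article's own steps and not the deletion wizard itself: the same clean-up done in PowerShell before the RODC object is deleted, so the list of exposed accounts is kept and the cached user and computer secrets are reset regardless of how the server object is later removed. The stolen RODC BR-RODC01, the writable DC DC01.corp.example.com and the export path under C:\IR\ are placeholder names assumed here.

```powershell
# Added example, not code from the original article. BR-RODC01 (the stolen RODC),
# DC01.corp.example.com (a writable DC) and the C:\IR\ export path are constructed.
Import-Module ActiveDirectory
$rodc       = 'BR-RODC01'
$writableDc = 'DC01.corp.example.com'
$report     = "C:\IR\$rodc-exposed-accounts.csv"

# 1. Record who was exposed. RevealedAccounts = secrets actually cached on the RODC;
#    AuthenticatedAccounts = accounts that authenticated through it, useful for
#    scoping the incident even where the password was never cached.
$revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)
$revealed | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path $report -NoTypeInformation
"Cached: $($revealed.Count) accounts, authenticated: $($authenticated.Count) accounts (report: $report)"

# 2. Reset every cached user password. A throwaway random value is set against a
#    writable DC and the user must pick a new one at next logon, so the secret that
#    was on the stolen box (and the Kerberos keys derived from it) stops working.
$revealed | Where-Object ObjectClass -eq 'user' | ForEach-Object {
    $tmp = ConvertTo-SecureString -AsPlainText -Force ([guid]::NewGuid().ToString('N') + 'Aa1!')
    Set-ADAccountPassword -Identity $_.DistinguishedName -Reset -NewPassword $tmp -Server $writableDc
    Set-ADUser -Identity $_.DistinguishedName -ChangePasswordAtLogon $true -Server $writableDc
}

# 3. Cached computer accounts: their machine password was on the RODC too. Each
#    reachable machine resets its own secret against a writable DC; the rest are
#    reported so they can be rejoined to the domain by hand.
$revealed | Where-Object ObjectClass -eq 'computer' | ForEach-Object {
    $name = $_.Name
    try {
        Invoke-Command -ComputerName $name -ArgumentList $writableDc -ErrorAction Stop -ScriptBlock {
            param($dc) Reset-ComputerMachinePassword -Server $dc
        }
    } catch {
        Write-Warning "$name not reachable; rejoin it to the domain manually."
    }
}

# 4. Only now delete the RODC's computer object in Active Directory; the wizard the
#    article describes then offers the same export and reset options a second time.
```

Keep the exported CSV with the incident record: it is the only list of which identities were exposed, and it disappears with the RODC object once the deletion completes.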

