Windows Server 2008: Installing a Read-Only Domain Controller (part 1)

The upcoming sections include step-by-step procedures for installing an RODC on a full installation of Windows Server 2008 R2, installing an RODC on a Windows Server 2008 R2 Server Core installation, and performing a staged installation. Before launching into the procedures, however, let us examine the prerequisites associated with installing RODCs and understanding the limitations associated with using an RODC.

Examining Prerequisite Tasks When Deploying an RODC

The following bullets list the items you should review and complete before installing RODCs:

• Active Directory running on Windows Server 2003 or Windows Server 2008 R2 must already exist in the environment.

• The Active Directory schema must support the Windows Server 2008 R2 server extensions.

• The forest and domain functional level must be running Windows Server 2003 or higher.

• At least one domain controller within the domain must be running Windows Server 2008 R2.

• The PDC Emulator FSMO role must be running Windows Server 2008 R2.

• A regular non-read-only (writable) domain controller must already exist within the Active Directory infrastructure.

• The RODC cannot be the first domain controller within the Active Directory infrastructure.

• If the DNS service will be configured on a Server Core installation, a non-read-only DNS server must be present within the domain.

Limitations Associated with Windows Server 2008 R2 RODCs

There are situations when RODCs cannot be used. This is the case with bridgehead servers and operations master role holders. For example, a Windows Server 2008 R2 bridgehead server is responsible for managing Active Directory replication from a physical site. Because an RODC can only perform inbound unidirectional replication, it cannot be designated as a bridgehead server because these servers must support both inbound and outbound replication.

An RODC also cannot function as a Flexible Single Master Operations (FSMO) role holder. Each FSMO role needs to write information to an Active Directory domain controller. As an example, consider extending the Active Directory schema for Microsoft Exchange Server 2007. The new schema extensions would be written on a domain controller to support Exchange 2007. The schema extensions would fail on an RODC because the domain controller is not writable, which, of course, explains why an RODC cannot perform the FSMO role.

To add to its limitations, out-of-the-box RODCs cannot authenticate a smart card logon. This is because the Enterprise Read-Only Domain Controller (ERODC) group is not defined in the domain controller certificate template by default. Because the ERODC is not associated with the default group defined in the template, the RODC is not automatically enrolled in the certificate process, which is a requirement for authenticating smart card logons. Unlike the limitations of RODCs stated in the previous two paragraphs, there is a way to work around this particular drawback so an RODC can authenticate a smart card logon. The following changes must be orchestrated in the certificate templates for an RODC to support smart card logons:

• ERODC group permissions for Enroll must be set to Allow on the Domain Controller certificate template.

• ERODC group permissions for Enroll and Autoenroll must be set to Allow on the Domain Controller Authentication and Directory E-Mail Replication certificate template.

• The Authenticated Users group permissions must be set to Allow Read on the Domain Controller Authentication and Directory E-Mail Replication certificate template.