Performing a Staged RODC Installation
A staged approach can also be leveraged to install an RODC in a branch office. There are two steps to this approach, each described in the following list from a high-level perspective:
- The first step involves creating a computer account for the RODC in Active Directory. After the computer account is created, you must delegate its installation and management to a user at the branch office. The person being delegated does not require elevated privileged rights within the Active Directory forest like Domain Administrators or Enterprise Administrators.
- The next step requires branch office personnel to complete the RODC installation by attaching a server to the RODC account created in the previous step.
By delegating the installation of the RODC to a regular user account at the branch office, you eliminate the need to stage the RODC in a hub site and physically ship the server to the branch office. This was a common approach to configuring domain controllers for branch offices with previous versions of Windows, because administrators did not want to grant regular users at the branch office the elevated administrative privileges needed to conduct the installation. In addition, if the domain controller was traditionally built at the branch office, this staged approach eliminates the need to ship sensitive Windows Server 2008 R2 media and product keys.
Note
Another alternative to performing a staged RODC installation is to have the branch office prepare a base installation of the Windows Server 2008 R2 operating system. After this installation is complete and the server is on the network, a domain administrator from the hub site can use the Remote Desktop Protocol (RDP) to perform the dcpromo process remotely. This strategy also eliminates the need to use branch personnel in any facet of the domain controller installation process.
Complete the following steps to create an account for a Read-Only Domain Controller (RODC). You will be using the Active Directory Users and Computers interface in the first step of this staged approach.
1. On a writable Windows Server 2008 R2 domain controller, invoke Active Directory Users and Computers by selecting it from the Administrative Tools.
2. In Active Directory Users and Computers, expand the domain tree, and then select the Domain Controllers Organizational Unit folder.
3. Right-click the Domain Controllers OU container, and then select Pre-Create Read-Only Domain Controller Account.
4. The Active Directory Domain Services Installation Wizard is invoked. Review the Welcome page, and then click Next to continue.
5. On the Network Credentials page, specify the account credentials that will be used to perform the installation. The options are My Current Logged On Credentials or Alternate Credentials. Click Next to continue.
6. Enter a computer name for the RODC in the Computer Name text box on the Specify the Computer Name page, as illustrated in Figure 5. Click Next.
   Note
   This procedure creates a computer account in Active Directory Domain Services. The RODC computer name specified in this step should be the name of the server you plan on promoting to an RODC. As part of the prerequisite tasks, and also to minimize server name conflicts, do not join the server you plan on using as an RODC to the domain. The server should reside in a workgroup.
7. On the Select a Site page, select a site for the new domain controller installation, and then click Next.
8. On the Additional Domain Controller Options page, select the additional options for the domain controller. Additional items could include a DNS server and a global catalog server. Also, notice that the Read-Only Domain Controller option is selected automatically and cannot be unselected.
   Note
   In general, to minimize unnecessary WAN utilization, it is a best practice to also make the RODC a DNS server and a global catalog server.
9. On the Delegation of RODC Installation and Administration page, specify the user or group who will ultimately manage and attach the server to the RODC account being created. Do this by clicking Set and entering the desired user account or group. Click Next to continue.
10. Review the summary of the Active Directory installation, and click Next on the Summary page to finalize the creation of the RODC account.
11. Click Finish to finalize the creation of the RODC account.
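The same pre-creation can be scripted from the hub so that the account name, site, options and delegate are recorded in version control rather than typed into the wizard. The following PowerShell is an added example and is not from the book: it runs on a writable Windows Server 2008 R2 domain controller, uses an unattended dcpromo answer file in place of steps 3 through 11, and then verifies that the resulting object really is a staged RODC account. The domain, site, server and group names are constructed placeholders, and the `[DCInstall]` key names follow the dcpromo unattend syntax; confirm them with `dcpromo /?:CreateDCAccount` on your own DC before relying on them.

```powershell
# Added example, not from the book: pre-create a staged RODC account with an
# unattended dcpromo run and verify the result. All names below are placeholders.
$Domain         = 'corp.example.com'   # placeholder domain DNS name
$RodcName       = 'BRANCH-RODC01'      # must equal the branch server's hostname
$SiteName       = 'Branch-Office'      # existing AD site for the branch
$DelegatedAdmin = 'CORP\BranchIT'      # group that will attach and manage the RODC

Import-Module ActiveDirectory

# Fail fast if the name is already taken (for example a server that was joined
# to the domain early); the attach step requires an unoccupied account.
$existing = Get-ADComputer -Filter "Name -eq '$RodcName'" -ErrorAction SilentlyContinue
if ($existing) {
    throw "A computer object named $RodcName already exists at $($existing.DistinguishedName)."
}

# Answer file equivalent of wizard steps 5-9. No passwords are written to disk:
# the run uses the current (domain admin) logon, as 'My Current Logged On
# Credentials' does in the wizard.
$answerFile = Join-Path $env:TEMP 'rodc-precreate.txt'
@"
[DCInstall]
CreateDCAccount=Yes
ReplicaDomainDNSName=$Domain
DCAccountName=$RodcName
SiteName=$SiteName
DelegatedAdmin=$DelegatedAdmin
InstallDNS=Yes
ConfirmGc=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    & "$env:windir\system32\dcpromo.exe" "/unattend:$answerFile"
    if ($LASTEXITCODE -ne 0) { throw "dcpromo exited with code $LASTEXITCODE" }

    # Verify: a staged RODC account carries the PARTIAL_SECRETS_ACCOUNT bit
    # (0x04000000) and SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl,
    # stays disabled (0x2) until a server is attached, and records the
    # delegated principal in managedBy.
    $acct = Get-ADComputer -Identity $RodcName -Properties userAccountControl, managedBy, primaryGroupID
    $uac  = $acct.userAccountControl
    $isStagedRodc = (($uac -band 0x04000000) -ne 0) -and (($uac -band 0x2000) -ne 0) -and (($uac -band 0x2) -ne 0)
    if (-not $isStagedRodc) {
        throw ("{0} exists but does not look like an unattached RODC account (UAC=0x{1:X})" -f $RodcName, $uac)
    }
    "Staged RODC account {0} created; primaryGroupID={1}; delegated to {2}" -f $acct.Name, $acct.primaryGroupID, $acct.managedBy
}
finally {
    # Remove the answer file even on failure so it does not linger on the DC.
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}
```

The verification at the end is the part worth keeping even if you prefer the wizard: the delegated group in `managedBy` is what grants the branch personnel the right to attach, so auditing staged accounts amounts to listing disabled computer objects in the Domain Controllers OU and checking who each one is delegated to.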
At this point, the RODC account has been created. The next step is to run the Active Directory Domain Services Installation Wizard on the server that will become the RODC, using the user or group to which the RODC installation was delegated in the previous steps. To attach a server to an RODC account, follow these steps:
1. Using an account with local administrative privileges, log on to the server that will be the RODC in the branch office.
   Note
   To reaffirm, make sure this server is in a workgroup and not associated with the Active Directory domain.
2. Click Start, Run, type the command dcpromo /UseExistingAccount:Attach, and then click OK.
   Note
   The Active Directory Domain Services binaries will be installed. After this is complete, the Active Directory Domain Services Installation Wizard will be invoked.
3. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next to attach the server to the corresponding domain controller account created in the previous steps.
4. On the Network Credentials page, first specify the name of the forest where the RODC installation will occur. Then click Set to specify the alternate account credentials that will be used to perform the installation. Provide the username and password of the IT support personnel at the branch office that was delegated in the previous steps, as shown in Figure 6. Click Next.
   Note
   If the computer name of the source server deviates from the RODC name that was created in the previous step, the installation is sure to fail. The two names must be identical.
5. On the Select Domain Controller page, the wizard automatically links and matches the server name to the account name of the RODC created in the previous step. Ensure that the Computer Name, DC Type, and Domain and Site information in the Account Details section is correct. If it is, click Next to continue.
6. Validate the folder locations for the Database, Log Files, and SYSVOL folders, and then click Next.
7. Enter and confirm the password for the Directory Services Restore Mode administrator account, and click Next.
8. Review the summary of the Active Directory installation, and click Next on the Summary page to finalize the installation of the RODC.
9. Click Finish and restart the RODC system.
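The two failure modes the notes in this procedure warn about, a server that is already domain-joined and a hostname that does not match the pre-created account, are both detectable before dcpromo is ever launched. The following PowerShell is an added example and is not from the book: run on the workgroup server by the delegated branch administrator, it checks the local machine state, binds to a hub domain controller over LDAP with the delegated credentials to confirm an unoccupied RODC account of the same name exists in the Domain Controllers OU, and only then launches `dcpromo /UseExistingAccount:Attach` exactly as step 2 does. The forest name and the hub DC hostname are constructed placeholders.

```powershell
# Added example, not from the book: pre-flight checks on the branch server
# before "dcpromo /UseExistingAccount:Attach". Placeholder names throughout.
$Forest     = 'corp.example.com'            # forest name entered on the Network Credentials page
$HubDc      = 'hubdc01.corp.example.com'    # writable DC reachable across the WAN
$Credential = Get-Credential -Message 'Delegated branch admin (DOMAIN\user)'

$problems = @()

# Check 1: the server must be in a workgroup, not joined to the domain.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $problems += "This server is joined to $($cs.Domain); it must be in a workgroup before attaching."
}
$hostName = $cs.Name

# Check 2: an account with exactly this hostname must exist in the Domain
# Controllers OU. A workgroup machine can still bind to LDAP with explicit
# domain credentials, which is all the delegated user needs here.
$domainDn = 'DC=' + ($Forest -replace '\.', ',DC=')
$ou = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$HubDc/OU=Domain Controllers,$domainDn",
    $Credential.UserName,
    $Credential.GetNetworkCredential().Password)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($ou)
$searcher.Filter = "(&(objectCategory=computer)(cn=$hostName))"
[void]$searcher.PropertiesToLoad.AddRange(@('cn', 'userAccountControl', 'managedBy'))

try { $hit = $searcher.FindOne() } catch { $problems += "LDAP bind to $HubDc failed: $($_.Exception.Message)"; $hit = $null }

if (-not $hit) {
    if (-not ($problems -match 'LDAP bind')) {
        $problems += "No pre-created account named $hostName in OU=Domain Controllers; the names must be identical."
    }
} else {
    $uac = [int]$hit.Properties['useraccountcontrol'][0]
    # PARTIAL_SECRETS_ACCOUNT (0x04000000) + SERVER_TRUST_ACCOUNT (0x2000) mark an RODC account;
    # ACCOUNTDISABLE (0x2) is set while the staged account is still unoccupied.
    if (($uac -band 0x04000000) -eq 0 -or ($uac -band 0x2000) -eq 0) {
        $problems += ("{0} exists but is not an RODC account (UAC=0x{1:X})." -f $hostName, $uac)
    }
    if (($uac -band 0x2) -eq 0) {
        $problems += "$hostName is already enabled; it may already be attached to another server."
    }
    $delegate = $hit.Properties['managedby'][0]
    Write-Host "Found staged account $hostName, delegated to: $delegate"
}

# Check 3: the hub DC must resolve, otherwise the wizard cannot locate the account.
try { [void][System.Net.Dns]::GetHostEntry($HubDc) } catch { $problems += "Cannot resolve $HubDc in DNS." }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight failed; resolve the warnings above before attaching.'
}

Write-Host "Pre-flight passed for $hostName; starting the attach wizard."
& "$env:windir\system32\dcpromo.exe" /UseExistingAccount:Attach
```

Because the delegated account can only attach a server to its own staged object, the `managedBy` value printed by check 2 should name the branch group the hub administrator chose in the delegation step; if it names someone else, stop and confirm with the hub before proceeding rather than trying other credentials.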