
The things that are better left unspoken

a blog by Sander Berkouwer


4 methods to add Server Core RODCs to your environment

The Read-only Domain Controller is one of the new and most exciting features of Windows Server 2008. So is Server Core. Combining these two features opens up a whole new world of possibilities for your Active Directory environment.

Server Core Domain Controllers are the high-performance, low-maintenance brothers of Domain Controllers running on full installations of Windows Server 2008. I have already shown you, a long time ago, how to install Server Core Domain Controllers (the post that started the Server Core frenzy on my blog over a year ago). Now I feel it's time to show you how to add Server Core Read-only Domain Controllers to your existing Windows Server 2008 domain.

This blogpost contains the following information:


Reasoning

Reasons to install additional Domain Controllers

Joe explains the importance of Active Directory in simple words:

You lose AD, you can't do anything... "In my dreams, one day, people will not consider AD a commodity or utility service. They will look at it as the integral piece of their corporate security and stability it truly is. AD often gets bumped up to be a critical app because Exchange needs it but realistically, if you lose Exchange, so what, you can't do email. You lose AD, you can't do anything except maybe play with your own laptop."

Microsoft advises using at least two Domain Controllers for each domain. When you use only one Domain Controller and that Domain Controller fails, you can't do anything. Although you might be able to restore the Domain Controller, when you use a dedicated backup media server you might have trouble authenticating the Backup Service Account...

Using two Domain Controllers might not even be sufficient in some scenarios. These scenarios might include Identity Management solutions (synchronizing with other directory services) and Infrastructure Master / Global Catalog combinations in multi-site situations. Large Microsoft Exchange Server implementations might require multiple Global Catalog servers as well. See the Infrastructure Planning & Design TechCenter for Active Directory for more information.

Reasons to install Read-only Domain Controllers

Windows Server 2008 brings a new kind of Active Directory Domain Controller to the table: the Read-only Domain Controller. It is not aimed at providing additional fault tolerance for your Active Directory forest, but is an additional Domain Controller typically aimed at Branch Office and DMZ one-way-sync situations. These situations typically include:

  • relatively few users
  • poor physical security and/or high security requirements
  • relatively poor or restricted bandwidth to central Domain Controllers
  • little local IT knowledge (for Branch Office scenarios)

Branch offices

The classic dilemma regarding Active Directory Domain Controllers in Branch Offices was to place a (writable) Domain Controller in the Branch Office or increase bandwidth to the central Domain Controllers to facilitate authentication.

Branch Offices also typically have specific needs. Most of the time central restrictions don't get taken very seriously and the only real restriction seems to be budget. This results in the kitchen cupboard servers most of us will have encountered. (along with the coffee machine hooked up to the same UPS?)

The Read-only Domain Controllers functionality offers branch offices fast authentication, while being more secure than writable Domain Controllers, mitigating the risks when the box gets compromised or stolen.

DMZ

A Perimeter Network, also known as a DMZ, is a security measure: a highly restricted and heavily monitored piece of network. It is mainly used for Internet-facing servers that in one way or another need information from networks that are considered 'internal'. (To give you an idea: typical servers placed in DMZs are web servers, Exchange 2003 front-end servers, Exchange 2007 Edge Transport servers and ISA servers.)

This information might be related to authentication against your 'internal' Active Directory, and this may well pose a security threat. The classic dilemma was to create a separate Active Directory forest (with two Active Directory Domain Controllers, naturally) or to rely on the appliances, configuration and monitoring skills to keep things safe.

The Read-only Domain Controller functionality offers a one-way replication method for selected information from your internal network to the DMZ, with limited risk towards your internal network when the box gets compromised.

Reasons to install Server Core RODCs

Read-only Domain Controllers prevent (most) branch office IT personnel from altering Active Directory information even though they have console access. One of the benefits of Server Core is that those same persons don't get a point-and-click interface. The opportunity to wreak havoc is many times smaller compared to a Full Installation of Windows Server 2008.

Another benefit is the additional performance a Server Core Domain Controller offers in comparison to a Full Installation Domain Controller. Offering the same performance while placing slimmer boxes that cost less is appealing in branch office situations (especially when deploying a large number of branch offices).


Preparations

At least one Windows Server 2008 Domain Controller

Read-only Domain Controllers can replicate with Windows Server 2003 Domain Controllers, but updates to the domain partitions won't get replicated. For this reason Microsoft advises replicating Read-only Domain Controllers with Windows Server 2008 Domain Controllers.

Let's assume you already upgraded your Windows Server 2003 Domain Controllers to Windows Server 2008 or have recently implemented an Active Directory forest using Windows Server 2008. Jorge and I have posted information on how to transition your Active Directory forest and how to implement new Windows Server 2008 Domain Controllers, so you shouldn't have any problems creating writable Windows Server 2008 Domain Controllers. More info:

Microsoft states you will need to make at least one Windows Server 2008 Domain Controller a DNS Server for your Active Directory Integrated DNS Zone, if you want your Read-Only Domain Controller to act as a DNS Server for your Active Directory Integrated DNS Zones.

Domain and Forest functional levels

The good news is that, despite having to implement at least one Windows Server 2008 Domain Controller, you do not need to raise the domain functional level or the forest functional level to Windows Server 2008. The forest functional level does need to be at least Windows Server 2003, though.

RODCPrep

Furthermore you should run adprep /rodcprep before you begin implementing Read-only Domain Controllers. This command will update your Active Directory and prepare it for the first Read-only Domain Controller. Perform this action on the Domain Controller holding the Domain Naming Master Flexible Single Master Operations (FSMO) role.

Note:
You can skip RODCPrep if you created your Active Directory forest with Windows Server 2008 Domain Controllers from scratch.

Adprep.exe is located on the Windows Server 2008 DVD in the subfolder SOURCES\ADPREP.

RODC Compatibility Pack

While Windows Server 2008 and Windows Vista understand the Read-only Domain Controller functionality out of the box, some Microsoft products do not. For these products Microsoft released the RODC compatibility pack for down-level clients. Typical symptoms for Windows XP and Windows Server 2003 are described in Microsoft Knowledgebase article 944043.

Active Directory sites

When installing Read-Only Domain Controllers for new remote locations, prepare Active Directory sites and corresponding IP subnets.


Example

In this blogpost I'm using an example environment and an example Read-Only Domain Controller implementation. The example is pretty simple. Below are its characteristics:

    

  Fully Qualified Domain Name (FQDN) for the domain: Domain.local
  NetBIOS name for the domain: DOMAIN
  Username with Enterprise Admins / Domain Admins membership: Administrator
  Password for the above account: P@ssw0rd1
  Directory Services Restore Mode (DSRM) password: P@ssw0rd
  Username for delegated account (Staged Deployment only): RODCAdmin

A new site named "Remote location" has been defined, along with a corresponding IP range. The server that will become the Read-Only Domain Controller has been given an IP address in the range of the "Remote location".

The new Read-only Domain Controller in our example will be the only Domain Controller in the remote location and will become a DNS server and Global Catalog. Our Server Core Read-only Domain Controller comes prepared with a dedicated E:\ partition to place the Active Directory database, transaction logs and system volume (SYSVOL) onto.


Scripting

On both Full Installations and Server Core Installations of Windows Server 2008 you can script the Promotion of a (member) server to a Domain Controller using dcpromo.exe.

By appending command line switches to dcpromo.exe you can script the command. A full overview of all the dcpromo.exe command line switches can be found on this page on Microsoft TechNet.

To script the Read-only Domain Controller (RODC) promotion for our example you could use the following command:

dcpromo.exe /unattend /UserDomain:DOMAIN /UserName:Administrator ^
/Password:"P@ssw0rd1" /InstallDNS:yes ^
/ReplicaOrNewDomain:ReadOnlyReplica ^
/ReplicaDomainDNSName:domain.local /ConfirmGC:yes ^
/DatabasePath:"E:\NTDS" /LogPath:"E:\NTDS" /SYSVOLPath:"E:\SYSVOL" ^
/SiteName:"Remote Location" ^
/SafeModeAdminPassword:"P@ssw0rd"

(The trailing ^ characters are the cmd.exe line continuation; the whole thing is one command.)


Answerfile

As an alternative to installing your Read-only Domain Controller with a script you can use an answerfile. This is certainly a way to make the promotion process less error-prone, but it shows your password to everyone who has access to the file before execution.

Note:
The passwords get stripped after promotion, whether successful or unsuccessful.

To use an answerfile with dcpromo.exe, use either of the following two commands:

dcpromo.exe /unattend:C:\dcpromo.txt

     or

dcpromo.exe /answer:C:\dcpromo.txt

The contents of the Answerfile for our example should look like below:

[DCInstall]
; Add Read Only Domain Controller
createOrjoin=join
replicaDomainDNSName=domain.local
; Windows Server 2008 name for the reboot option (same key as in the staged-deployment answerfile)
RebootOnCompletion=Yes
ReplicaOrNewDomain=ReadOnlyReplica
UserDomain=DOMAIN
SiteName="Remote Location"
UserName=administrator
Password="P@ssw0rd1"
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
; Dedicated E:\ partition from the example environment
DatabasePath="E:\NTDS"
LogPath="E:\NTDS"
SYSVOLPath="E:\SYSVOL"
SafeModeAdminPassword="P@ssw0rd"

More examples of answerfiles can be found in Microsoft Knowledgebase article 947034, which shows how to use unattended mode to install and remove Active Directory Domain Services on Windows Server 2008-based Domain Controllers.
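The weak spot the paragraph above points out is the window between writing the answerfile and running dcpromo.exe, during which the password sits on disk in clear text. The batch script below is an added example, not code from the original post: it writes the answerfile for the example RODC with Password=* so that dcpromo.exe prompts for the DOMAIN\Administrator password instead of storing it, restricts the file to Administrators and SYSTEM while it still holds the DSRM password, runs the promotion, and then checks that the password value really was stripped before deleting the file. The file location C:\dcpromo.txt is an assumption.

```batch
@echo off
rem Added example, not code from the original post: write the answerfile for the
rem example RODC, restrict who can read it while it holds a password, run
rem dcpromo.exe and confirm afterwards that the password value was stripped.
rem Assumptions: C:\dcpromo.txt as the answerfile location; Password=* so that
rem dcpromo prompts for the DOMAIN\Administrator password instead of storing
rem it on disk; only the DSRM password (P@ssw0rd, from the example) is written.

setlocal
set "ANSWER=C:\dcpromo.txt"

rem Build the answerfile. RebootOnCompletion=No keeps the box up so the
rem post-promotion check below can run; reboot manually afterwards.
(
  echo [DCInstall]
  echo ReplicaOrNewDomain=ReadOnlyReplica
  echo ReplicaDomainDNSName=domain.local
  echo SiteName="Remote Location"
  echo UserDomain=DOMAIN
  echo UserName=Administrator
  echo Password=*
  echo InstallDNS=Yes
  echo ConfirmGc=Yes
  echo CreateDNSDelegation=No
  echo DatabasePath="E:\NTDS"
  echo LogPath="E:\NTDS"
  echo SYSVOLPath="E:\SYSVOL"
  echo SafeModeAdminPassword="P@ssw0rd"
  echo RebootOnCompletion=No
) > "%ANSWER%"

rem Strip inherited permissions; only Administrators and SYSTEM may read the file.
icacls "%ANSWER%" /inheritance:r /grant:r "BUILTIN\Administrators:F" "NT AUTHORITY\SYSTEM:F" >nul

rem Promote. dcpromo.exe prompts for the DOMAIN\Administrator password (Password=*).
dcpromo.exe /unattend:"%ANSWER%"
echo dcpromo.exe exited with code %errorlevel% - details are in %SystemRoot%\debug\dcpromo.log

rem dcpromo is documented to strip passwords from the file whether or not the
rem promotion succeeded; verify that before leaving the file behind.
findstr /c:"P@ssw0rd" "%ANSWER%" >nul
if errorlevel 1 (
  echo Password value is no longer present in %ANSWER%.
) else (
  echo WARNING: %ANSWER% still contains the password value.
)
del /q "%ANSWER%"
echo Review the log, then reboot with: shutdown /r /t 0
endlocal
```

Run it from an elevated command prompt on the Server Core box. The findstr check returns exit code 1 when the string is absent, which is the expected outcome after promotion; if the value is still there, the script says so before the file is deleted, so you know the answerfile has been readable on disk for longer than intended.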


Staged Deployment

Although the Graphical User Interface (GUI) of dcpromo.exe is not available on a Server Core installation, you can still use it partially to create Server Core Domain Controllers if you prefer. Through the GUI on a Domain Controller on a Full Installation of Windows Server 2008 you can perform the first step of a Staged Deployment.

A Staged Deployment includes the following two steps:

  1. Preparing the Read-only Domain Controller account
  2. Attaching a server to the previously created Read-only Domain Controller account

Preparing the RODC account

To pre-create a Read-only Domain Controller within a Staged Deployment perform the following steps:

  1. Open the Active Directory Users and Computers MMC snap-in on a Domain Controller running a full installation of Windows Server 2008, on a full installation of Windows Server 2008 joined as a domain member with the Remote Server Administration Tools installed, or on a Windows Vista installation with the Remote Server Administration Tools installed.

  2. Right-click the Organizational Unit (OU) in which you want to deploy your Read-only Domain Controller.

     Tip:
     In a default Active Directory environment you would right-click the OU named Domain Controllers, which has the Default Domain Controllers Policy applied.

     From the context menu select the option named Pre-create Read-only Domain Controller account... .

  3. The Active Directory Domain Services Installation Wizard now starts. In the Welcome to the Active Directory Domain Services Installation Wizard screen select the Use advanced mode installation option and click Next >.

     Note:
     You don't need to select this option if your scenario doesn't require you to set any of the advanced options. The delegated admin, however, might be able to specify these settings.

  4. In the Operating System Compatibility screen click Next >.

  5. Advanced mode only: In the Network Credentials screen select another account with membership of the Domain Admins group or accept the default of the currently logged-on credentials. Click Next > when done.

  6. In the Specify the Computer Name screen supply the computer name. Click Next >.

  7. In the Select a Site screen select the Active Directory site in which you want to place the Read-only Domain Controller. In the case of our example you'd choose the Active Directory site named Remote location you created earlier. Click Next >.

  8. In the Additional Domain Controller Options screen select the additional options for your Domain Controller. In our example we choose to additionally install the DNS server and Global catalog options, which are selected by default. Hit the Next > button when done.

  9. Advanced mode only: In the Specify the Password Replication Policy screen change the default policy if needed and hit the Next > button.

  10. In the Delegation of RODC Installation and Administration screen set the group or user account within Active Directory you want to allow to attach a Windows Server 2008 box to the Read-only Domain Controller account. Click Next >.

  11. In the Summary screen review your selections, click Next > and click Finish when done.


Attaching a server to the account

The second step of a Staged Deployment consists of attaching a server to the pre-created Read-only Domain Controller account. In this case I will be using an answer file, which is the most likely way to help your local Server Core admin out.

Tip!
Alternatively you can use scripting to attach the server to the pre-created Read-only Domain Controller account.

[DCInstall]
; Read-Only Domain Controller Installation using pre-created RODC account
ReplicaDomainDNSName=Domain.local
UserDomain=DOMAIN
UserName=RODCAdmin
; An asterisk makes dcpromo prompt for the delegated account's password
; instead of storing it in the file
Password=*
; Dedicated E:\ partition from the example environment
DatabasePath="E:\NTDS"
LogPath="E:\NTDS"
SYSVOLPath="E:\SYSVOL"
SafeModeAdminPassword="P@ssw0rd"
RebootOnCompletion=Yes

Instruct the local Administrator for the site in which you intend to place the Read-only Domain Controller to create an answerfile containing the above text. When necessary, refer to the Getting installation files onto Server Core post for more information.

Instruct the administrator to perform the following command:

dcpromo.exe /UseExistingAccount:attach /unattend:C:\dcpromo.txt

Where C:\dcpromo.txt represents the location of the answerfile.


Installation from Media

A consideration in multi-site Active Directory environments with little available bandwidth is to use Install from Media (IFM) when you promote a Domain Controller. Using this kind of media saves the new Domain Controller from replicating the entire Active Directory database from another Domain Controller during promotion. Just like a Staged Deployment, Installation from Media is a two-step process:

  1. Preparing the media
  2. Installing the Domain Controller using the media

Preparing the media

To create media for the promotion of a Read-only Domain Controller you can logon to a Windows Server 2008 Domain Controller using an account with administrative permissions and perform the following actions:

  1. Open a command prompt with administrative privileges and run the following command: ntdsutil. This starts the NTDS utility in interactive mode.
  2. Type activate instance ntds to select the Active Directory database.
  3. Type ifm to enter the IFM Media Creation context.
  4. Type create rodc C:\InstallationMedia to create IFM media with SYSVOL for a Read-only DC in the C:\InstallationMedia folder.
  5. Type q to exit the IFM context. Type q a second time to exit the NTDS utility.
  6. Close the command prompt window.
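The six interactive steps collapse into one command line, because ntdsutil accepts its interactive commands as quoted arguments. The batch script below is an added example, not code from the original post: it creates the RODC media that way, checks that the database was actually written, and then locks the folder down to Administrators and SYSTEM and records an inventory, in line with the note further down that the media has to be treated like a physical Domain Controller. The folder C:\InstallationMedia is the one from the post's example.

```batch
@echo off
rem Added example, not code from the original post: create the RODC IFM media
rem with a single ntdsutil command line (ntdsutil takes its interactive
rem commands as quoted arguments) and lock the folder down before shipping.
rem Assumed output folder: C:\InstallationMedia, as in the post's example.

setlocal
set "MEDIA=C:\InstallationMedia"

rem Same sequence as the six interactive steps: select the NTDS instance,
rem enter the IFM context, create the read-only DC media, quit twice.
ntdsutil "activate instance ntds" "ifm" "create rodc %MEDIA%" "quit" "quit"

rem ntdsutil writes the database under "Active Directory"; if it is missing,
rem media creation failed and there is nothing to ship.
if not exist "%MEDIA%\Active Directory\ntds.dit" (
  echo IFM media creation failed, check the ntdsutil output above.
  exit /b 1
)

rem The folder holds a copy of the directory database: treat it like a Domain
rem Controller. Remove inherited permissions and grant access to Administrators
rem and SYSTEM only, recursively.
icacls "%MEDIA%" /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" /t >nul

rem Record what is being shipped so the remote administrator can compare the
rem received media against this list before promoting.
dir /s /b "%MEDIA%" > "%MEDIA%.inventory.txt"
echo Media ready in %MEDIA%, inventory written to %MEDIA%.inventory.txt
endlocal
```

Keep the inventory file separate from the media itself (send it by another channel) so the administrator at the remote location has something independent to check the received files against.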


Installing the Domain Controller using the media

With the media you created in step 1 you can promote the Read-only Domain Controller. Using the media will considerably reduce the amount of replication traffic. Some traffic will occur, of course; how much depends on the number of changes made to Active Directory between creation of the media and promotion of the Domain Controller.

After you have created the media you can ship it or take it to the location of the Read-only Domain Controller and transfer the files onto it.

Note:
Take a good look at the security of the media during shipping to the remote location. From a security point of view the media must be considered as a physical Domain Controller.

To promote the Domain Controller you can use any of the three methods above on the side of the Read-only Domain Controller. To show you the appropriate switches I chose to use scripting. This resulted in the following command:

dcpromo.exe /adv /unattend /UserDomain:DOMAIN ^
/UserName:Administrator /Password:"P@ssw0rd1" /InstallDNS:yes ^
/ReplicaOrNewDomain:ReadOnlyReplica ^
/ReplicaDomainDNSName:domain.local /ConfirmGC:yes ^
/DatabasePath:"E:\NTDS" ^
/LogPath:"E:\NTDS" /SYSVOLPath:"E:\SYSVOL" ^
/SiteName:"Remote Location" ^
/SafeModeAdminPassword:"P@ssw0rd" ^
/ReplicationSourcePath:"C:\InstallationMedia"

In my case I transferred the files to the C:\InstallationMedia folder on the Server Core box, but running it from a CD, DVD or memory stick would also suffice.
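Whichever of the four methods you used, the promotion is only done once the new box behaves like a Read-only Domain Controller: it is listed as read-only in its site, inbound replication works, and its Password Replication Policy caches only what you intended. The batch script below is an added example, not code from the original post; it runs those checks from a writable Domain Controller or an RSAT workstation. The RODC name RODC01 / rodc01.domain.local is an assumption that does not come from the post.

```batch
@echo off
rem Added example, not code from the original post: checks to run from a
rem writable Domain Controller (or an RSAT workstation) once the Server Core
rem RODC has been promoted with any of the four methods. The RODC name
rem RODC01 / rodc01.domain.local is an assumption, not taken from the post.

setlocal
set "RODC=RODC01"
set "RODCFQDN=rodc01.domain.local"

rem 1. The new server must show up as a read-only DC in the remote site.
echo === Read-only Domain Controllers in site "Remote Location" ===
dsquery server -site "Remote Location" -isreadonly

rem 2. Inbound replication to the RODC must succeed; an RODC is never an
rem    outbound replication source, so only inbound links are expected.
echo === Replication status of %RODCFQDN% ===
repadmin /showrepl %RODCFQDN%

rem 3. Review the Password Replication Policy: which accounts may be cached
rem    on this RODC, and which passwords it has actually revealed (cached).
echo === Accounts allowed to be cached on %RODC% ===
repadmin /prp view %RODC% allow
echo === Passwords currently cached on %RODC% ===
repadmin /prp view %RODC% reveal

rem 4. Standard DC health tests: replication, DNS/SRV advertising and SYSVOL.
dcdiag /s:%RODCFQDN% /test:replications /test:advertising /test:netlogons
endlocal
```

The reveal list from step 3 is the one to keep an eye on over time: it shows exactly which credentials would be exposed if the branch office box were stolen, which is the risk the Read-only Domain Controller is meant to limit in the first place.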


Concluding

There are four ways to promote your Server Core box to a Read-Only Domain Controller. Depending on your needs you can use the most appropriate method:

Scripting
  Pros: Easy; Fast
  Cons: Error-prone ("fat finger syndrome"); No delegation options; No Graphical User Interface; Not repeatable

Answerfile
  Pros: Fast; Repeatable (with changes)
  Cons: Getting the file on the box; No delegation options; No Graphical User Interface

Staged Deployment
  Pros: Graphical User Interface; Delegated (when necessary)
  Cons: Possibly time consuming; Needs communication and consultation

Install from Media
  Pros: Decreased network traffic
  Cons: Security measures during shipping


Further Reading

You lose AD, you can’t do anything… 
Directory Services in Windows Server "Longhorn" 
Read-Only Domain Controller and Server Core  
Step-by-Step Guide for Read-only Domain Controllers
Windows Server 2008 dcpromo Changes 
Active Directory Domain Services: Install from (restored backup) media (IFM) 
Command Line switches for DCPROMO 
Windows Server Codename Longhorn  
Installing AD on writable and read-only DCs from a media set 
Deploying Windows Server 2008 Read Only Domain Controllers  
Performing a Staged RODC Installation 
Determine the Number of Domain Controllers 
RODC deployment guide 
RODC Compatibility Pack for Legacy OSes
RODC compatibility pack for down-level clients 
How to promote Server Core to be a RODC 
Creating an Unattend Installation File for DCPROMO in Windows Server 2008   
PowerShell script to automate deployment of Read-only Domain Controllers on Hyper-V  
Install It - Read-Only Domain Controller on Windows Server 2008 
Installing Windows 2008 Active Directory on Server Core (Existing Forest)  
Read-Only Domain Controllers - What's Old is New Again  
Windows Server 2008 Core - Active Directory Domain Services  
The Crosby Blog - Windows Server 2008 Core: Read-Only DC (using the scripting method) 
Understanding “Read Only Domain Controller” authentication  
Installing Active Directory on Server Core with an Answer File 
How to Promote Server Core Installation to a Read Only Domain Controller 
Windows Server 2008 dcpromo Changes III (or Server Core Setup) 
How to Configure a Server Core Domain Controller: Vanilla to First DC in a Forest 
Install AD DS from media  

Webcasts

Lazy Admin - Creating a Read Only DC (using an answerfile)
Dennis Chung  - DCPromo Server Core as a DC in existing Domain (using an answerfile)

Posted: Sunday, July 13, 2008 9:54 AM by Sander Berkouwer

Comments

Syed Khairuddin said:

I was called to troubleshoot an installation of a RODC server at one of my customers' places 3 days back. I believe it was a really good troubleshoot which I want to share with you guys. The scenario was as follows.

The customer was having Windows 2008 writable Domain Controllers and some Windows 2003 ADCs. So before introducing RODC in the environment we fulfilled all the requirements, like running ADPREP /rodc so the schema is extended, and all the other things which Microsoft recommends doing from the following guide http://technet.microsoft.com/en-us/library/cc731243(WS.10).aspx. In spite of that, whenever we ran DCPROMO, checked RODC and hit Next, a failure message popped up stating "An error occurred while loading the default Password Replication Policy. The error was: The network address is invalid."

Solution:

My customer had missed pre-creating the RODC account, so there was no Password Replication Policy to find. Once that was done the promotion went through using the dcpromo /UseExistingAccount:Attach command.

# May 25, 2010 2:14 PM