Deploying a Windows Server 2016 read-only domain controller (RODC) with PowerShell

An RODC is a domain controller (DC) that holds a read-only copy of the Active Directory database and the SYSVOL folder. It supports unidirectional replication and only pulls data from its replication partner when the data changes on writable domain controllers. Enterprises can deploy RODCs in branch offices where they cannot guarantee physical security.

RODC characteristics ^

The following characteristics differentiate RODCs from writeable DCs (RWDC).

1. Write operations from clients are not possible on an RODC because it holds a read-only copy of the AD database.
2. An RODC does not replicate AD and SYSVOL folder data to to RWDCs.
3. An RODC holds a complete copy of the AD database, except for credentials and credential-like attributes, called a filtered attributes set (FAS).
4. When an RODC receives an authentication request from users from the branch site, it forwards the request to a writeable domain controller. Read more about the authentication process on RODCs here.
5. An RODC can cache credentials of least privileged users to provide better authentication performance to branch users. If the RODC has Password Replication Policy enabled and has already cached the credentials, it processes the authentication request locally. Read more about credential caching and FAS here.
6. It is possible to delegate rights to standard domain users for RODC administration. Read more about those RODC administration operations here.

 

Deploying an RODC ^

Prerequisites

Before you deploy an RODC, you need to have at least one writeable domain controller in your environment. In addition, the following conditions are required:

1. An administrator account has a strong password.
2. The server has a static IP address.
3. The server has the latest Windows updates installed.
4. The preferred DNS server IPv4 address is configured and points to the writeable DC.

Installing the Active Directory Domain Service

First, you have to install the Active Directory Domain Service (AD DS) feature on your Windows Server 2016 computer. To do so, execute the following PowerShell command and wait for the installation to complete.

If everything went well, you will end up with the result that the screenshot below displays.

Promoting a domain member to an RODC

The next step is to promote the server to an RODC with its own DNS server and global catalog by executing the command below. It will prompt you to provide the DSRM (Directory Services Restore Mode) password and credentials that have the permissions to add this DC to the domain.

You use the same cmdlet (Install-ADDSDomainController) for deploying a writable DC. The only difference is the ReadOnlyReplica parameter that installs the domain controller as an RODC. If you don’t specify the path to the Active Directory log, the database, and the SYSVOL folder, it will use the default paths.

After executing the command and successfully promoting your server to an RODC, the server will automatically reboot.

 

Configuring RODC password caching ^

The new RODC it still using a writeable DC for authenticating branch users and computers. To force the RODC to authenticate users and computer accounts, you have to ensure that the RODC caches the corresponding credentials. For this, you have to configure the Password Replication Policy (PRP) to ensure that it replicates and caches the credentials on the RODC for subsequent authentications.

Allowed and Denied Password Replication Groups

There are two groups in PRP: the Allowed and the Denied Password Replication Groups. The RODC caches account credentials for members of the Allowed Password Replication Group but not those of the Denied Password Replication Group. By default, accounts from privileged groups such as Enterprise, Schema, and Domain Admins are members of the Denied RODC Password Replication Group. To get the complete list, execute the following command:

Adding users accounts to the Allowed Password Replication Group

To add branch user accounts to the Allowed RODC Password Replication Group without the system asking for confirmation, execute the following PowerShell command:

The command fetches all user accounts from the Students organizational unit (OU) and then pipes those accounts to the Add-ADGroupMember cmdlet, which adds them to the group. To confirm that the operation succeeded, run the following command.

Prepopulating user passwords

If you would like to cache account credentials on the RODC before users log in, you can prepopulate their passwords by executing the following commands:

Getting an account list of stored RODC passwords

To get the list of accounts with cached passwords on the RODC, execute the following command:

This will return the list of accounts with names and object classes of credentials stored or cached on the RODC with the name “SRV-02.”

Clearing the RODC password cache

Once an RODC caches passwords, there is no way to delete them on it directly. However, resetting the passwords on a writeable DC also removes them from the password cache on the RODC. The same applies to computers; resetting their accounts removes their credentials from the RODC.

Let’s reset a password of the user with the name “John Ark”:

If you list the accounts with cached passwords using Get-ADDomainControllerPasswordReplicationPolicyUsage, John Ark’s account won’t appear anymore.