Scroll To Top

Understanding Read-Only Domain Controller

Posted in Networking, Security, Windows Server1 year ago • Written by Ghulam Abbas2 Comments

What is RODC?

It is a read-only copy of NTDS.dit file. Two copies of Ntds.dit are present in separate locations on a given domain controller: %SystemRoot%\NTDS\Ntds.dit This file stores the database that is in use on the domain controller. For the first time, RODC was introduced in windows server 2008, which contains a full replication of the domain database.

It was created for the places like a small branch, there is no IT staff, Less Secure.

Features of RODC:

  1. They have almost everything except most Passwords like domain Admins, Enterprise Admins, or high-level accounts.
  2. DNS is also RODC.

What are the prerequisites of RODC?

  1. The PDC Emulator has to be windows server 2008 or higher.
  2. Receive updates from Domain Controller.
  3. DFL (Domain function level) and forest function level (FFL), has to be windows server 2003 or higher. If you are working with server 2003 and you want to use RODC, you have to use ADPrep/ RODCprep commands. These commands will create an RODC platform. The adprep.exe command is located on the \support\ adprep folder on the Windows Server 2012 installation disk.
  4. On RODC Per Domain per Site.
  5. If any user is using Outlook, make sure that the RODC should be a part of Global Catalog.
  6. UGMC should be enabled by default.

Credentials Caching

While installing RODC in any method we have some sections to save the Credentials.

  1. RODC verifies login it will not forward to Domain Controller.
  2. You can save Account Passwords in two methods. Individuals                                                                                                                                               Group
  3. Admins are Denied for saving Credentials.
  4. If you the RODC compromised, Domain Controller has the ability to edit the RODC Users. Whether reset or Delete
  5. You can also cache computer accounts.

Administrator Role in RODC

Sometimes it may happen, Users need to install any Application, Service, or any to update. Since the User doesn’t have the ability to install software or any Application. Domain Controller Creates an Admin for them to do the job Administrator only on RODC. Or in other Definition Domain Controller Controls Admin and Admin controls RODC. Here is some Ability of Admins in RODC.

  1. Admins can Manage Share and Printers.
  2. Admins can Manage Drivers, Apps, and Updates.
  3. Admins can Manage Disk Fragmentation.

How to Add Admin in RODC?

You can add Admins in RODC in four methods.

  1. You can Add Admin while installing RODC.
  2. You can Add Admin while installing pre-staged RODC.
  3. You can Add Admin with Command line and Answer File with ADK.
  4. You can Add Admin from Post Installation like UI, Dsmgmt, NTDSutil.

How to install RODC from Server Manager?

When it comes to installing of any feature or any role they installation can be performed weather Graphically or from Command line with PowerShell. In today’s let’s take a look How to install that from Server Manager? After learning all the basics about RODC, so let’s go ahead and start How to install RODC in server 2016 from server Manager. For this Operation I am using VMware Workstation, you can use any Virtual Machine like Hyper-V, VirtualBox or another Virtual Machine.

Since RODC can’t perform only in one Operating System, I have already set my environment. On the left side that is my Domain Controller and on the left side, that is my RODC Operating System. In my RODC system I have already installed ADDS but yet I have configured that. So let’s go ahead and configure that.

Step #1. Open Server Manager.

Step #2. On the left pane, click AD DS. On the right-pane, click More in the yellow bar. Take a look at the screenshot.

Understanding Read-Only Domain Controller

Server Manager

Step #3. When the All Servers Task Details window opens (Take a look at the Screenshot), click Promote this server to a domain controller. The Active Directory Domain Services Configuration Wizard starts.

Understanding Read-Only Domain Controller

All Server Task Details and Notification

Step #4. On the Deployment Configuration page select the Add a domain controller to an existing domain. After selecting that Enter the Domain Name and Credential. When you are done click next.

Understanding Read-Only Domain Controller

Deployment Configuration

Step #5. On the Domain Controllers Options page, select Read-only domain controller (RODC). Type a Directory Service Restore Mode (DSRM) password in the Password and Confirm password text boxes. When you are done click next.

Understanding Read-Only Domain Controller

Domain Controller Options

Step #6. On the RODC Options page, Select in the Delegated Administrator account section (Administrator for RODC). When the Select User or Group dialog box opens, type the name of the account to be used as a delegated administrator in the Enter the object names to select the text box and click OK.  Also down that select Group or Clients that their account Password is replicated to the RODC. Also down their the accounts the accounts which are denied from replicating to the RODC. If you want again you can add them.

Understanding Read-Only Domain Controller

RODC Options

Step #7. On the Additional Options page click Next.

Understanding Read-Only Domain Controller

Additional Options

Step #8. On the Paths page, click Next.

Understanding Read-Only Domain Controller


Step #9.  On the Review Options page, click Next.


Understanding Read-Only Domain Controller

Review Options


Step #10.  On the Prerequisites Check page, click Install.

Understanding Read-Only Domain Controller

Prerequisites Check

Step #11.   When the installation is complete, restart the domain controller.


It was all about, Understanding Read-Only Domain Controller. I hope you have learned this article, I hope you will ask your questions, give us your suggestions, opinion about what articles we have to write. If you faced any problem tell us below by comment, Feel free to tell us. we’re waiting for your suggestion.

TAGS: , , , , , , ,

2 Comments so far. Feel free to join this conversation.

  1. Newton May 11, 2017 at 12:09 pm - Reply

    When you take a moment to consider what is held on a domain controller namely all of your Company user accounts, including your infrastructure accounts if these were to be compromised, it would be a massive security risk to your network.

    • Ghulam Abbas May 19, 2017 at 9:13 am - Reply

      yes, it’s risky, but the Domain controller should not give them the complete permission.

Leave A Response