Install and Configure RODC [Read Only Domain Controller] on Windows Server 2016


Keep in mind that

  • You need at least one writable domain controller to install a Read Only Domain Controller


First, install Windows Server 2016

Log in

Configure Network Card (provide a static IP address and DNS)

Add roles and features

Click Next to continue

Select the role-based installation type (this option is selected by default)

Select the Server

Select the Active Directory Domain Services role

Keep the default features

Click Next

Click Install

Click Close after installation

Promote the server to a domain controller

Provide the domain name and user credentials for deployment operations

Provide DSRM password and select Read Only Domain Controller (RODC)

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

Keep the RODC options as they are

Keep the locations for the AD DS database, log files and SYSVOL as they are

Review options before installation starts

Install Active Directory Domain Services

After the Active Directory Domain Services installation completes, restart the server

Check the installed read-only domain controller

Make sure to connect to the RODC


Configure the Administrators role

Type dsmgmt in the Run dialog, then enter the following commands:

local roles
add <DOMAIN>\<user> Administrators

Log in as the other user


To configure the RODC password replication policy, go to the RODC properties

  • Configure the groups that are allowed or denied password caching, as required
  • Click on Advanced to display a list of users for which the passwords have been cached.
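
The same password caching settings can be reviewed from PowerShell. The following is an added example, not part of the original post: it lists the allowed and denied groups and the accounts whose passwords are currently cached on the RODC, and flags privileged ones. It assumes the ActiveDirectory module is installed; RODC01 and the function name are placeholders.

```powershell
# Added example: audit what an RODC may cache and what it has already cached.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-RodcPasswordCacheReport {
    param(
        [Parameter(Mandatory)]
        [string]$RodcName      # assumption: the name of your RODC
    )

    # The two lists shown on the Password Replication Policy tab.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied

    # Accounts whose passwords are stored on the RODC right now
    # (the list behind the Advanced button).
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts

    $cached = foreach ($account in $revealed) {
        # adminCount = 1 marks accounts that are, or once were, members of a
        # protected (privileged) group.
        $entry = Get-ADObject -Identity $account.DistinguishedName -Properties adminCount
        [pscustomobject]@{
            Account    = $account.SamAccountName
            Class      = $account.ObjectClass
            Privileged = ($entry.adminCount -eq 1)
        }
    }

    [pscustomobject]@{
        Rodc    = $RodcName
        Allowed = $allowed.Name
        Denied  = $denied.Name
        Cached  = $cached
    }
}

$report = Get-RodcPasswordCacheReport -RodcName 'RODC01'   # placeholder name
"Allowed to cache : $($report.Allowed -join ', ')"
"Denied caching   : $($report.Denied -join ', ')"
$report.Cached | Sort-Object Privileged -Descending | Format-Table -AutoSize

# The RODC's own computer account and its krbtgt_<number> account are expected
# in the cached list. A privileged user account there calls for a password
# reset and a review of the Allowed list.
$report.Cached | Where-Object {
    $_.Privileged -and $_.Class -eq 'user' -and $_.Account -notlike 'krbtgt_*'
}
```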
