Practical tour to RODC

April 3, 2020

In the last post, we saw how to install a Read Only Domain Controller. Now the question is: is installing the RODC all that is needed? The answer is NO. After the installation, we have to check a few necessary settings before the RODC becomes functional. Let's see why.

Currently I have shut down my writable DCs, and only my RODC is up and running. Now let's see what happens if we try to log in to the RODC. When you try to log in to your RODC while all of your writable DCs are off, it will not be able to find a domain controller to log you in.

This looks really weird: how can a domain controller need another domain controller to log in? Well, that is exactly why we use an RODC. It is not a full DC, it is a read only DC, and that is what gives it such good security. Then what is the use of an RODC if it does not allow me to log in? Well, it will. Just power on any of your writable DCs and it will let you log in. You have to make a few necessary settings to enable RODC logins permanently, but we will discuss that in the next article. In this article, let's explore the RODC a bit.

First, power on any writable DC and log in to the RODC. But when you log in to the RODC and open Server Manager, you will not find any Active Directory role there.

That's because, by default, the RODC installation does not install the AD DS tools. We have to install them manually. To install the tools, run the following commands:

Import-Module ActiveDirectory   # the module name has no space in it

Add-WindowsFeature RSAT-ADDS-Tools   # installs the AD DS snap-ins and command-line tools

Once the feature is installed, you will get a confirmation.

After that, when you go back to Server Manager, you can see the Active Directory related options. But to make them functional, you have to reboot your server once.

Now the first thing you have to do is open Active Directory Users and Computers and change the domain controller to the RODC. By default, it connects to one of the writable DCs, so you have to change it. To do that, right click on "Active Directory Users and Computers" and select "Change Domain Controller".

Select the RODC from the list and click on OK.

It will ask for a confirmation, click OK.

Now you are connected to the RODC. Go and try to delete any object in AD. Well, you are on an RODC, so you will not find that option at all. All the modification options will be grayed out.

In the same way, you can't create any object. You will not get the option at all.

Go to the Domain Controllers OU and you will get a list of all domain controllers there. The RODCs are specifically marked as "Read Only".
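The same checks can be done from PowerShell. This is an added example, not code from the original post; the RODC name $Rodc is assumed, and it assumes the AD DS tools above are installed and a writable DC is reachable.

```powershell
# Added example, not from the original post. Assumes the RSAT AD DS tools are
# installed and that you are logged on to the RODC with a writable DC reachable.
Import-Module ActiveDirectory

# Hypothetical name of the RODC; replace it with your own.
$Rodc = "RODC01"

# Same information as the Domain Controllers OU: which DCs are read only.
Get-ADDomainController -Filter * |
    Select-Object Name, IsReadOnly, IsGlobalCatalog, Site |
    Format-Table -AutoSize

# Confirm that the server we are about to query really is an RODC.
$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) { throw "$Rodc is not a read-only domain controller" }

# Reads against the RODC succeed: its copy of the directory is read only, not empty.
$userCount = @(Get-ADUser -Filter * -Server $Rodc).Count
"Users readable from ${Rodc}: $userCount"

# Writes do not: an RODC refers LDAP writes to a writable DC, so a write aimed
# directly at it fails. This is why ADUC hides create/delete when connected to it.
try {
    New-ADOrganizationalUnit -Name "RODC-WriteTest" -Server $Rodc -ErrorAction Stop
    Write-Warning "Write succeeded: $Rodc is not behaving as a read-only DC"
} catch {
    "Write to $Rodc refused as expected: $($_.Exception.Message)"
}
```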

I hope you are now familiar with the RODC console and its options. Now the only thing left is the final, important set of settings which you have to apply on every RODC. Stay tuned.

…cont
