Windows Server 2016 deployment read-only domain controller (RODC)

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Read-only domain controller (RODC) deployment

An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database, which means that users and applications cannot directly modify the AD DS database on the RODC. This lets organizations deploy a domain controller in locations where physical security cannot be guaranteed.

The RODC is designed for branch-office environments. Branch offices usually have relatively few users, poor physical security, relatively low network bandwidth to the hub site, and little local IT knowledge.

The other steps for deploying an additional domain controller are the same as in the first article, "Windows Server 2016 deploying the first Active Directory domain controller".

First, after adding the Active Directory Domain Services role, click "Promote this server to a domain controller".

Select "Add a domain controller to an existing domain", enter the domain name "test.local" configured on the first domain controller, click "Change" to enter the account and password of a user with the right to add domain controllers, and then click Next.

On the Domain Controller Options page, check "Read only domain controller (RODC)", enter the Directory Services Restore Mode (DSRM) password, and click Next to continue.

On the RODC Options page, the "Accounts that are allowed to replicate passwords to the RODC" setting determines whether credentials can be replicated from a writable domain controller to the RODC. If the policy allows it, the writable domain controller replicates the password to the RODC, and the RODC caches those credentials. Keep the defaults here and click Next.

Specify which domain controller to replicate from; keep the default and click Next.

Specify the locations of the AD DS database, log files, and SYSVOL. Keep the defaults here and click Next.

On the Review Options page, check the configuration made so far. If anything is wrong, click Back to make changes; otherwise click Next.

After the prerequisite check passes, click "Install". The server restarts automatically when installation finishes, and after the restart the RODC has been created.

In Active Directory Users and Computers, under Domain Controllers, the DC type of the RODC is shown as "Read-only, GC", which confirms that the read-only domain controller has been created.

After creating the RODC, we immediately tested whether creating or changing domain accounts was now blocked, and found that, surprisingly, creating a user still succeeded. That is because the management console also has to be switched over to the RODC.

Open the Active Directory Users and Computers console, right-click "Active Directory Users and Computers" and select "Change Domain Controller":

Under "This Domain Controller or AD LDS instance", select the RODC that was just configured, and click OK.

A message warns that the selected domain controller is read-only; click "OK", which is selected by default.

At this point, the shortcut-menu entries for creating new users, groups, organizational units and so on are grayed out and cannot be clicked.
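The same deployment can be scripted and the result checked from PowerShell. The following is an added example, not part of the original article; the site name `Default-First-Site-Name` and the host name `RODC01` are assumptions, and `test.local` is the domain used above.

```powershell
# Added example, not from the article. Run in an elevated session.
# Assumed values: the AD site name and the RODC host name RODC01.
$Domain   = 'test.local'               # domain name used in the article
$SiteName = 'Default-First-Site-Name'  # assumption: -ReadOnlyReplica requires a site
$RodcName = 'RODC01'                   # hypothetical host name of the new RODC

function Install-Rodc {
    # Step 1: add the AD DS role, then promote the server as an RODC
    # (the equivalent of the wizard pages described above).
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    $cred = Get-Credential -Message "Account allowed to add DCs to $Domain"
    $dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'
    # Replication source, database, log and SYSVOL paths stay at their
    # defaults, as in the article. The server restarts when promotion ends.
    Install-ADDSDomainController -DomainName $Domain -ReadOnlyReplica `
        -SiteName $SiteName -Credential $cred `
        -SafeModeAdministratorPassword $dsrm -Force
}

function Get-RodcStatus {
    # Step 2 (after the restart): confirm the DC type, then list which
    # principals may have passwords cached on the RODC and which accounts
    # already have credentials stored there.
    Import-Module ActiveDirectory
    $dc = Get-ADDomainController -Identity $RodcName
    if (-not $dc.IsReadOnly) { throw "$RodcName is not a read-only DC" }
    [pscustomobject]@{
        Name          = $dc.Name
        ReadOnly      = $dc.IsReadOnly
        GlobalCatalog = $dc.IsGlobalCatalog
        Allowed       = (Get-ADDomainControllerPasswordReplicationPolicy `
                            -Identity $RodcName -Allowed).Name
        Denied        = (Get-ADDomainControllerPasswordReplicationPolicy `
                            -Identity $RodcName -Denied).Name
        Revealed      = (Get-ADDomainControllerPasswordReplicationPolicyUsage `
                            -Identity $RodcName -RevealedAccounts).Name
    }
}
```

Run `Install-Rodc` on the member server and `Get-RodcStatus` after it restarts. Accounts listed under `Revealed` have credentials cached on the RODC and are the ones to reset if the branch server is lost or stolen.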
