Posted in How To

Step-by-Step Guide: Create and configure an RODC GUI Powershell include comments

   April 20, 2023

Here is a step-by-step guide on how to create and configure a read-only domain controller (RODC) using both GUI and PowerShell with comments:

Creating an RODC using GUI:

  1. Open Server Manager and select “Add Roles and Features”.
  2. Click “Next” until you reach the “Server Roles” page.
  3. Check the “Active Directory Domain Services” role and click “Next”.
  4. Click “Next” until you reach the “Features” page.
  5. Check the “AD DS Snap-Ins and Command-Line Tools” feature and click “Next”.
  6. Click “Install” and wait for the installation to complete.
  7. Once the installation is complete, open “Active Directory Users and Computers”.
  8. Right-click on the domain and select “Create a new Domain Controller”.
  9. Click “Next” until you reach the “Additional Domain Controller Options” page.
  10. Select “Read-only domain controller (RODC)” and click “Next”.
  11. Follow the prompts to complete the installation.

Configuring an RODC using GUI:

  1. Open “Active Directory Users and Computers”.
  2. Right-click on the RODC and select “Properties”.
  3. Click on the “Password Replication Policy” tab.
  4. Click “Advanced”.
  5. Click “Add”.
  6. Enter the username or group name that you want to allow password caching for.
  7. Click “OK” to save the changes.

Creating an RODC using PowerShell:

  1. Open PowerShell with administrator privileges.
  2. Install the Active Directory PowerShell module by running the following command:Install-WindowsFeature RSAT-AD-PowerShell
  3. Run the following command to create a new RODC:Install-ADDSDomainController -DomainName <domainname> -InstallDNS:$true -ReadOnlyReplica:$true -SiteName <sitename> -Credential (Get-Credential)
  4. Follow the prompts to complete the installation.

Configuring an RODC using PowerShell:

  1. Open PowerShell with administrator privileges.
  2. Run the following command to allow password caching for a user or group:Set-ADDomainControllerPasswordReplicationPolicy -Identity <RODCname> -Allowed <username/groupname>
  3. To deny password caching for a user or group, run the following command:Set-ADDomainControllerPasswordReplicationPolicy -Identity <RODCname> -Denied <username/groupname>

Note: In both GUI and PowerShell, make sure to follow best practices when configuring RODCs, such as placing them in secure locations and limiting the users and groups that are allowed to cache passwords on them.

Share: XFacebookPinterestLinkedin
Author: tonyhughes