(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 3
Posted by Jorge on 2011-11-04
The next step is to install an RODC using a two-step staged promotion. In the first step the computer account, the server object, the NTDS Settings object and the other related objects are pre-created on some RWDC and replicated to the other DCs. This step should be considered the highly trusted part of the promotion and should NEVER be delegated to less trusted admins. In the second step a stand-alone server (NOT yet domain joined!), which has the exact same name as the name in the pre-created RODC objects, is attached to the pre-existing objects in AD. This step can be considered a less trusted operation and can therefore be delegated to some non-Domain Admin. In previous versions of Windows you could perform the first step through DCPROMO or ADUC. With this new version of Windows, Microsoft is making it possible to use PowerShell to perform all these steps. And THAT’s what I’m going to use and show!
With Windows Server 2008 R2 Microsoft provided the “ActiveDirectory” PowerShell module, which allows you to manage data in AD. Now Microsoft has also added the module called “ADDSDeployment”, which allows you to create AD forests and AD domains, promote and demote DCs, etc. It is kinda cool you can do this through PowerShell! Have I already mentioned this is COOL!?
As before, you need to import the correct PowerShell module as shown below and then use the correct CMDlet to pre-create the RODC objects in the first stage of the process. As you can see I’m using the FL shortcut CMDlet (the alias for Format-List) to output the result as a formatted list instead of a formatted table, which is the default. My main reason is that in the formatted table I would not be able to read the complete message. With the FL shortcut CMDlet (formatted list) I can read everything.
```powershell
Import-Module ADDSDeployment

Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName R1FSRODC1 `
    -DomainName ADCORP.LAB `
    -SiteName BRANCH01 `
    -ConfigureGlobalCatalog `
    -InstallDNS `
    -DelegatedAdministratorAccountName ADCORP\TK_R1_LclADAdmin-R1FSRODC1 `
    -AllowPasswordReplicationAccountName "Allowed RODC Password Replication Group","ADCORP\GRP_R1_ALLOWCache-R1FSRODC1" `
    -DenyPasswordReplicationAccountName "Denied RODC Password Replication Group","administrators","Account Operators","Backup Operators","Server Operators","ADCORP\GRP_R1_DENYCache-R1FSRODC1" | FL
```
Figure 1: Pre-Creating The RODC Objects In AD On An RWDC
Figure 2: Pre-Creation Of The RODC Objects Has Succeeded
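Because stage one is the trusted half of the promotion and stage two is handed to a less trusted admin, it is worth checking what stage one actually wrote to AD before the server is handed over. The script below is an added example written for this post, not code from the original post or from Microsoft; it assumes the names used above (RODC account R1FSRODC1 in domain ADCORP.LAB) and reads the pre-created computer object with the ActiveDirectory module (the RODC-specific attributes msDS-NeverRevealGroup, msDS-RevealOnDemandGroup and managedBy are real attributes; the expected values are the ones from the command above).

```powershell
# Added example: verify the stage-one pre-created RODC account before stage two.
# Assumes the names from the post: R1FSRODC1 in ADCORP.LAB (adjust as needed).
Import-Module ActiveDirectory

$rodcName   = 'R1FSRODC1'
$domainName = 'ADCORP.LAB'

# The server is not joined yet, so query the computer object itself rather than
# Get-ADDomainController. The PRP is stored on the object as two DN lists.
$acct = Get-ADComputer -Identity $rodcName -Server $domainName -Properties `
    managedBy, primaryGroupID, userAccountControl, `
    'msDS-NeverRevealGroup', 'msDS-RevealOnDemandGroup'

$PARTIAL_SECRETS_ACCOUNT = 0x04000000   # userAccountControl flag set on RODC accounts
$RODC_PRIMARY_GROUP_RID  = 521          # "Read-only Domain Controllers"

# 1. Confirm the account really is staged as an RODC and not as a full (RW) DC.
if (($acct.userAccountControl -band $PARTIAL_SECRETS_ACCOUNT) -eq 0) {
    Write-Warning "$rodcName does not carry the PARTIAL_SECRETS_ACCOUNT flag (not an RODC account?)"
}
if ($acct.primaryGroupID -ne $RODC_PRIMARY_GROUP_RID) {
    Write-Warning "$rodcName primary group is $($acct.primaryGroupID), expected $RODC_PRIMARY_GROUP_RID"
}

# 2. The delegated admin (managedBy) must be a non-Domain Admin, as the post requires.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Server $domainName -Recursive |
    Select-Object -ExpandProperty distinguishedName
if (-not $acct.managedBy) {
    Write-Warning "No delegated administrator (managedBy) set on $rodcName"
} elseif ($domainAdmins -contains $acct.managedBy) {
    Write-Warning "Delegated admin $($acct.managedBy) is a Domain Admin; stage two should be delegated to a less privileged account"
} else {
    Write-Host "Delegated admin: $($acct.managedBy)"
}

# 3. Privileged groups must be on the deny list so their secrets are never cached
#    on the branch RODC; these are the groups named in the command above.
$resolve = { param($dn) (Get-ADObject -Identity $dn -Server $domainName).Name }
$denied  = @($acct.'msDS-NeverRevealGroup'    | ForEach-Object { & $resolve $_ })
$allowed = @($acct.'msDS-RevealOnDemandGroup' | ForEach-Object { & $resolve $_ })

$mustDeny = 'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators',
            'Denied RODC Password Replication Group', 'GRP_R1_DENYCache-R1FSRODC1'
foreach ($g in $mustDeny) {
    if ($denied -notcontains $g) { Write-Warning "'$g' is missing from the deny list of $rodcName" }
}

# 4. Anything on both lists is effectively denied (deny wins); flag it so the
#    allow list does not give a false sense of what will be cached.
$both = $allowed | Where-Object { $denied -contains $_ }
if ($both) { Write-Warning "On both allow and deny list (deny wins): $($both -join ', ')" }

[PSCustomObject]@{
    Account   = $acct.DistinguishedName
    ManagedBy = $acct.managedBy
    Allowed   = $allowed -join '; '
    Denied    = $denied  -join '; '
} | Format-List
```

Run this on the RWDC (or any machine with RSAT) with an account that can read the Domain Controllers container; once the object has replicated, the output should list the same allow and deny groups you passed to Add-ADDSReadOnlyDomainControllerAccount, with no warnings.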
In the NEXT PART we’ll take care of installing the AD binaries on the server that will become the actual RODC.
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########