Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 3

Posted by Jorge on 2011-11-04


The next step is to install an RODC using a two-step staged promotion. In the first step the computer account, the server object, the NTDS Settings object and the related objects are pre-created on some RWDC and replicated to the other DCs. This step should be considered the highly trusted part of the promotion and should NEVER be delegated to less trusted admins, because it is where the RODC's site, its delegated administrator and its password replication policy (which accounts may and may never be cached on it) are decided. In the second step a stand-alone server (NOT yet domain joined!), which has the exact same name as the name in the pre-created RODC objects, is attached to the pre-existing objects in AD. This step can be considered a less trusted operation and can therefore be delegated to some non-Domain Admin. In previous versions of Windows you could perform the first step through DCPROMO or ADUC. With this new version of Windows Microsoft is making it possible to use PowerShell to perform all these steps. And THAT’s what I’m going to use and show!

With Windows Server 2008 R2 Microsoft provided the “ActiveDirectory” PowerShell module, which allows you to manage data in AD. Now Microsoft has also added the module called “ADDSDeployment”, which allows you to create AD forests and AD domains, promote and demote DCs, etc. It is kinda cool you can do this through PowerShell! Have I already mentioned this is COOL!?

As before, you need to import the correct PowerShell module as shown below and then use the correct cmdlet to pre-create the RODC objects in the first stage of the process. As you can see I’m piping the result through the FL alias (Format-List) to output it as a formatted list instead of a formatted table, which is the default. My main reason is that in the formatted table I would not be able to read the complete message. With the formatted list I can read everything.

Import-Module ADDSDeployment

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName R1FSRODC1 `
    -DomainName ADCORP.LAB `
    -SiteName BRANCH01 `
    -ConfigureGlobalCatalog `
    -InstallDNS `
    -DelegatedAdministratorAccountName ADCORP\TK_R1_LclADAdmin-R1FSRODC1 `
    -AllowPasswordReplicationAccountName "Allowed RODC Password Replication Group","ADCORP\GRP_R1_ALLOWCache-R1FSRODC1" `
    -DenyPasswordReplicationAccountName "Denied RODC Password Replication Group","administrators","Account Operators","Backup Operators","Server Operators","ADCORP\GRP_R1_DENYCache-R1FSRODC1" | FL

Figure 1: Pre-Creating The RODC Objects In AD On An RWDC

Figure 2: Pre-Creation Of The RODC Objects Has Succeeded
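Because the first stage is the trusted part, the thing I would want to do before handing the server to the delegated admin is to confirm that what landed in AD is what was intended: that the account really is a pre-created RODC account, who the delegated administrator is, which site the NTDS Settings object sits in, and above all that the privileged groups are on the deny list of the password replication policy. The script below is an added example written for this post, not code from the post itself or from Microsoft. It uses the names from the command above (R1FSRODC1, ADCORP.LAB, BRANCH01 and the GRP_R1_* groups); the attribute names it reads (primaryGroupID, managedBy, msDS-RevealOnDemandGroup, msDS-NeverRevealGroup) are the standard ones on an RODC computer object, and it assumes it runs with rights to read the domain and configuration partitions.

```powershell
# Added example (not from the original post): verify stage one of a staged RODC
# promotion on the RWDC side before stage two is delegated.
# Names taken from the post; everything else is an assumption of this example.

Import-Module ActiveDirectory

$RodcName   = 'R1FSRODC1'
$DomainName = 'ADCORP.LAB'
$SiteName   = 'BRANCH01'

# Groups whose secrets must never be cached on this branch RODC. This mirrors
# what the post passes to -DenyPasswordReplicationAccountName.
$MustBeDenied = @(
    'Denied RODC Password Replication Group',
    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators',
    'GRP_R1_DENYCache-R1FSRODC1'
)

# 1. The pre-created computer account. A staged RODC account has
#    primaryGroupID 521 (Read-only Domain Controllers) and carries the
#    delegated administrator in managedBy.
$rodc = Get-ADComputer -Identity $RodcName -Server $DomainName -ErrorAction Stop `
    -Properties primaryGroupID, managedBy, 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'

if ($rodc.primaryGroupID -ne 521) {
    throw "$RodcName exists but is not a pre-created RODC account (primaryGroupID=$($rodc.primaryGroupID))"
}
Write-Host "Delegated admin (managedBy): $($rodc.managedBy)"

# 2. Resolve the password replication policy lists stored on the object to names.
#    msDS-RevealOnDemandGroup = allowed to cache, msDS-NeverRevealGroup = never cached.
$allowed = @($rodc.'msDS-RevealOnDemandGroup' | ForEach-Object { (Get-ADObject -Identity $_ -Server $DomainName).Name })
$denied  = @($rodc.'msDS-NeverRevealGroup'   | ForEach-Object { (Get-ADObject -Identity $_ -Server $DomainName).Name })

Write-Host "Allowed to cache: $($allowed -join ', ')"
Write-Host "Never cached:     $($denied  -join ', ')"

# 3. Fail loudly if any privileged group is missing from the deny list; an RODC
#    that may cache admin secrets is the main thing this check exists for.
$missing = @($MustBeDenied | Where-Object { $denied -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Deny list on $RodcName is missing: $($missing -join ', ')"
}

# 4. The NTDS Settings object must sit under the intended site, otherwise the
#    RODC will replicate from the wrong place once stage two attaches the server.
$configNC = (Get-ADRootDSE -Server $DomainName).configurationNamingContext
$ntdsDn   = "CN=NTDS Settings,CN=$RodcName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
$ntds     = Get-ADObject -Identity $ntdsDn -Server $DomainName -ErrorAction Stop
if ($ntds.ObjectClass -ne 'nTDSDSA') {
    throw "Object at $ntdsDn is not an NTDS Settings object"
}

Write-Host "Stage one for $RodcName in site $SiteName verified; stage two can be handed to $($rodc.managedBy)."
```

Run it on the RWDC (or any machine with RSAT) right after Add-ADDSReadOnlyDomainControllerAccount has reported success; it throws on the first thing that does not match, so it can also sit in the same script that does the pre-creation.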

In the NEXT PART we’ll take care of installing the AD binaries on the server that will become the actual RODC.

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

3 Responses to “(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 3”

  1. […] second part showed you the promotion of a server to an RWDC, the first one in an AD forest. In the third part I will promote a server to an RODC using the staged deployment option for […]

  2. […] to perform the second stage of the promotion (the first stage of the RODC promotion was done in part 3). To promote to a DC using Server Manager click on the link called “Promote this server to a […]

  3. […] Part – 3 […]
