Precreate 2012 R2 RODC computer object in Active Directory

To pre-create a Read Only Domain Controller account in Active directory using PowerShell perform the following steps

  1. Create a Domain User Account called RODCADMIN and set Password
  2. Create a Security Group called Allowed Prepopulating and add in users you want to allow to cache credentials on a RODC, e.g Domain users and Domain Computers
  3. Run the following Powershell Command
    Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName <RODC Computer> -DomainName <FQDN> -SiteName <AD Site Name> -AllowPasswordReplicationAccountName “<domain>\Allow RODC>” -DelegatedAdministratorAccountName “<domain>\RODCAdmin” -InstallDNS –NoGlobalCatalog –ReplicationSourceDC <Writeable Domain Controller FQDN>
  4. Once created do not join the machine you want to be a RODC to the domain, instead install the AD Domain Services role and then promote to a Domain Controller. These settings should automatically be gathered from AD during this process.

To pre-populate user passwords on a RODC take a look at this script available from technet gallery http://gallery.technet.microsoft.com/scriptcenter/Prepopulate-a-batch-of-34e6d0dc

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s