In this IT Pro Challenge, learners will understand how to use the Active Directory Administrative Center to pre-create an RODC account and delegate it to a user, install Active Directory Domain Services, promote a domain member server to a Read-Only Domain Controller (RODC), create a password replication policy for an Active Directory group and then add that group to the Denied RODC Password Replication Group. The skills learners acquire in this virtual lab are useful for careers as a Windows Server or system administrator.
The virtual lab scenario is that you are a Windows Server administrator in charge of managing your company’s Active Directory domain controllers. To do this, you need to deploy a Read-Only Domain Controller (RODC). You will use a Windows Server 2016 domain controller (DC) and a Windows Server 2016 server (SVR1).
An RODC is a domain controller mode available in Windows Server 2008 and later that allows you to store a read-only copy of the Active Directory domain database and the SYSVOL folder on the domain controller itself. RODC supports unidirectional replication and is often installed in places like branch offices, where the security of the domain controller is not guaranteed. Some benefits of installing RODC are:
- Better logon times versus authenticating across a Wide Area Network (WAN)
- Better access to the authentication resource on the network
- Better performance
To start your task, you need to stage a delegated installation of an RODC and then promote a member server to an RODC. Finally, you need to configure the domain-wide Password Replication Policy (PRP), which determines those user credentials that can be cached on the RODC.
There are two “attributes” of PRP: the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group. Users on the Allowed List will have cached credentials on the RODC, and users on the Denied List do not.
Stage a delegated installation of a read-only domain controller
Using the Active Directory Administrative Center on the DC, you need to pre-create an RODC computer account for the server and delegate the account to a specific user.
NOTE: Pre-creating, an RODC account link in the Active Directory Administrative Center, is the same as the Add-ADDSReadOnlyDomainController Windows PowerShell cmdlet.
Promote a domain member server to an RODC
On SVR1, you will use the Windows Server Manager to install the Active Directory Domain Services (AD DS) roles. You will then add the server as a domain controller and change the credentials required to operate. To verify your work, you will switch over to DC and verify that the server is now an RODC.
Configure a password replication policy by using the Active Directory Administrative Center
Finally, you will use the Server Manager to create an Active Directory group and then add it to the Denied RODC Password Replication Group. Passwords for this group are not cached on the RODC.
NOTE: The following security groups are default members of the Denied RODC Password Replication Group: Domain Admins, Cert Publishers, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, Read-only Domain Controllers, and Schema Admins.
By completing this virtual lab, you will learn about RODC, how to stage a delegated installation of RODC, promote a domain member server to an RODC, and configure a domain-wide password replication policy.