Skip navigation
Deploy a Read-Only Domain Controller (RODC) on Windows Server 2016

Deploy a Read-Only Domain Controller (RODC) on Windows Server 2016

Read-Only Domain Controller or RODC is a type of domain controller which holds a read-only copy of active directory database. In this post, I will discuss why RODC holds a read-only copy of AD database and why we need it in the enterprise network? We will also look into the deployment of an RODC Server 2016 with one write-able DC Server 2016 and one Windows 10 client in a test environment.

Why We Need an RODC?

RODC is deployed in branch offices because of the following important reasons.

  1. Physical security is not guaranteed in branch offices so read-only DCs are preferred instead of write-able DCs. If someone get an access to RODC, they won’t be able to make any changes because it holds a read-only copy of AD database. If they somehow change the database, they won’t be able to compromise the whole AD database because changes from RODC are not replicated to write-able DCs.
  2. There is a lack of trained IT staff in branch offices. An RODC is preferred, it is only used for users’ authentication and does not have time to time maintenance requirements including hardware updates, site-link changes, and user credential changes etc.
  3. Branch offices have poor network bandwidth connectivity with the head quarter. An RODC is deployed so the branch office users need not authenticate themselves from a write-able DC over a WAN link.  This reduces the amount of time required to log on for branch office users. 

Allowed and Denied RODC Password Replication Groups

RODC communicates with write-able DC for user authentication because by default account credentials are not cached locally on RODC. However, you can cache account credentials locally by adding users to allowed RODC password replication group. If a branch office users from this group log in, they will be authenticated locally provided the credentials have already been cached. 

Similarly, to prevent privileged accounts (domain admins, enterprise admins etc.) from being cached locally on RODC for security purposes they are by default added to denied RODC password replication group.


Before you start with installation and configuration of an RODC, make sure to check the following requirements.

  1. Administrator account has strong password
  2. Static IP is configured
  3. Latest updates from Microsoft are installed
  4. Firewall is turned off
  5. DNS server IP address in TCP/IPv4 properties is correct and it is pointing to DNS server of write-able DC (To verify, resolve the domain name from command prompt) 

Installing and Configuring an RODC 

Step 1. Open server manager dashboard and click Add roles and features

Step 2. Choose Role-based or feature-based installation and click Next

Step 3. Choose desired server from server pools you want to configure it as Read-Only Domain Controller and click Next

Step 4. Check the box against Active Directory Domain Services. As soon as you check a new box appears, click Add Features

Step 5. Click Next

Step 6. Click Next

Step 7. Click Next

Step 8. Click Install. This may take few minutes to complete

Step 9. Click Promote this server to a domain …. 

Step 10. Choose Add a domain controller …. Provide your domain name required credentials, when done click Next

Step 11. Choose Read only domain controller (RODC) and provide Directory Services Restore Mode (DSRM) password. Click Next

 Step 12. Click Next

Step 13. Click Next

Step 14. Click Next

Step 15. Click Next


Step 16. Click Install and wait for configuration to finish

Testing the Configuration
Once a server has been configured and rebooted, you can confirm few things about RODC.
Step 1. Login to RODC with domain admin credential and open users and computers console from server manager. Make sure you are connected to RODC and not any write-able DC. Try creating or deleting any account, you won’t. You will also notice the related greyed out icons 

Step 2. In ADUC console, click Domain Controller and then right-click Properties. Open Password Replication Policy tab. You will notice both allowed and denied password replication groups


We are done with deployment of RODC Server 2016 in branch office network. Leave your comments especially any issue you faced while following this guide.

In next article, we’ll see how we can configure RODC to cache user passwords.  










Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.