How to join a domain with a read-only domain controller (RODC)

With Windows Server 2008, you have the option of installing read-only domain controllers (RODC). A read-only domain controller hosts read-only partitions of the Active Directory database. Deploying a read-only domain controller enables you to make Active Directory data and reliable authentication services available in locations that cannot provide the physical security required for a writable domain controller.

You can also deploy read-only domain controllers to handle special administrative or application management requirements. For example, you may have line-of-business applications that are required to run on a domain controller, or application owners who must have access to the domain controller to configure and manage operations but who are not allowed to modify Active Directory objects as they could on a writable domain controller. You can grant a non-administrative domain user the right to log on to the read-only domain controller while minimizing the security risk to the Active Directory forest.

For more information about read-only domain controllers, see the Read-Only Domain Controller (RODC) Planning and Deployment Guide.

To join a domain that has a read-only domain controller:

  1. Using a writable domain controller, create a computer account for the computer in the DMZ that will connect to the read-only domain controller, as described in Creating computer objects for the target set of computers.

    Note: You can create the computer account using the Access Manager console, an adedit script, or the adjoin command with the --precreate command line option. However, be sure to create the computer account in a DMZ zone.

  2. Use Active Directory Sites and Services or the repadmin program to replicate the computer account to the read-only domain controller. For example, in Active Directory Sites and Services:

    • In the console tree, expand Sites, and then expand the site of the domain controller that you want to receive configuration updates.
    • Expand the Servers container to display the list of servers that are currently configured for that site.
    • Double-click the server object that requires the configuration updates that you want to replicate.
    • Right-click NTDS Settings below the server object, and then click Replicate configuration to the selected DC.
    • In the Replicate Now message box, click OK.
  3. (Optional) Open a Command Prompt and use the repadmin /showrepl command to verify successful replication on the read-only domain controller.
  4. Block the route from the UNIX computer to the writable domain controller, if necessary.
  5. Run the adjoin command with the self-service option. For example:

    adjoin mydomain.local --password c%ntrify --name quad90 --selfserve

    Because you have already created the computer account in Active Directory, you don’t need to specify the zone to join the domain.
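The following is an added example, not part of the Centrify documentation or the adjoin tool: a POSIX shell helper for step 3 that reads the output of repadmin /showrepl (assumed to have been saved from the RODC and copied to the UNIX host) and reports whether the named inbound neighbour's last replication of the given partition succeeded, so the check can gate step 5. The sample output below is constructed to approximate repadmin's format and was not captured from a real domain controller.

```shell
#!/bin/sh
# Constructed sample output approximating "repadmin /showrepl" on an RODC.
# The domain partition replicated from DC01; the Configuration partition
# from DC02 failed with RPC error 1722 (constructed values, not real DCs).
SAMPLE_SHOWREPL='Default-First-Site-Name\RODC01
DSA Options: IS_GC DISABLE_OUTBOUND_REPL

==== INBOUND NEIGHBORS ======================================

DC=mydomain,DC=local
    Default-First-Site-Name\DC01 via RPC
        DSA object GUID: 11111111-2222-3333-4444-555555555555
        Last attempt @ 2024-05-01 10:15:02 was successful.

CN=Configuration,DC=mydomain,DC=local
    Default-First-Site-Name\DC02 via RPC
        DSA object GUID: 66666666-7777-8888-9999-000000000000
        Last attempt @ 2024-05-01 10:15:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2024-04-30 22:01:11.'

# replication_status PARTITION SOURCE_DC  (hypothetical helper)
#   Reads showrepl text on stdin. Prints "ok", "failed" or "missing" for the
#   inbound neighbour SOURCE_DC of PARTITION and returns 0 only for "ok".
replication_status() {
    status=$(awk -v part="$1" -v src="$2" '
        # An unindented line names a partition (naming context) or a header.
        /^[^ \t]/ { in_part = ($0 == part); in_src = 0; next }
        # Indented neighbour header: "<Site>\<DC> via RPC"; keep the DC name.
        in_part && /via RPC/ {
            dc = substr($1, index($1, "\\") + 1); in_src = (dc == src); next
        }
        in_part && in_src && /Last attempt @/ {
            if ($0 ~ /was successful/) print "ok"; else print "failed"
            found = 1; exit
        }
        END { if (!found) print "missing" }')
    echo "$status"
    [ "$status" = "ok" ]
}

# Gate the self-service join on the domain partition having reached the RODC.
printf '%s\n' "$SAMPLE_SHOWREPL" | replication_status 'DC=mydomain,DC=local' DC01 \
    && echo "RODC holds the domain partition from DC01; proceed with adjoin --selfserve"
```

Run it with the real file instead of the sample, for example `replication_status 'DC=mydomain,DC=local' DC01 < showrepl.txt`, and only run adjoin when it reports ok.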