How to join a domain with a read-only domain controller (RODC)
With Windows Server 2008, you have the option of installing read-only domain controllers (RODC). Read-only domain controllers enable you to deploy a domain controller that hosts read-only partitions of the Active Directory database. Deploying a read-only domain controller enables you to make Active Directory data and reliable authentication services available in locations that cannot ensure physical security required for a writable domain controller.
You can also deploy read-only domain controllers to handle special administrative or application management requirements. For example, you may have line-of-business applications that are required to run on a domain controller, or application owners who must have access to the domain controller to configure and manage operations but are not allowed to modify Active Directory objects as they could with a writable domain controller. You can grant a non-administrative domain user the right to log on to the read-only domain controller while minimizing the security risk to the Active Directory forest.
For more information about read-only domain controllers, see the Read-Only Domain Controller (RODC) Planning and Deployment Guide.
Create a computer account for the computer in the DMZ that will connect to the read-only domain controller. Create it on a writable domain controller, as described in Creating computer objects for the target set of computers.
Note: You can create the computer account using the Access Manager console, an adedit script, or the adjoin command with the --precreate command-line option. Whichever method you use, be sure to create the computer account in a DMZ zone.
- In the console tree, expand Sites, and then expand the site of the read-only domain controller that is to receive the configuration updates.
- Expand the Servers container to display the list of servers that are currently configured for that site.
- Double-click the server object that requires the configuration updates that you want to replicate.
- Right-click NTDS Settings below the server object, and then click Replicate configuration to the selected DC.
- In the Replicate Now message box, click OK.
- (Optional) Open a Command Prompt and run the repadmin /showrepl command to verify successful replication on the read-only domain controller.
- Block the route from the UNIX computer to the writable domain controller, if necessary.
Join the UNIX computer to the domain in self-serve mode, using the name of the pre-created computer account:

```shell
adjoin mydomain.local --password c%ntrify --name quad90 --selfserve
```

Because you have already created the computer account in Active Directory, you don't need to specify the zone when joining the domain. Note that a password supplied with --password is exposed in the process list and the shell history for as long as that command is visible.
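The following script is an added example of the UNIX side of this procedure, not Centrify's own code. It assumes that the RODC is named rodc01.mydomain.local, that quad90 is the pre-created computer account, that adjoin accepts a --server option to pin the join to a particular domain controller and prompts for the password when --password is omitted, and that adinfo prints a "Current DC:" line; all of these are assumptions about the tools, and the sample adinfo output used in the checks is constructed. The script validates the account name, builds the join command without putting the password in argv, and after the join confirms that the host is actually talking to the RODC rather than to a writable DC that should have been blocked.

```shell
#!/bin/sh
# Added example (not Centrify's own code): join a DMZ UNIX host through an RODC
# using a pre-created computer account and verify which DC it ended up using.
# Assumptions: rodc01.mydomain.local is the RODC, quad90 the pre-created account,
# adjoin supports --server and prompts for a password when --password is omitted,
# and adinfo prints a "Current DC:" line.

DOMAIN="mydomain.local"
RODC="rodc01.mydomain.local"     # assumed hostname of the read-only DC
ACCOUNT="quad90"                 # name of the pre-created computer object

# The pre-Windows 2000 computer name must be 1-15 characters: letters, digits, hyphen.
validate_computer_name() {
    name="$1"
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    case "$name" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Build the join command line: domain, RODC to use, account name.
# No --password here, so the secret never shows up in ps output or shell history.
build_adjoin_cmd() {
    printf 'adjoin --server %s --name %s --selfserve %s\n' "$2" "$3" "$1"
}

# Extract the "Current DC:" value from adinfo-style output read on stdin.
parse_current_dc() {
    awk -F': *' '/^Current DC:/ { print $2 }'
}

# Succeed only if the DC reported on stdin is the RODC we expect ($1).
verify_joined_to_rodc() {
    [ "$(parse_current_dc)" = "$1" ]
}

main() {
    validate_computer_name "$ACCOUNT" || { echo "bad computer name: $ACCOUNT" >&2; exit 1; }
    echo "running: $(build_adjoin_cmd "$DOMAIN" "$RODC" "$ACCOUNT")"
    adjoin --server "$RODC" --name "$ACCOUNT" --selfserve "$DOMAIN" || {
        echo "adjoin failed" >&2; exit 1; }
    # After the join the host must be using the RODC, not a writable DC.
    if adinfo | verify_joined_to_rodc "$RODC"; then
        echo "joined $DOMAIN via $RODC"
    else
        echo "warning: current DC is not $RODC; check the route to the writable DC" >&2
        exit 1
    fi
}

# Only perform the join when invoked with --run on a host that has the Centrify tools.
if [ "${1:-}" = "--run" ] && command -v adjoin >/dev/null 2>&1; then
    main
fi
```

Run it as `sh join-rodc.sh --run` on the DMZ host after the computer account exists and the configuration has replicated to the RODC; the functions can be sourced and exercised on their own without joining anything.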