Deploying a Read-Only Domain Controller for branch offices
A Read-Only Domain Controller (RODC) is the right DC for branch offices where physical security can't be guaranteed — a server room that's also a storage closet, an unmanned retail location, a remote site with no IT staff. If someone walks out with the hardware, an RODC limits the blast radius significantly: no writable AD database, a filtered password replication policy, and no FSMO roles. This runbook covers the complete deployment from pre-flight through verification.
RODCs are appropriate for branch offices with poor physical security, remote sites where WAN latency makes every authentication slow, or locations where local IT expertise is limited. If physical security is solid and the location has dedicated IT staff, a standard writable DC is simpler to manage.
Requirements and planning
Before deploying, document these decisions — they're harder to change after the fact:
- Password Replication Policy (PRP): Decide which accounts' passwords will be cached locally. Branch users should be in the Allowed list. Domain Admins and service accounts should always be in the Denied list.
- RODC Admin delegation: You can delegate local admin rights on the RODC to a non-Domain Admin account. For branch offices, this lets a local IT contact manage the server without AD write access.
- Domain functional level: Must be Windows Server 2003 or higher. RODCs require at least one writable Windows Server 2008+ DC in the domain.
- Hub DC: Identify which writable DC this RODC will replicate from. It should be the hub DC for the branch office's AD site.
Pre-flight: prepare AD for RODC deployment
Verify the domain is ready
# Run on an existing writable DC as Domain Admin
dcdiag /v
repadmin /replsummary
# Check the domain functional level (must be 2003 or higher)
(Get-ADDomain).DomainMode
Create the Password Replication Policy groups
Two built-in groups control PRP: Allowed RODC Password Replication Group and Denied RODC Password Replication Group. The Denied group takes precedence. Configure them before promotion:
# Add branch office users to the Allowed group
# (Replace with your actual group/user names)
Add-ADGroupMember -Identity "Allowed RODC Password Replication Group" `
-Members "BranchOffice-Users"
# Verify Denied group already contains sensitive accounts
# (Domain Admins, Enterprise Admins, and key service accounts should be here)
Get-ADGroupMember -Identity "Denied RODC Password Replication Group" |
Select-Object Name, ObjectClass
If a Domain Admin or service account's password is cached on the RODC and the hardware is compromised, the attacker has those credentials. Explicitly verify that all privileged accounts are in the Denied group before the RODC caches anything.
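One way to check this before promotion, as an added example that is not part of the runbook: the script below expands the built-in Allowed and Denied groups to their leaf members and reports any privileged principal that has no Denied entry, any privileged principal someone put in Allowed, and overly broad Allowed entries. It assumes the ActiveDirectory module and Domain Admin rights on a writable DC; the privileged group list and the "broad group" names are a constructed starting point to extend with your own service accounts.

```powershell
# Added example, not part of the runbook: audit the PRP groups before promotion.
# Assumptions: ActiveDirectory module available, run as Domain Admin on a writable DC.
# The PRP group names are the built-in ones; the privileged-group list is a
# constructed starting point, extend it with your own service accounts.
Import-Module ActiveDirectory

$AllowedGroup = 'Allowed RODC Password Replication Group'
$DeniedGroup  = 'Denied RODC Password Replication Group'
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)
# Allowed entries this broad cache far more than a branch office needs
$BroadGroups = @('Domain Users', 'Domain Computers')

function Get-EffectiveMembers {
    # -Recursive expands nested groups, so comparisons are on leaf principals
    # (users, computers), never on group names
    param([Parameter(Mandatory)][string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object -ExpandProperty DistinguishedName
}

function Test-RodcPrp {
    $allowed = @(Get-EffectiveMembers $AllowedGroup)
    $denied  = @(Get-EffectiveMembers $DeniedGroup)

    # Every leaf member of a privileged group, de-duplicated
    $privileged = @($PrivilegedGroups |
        ForEach-Object { Get-EffectiveMembers $_ } |
        Sort-Object -Unique)

    # adminCount=1 marks users AdminSDHolder protects (or once protected):
    # a wider net than the group list above, and it catches orphaned admins
    $adminCount = @(Get-ADUser -LDAPFilter '(adminCount=1)' |
        Select-Object -ExpandProperty DistinguishedName)

    # Finding 1: privileged principals with no Denied entry. Denied wins over
    # Allowed, so this list decides what a stolen RODC could expose.
    $unprotected = @(($privileged + $adminCount) | Sort-Object -Unique |
        Where-Object { $denied -notcontains $_ })

    # Finding 2: privileged principals someone put in Allowed. Harmless while
    # Denied wins, but it signals a policy that needs cleaning up.
    $allowedPrivileged = @($allowed | Where-Object { $privileged -contains $_ })

    # Finding 3: broad groups added directly to Allowed
    $broad = @(Get-ADGroupMember -Identity $AllowedGroup |
        Where-Object { $_.ObjectClass -eq 'group' -and $_.Name -in $BroadGroups })

    [pscustomobject]@{
        AllowedLeafCount    = $allowed.Count
        DeniedLeafCount     = $denied.Count
        PrivilegedNotDenied = $unprotected
        PrivilegedInAllowed = $allowedPrivileged
        BroadAllowedGroups  = @($broad | Select-Object -ExpandProperty Name)
        Pass                = ($unprotected.Count -eq 0 -and $broad.Count -eq 0)
    }
}

# Usage: run on a writable DC, fix the findings, then pre-stage or promote the RODC
$report = Test-RodcPrp
$report | Format-List
if (-not $report.Pass) { Write-Warning 'Fix the PRP findings before promoting the RODC.' }
```

PrivilegedNotDenied is the finding that matters for a stolen RODC; PrivilegedInAllowed and BroadAllowedGroups are hygiene findings that are safe today only because Denied takes precedence.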
Pre-stage the RODC computer account (optional but recommended)
Pre-staging lets you set the PRP and delegated admin before the server is physically connected. This is the right approach for remote sites where a non-admin will rack the server.
# Run on a writable DC as Domain Admin
# Creates a pre-staged RODC account in the Domain Controllers OU
Add-ADDSReadOnlyDomainControllerAccount `
-DomainControllerAccountName "RODC-BRANCH01" `
-DomainName "corp.contoso.com" `
-SiteName "BranchOffice-Site" `
-AllowPasswordReplicationAccountName "BranchOffice-Users" `
-DenyPasswordReplicationAccountName "Domain Admins","Enterprise Admins" `
-DelegatedAdministratorAccountName "DOMAIN\branchadmin"
Promote the server to RODC
On the server at the branch office (must be joined to the domain first):
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
# Prompts for the DSRM password unless -SafeModeAdministratorPassword is supplied.
# If the account was pre-staged, add -UseExistingAccount:$true and run as the
# delegated admin (no Domain Admin rights needed); otherwise run as Domain Admin
# or pass -Credential. -SiteName is required when -ReadOnlyReplica is set.
Install-ADDSDomainController `
-DomainName "corp.contoso.com" `
-ReadOnlyReplica:$true `
-InstallDns:$true `
-SiteName "BranchOffice-Site" `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-NoRebootOnCompletion:$false `
-Force:$true
If you pre-staged the account, the Server Manager promotion wizard detects the existing computer account and uses its settings; with Install-ADDSDomainController, pass -UseExistingAccount:$true for the same effect. If not, the PRP and delegation settings can be configured after promotion.
Post-promotion verification
Verify RODC-specific configuration
# Confirm the DC is flagged as read-only
Get-ADDomainController -Identity RODC-BRANCH01 |
Select-Object Name, IsReadOnly, Site
# View which accounts are in the PRP for this RODC
Get-ADDomainControllerPasswordReplicationPolicy -Allowed -Identity RODC-BRANCH01
Get-ADDomainControllerPasswordReplicationPolicy -Denied -Identity RODC-BRANCH01
Verify replication is working
# Check replication from the hub DC to the RODC
repadmin /showrepl RODC-BRANCH01
# Force an initial pull into the RODC from all of its partners
# (/A all partitions, /d identify partners by DN, /e include cross-site partners;
# omit /P, which pushes outward from the named server, and an RODC has no
# outbound replication)
repadmin /syncall RODC-BRANCH01 /Ade
Test local authentication
Have a branch office user log in from the branch. The first login is forwarded to the hub DC (password not yet cached); if the PRP permits, the RODC then replicates that user's password and subsequent logins authenticate locally. Verify caching worked:
# Check which accounts have passwords cached on the RODC
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity RODC-BRANCH01 -RevealedAccounts |
Select-Object Name, ObjectClass
Delegated administration
The delegated admin account can perform local administrative tasks on the RODC (restart services, install approved software) without any AD write access or Domain Admin rights. To set or change the delegated admin after promotion:
# Set the delegated admin on an existing RODC: it is the managedBy attribute of
# the RODC computer object (the same attribute the ADUC "Managed By" tab writes).
# A user or group works; that principal becomes a local administrator on the RODC
# only, with no AD write access.
Set-ADComputer -Identity "RODC-BRANCH01$" -ManagedBy "branchadmin"
# Verify
Get-ADComputer -Identity "RODC-BRANCH01$" -Properties ManagedBy |
Select-Object Name, ManagedBy
# Equivalent in ADUC: Domain Controllers > RODC-BRANCH01 > Properties > Managed By tab
Summary
RODC deployment is straightforward if the Password Replication Policy and site placement are decided before the server is promoted. The critical decisions are which accounts go in the Allowed PRP list (branch users yes, privileged accounts never), which hub DC replicates to this RODC, and whether to pre-stage the account for non-admin site deployment. After promotion, verify the read-only flag, PRP assignments, and replication before handing the site over. If the hardware is ever compromised, you can run Get-ADDomainControllerPasswordReplicationPolicyUsage -RevealedAccounts to know exactly which account passwords were exposed and reset only those.
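The post-compromise step described above, as an added example that is not part of the runbook: the script lists the secrets actually cached on the named RODC, resets only the user accounts among them, and reports the machine accounts (which must be reset from each host) and any revealed account that is now in the Denied group. It assumes the ActiveDirectory module, Domain Admin rights on a writable DC, and that the RODC computer object has not been deleted yet; the RODC name is the runbook's example and the helper names are constructed.

```powershell
# Added example, not part of the runbook: incident response for a lost or stolen
# RODC. Lists the passwords it had cached and resets only those user accounts.
# Assumptions: ActiveDirectory module, Domain Admin rights on a writable DC, and
# the RODC computer object still present (run this before deleting it).
Import-Module ActiveDirectory

function New-RandomPassword {
    # 24 CSPRNG bytes -> 32 Base64 characters; meets typical complexity rules.
    # Works on Windows PowerShell 5.1 and PowerShell 7.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-RodcCompromiseResponse {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [string]$DeniedGroup = 'Denied RODC Password Replication Group'
    )

    # Only secrets actually replicated to the RODC are exposed, not everything
    # the PRP would have allowed
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $Rodc -RevealedAccounts)

    $denied = @(Get-ADGroupMember -Identity $DeniedGroup -Recursive |
        Select-Object -ExpandProperty DistinguishedName)

    # A revealed account that is now in Denied means the policy changed after the
    # secret was cached; it still needs a reset, so flag it
    $policyGap = @($revealed | Where-Object { $denied -contains $_.DistinguishedName })

    # The RODC's own krbtgt_<id> account is retired when the RODC object is
    # deleted, not by a password reset, so exclude it here
    $users = @($revealed | Where-Object {
        $_.ObjectClass -eq 'user' -and $_.SamAccountName -notlike 'krbtgt*' })
    # Machine accounts cannot be reset from here; each host needs
    # Reset-ComputerMachinePassword (or a rejoin), so report them instead
    $computers = @($revealed | Where-Object { $_.ObjectClass -eq 'computer' })

    $reset = foreach ($u in $users) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Reset password')) {
            Set-ADAccountPassword -Identity $u.DistinguishedName -Reset `
                -NewPassword (New-RandomPassword)
            # Force a change at next logon for interactive accounts; the flag
            # cannot be combined with PasswordNeverExpires (typical for services)
            $acct = Get-ADUser -Identity $u.DistinguishedName -Properties PasswordNeverExpires
            if (-not $acct.PasswordNeverExpires) {
                Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
            }
            $u.SamAccountName
        }
    }

    [pscustomobject]@{
        Rodc                  = $Rodc
        RevealedTotal         = $revealed.Count
        UsersReset            = @($reset)
        ComputersNeedingReset = @($computers | Select-Object -ExpandProperty SamAccountName)
        RevealedButNowDenied  = @($policyGap | Select-Object -ExpandProperty SamAccountName)
    }
}

# Dry run first (nothing is changed), then the real run:
Invoke-RodcCompromiseResponse -Rodc 'RODC-BRANCH01' -WhatIf
# Invoke-RodcCompromiseResponse -Rodc 'RODC-BRANCH01' | Format-List
```

Keep the output list: service accounts whose password was reset need their dependent services updated, and the ComputersNeedingReset hosts need a machine-password reset from the host side. Delete the stolen RODC's computer object afterwards; ADUC offers to reset the revealed passwords at that point as well, which is a reasonable second pass.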