RODC Installation

  • Question

  • I am planning to set up a RODC for a remote office, but I am not sure whether or not I can have a fully set up RODC in the main office and send it to the branch office.

    What I am trying to do is set up a Windows Server 2008 as a RODC with the DHCP role in the main office and send it to a branch office.

    Between the main and branch office, a Site-To-Site VPN connection will be set up with Forefront TMG servers.

    Can I fully set up a RODC in the main office and send it to a branch office? If it is possible, what do I have to do with the IP address of the RODC, as the branch office will be in another subnet and it becomes the DHCP server for the branch office?

    Do I have to do a staged installation or install from media?

    Thanks for your comments in advance.


    Kucheong
    Thursday, May 13, 2010 4:50 AM

All replies

  • Kucheong,

    If I understand you correctly, you want to build and promote a RODC in your primary site, then ship the physical server to the remote site, and it will then be the DHCP server as well. Is this correct?

    If this is the case, then a couple of questions:

    1. I am assuming you already have a full 2008 DC in the primary site?

    2. The time to ship the RODC to the remote site is minimal, less than two weeks?

    If all the above is true and you have the remote site set up with a Site connector to the primary site with the 2008 Full DC, then I do not see a problem.  What I would recommend is that you do not install/configure the DHCP role on the RODC server until it is online in the remote site.


    Sean McNeill Microsoft Gold Partner http://staterainfrastructure.blogspot.com/
    Thursday, May 13, 2010 5:05 AM
  • Hi All,

    Yes I have a full Windows 2008 DC in the main office and a RODC (a VM on Hyper-V) will be shipped in one week.

    I have a few questions for you.

    Can I just change the IP address of the RODC after it is online at the branch office and install the DHCP role?

    Do I have to create a site for the branch office?

    You said a Site connector, did you mean Site-To-Site VPN connection?

    Thanks for your comment.


    Kucheong
    Thursday, May 13, 2010 5:11 AM
  • Kucheong,

    Yes, you can re-IP the VM once it is in the remote site, and then install and configure DHCP for the remote location.

    Yes, it is strongly recommended you create an Active Directory Site for the remote location.

    When I said site connector I meant an AD Sites and Services connection between the primary and remote site.

    Hope this helps you!


    Sean McNeill Microsoft Gold Partner http://staterainfrastructure.blogspot.com/
    Thursday, May 13, 2010 5:57 AM
  • Hi,

    I agree with Sean. Additionally, the following guides may be useful for you.

    Read-only Domain Controllers Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc772234(WS.10).aspx

    Read-Only Domain Controller Planning and Deployment Guide
    http://technet.microsoft.com/en-us/library/cc771744(WS.10).aspx

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, May 13, 2010 9:09 AM
    Moderator
  • I didn't think about a site connector as I didn't know I needed it.

    Let me tell you what I want to have in a bit more detail.

    I have a branch office, where about 40 users are now, but there isn't an IT person.

    The company used to have an SBS 2003, and the branch office was set up with a different domain from the main office. There is one DC, which does everything (DC, DHCP, File, Print server roles and a couple more roles) for them.

    Since I upgraded SBS 2003 to EBS 2008 last December and the DC in the branch office is too old, I would like to upgrade the DC to a new server with Windows Server 2008, and at the same time I would like to join the branch office as part of the main domain (forest).

    As part of my plan, I thought a RODC can be installed in the branch office so that users in the branch office don't need two IDs and passwords (one for email, one for local domain).

    So, I am planning a Site-To-Site VPN connection with Forefront TMG in both offices. Once I set up a Site-To-Site VPN connection (somehow it doesn't want to work for me though I did set it up on both Forefront TMG servers and am still working on it), I can send a RODC to the branch office and add the DHCP role for the branch office.

    Can I set up a connector on the RODC?

    I am not sure how to set up a site connector.

    Is there any article which explains about site connector?

    Thanks for your comment.


    Kucheong
    Thursday, May 13, 2010 5:51 PM
  • Kucheong,

    I had several issues with trying to get an RODC to play nice, finally decided on a standard domain controller.  My issues were with the DNS portion of the RODC and proper updates from the clients.

    Even though the RODC is a nice idea and sounds more secure, unless you have issues with any potential staff in the remote site being able to get onto the DC, I'd just install a standard domain controller.  An RODC might be more useful when you have an IT staff at a remote site, that you wish not to have RWDC access to the domain.

    As mentioned above, you will want to create a site container in Active Directory Sites and Services, drop the DC into that site container, then create the subnet, and associate that subnet with that (newly created) site.

    What that does is tell the machines in that site, with the said IP subnet they belong to, to use that DC that is also associated with that site.

    My two cents :)

    James

    Thursday, May 13, 2010 7:31 PM
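
The site, subnet and site-link steps described in the replies above, scripted as an added example (not posted by any participant in this thread). It assumes the ActiveDirectory PowerShell module from Windows Server 2012 or later RSAT, which is newer than the Server 2008 systems discussed; the site names, subnet and server name are placeholders.

```powershell
# Added example. Placeholder values (assumptions, not from the thread):
#   Branch-Office, 10.20.0.0/24, RODC01, and Default-First-Site-Name as the main office site.
Import-Module ActiveDirectory

$branchSite   = 'Branch-Office'
$mainSite     = 'Default-First-Site-Name'
$branchSubnet = '10.20.0.0/24'
$rodcName     = 'RODC01'

# 1. Create the site object for the branch office if it does not exist yet.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$branchSite'")) {
    New-ADReplicationSite -Name $branchSite
}

# 2. Create the branch subnet and associate it with the new site, so clients
#    with addresses in that range are directed to the DC in their own site.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$branchSubnet'")) {
    New-ADReplicationSubnet -Name $branchSubnet -Site $branchSite
}

# 3. Create the site link between the main office and the branch
#    (the "AD Sites and Services connection" mentioned in the thread).
$linkName = "$mainSite-$branchSite"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $mainSite, $branchSite `
        -Cost 100 -ReplicationFrequencyInMinutes 60 `
        -InterSiteTransportProtocol IP
}

# 4. After the server has been re-addressed at the branch, move its
#    server object into the branch site.
Move-ADDirectoryServer -Identity $rodcName -Site $branchSite

# 5. Verify: the DC should report the branch site and IsReadOnly = True,
#    and the subnet should map to the branch site.
Get-ADDomainController -Identity $rodcName |
    Select-Object Name, Site, IsReadOnly, IPv4Address
Get-ADReplicationSubnet -Filter "Name -eq '$branchSubnet'" |
    Select-Object Name, Site
```

On a branch client, `nltest /dsgetsite` shows which site the machine resolved to from its IP address.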