To pre-create a Read-Only Domain Controller (RODC) account in Active Directory using PowerShell, perform the following steps:
- Create a domain user account called RODCAdmin and set its password. This account becomes the delegated administrator of the RODC, so it can promote and manage the branch server without being a member of Domain Admins.
- Create a security group (called Allowed Prepopulating in this example) and add the users and computers whose credentials may be cached on the RODC, e.g. Domain Users and Domain Computers. Treat this as the set of accounts you are prepared to expose if the branch server is stolen: the Denied RODC Password Replication Group (Domain Admins, Enterprise Admins and the other privileged groups by default) always takes precedence, but Domain Users plus Domain Computers is effectively an allow-all for ordinary accounts, so scope the group to the branch where you can.
- Run the following PowerShell command from a machine with the AD DS deployment tools installed, as a member of Domain Admins:
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName <RODC computer name> -DomainName <domain FQDN> -SiteName <AD site name> -AllowPasswordReplicationAccountName "<domain>\Allowed Prepopulating" -DelegatedAdministratorAccountName "<domain>\RODCAdmin" -InstallDns -NoGlobalCatalog -ReplicationSourceDC <writable domain controller FQDN>
The -AllowPasswordReplicationAccountName parameter accepts an array, so separate several groups with commas; the list you pass becomes the allowed list for this RODC, so include the default Allowed RODC Password Replication Group as well if you still want it.
- Once the account exists, do not join the server that will become the RODC to the domain. Leave it in a workgroup, give it the same computer name as the pre-created account, install the Active Directory Domain Services role and then promote it to a domain controller, choosing the option to use an existing RODC account (Install-ADDSDomainController -UseExistingAccount). The site, password replication policy, DNS and global catalog settings are read from the pre-created account during promotion, and the promotion can be run with the RODCAdmin credentials rather than Domain Admin rights.
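The whole procedure above as one script, added here as an illustration rather than code from the original post. The domain corp.example.com (NetBIOS name CORP), site Branch1, RODC name BR1-RODC01, hub DC DC01.corp.example.com and the "Service Accounts" OU are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post): pre-create an RODC account end to end.
# Assumed names: domain corp.example.com / CORP, site Branch1, RODC BR1-RODC01,
# hub DC DC01.corp.example.com, OU "Service Accounts".
# Steps 1-3 run on a management host with RSAT-AD-PowerShell and the AD DS
# deployment tools, as a member of Domain Admins. Step 4 runs on the branch server.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domainFqdn = 'corp.example.com'
$netbios    = 'CORP'
$rodcName   = 'BR1-RODC01'
$siteName   = 'Branch1'
$sourceDc   = 'DC01.corp.example.com'
$adminName  = 'RODCAdmin'
$prpGroup   = 'Allowed Prepopulating'
$svcOu      = 'OU=Service Accounts,DC=corp,DC=example,DC=com'

# 1. Delegated administrator. A plain user: the delegation comes from being named
#    in -DelegatedAdministratorAccountName below, not from group membership, so
#    keep it out of Domain Admins.
New-ADUser -Name $adminName -SamAccountName $adminName -Path $svcOu `
    -AccountPassword (Read-Host -AsSecureString "Password for $adminName") `
    -Enabled $true

# 2. Group whose members' secrets may be cached on the RODC. Domain local scope
#    matches the built-in Allowed RODC Password Replication Group. Domain Users and
#    Domain Computers is the post's choice; it allows caching for every ordinary
#    account, so narrow it to branch users/computers where you can. The Denied
#    RODC Password Replication Group still wins on conflict.
New-ADGroup -Name $prpGroup -GroupScope DomainLocal -GroupCategory Security -Path $svcOu
Add-ADGroupMember -Identity $prpGroup -Members 'Domain Users', 'Domain Computers'

# 3. Pre-create the RODC account. The Test- cmdlet runs the prerequisite checks
#    without creating anything, so run it first.
$rodcParams = @{
    DomainControllerAccountName         = $rodcName
    DomainName                          = $domainFqdn
    SiteName                            = $siteName
    AllowPasswordReplicationAccountName = "$netbios\$prpGroup"
    DelegatedAdministratorAccountName   = "$netbios\$adminName"
    InstallDns                          = $true
    NoGlobalCatalog                     = $true
    ReplicationSourceDC                 = $sourceDc
}
Test-ADDSReadOnlyDomainControllerAccountCreation @rodcParams
Add-ADDSReadOnlyDomainControllerAccount @rodcParams

# Verify what was written: the password replication policy and the delegated
# admin are stored on the RODC's computer object.
Get-ADComputer -Identity $rodcName -Properties ManagedBy, msDS-RevealOnDemandGroup, msDS-NeverRevealGroup |
    Select-Object Name, ManagedBy, msDS-RevealOnDemandGroup, msDS-NeverRevealGroup

# 4. On the branch server itself (workgroup member, hostname BR1-RODC01), logged
#    on locally, promote with the RODCAdmin credentials. Site, PRP, DNS and GC
#    settings come from the pre-created account and are not passed here.
<#
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSDomainController -DomainName 'corp.example.com' -UseExistingAccount `
    -Credential (Get-Credential 'CORP\RODCAdmin') `
    -ReplicationSourceDC 'DC01.corp.example.com' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
#>
```

The verification step is worth keeping: msDS-RevealOnDemandGroup and msDS-NeverRevealGroup are the effective allow and deny lists for that RODC, and ManagedBy is who can promote and administer it, so reviewing them before the branch server is promoted confirms the PRP you intended is the one that will be enforced.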
To pre-populate user passwords on a RODC in bulk, take a look at this script from the TechNet Gallery: http://gallery.technet.microsoft.com/scriptcenter/Prepopulate-a-batch-of-34e6d0dc (the TechNet Gallery has since been retired, so the link may no longer resolve; the built-in equivalent is repadmin /rodcpwdrepl).
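An added example, not the linked gallery script, that pre-populates the cache for a branch OU with the built-in repadmin /rodcpwdrepl and then lists what the RODC actually holds. The RODC BR1-RODC01, hub DC DC01.corp.example.com and the Branch1 OU are assumed names.

```powershell
# Added example (not the gallery script): batch-prepopulate an RODC's credential
# cache with repadmin /rodcpwdrepl, then audit the result.
# Assumed names: RODC BR1-RODC01, hub DC DC01.corp.example.com, OU Branch1.
# Run on a management host with RSAT-AD-PowerShell, as Domain Admin or the
# RODC's delegated administrator.
Import-Module ActiveDirectory

$rodc     = 'BR1-RODC01'
$sourceDc = 'DC01.corp.example.com'
$branchOu = 'OU=Branch1,DC=corp,DC=example,DC=com'

# Prepopulate from an explicit scope (the branch OU) rather than from the whole
# allowed group: the PRP says what *may* be cached, this list says what *should*.
# Computers are included so the branch workstations can authenticate offline too.
$targets = @(Get-ADUser -Filter * -SearchBase $branchOu) +
           @(Get-ADComputer -Filter * -SearchBase $branchOu)

# repadmin takes several DNs per call, but the command line is bounded, so batch.
# It prints one result line per account; an account the effective PRP denies is
# reported as an error, which is exactly the check you want to see.
$batchSize = 25
for ($i = 0; $i -lt $targets.Count; $i += $batchSize) {
    $last  = [Math]::Min($i + $batchSize, $targets.Count) - 1
    $dns   = $targets[$i..$last] | ForEach-Object { $_.DistinguishedName }
    & repadmin /rodcpwdrepl $rodc $sourceDc @dns
}

# What the RODC now holds. "Revealed" accounts are the ones whose secrets are
# cached at the branch; anything unexpected here is a credential exposed if the
# box is stolen, so compare this list against $targets.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass, DistinguishedName

$unexpected = $revealed | Where-Object { $_.DistinguishedName -notin $targets.DistinguishedName }
if ($unexpected) {
    Write-Warning "Accounts cached on $rodc outside the intended scope:"
    $unexpected | Select-Object Name, DistinguishedName
}
```

Re-run the audit part on a schedule: accounts get revealed on the RODC whenever a permitted user logs on at the branch, not only when you prepopulate, so the revealed list drifts over time.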
Mark is an independent Microsoft Teams consultant with over 15 years' experience in Microsoft technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference, and a former MVP. You can follow him on Twitter @UnifiedVale.