How to Configure a Read-Only Domain Controller (RODC) on Windows Server 2025
A Read-Only Domain Controller (RODC) is a special type of domain controller introduced in Windows Server 2008 that holds a read-only copy of the Active Directory database. RODCs were designed specifically for scenarios where a full writable DC is impractical — such as branch offices with poor physical security, DMZ segments, or locations with unreliable WAN links. Because the RODC cannot perform write operations, the risk of an attacker using a compromised RODC to modify domain data is significantly reduced. Windows Server 2025 improves on the RODC foundation with enhanced credential caching controls and simpler delegation. This tutorial walks through every stage of planning and deploying an RODC in your environment.
Prerequisites
- Existing Windows Server 2025 (or mixed functional level) AD DS domain
- At least one writable DC running Windows Server 2008 or later (Windows Server 2025 recommended)
- Forest functional level of Windows Server 2003 or higher
- Domain functional level of Windows Server 2003 or higher
- adprep /rodcprep has been run in the forest (required once; already done if your forest was originally created on Server 2008+)
- Domain Admin credentials or delegated RODC installation rights
- Network connectivity from the RODC candidate server to a writable DC
Step 1: Prepare the Forest for RODC
If your forest was first created on Windows Server 2003 and you are introducing an RODC for the first time, run adprep /rodcprep from the Windows Server 2025 installation media on a writable DC. For forests already at a higher functional level this has already been done automatically:
# On a writable DC, run from the Server 2025 media (if needed)
# Mount the ISO and run adprep.exe from its support\adprep folder
D:\support\adprep\adprep.exe /rodcprep
# Verify that the schema version supports RODC
Get-ADObject -Identity "CN=Schema,CN=Configuration,DC=contoso,DC=com" `
    -Properties objectVersion | Select-Object objectVersion
# Schema version 88+ (Server 2019/2022/2025) already includes RODC support
Step 2: Install AD DS Role on the RODC Candidate
On the server you intend to promote to an RODC, install the Active Directory Domain Services role and management tools:
# Install AD DS role and management tools
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Verify the feature is installed
Get-WindowsFeature AD-Domain-Services | Select-Object Name, InstallState
Step 3: Promote the Server as an RODC
Use Install-ADDSDomainController with the -ReadOnlyReplica switch to promote the server as a Read-Only DC. This example joins an existing domain and replicates from a specific source DC to minimize WAN traffic:
# Promote the server as an RODC. Without -Credential the current logon is used and the
# cmdlet prompts for the DSRM (Safe Mode Administrator) password.
Install-ADDSDomainController `
    -DomainName "contoso.com" `
    -ReadOnlyReplica `
    -SiteName "BranchOffice-Austin" `
    -ReplicationSourceDC "DC01.contoso.com" `
    -InstallDns `
    -NoGlobalCatalog:$false `
    -DelegatedAdministratorAccountName "contoso\BranchAdmin" `
    -CriticalReplicationOnly:$false `
    -Force
# -ReadOnlyReplica, -InstallDns, -NoGlobalCatalog, -CriticalReplicationOnly and -Force are
# switch parameters: name them to enable, use -Name:$false to disable ("-Name $true" fails)
# The server will restart automatically after promotion
To run this fully unattended (in an automation pipeline), provide credentials as a PSCredential object:
# Unattended RODC promotion
# Get-Credential prompts; for a truly unattended pipeline build the PSCredential from a
# secret in your vault instead, and never leave the DSRM password in the script itself
$DomainCred = Get-Credential -Message "Enter Domain Admin credentials"
$SafeModePwd = ConvertTo-SecureString "P@ssw0rd!DSRM" -AsPlainText -Force   # placeholder value
Install-ADDSDomainController `
    -DomainName "contoso.com" `
    -ReadOnlyReplica `
    -SiteName "BranchOffice-Austin" `
    -ReplicationSourceDC "DC01.contoso.com" `
    -InstallDns `
    -NoGlobalCatalog:$false `
    -DelegatedAdministratorAccountName "contoso\BranchAdmin" `
    -Credential $DomainCred `
    -SafeModeAdministratorPassword $SafeModePwd `
    -CriticalReplicationOnly:$false `
    -Force `
    -NoRebootOnCompletion:$false
Step 4: Configure the Password Replication Policy
The Password Replication Policy (PRP) controls which accounts are permitted (or denied) to have their credentials cached on the RODC. By default, no passwords are cached — users must authenticate against a writable DC over the WAN. Caching passwords for branch office users improves logon speed and provides offline authentication if the WAN link fails.
# View which accounts are in the Allowed RODC Password Replication Group
Get-ADGroupMember -Identity "Allowed RODC Password Replication Group"
# View which accounts are in the Denied RODC Password Replication Group (default protection)
Get-ADGroupMember -Identity "Denied RODC Password Replication Group"
# Add branch office users to the Allowed group
Add-ADGroupMember -Identity "Allowed RODC Password Replication Group" `
-Members "jsmith", "bwilliams", "Austin-Computers"
# Alternatively, add every user in an OU (there is no OU-based PRP entry: enumerate the OU
# as below, or nest a group you maintain inside the Allowed group):
$BranchUsers = Get-ADUser -SearchBase "OU=Austin,OU=Users,DC=contoso,DC=com" -Filter *
Add-ADGroupMember -Identity "Allowed RODC Password Replication Group" -Members $BranchUsers
To inspect the PRP directly on the RODC object:
# Get RODC password replication policy — allowed accounts
Get-ADDomainController -Filter {IsReadOnly -eq $true} | ForEach-Object {
Write-Host "RODC: $($_.Name)"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $_.ComputerObjectDN -Allowed |
Select-Object Name, SamAccountName
}
# Get denied accounts on the RODC
Get-ADDomainController -Filter {IsReadOnly -eq $true} | ForEach-Object {
Get-ADDomainControllerPasswordReplicationPolicy -Identity $_.ComputerObjectDN -Denied |
Select-Object Name, SamAccountName
}
# Check which passwords are currently cached on a specific RODC
Get-ADDomainControllerPasswordReplicationPolicyUsage `
-Identity "RODC-Austin" `
-RevealedAccounts | Select-Object Name, SamAccountName, ObjectClass
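As an added example that is not part of the original article, the script below turns the PRP commands above into two routine tasks: an audit that flags any privileged account whose secret has actually been replicated to an RODC, and a pre-population run for the accounts the PRP already allows. It assumes the ActiveDirectory module and the names RODC-Austin and DC01.contoso.com used in this tutorial; the privileged-group list is an assumption that you should extend with your own Tier 0 groups.

```powershell
# Added example, not from the original article: audit which credentials are actually
# cached on an RODC against privileged groups, and pre-populate the cache for the
# accounts the PRP already allows. Assumes the ActiveDirectory module and the names
# RODC-Austin / DC01.contoso.com used in this article; the privileged-group list is an
# assumption and should be extended with your own Tier 0 groups.
Import-Module ActiveDirectory

function Get-PrivilegedSidMap {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                'Administrators', 'Account Operators', 'Server Operators'))
    $map = @{}
    foreach ($g in $Groups) {
        # -Recursive expands nested groups so indirectly privileged accounts are caught too
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $map[$_.SID.Value] = $g }
    }
    return $map
}

function Test-RodcCachedPrivilegedAccounts {
    param([Parameter(Mandatory)][string]$RodcName)
    $priv = Get-PrivilegedSidMap
    # -RevealedAccounts lists accounts whose secrets have really been replicated to this RODC,
    # which is the exposure if the box is stolen (PRP membership alone is only the potential)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Where-Object { $priv.ContainsKey($_.SID.Value) } |
        ForEach-Object {
            [pscustomobject]@{ RODC = $RodcName; Account = $_.SamAccountName; PrivilegedVia = $priv[$_.SID.Value] }
        }
}

function Sync-RodcAllowedPasswords {
    param([Parameter(Mandatory)][string]$RodcName,
          [Parameter(Mandatory)][string]$SourceDC,
          [string]$AllowedGroup = 'Allowed RODC Password Replication Group')
    # Pre-populate the cache so branch users and computers can authenticate while the WAN
    # is down even before their first on-site logon. Sync-ADObject is subject to the PRP,
    # so an account covered by the Denied group fails here rather than being cached.
    Get-ADGroupMember -Identity $AllowedGroup -Recursive |
        Where-Object { $_.objectClass -in 'user', 'computer' } |
        ForEach-Object { Sync-ADObject -Object $_ -Source $SourceDC -Destination $RodcName -PasswordOnly }
}

# Usage: any row from the audit means a Tier 0 credential is sitting on branch hardware
Test-RodcCachedPrivilegedAccounts -RodcName 'RODC-Austin' | Format-Table -AutoSize
Sync-RodcAllowedPasswords -RodcName 'RODC-Austin' -SourceDC 'DC01.contoso.com'
```

Schedule the audit alongside the periodic dcdiag and repadmin checks; an empty result is the expected state for a branch RODC.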
Step 5: Delegate Local Administration Without Domain Admin Rights
One of the key RODC features is the ability to delegate local administrator rights on the RODC to a non-Domain Admin account. This is ideal for branch office IT staff who need to manage the server without receiving elevated domain privileges:
# The delegated admin named at promotion (-DelegatedAdministratorAccountName) is stored in the
# RODC computer object's managedBy attribute. That principal is a local Administrator on the
# RODC only and receives no rights on other DCs or in the domain (Administrator Role Separation).
# To change the delegated admin after promotion, update managedBy (SamAccountName or DN):
Set-ADComputer -Identity "RODC-Austin" -ManagedBy "BranchAdmin"
# Alternatively, use the RODC staged installation and set the delegated admin
# when pre-creating the RODC account (see Step 7)
Step 6: Verify the RODC Installation
# Confirm RODC is recognized by the domain
Get-ADDomainController -Filter {IsReadOnly -eq $true} |
    Select-Object Name, Site, IsReadOnly, OperationMasterRoles
# Run DCDiag on the RODC to check health
dcdiag /s:RODC-Austin /test:advertising /test:replications /v
# Check replication status from the RODC
repadmin /showrepl RODC-Austin
repadmin /replsummary RODC-Austin
# Verify DNS is functioning
Resolve-DnsName contoso.com -Server RODC-Austin
Step 7: Staged RODC Installation (Pre-Create RODC Account)
In high-security environments, you may want to pre-create the RODC account in AD before the server is physically deployed at the branch office. A local technician with no domain privileges can then complete the installation on-site:
# On a writable DC, pre-create the RODC computer account (requires Domain Admin)
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName "RODC-Austin" `
    -DomainName "contoso.com" `
    -SiteName "BranchOffice-Austin" `
    -DelegatedAdministratorAccountName "contoso\BranchAdmin" `
    -AllowPasswordReplicationAccountName "Allowed RODC Password Replication Group" `
    -DenyPasswordReplicationAccountName "Denied RODC Password Replication Group" `
    -InstallDns
# On the branch server, run by the local tech with the delegated admin account (no DA rights)
# The server must be a workgroup member (not domain-joined) whose computer name matches
# the pre-created account, RODC-Austin
Install-ADDSDomainController `
    -DomainName "contoso.com" `
    -UseExistingAccount `
    -Credential (Get-Credential) `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM Password") `
    -Force
Conclusion
Deploying a Read-Only Domain Controller on Windows Server 2025 is a powerful way to extend AD services to locations where physical or network security cannot match your main data center standards. The RODC’s Password Replication Policy gives you precise control over which credentials are cached locally, minimising exposure if the server is stolen or compromised. Combined with delegated local administration, the RODC lets branch IT staff manage their local server without touching the broader domain. Once your RODC is in place, monitor its credential cache regularly, review PRP membership as users change roles, and run periodic dcdiag and repadmin checks to ensure healthy replication with your writable DCs.
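The exposure the conclusion describes has a concrete first-response step when an RODC is stolen or compromised: every credential listed under -RevealedAccounts must be treated as known to the attacker. The script below, an added example that is not part of the original article, resets those user credentials and reports machine accounts whose secrets must be rotated on the host itself. It assumes the ActiveDirectory module and the RODC name RODC-Austin from this tutorial.

```powershell
# Added example, not from the original article: first-response script for a stolen or
# compromised RODC. It resets every user credential that had been replicated to that RODC
# and reports machine accounts whose secrets must be rotated on the host itself. Assumes
# the ActiveDirectory module; RODC-Austin is the name used in this article.
Import-Module ActiveDirectory

function New-RandomSecurePassword {
    param([int]$Bytes = 24)
    # CSPRNG bytes, base64-encoded: 32 characters drawn from upper, lower, digits and symbols
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return (ConvertTo-SecureString -String ([Convert]::ToBase64String($buf)) -AsPlainText -Force)
}

function Invoke-RodcCompromiseResponse {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$RodcName)
    # Everything in -RevealedAccounts must be treated as known to the attacker
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    foreach ($acct in $revealed) {
        switch ($acct.ObjectClass) {
            'user' {
                if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Reset password')) {
                    Set-ADAccountPassword -Identity $acct -Reset -NewPassword (New-RandomSecurePassword)
                    # The user is forced to pick a new password; the random one is never disclosed
                    Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
                }
                $action = 'password reset; must change at next logon'
            }
            'computer' {
                # A machine secret cannot be rotated from AD alone: the host must run
                # Reset-ComputerMachinePassword (or be re-joined) so it learns the new secret
                $action = 'rotate machine account password on the host'
            }
            default { $action = "manual review ($($acct.ObjectClass))" }
        }
        [pscustomobject]@{ Account = $acct.SamAccountName; Class = $acct.ObjectClass; Action = $action }
    }
    # Afterwards, remove the stolen RODC from the domain through your normal DC
    # decommission/metadata-cleanup process so it can no longer replicate.
}

# Dry run first (-WhatIf shows every reset without doing it), then run for real
Invoke-RodcCompromiseResponse -RodcName 'RODC-Austin' -WhatIf
# Invoke-RodcCompromiseResponse -RodcName 'RODC-Austin' | Format-Table -AutoSize
```

Keep the report it produces with the incident record: it is the authoritative list of which branch credentials were exposed and what was done about each.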