Introduction to Read-Only Domain Controllers
A Read-Only Domain Controller (RODC) is a domain controller that hosts a read-only copy of the Active Directory database. RODCs were designed specifically for branch office scenarios where physical security cannot be guaranteed. If an RODC is stolen or compromised, the damage is limited because it holds no writable copy of AD and caches only the passwords of explicitly permitted accounts. Windows Server 2019 fully supports RODC deployment and administration. This tutorial covers planning, deploying, and managing RODCs in a branch office scenario.
When to Use RODCs
Deploy RODCs where local authentication is needed but the server cannot be physically secured to the standard of your primary datacenter: branch offices with unlocked server rooms, retail locations, factory floors, and remote sites connected over unreliable WAN links. An RODC provides local Kerberos authentication, Group Policy downloads, and DNS resolution without exposing a writable copy of AD. Keep the trade-off in mind: an RODC can only service logons locally for accounts whose passwords it is permitted to cache; every other logon, and every write such as a password change, is forwarded to a writable DC over the WAN and fails while the link is down.
RODC Key Characteristics
RODCs have several important properties: the AD database is read-only (no writes are accepted locally; LDAP write requests are referred to a writable DC), passwords are not stored by default (only accounts permitted by the RODC Password Replication Policy are cached), attributes in the RODC Filtered Attribute Set are never replicated to RODCs (the default set includes the BitLocker recovery and TPM owner attributes), each RODC has its own krbtgt_<id> account so a key recovered from a stolen RODC cannot forge tickets that writable DCs trust, and administration can be delegated to local non-DA accounts. Replication flows only from full DCs to the RODC, never from the RODC to full DCs.
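As an added example (not code from the original tutorial), the following script, run from a writable DC or an RSAT workstation, shows two of these properties directly: it lists the attributes in the RODC Filtered Attribute Set by reading the schema, and it resolves each RODC's private krbtgt account through the msDS-KrbTgtLink attribute. The RODC names it prints depend on your domain; nothing else is assumed.

```powershell
# Added example (not from the original tutorial): inspect RODC-specific objects
# and the RODC Filtered Attribute Set (FAS) from a writable DC.
Import-Module ActiveDirectory

# searchFlags bit 0x200 (512) marks an attribute as a member of the FAS.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so this
# finds every attributeSchema object with that bit set.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$fas = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))" `
    -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName, searchFlags
"RODC Filtered Attribute Set ($($fas.Count) attributes):"
$fas | Format-Table -AutoSize

# Every RODC has its own krbtgt_<id> account, linked from the computer object.
# Tickets it issues are encrypted with that key, not the domain krbtgt key.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    ForEach-Object {
        $computer = Get-ADComputer $_.ComputerObjectDN -Properties 'msDS-KrbTgtLink'
        [pscustomobject]@{
            RODC   = $_.Name
            Site   = $_.Site
            KrbTgt = (Get-ADObject $computer.'msDS-KrbTgtLink').Name
        }
    } | Format-Table -AutoSize
```

If you need to add an attribute to the FAS (for example a custom attribute holding secrets), set the 0x200 bit in its searchFlags from the schema master; the bit is ignored for attributes in the base schema that RODCs need to function.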
Prerequisites for RODC Deployment
RODCs require a forest functional level of Windows Server 2003 or higher, which implies that every domain controller in the forest runs Windows Server 2003 or later. The writable DC that acts as the RODC's replication source must run Windows Server 2008 or later and must be in the same domain. A domain whose DCs all run Windows Server 2019 meets these requirements; confirm the functional levels before you start:
Get-ADDomain | Select-Object DomainMode
Get-ADForest | Select-Object ForestMode
Preparing the Domain for RODC
Run adprep /rodcprep once per forest, as a member of Enterprise Admins, to set the permissions that let RODCs replicate the DNS application partitions. On Windows Server 2019 adprep is integrated into the AD DS installation cmdlets and runs automatically when the first RODC is promoted. For older forests being upgraded, run it manually from the \support\adprep folder of the Server 2019 installation media:
adprep /rodcprep
Installing the RODC Role
Install the Active Directory Domain Services role on the branch office server, then promote it as an RODC using the Install-ADDSDomainController cmdlet with the -ReadOnlyReplica switch; -SiteName is mandatory for an RODC, and the cmdlet must run as a member of Domain Admins (or with -Credential). The following example promotes a server as an RODC in the yourdomain.com domain. The DSRM password is read from a prompt rather than embedded in the script, so it does not end up in the shell history or a saved .ps1 file.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Prompt for the Directory Services Restore Mode password instead of hard-coding it
$dsrm = Read-Host -Prompt "DSRM (Safe Mode) administrator password" -AsSecureString
Install-ADDSDomainController `
    -DomainName "yourdomain.com" `
    -ReadOnlyReplica `
    -SiteName "BranchOffice-London" `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -NoGlobalCatalog:$false `
    -ReplicationSourceDC "DC01.yourdomain.com" `
    -SafeModeAdministratorPassword $dsrm `
    -Force
Staged RODC Installation
For maximum security, use the staged RODC installation process. A Domain Admin pre-creates the RODC computer account in AD with all settings configured, naming the account or group that will be the delegated administrator. A technician at the branch, logging on with that delegated account, then completes the promotion on-site. No Domain Admin credentials are ever typed on the branch server, and the delegated account gains no rights beyond that one RODC.
Step 1: Pre-create the RODC account from a writable DC:
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName "RODC-London" `
    -DomainName "yourdomain.com" `
    -SiteName "BranchOffice-London" `
    -DelegatedAdministratorAccountName "yourdomain\branchadmin" `
    -InstallDns `
    -NoGlobalCatalog:$false
Step 2: On the branch server, which must still be a workgroup member (not joined to the domain), complete the promotion using the pre-created account and the delegated administrator's credentials:
$dsrm = Read-Host -Prompt "DSRM (Safe Mode) administrator password" -AsSecureString
Install-ADDSDomainController `
    -DomainName "yourdomain.com" `
    -UseExistingAccount `
    -Credential (Get-Credential "yourdomain\branchadmin") `
    -SafeModeAdministratorPassword $dsrm `
    -Force
Configuring the Password Replication Policy
The Password Replication Policy (PRP) controls which account passwords the RODC is allowed to cache. Every domain has an Allowed RODC Password Replication Group (empty by default) and a Denied RODC Password Replication Group (containing Domain Admins, Enterprise Admins, Schema Admins, Cert Publishers, krbtgt and other sensitive principals by default). Deny entries always take precedence over Allow entries, so a user who is in both is never cached. Add the accounts that should be cached at a branch to a per-RODC allow group, and remember that a logon can only be serviced locally if both the user account and the computer account it comes from are cached.
# Create a group for the accounts that may be cached at this branch
New-ADGroup -Name "London-RODC-PRP-Allow" -GroupScope Global -GroupCategory Security
# Cache the users and the computers they log on from; a logon is only serviced
# locally when both the user and the machine account are cached
Add-ADGroupMember -Identity "London-RODC-PRP-Allow" -Members "user1","user2","branchlaptop01$"
# Add the group to the RODC's Allowed list
Add-ADDomainControllerPasswordReplicationPolicy -Identity "RODC-London" `
    -AllowedList "London-RODC-PRP-Allow"
# Deny entries win over Allow entries. These groups are already covered by the
# default Denied RODC Password Replication Group; listing them explicitly is belt and braces
Add-ADDomainControllerPasswordReplicationPolicy -Identity "RODC-London" `
    -DeniedList "Domain Admins","Enterprise Admins","Schema Admins"
Viewing Cached Passwords on an RODC
Audit which account passwords are currently stored on a specific RODC with Get-ADDomainControllerPasswordReplicationPolicyUsage and the -RevealedAccounts switch. Get-ADDomainControllerPasswordReplicationPolicy only reports the policy (use its -Allowed or -Denied switches), not what has actually been cached. This is an important security audit step: everything in the revealed list must be treated as compromised if the RODC is lost.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "RODC-London" -RevealedAccounts
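As an added example (not code from the original tutorial), the following script covers both the PRP configuration and the audit step above: it reads the effective Allow and Deny lists, compares the accounts actually revealed on the RODC with those that have authenticated through it, and flags any privileged account whose password is sitting on the branch server. It assumes the RODC name "RODC-London" from this tutorial and a single-domain forest (the privileged group names are the built-in ones); run it from a writable DC or an RSAT workstation.

```powershell
# Added example (not from the original tutorial): audit the PRP of one RODC.
# Assumes the RODC name used in this tutorial and a single-domain forest.
Import-Module ActiveDirectory
$rodc = "RODC-London"

# The policy as configured. Deny entries always win over Allow entries.
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

# What is really on the RODC: accounts whose secrets have been replicated to it.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
# Accounts that have authenticated through the RODC, cached or forwarded to a hub DC.
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

# Candidates for the branch allow group: users who log on at the site but whose
# password is not cached, so their logon still depends on the WAN link.
$notCached = $authenticated | Where-Object {
    $_.ObjectClass -eq 'user' -and $_.DistinguishedName -notin $revealed.DistinguishedName
}

# Red flag: a privileged account whose password is on the branch box. The default
# Denied RODC Password Replication Group should prevent this; verify rather than assume.
$privileged = @('Domain Admins','Enterprise Admins','Schema Admins','Administrators') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty DistinguishedName -Unique
$leaked = $revealed | Where-Object { $_.DistinguishedName -in $privileged }

[pscustomobject]@{
    RODC               = $rodc
    AllowedEntries     = $allowed.Count
    DeniedEntries      = $denied.Count
    RevealedAccounts   = $revealed.Count
    UsersNotCached     = @($notCached).Count
    PrivilegedRevealed = (@($leaked) | ForEach-Object SamAccountName) -join ','
}

# Details for the two lists an administrator acts on.
"Authenticated through $rodc but not cached (consider adding to the allow group):"
$notCached | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
"Privileged accounts revealed on $rodc (should be empty):"
$leaked | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Run the audit on a schedule and alert when PrivilegedRevealed is non-empty or when RevealedAccounts grows unexpectedly; the -AuthenticatedAccounts list is also the cleanest input for deciding who belongs in the branch allow group, because it records real logon traffic rather than assumptions about who works at the site.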
RODC Local Administrator Delegation
A powerful feature of RODCs is the ability to delegate local administrator rights on the RODC to a non-Domain-Admin user or group without granting them any domain-level permissions. The delegated administrator is recorded in the managedBy attribute of the RODC's computer object and is treated as a member of the RODC's local Administrators group: they can log on to the RODC, restart it, manage services and drivers, and complete a staged promotion, but the setting confers no rights on other domain controllers or on objects in AD.
# Check the current delegated admin (the managedBy attribute of the RODC computer object)
Get-ADComputer -Identity "RODC-London" -Properties ManagedBy |
    Select-Object Name, ManagedBy
# Confirm the DC really is an RODC
Get-ADDomainController -Identity "RODC-London" | Select-Object Name, IsReadOnly, Site
# Set the delegated admin; -ManagedBy accepts a sAMAccountName or distinguished name.
# The same setting is on the Managed By tab of the RODC computer object in ADUC.
Set-ADComputer -Identity "RODC-London" -ManagedBy "branchadmin"
Resetting Cached Credentials After RODC Compromise
If an RODC is stolen or compromised, treat every secret that was on it as disclosed: the passwords of all revealed user and computer accounts and the key of the RODC's own krbtgt_<id> account. Use Get-ADDomainControllerPasswordReplicationPolicyUsage with -RevealedAccounts to get the list, then reset each password. Reset user accounts from a writable DC as shown below; cached computer accounts should be rejoined to the domain (or have Reset-ComputerMachinePassword run on them) rather than having their passwords set centrally, which would break their secure channel. Then delete the RODC's computer account from Active Directory Users and Computers, which removes the RODC-specific krbtgt account and also offers to reset the cached user and computer passwords and export the list for your incident record.
# Everything cached on the RODC: users, computers, and the RODC's own krbtgt_<id> account
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "RODC-London" -RevealedAccounts
foreach ($account in ($revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    # 32 random bytes from a CSPRNG, Base64-encoded: 44 characters, mixed case, digits and '=' padding
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPass = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $account.DistinguishedName -NewPassword $newPass -Reset
    Write-Host "Reset password for: $($account.SamAccountName)"
}
# Computer accounts in $revealed: rejoin each machine or run Reset-ComputerMachinePassword on it
$revealed | Where-Object { $_.ObjectClass -eq 'computer' } | Select-Object SamAccountName
Conclusion
Read-Only Domain Controllers are a well-architected solution for branch office security on Windows Server 2019. By limiting password caching through the Password Replication Policy, allowing delegated local administration, and preventing any writes to the AD database, RODCs dramatically reduce the blast radius of a physical security incident at a remote location. Combine RODCs with BitLocker Drive Encryption on the server volume to further protect the cached credentials against offline attacks.