Deploy a Windows Server 2016 Read-Only Domain Controller

In this blog post, I’ll show you how to promote a Windows Server Core 2016 to be a read-only domain controller.

In my environment, I have two Domain Controllers that are Global Catalog Servers running Windows Server Core 2016 and now I’ll add a 3rd Read Only DC.

About Read-Only Domain Controllers

The read-only domain controller (RODC) was first released with Windows Server 2008. The idea behind it is that it allows us to deploy a DC in remote sites where physical security is not ideal.

An RODC hosts a read-only copy of our Active Directory database, which no one can modify if the server becomes unsecured.


  • Faster login times on remote sites
  • Gives secure access to resources on the network
  • Secure ADDS on remote sites


  • We can only install one Read-Only Domain Controller per AD Site and per Domain.
  • The installation must be run by a Domain Admin or a delegated administrator account.
  • By default, RODCs do not store passwords.


To install the RODC, I’ll start by installing the PowerShell module for ADDS.

Add-WindowsFeature AD-Domain-Services, RSAT-AD-AdminCenter,RSAT-ADDS-Tools

Below, I’ll install my RODC using PowerShell and configure it to be a DNS server as well.

Install-ADDSDomainController -ReadOnlyReplica -DomainName test.local -SiteName "Default-First-Site-Name" -InstallDns -NoGlobalCatalog:$true

Now, I’ll click Close to restart the server and wait for it to come up.

Now that I have finished my RODC installation, I’ll run the PowerShell cmdlet below to verify that my DC is an RODC:

Get-ADDomainController -Filter *
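
The check above can be taken one step further by also looking at which passwords the RODC is allowed to cache and which ones it has actually cached. The script below is an added example, not part of the original post; Get-RodcCacheReport is a hypothetical helper name, and it assumes the ActiveDirectory module installed earlier plus read access to the domain.

```powershell
# Added example: audits every RODC in the domain.
# Assumes the ActiveDirectory module (RSAT-ADDS-Tools) and a domain-joined session.
Import-Module ActiveDirectory

function Get-RodcCacheReport {
    # Keep only the DCs that report themselves as read-only.
    $rodcs = Get-ADDomainController -Filter * | Where-Object { $_.IsReadOnly }

    foreach ($rodc in $rodcs) {
        # Principals the RODC is permitted to cache passwords for (Allowed list).
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed

        # Accounts whose passwords are stored on the RODC right now.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts

        # Cached accounts that AD marks as protected (adminCount = 1) need review:
        # their credentials would be exposed if the RODC were stolen.
        $privileged = foreach ($acct in $revealed) {
            $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
            if ($obj.adminCount -eq 1) { $obj.Name }
        }

        [pscustomobject]@{
            Name             = $rodc.Name
            Site             = $rodc.Site
            IsReadOnly       = $rodc.IsReadOnly
            IsGlobalCatalog  = $rodc.IsGlobalCatalog   # False when installed with -NoGlobalCatalog
            AllowedToCache   = @($allowed    | ForEach-Object { $_.Name })
            CachedAccounts   = @($revealed   | ForEach-Object { $_.Name })
            PrivilegedCached = @($privileged)
        }
    }
}

Get-RodcCacheReport | Format-List
```

The RODC's own computer account and its dedicated krbtgt account normally appear under CachedAccounts; any other entry is there because the password replication policy allowed it.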


A Read-Only Domain Controller in Windows Server 2016 can give us the much-needed security for our AD in remote sites.

Using an RODC, we can also speed up login times for remote users without overloading remote sites with Global Catalog servers that replicate both ways.

I strongly recommend using an RODC in remote sites where bandwidth and security are not perfect.
