Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add RODC Creation Support #40

Closed
PlagueHO opened this issue Nov 7, 2015 · 11 comments · Fixed by #406 or #713
Closed

Add RODC Creation Support #40

PlagueHO opened this issue Nov 7, 2015 · 11 comments · Fixed by #406 or #713
Labels
enhancement The issue is an enhancement request.

Comments

@PlagueHO
Copy link
Member

PlagueHO commented Nov 7, 2015

Is there any plan to add support to install a server as an RODC?
@HemantMahawar HemantMahawar added the enhancement The issue is an enhancement request. label Nov 16, 2015
@oradcliffe
Copy link

Commenting here as I am also curious if this will be supported. Otherwise, I guess using a custom script block in the DSC template will do?

@capocruz
Copy link

capocruz commented Mar 13, 2017
edited
Loading

I'd like to see RODC in DSC as well. It's now 2017 and it's a simple parameter creation. Maybe write our own??

@johlju johlju added the help wanted The issue is up for grabs for anyone in the community. label May 1, 2018
@SSvilen
Copy link
Contributor

SSvilen commented May 25, 2019

Hi @johlju - is this still relevant?

@johlju
Copy link
Member

johlju commented May 25, 2019

@SSvilen If someone want to add this then I'm all for it, happy to review a PR that adds this. 🙂

@SSvilen
Copy link
Contributor

SSvilen commented May 31, 2019

I need to pre-provision the RODC account and then i need to promote it. Do I pick up a single domain controller to work with for both operations or is there another standard for such operations?

@johlju
Copy link
Member

johlju commented Jun 1, 2019
edited
Loading

The cmdlet Add-ADDSReadOnlyDomainControllerAccount can only specify the domain name and site name, so you could create the account on any DC and it should replicate, and it must of course have replicated before promoting the RODC. You can also specify the replication source DC if the RODC should replicate from a specific domain controller, so the account must have replicated to that DC before promoting the RODC.

@johlju
Copy link
Member

johlju commented Jun 1, 2019
edited
Loading

Not sure we should have a resource that creates that pre-staged account, should we? It is one-time thing, and nothing that can be enforced, and needs to be done by a domain admin. I think to solve this issue I think we at least need to support the parameter ReadOnlyReplica in the resource xADDomainController (for the cmdlet Install-ADDSDomainController).

@SSvilen
Copy link
Contributor

SSvilen commented Jun 1, 2019

You are right - you can provision RODC with Install-ADDSDomainController directly. But we could also build the functionality to pre-provision the account, couldn't we? I would still a part of xADDomainController - just a separate set of options.

@johlju
Copy link
Member

johlju commented Jun 1, 2019
edited
Loading

Creating a pre-staged (computer) account sounds more something xADComputer would do, not xADDomainController. Or another (new) resources.

But what node should create the pre-staged account? It wouldn’t be the node that will end up as RODC, because then it wouldn’t make since to use a pre-stage account in the first place. The node that should be RODC should be using xADDomainControlle with ReadOnlyReplica and an optional Credential that allows the DC to use the already created pre-staged account.

It’s not really making since to me to create the pre-staged account using a DSC resource. 🤔 It’s because it is a one time operation, the account cannot be enforced, nor can it enforce any properties.

Can someone provide a scenario where it would be good idea to have that functionality in a DSC resource?

@SSvilen SSvilen mentioned this issue Jun 23, 2019
Closed
9 tasks
@SSvilen SSvilen mentioned this issue Jul 1, 2019
Merged
9 tasks
johlju pushed a commit that referenced this issue Jul 17, 2019
@SSvilen @johlju
xADDomainController: Add RODC Creation Support (#406)
ca9fdbe 
- Changes to xAdDomainController
  - Add support for creating Read-Only Domain Controller (RODC) (issue #40).
  - Refactored unit tests for Test-TargetResource.
@johlju johlju removed the help wanted The issue is up for grabs for anyone in the community. label Jul 17, 2019
@jojiklmts
Copy link

  1. Where is my RODC provisioned with PowerShell DSC?

@johlju
Copy link
Member

johlju commented Aug 6, 2019

@jojiklmts sorry, not following you. But if you mean the support for RODC it has been merged and will be included in the release of ActiveDirectoryDsc (which hopefully be soon).

@Borgquite Borgquite mentioned this issue May 23, 2024
Closed
@Borgquite Borgquite mentioned this issue Jul 29, 2024
Merged
9 tasks
johlju pushed a commit that referenced this issue Aug 18, 2024
@Borgquite
ADReadOnlyDomainControllerAccount: New resource (#713)
7c3feec 
### Added

- ADDomainController
  - New parameter UseExistingAccount for attaching a server to an existing RODC account (issue #711).
- ADReadOnlyDomainControllerAccount
  - New resource for pre-creating Read Only Domain Controller accounts (issue #40 and issue #711).

### Fixed

- ActiveDirectoryDsc.Common
  - Fixed Get-DomainControllerObject to allow checking non-local domain controller accounts.
- Update build process to pin GitVersion to 5.* to resolve errors (issue #477).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement The issue is an enhancement request.
Projects
None yet
Milestone
No milestone
7 participants
@johlju @PlagueHO @SSvilen @oradcliffe @HemantMahawar @capocruz @jojiklmts