How to Remotely Promote Server Core to a Read Only Domain Controller (RODC)


If you would like to promote a Windows Server 2008 Server Core installation to an RODC but the server is at a remote location, you can run into multiple roadblocks: firewall ports need to be opened, remote management needs to be enabled, and the configuration information has to be supplied up front. The following text should help you build this remote installation.

By default, Server Core has the firewall enabled. Opening ports on the firewall requires either group policy (if it is a domain machine) or logging on locally and configuring it. Once a server role is installed, however, the correct ports are opened automatically, both for the role to function and for remote management, so no additional work is required for the role itself.

Configuring the firewall:
To open the firewall for remote management, as a local admin from a command prompt on server core, key in the following:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

Enabling Remote Management:
To enable remote management via the Remote Shell, as a local admin from a command prompt on server core, key in the following:

Winrm quickconfig

If you want to run this over a secure channel you can open an HTTPS listener instead; as a local admin from a command prompt on server core, key in the following:

winrm quickconfig -transport:https

Installing the DNS role:
To install DNS, from a command prompt on the remote workstation key in the following (replace servercore with the name of the remotely managed server):

Winrs -r:servercore start /w ocsetup DNS-Server-Core-Role

Promoting to an RODC: (Performing a Staged RODC Installation)

Start by pre-creating the server account (From Microsoft’s pre-staged deployment):

Save the text below as the precreate.txt file referenced in the command, then execute the following command to pre-create the RODC account (Note: be sure to replace DomainName with your domain name):

dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:DomainName.com /unattend:\\longhorn\netlogon\precreate.txt

The next line is the start of pre-create RODC unattended text file

; DCPROMO unattend file 
; Usage: 
; dcpromo.exe /CreateDCAccount /ReplicaDomainDNSName:pbbergs.com /unattend:\\longhorn\netlogon\precreate.txt 
; 
[DCInstall] 
; Read-Only Replica DC promotion (stage 1) 
DCAccountName=servercore 
; RODC Password Replication Policy 
PasswordReplicationDenied="BUILTIN\Administrators" 
PasswordReplicationDenied="BUILTIN\Server Operators" 
PasswordReplicationDenied="BUILTIN\Backup Operators" 
PasswordReplicationDenied="BUILTIN\Account Operators" 
PasswordReplicationDenied="PBBERGS\Denied RODC Password Replication Group" 
PasswordReplicationAllowed="PBBERGS\Allowed RODC Password Replication Group" 
SiteName=Default-First-Site-Name 
InstallDNS=Yes 
ConfirmGc=Yes 
ReplicationSourceDC=Longhorn.pbbergs.com

The end of the pre-create RODC unattended file
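The PasswordReplicationDenied / PasswordReplicationAllowed lines above are what keep privileged account secrets off an RODC sitting in a remote location. The PowerShell below is an added example (not from the original post) that reads the resulting policy back from the pre-created computer account and flags a privileged group that is missing from Denied or has crept onto Allowed; it assumes a domain-joined workstation with read access to the directory and the RODC account name servercore from the unattend file.

```powershell
# Added example: audit the Password Replication Policy (PRP) on a pre-created RODC account.
# Assumes: domain-joined workstation, read access to AD, RODC account named 'servercore'.
param([string]$RodcName = 'servercore')

# Locate the pre-created RODC computer object (computer sAMAccountNames end with '$')
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$RodcName`$))"
$null = $searcher.PropertiesToLoad.AddRange(@('msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup', 'distinguishedName'))
$rodc = $searcher.FindOne()
if (-not $rodc) { throw "No computer account named $RodcName found; run the /CreateDCAccount step first." }

# The PRP is stored as lists of group DNs; resolve each DN to its sAMAccountName for readable output
function Resolve-PrpGroup([string]$dn) {
    $obj = [ADSI]"LDAP://$dn"
    "$($obj.sAMAccountName)"
}
$allowed = @($rodc.Properties['msds-revealondemandgroup'] | ForEach-Object { Resolve-PrpGroup $_ })
$denied  = @($rodc.Properties['msds-neverrevealgroup']   | ForEach-Object { Resolve-PrpGroup $_ })

# Groups the unattend file places on the Denied list; their passwords must never be cached on the RODC
$mustDeny = 'Administrators', 'Server Operators', 'Backup Operators', 'Account Operators',
            'Denied RODC Password Replication Group'

"RODC account : $($rodc.Properties['distinguishedname'][0])"
"Allowed      : $($allowed -join ', ')"
"Denied       : $($denied -join ', ')"

# Warn on a privileged group that is not denied, or that appears on the Allowed list
foreach ($g in $mustDeny) {
    if ($denied -notcontains $g) { Write-Warning "'$g' is not on the Denied list" }
}
foreach ($g in $allowed) {
    if ($mustDeny -contains $g) { Write-Warning "'$g' is on the Allowed list; its members' passwords could be cached on the RODC" }
}
```

Run it again after the stage 2 promotion finishes, since the lists are also what dcpromo applies to the finished RODC.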

To install the Active Directory Domain Services role and promote the server core to a domain controller, from a command prompt on the remote workstation key in the following (the unattend path refers to a file on the server core itself):

Winrs -r:servercore dcpromo /unattend:c:\unattended\promote.txt

The next line is the start of the dcpromo RODC unattended text file

; DCPROMO unattend file (automatically generated by dcpromo) 
; Usage: 
; dcpromo.exe /unattend:\\longhorn\netlogon\answer.txt 
; 
[DCInstall] 
; 
ReplicaOrNewDomain=Replica 
; Domain to join, and the writable DC to replicate from (same source DC as in the pre-create file) 
ReplicaDomainDNSName=pbbergs.com 
ReplicationSourceDC=Longhorn.pbbergs.com 
InstallDNS=Yes 
ConfirmGc=Yes 
CriticalReplicationOnly=Yes 
DatabasePath="C:\Windows\NTDS" 
LogPath="C:\Windows\NTDS" 
SYSVOLPath="C:\Windows\SYSVOL" 
; Set SafeModeAdminPassword to the correct value prior to using the unattend file 
SafeModeAdminPassword=pa$$w0rd 
; Run-time flags (optional) 
RebootOnCompletion=Yes

Hopefully this article has helped you to get started; it is not trivial, and it took me multiple attempts on many steps to get it correct and working.

I would love to hear feedback on your success or problems that may have arisen in your attempt to remotely promote a server core to a RODC.