Convert DCs to RODCs in bulk using PowerShell (Part 3 of 3)

Posted: 06/12/2010 in Active Directory, PowerShell

Part 3 of 3

First Post (Part 1 of 3)

Previous Post (Part 2 of 3)

Step 7 – Force a restart of the Servers

I now need to be sure that the servers are back online. A quick way to test that a batch of systems is online after a reboot is to use the Test-Connection cmdlet; for example, to send a single ping to the first ten servers I demoted:

Test-Connection $Servers[0..9] -Count 1

After confirming the servers were back online I restarted them again. Oddly, this second restart was necessary to freshen up the systems, as they seemed a little flaky after the first restart following a demotion. Instead of the Restart-Computer cmdlet I used the old shutdown.exe command, which I found more reliable when dealing with unhappy servers:

$Servers[0..9] | % {  shutdown /r /m \\$($_) }

After the second restart I tested that PowerShell remoting with CredSSP authentication was again working using the same command as before:

icm $Servers { $ENV:ComputerName } -Authentication CredSSP -Credential $Cred
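As an added example (not code from the original post), the reboot, ping and remoting checks above folded into one function: it reboots a batch with shutdown.exe, polls Test-Connection until every host answers or a timeout expires, and then confirms that CredSSP remoting actually works, since a successful ping only proves the NIC is up. It assumes the $Servers array and $Cred credential object from the earlier parts of this series.

```powershell
# Added example, not from the original post: reboot a batch of freshly demoted
# servers, wait for them to answer ping, then confirm CredSSP remoting works
# before moving on to the RODC promotion. Assumes $Servers (hostnames) and
# $Cred (PSCredential) from the earlier parts of this series.

function Restart-AndVerify {
    param(
        [string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential,
        [int]$TimeoutSeconds = 900
    )

    foreach ($c in $ComputerName) {
        # Same tool the post uses; /t 0 reboots immediately
        & shutdown.exe /r /t 0 /m "\\$c"
    }

    # Let the boxes actually go down first, otherwise the first ping succeeds
    # against a machine that has not rebooted yet.
    Start-Sleep -Seconds 90

    $pending = New-Object System.Collections.ArrayList
    [void]$pending.AddRange($ComputerName)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $online = @()

    while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
        foreach ($c in @($pending)) {
            if (Test-Connection -ComputerName $c -Count 1 -Quiet -ErrorAction SilentlyContinue) {
                $online += $c
                $pending.Remove($c)
            }
        }
        Start-Sleep -Seconds 15
    }
    if ($pending.Count -gt 0) {
        Write-Warning "Still not pingable after $TimeoutSeconds s: $($pending -join ', ')"
    }
    if ($online.Count -eq 0) { return @() }

    # Ping only proves the NIC is up; WinRM with CredSSP is what the next step
    # needs. PSComputerName on each result tells us which hosts really answered.
    $answered = Invoke-Command -ComputerName $online -ScriptBlock { $env:ComputerName } `
                    -Authentication CredSSP -Credential $Credential -ErrorAction SilentlyContinue |
                ForEach-Object { $_.PSComputerName }

    $noRemoting = $online | Where-Object { $answered -notcontains $_ }
    if ($noRemoting) {
        Write-Warning "Pingable but CredSSP remoting failed: $($noRemoting -join ', ')"
    }
    return ,@($online | Where-Object { $answered -contains $_ })
}

# Usage: only carry the hosts that passed both checks into the promotion step
$ready = Restart-AndVerify -ComputerName $Servers[0..9] -Credential $Cred
$ready
```

Hosts that fail either check are reported with Write-Warning rather than silently dropped, so you can fix them before feeding $ready to the dcpromo step.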

Step 8 – ReDCPROMO to RODC

Completing all the previous steps I was now ready to promote all the member servers to RODCs.

Much like the command used for step 6 here is the command I used to promote the first 10 servers.

icm $Servers[0..9] { dcpromo.exe /unattend:C:\SUPPORT\DCPROMORODCAnswerFile.txt | Tee-Object -filepath C:\SUPPORT\DCPROMORODCResultFile.txt } -Authentication CredSSP -Credential $Cred

Again the output of this command is both shown on the console and saved to the file C:\SUPPORT\DCPROMORODCResultFile.txt local to each server. Because the IFM media was already on local disk, the promotions completed very quickly, some in only a few minutes.

You should now find the RODCs returned to the ‘Domain Controllers’ OU but now the DC Type will show Read-only.

Step 9 – Replicate the Passwords for the User and Computer Objects to the local RODC responsible for authentication

Now that all the DCs had been converted to RODCs, I wanted to pre-cache the passwords of all the computer and user accounts local to each site, using the groups created in Step 1. The RepAdmin command line tool can do this with the /rodcpwdrepl switch: it first checks that the RODC's Password Replication Policy allows the computer/user account to be cached and, if so, replicates the account's secrets into the RODC's cache. Interestingly, ADUC only lets you add a single user or computer account to the RODC cache at a time, not a group or, as I needed, all the accounts within an OU.

I achieved this with the help of the Microsoft AD module. As mentioned before, the AD site name in this company also matches the name of the OU holding the objects for that site, so I checked the local site code, used it to construct the Distinguished Name of the OU, enumerated all the users/computers and passed each one to the RepAdmin tool.

Here is the example of populating the RODC cache with User accounts:

icm $Servers[0..9] { import-module ActiveDirectory ; $siteCode = [DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().name  ; Get-ADUser -SearchBase "OU=Staff,OU=Users,OU=$($siteCode),OU=Schools,DC=domain1,DC=sch,DC=uk" -filter * | % { Repadmin /rodcpwdrepl D1-$($siteCode)-001 D1-DC-001 $_.DistinguishedName }} -Authentication CredSSP -Credential $Cred

And finally here is the example of populating the RODC cache with Computer Accounts:

icm $Servers[0..9] { import-module ActiveDirectory ; $siteCode = [DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().name  ; Get-ADComputer -SearchBase "OU=$($siteCode),OU=Schools,DC=domain1,DC=sch,DC=uk" -filter * | % { Repadmin /rodcpwdrepl D1-$($siteCode)-001 D1-DC-001 $_.DistinguishedName }} -Authentication CredSSP -Credential $Cred

You can easily confirm which accounts are cached on a server by opening the properties of the RODC, selecting the "Password Replication Policy" tab, clicking the Advanced button and choosing "Accounts whose passwords are stored on this Read-only Domain Controller" from the drop-down box.
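The following is an added example (not the post's own code) that does the pre-caching of Step 9 for one site from an admin host with the RSAT ActiveDirectory module, rather than on each RODC: it collects the user and computer DNs, hands them to repadmin /rodcpwdrepl in batches (the switch accepts several DNs per call), checks the exit code, and then uses the AD module to list which of the wanted accounts the RODC is actually storing, which is the PowerShell equivalent of the ADUC check described above. The hub DC D1-DC-001, the RODC naming pattern D1-<site>-001 and the OU layout follow the post; the site code ABC is an assumption.

```powershell
# Added example, not from the original post: pre-cache the secrets of every user
# and computer under a site's OU on that site's RODC, in batches, then report
# which of them the RODC actually holds. Run from an admin host with the RSAT
# ActiveDirectory module. Assumed names, taken from the post's conventions:
# hub DC D1-DC-001, RODC D1-<site>-001, OU=<site>,OU=Schools,DC=domain1,DC=sch,DC=uk.
Import-Module ActiveDirectory

function Add-RodcCachedSecrets {
    param(
        [string]$Rodc,
        [string]$HubDc,
        [string]$SiteOU,
        [int]$BatchSize = 20
    )

    # Users in the staff OU plus every computer under the site OU, as in the post.
    $users = @(Get-ADUser -Filter * -SearchBase "OU=Staff,OU=Users,$SiteOU" |
               Select-Object -ExpandProperty DistinguishedName)
    $comps = @(Get-ADComputer -Filter * -SearchBase $SiteOU |
               Select-Object -ExpandProperty DistinguishedName)
    $dns = $users + $comps

    for ($i = 0; $i -lt $dns.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $dns.Count) - 1
        $batch = $dns[$i..$last]
        # repadmin /rodcpwdrepl takes several DNs per call. For each one it
        # evaluates the RODC's PRP (Denied wins over Allowed) and only then
        # replicates the secret from the hub DC, so members of the Denied group
        # (Domain Admins etc. by default) are never cached even if listed here.
        $out = & repadmin.exe /rodcpwdrepl $Rodc $HubDc $batch 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "repadmin exit code $LASTEXITCODE for DNs $i..$last"
            $out | ForEach-Object { Write-Warning $_ }
        }
    }
    return $dns
}

function Get-RodcCacheGaps {
    param([string]$Rodc, [string[]]$Wanted)
    # "Revealed" accounts are those whose secrets the RODC currently stores;
    # this is what the ADUC 'Advanced' dialog shows.
    $cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
              Select-Object -ExpandProperty DistinguishedName
    # Anything wanted but not cached was denied by the PRP or failed above.
    $Wanted | Where-Object { $cached -notcontains $_ }
}

# Usage for one site (site code ABC is an assumption)
$site = 'ABC'
$ou   = "OU=$($site),OU=Schools,DC=domain1,DC=sch,DC=uk"
$want = Add-RodcCachedSecrets -Rodc "D1-$($site)-001" -HubDc 'D1-DC-001' -SiteOU $ou
Get-RodcCacheGaps -Rodc "D1-$($site)-001" -Wanted $want
```

Accounts that come back from Get-RodcCacheGaps are worth a look: they are usually privileged accounts the PRP rightly refused, but an unexpected entry means the Allowed group from Step 1 is missing someone.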

I used this process to successfully convert over 150 full DCs to RODCs, and I found it an excellent example of how PowerShell remoting can save significant amounts of time and make a repetitive task like this a breeze!

A couple of final thoughts:

1. Be sure to monitor your replication over the coming days and get familiar with the repadmin command line utility.

2. It would be wise to remove the IFM media from your local disks as soon as you no longer need it, and be sure never to use it after the tombstone lifetime has passed. Remember that media created with ntdsutil "ifm create full" contains a complete copy of the database, password hashes included; only media from "ifm create rodc" has the secrets stripped, so treat those files accordingly until they are deleted.

Thanks for reading.

Regards,

jfrmilner

This post is provided “AS IS” with no warranties or guarantees, and confers no rights.


Comments
  1. […] This post was mentioned on Twitter by Web Active Folks, John Milner. John Milner said: Convert DCs to RODCs in bulk using #PowerShell (Part 3 of 3): #ActiveDirectory http://wp.me/pFqJZ-2h […]

  2. Big Evil says:

    Very nice. :)

  3. Antonio says:

    is possible convert RWDC to RODC without removing the AD DS role?

    Thanks
