Beware the Read-only Domain Controller Schema Update
As mentioned in previous posts on this blog, the Windows Server 2008 read-only domain controller option allows you to install domain controllers in high risk environments where the domain controller might not be in an optimal physical security environment or perhaps there are no users with domain admin privileges at the branch office. With the read-only domain controller (RODC), non-domain admins can be configured to be allowed to log onto the domain controller but aren't able to make changes to the Active Directory, since the copy of the AD database on the RODC is read-only.
Windows Server 2008 makes the process of creating a RODC easy. All you need is an existing Windows Server 2008 domain controller in place already so that the RODC can create the read-only copy. Then you run the dcpromo command on the machine that will become the RODC and walk through the wizard. At the end of the wizard the machine automatically reboots itself and its a new domain controller in your domain.
Well, almost. The problem with the dcpromo command is that there isn't any information in the wizard that tells you that you need to update the schema to support the RODC. In order to do this, you need to copy the ADPREP directory from the Windows Server 2008 DVD. After you copy that directory, you need to run the command:
This step updates the permissions on all the DNS application directory partitions in the forest. This allows them to be replicated successfully by all RODCs that are also DNS servers. In order to run the command, you need to log onto a domain controller as an enterprise admin .
For more information on installing and managing RODCs, check out the Microsoft Step by Step guide at http://technet2.microsoft.com/windowsserver2008/en/library/8294cfa1-c828-4bba-82b2-e825e2f5a2401033.mspx?mfr=true
Just a heads up on a security issue that you might run into in the future.