Is it possible to create a user for AD on the RODC domain controller?

A

Andrew2022-02-28 11:34:06

Windows Server

Andrew, 2022-02-28 11:34:06

Hello. I want to deal with Rodc.
As far as I understood from the description, the RODC domain controller contains a read-only copy of the Active Directory database!
Raised a regular domain control (RWDC) on a virtual machine and added a RODC to it. I go to the RODC as a user belonging to the Domain Admins group, I go to AD users and computers, I click to add a user. Judas on the RWDC domain controller I go to AD users and computers and see the user added to the RODC. It turns out RODC all the same has access to the AD base not only on reading?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

H

hint000, 2022-02-28
@dr753

See which server the snap-in is connected to:

A

AntHTML, 2022-02-28
@anthtml

Well, if you are on a computer with the RODC service. by logging in as DC admin. added a user through the standard RSAT equipment connected to the RWDC, then the account will appear on the RWDC.
But if you didn't have access/rights to RWDC or the snap-in was connected to RWDC, then, depending on the rights, you could only view or edit the selected branch.

A

Andrey, 2022-02-28
@dr753

Thanks for the answer, got it. It turns out that when I run the AD users and computers snap-in on the RODC server, it connects to RWDC by default, so I create users not on rodc but on RWDC. To connect the snap-in specifically to the RODC, go to AD users and computers, right-click on the domain name, select the item change domain controller and select our RODC.