While using a Read Only Domain Controller as a Host is possible, it is not a best practice. Nonetheless, a few customers are running into issues when attempted. One of our SCVMM engineers researched the issue and has developed the method below that addresses security needs of SCVMM. This will also appear as a Knowledge Base article soon. Remember, this is not a best practice, and troubleshooting will mean demotion to a member server from RODC. Thanks Steve!

What is a Read Only Domain Controller? http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx

Summary

A Read Only Domain Controller (RODC) can only be used as a Host if it was already a Host prior to being promoted. If a RODC needs to be used as a Host and was not previously managed by SCVMM, it will have to be demoted to a member server and made a managed Host prior to promotion back to RODC.

IMPORTANT: Although a Read Only Domain Controller can be used as Host in SCVMM, this is not the recommended usage of a Read Only Domain Controller.

Requirements

  • System Center Virtual Machine Manager 2008 or 2008 R2
  • A Host machine that was added to SCVMM via the Admin
  • Console-NOT manual installation of the VMMAgent.
  • VMMServer Computer Account in BUILTIN\Adminstrators group in Active Directory
    • Created when Host is added via SCVMM Admin Console
  • Virtual Machine Manager Servers local group on Host
    • Created when Host is added via SCVMM Admin Console

Resolution

  1. If the server is currently a RODC, it must be demoted to a member server via DCPROMO.
  2. Add the member server to SCVMM via the Admin Console. You must not install the VMMAgent manually or necessary groups will not be created.
  3. Once the member server can be managed by SCVMM, proceed with the next steps.
  4. Log onto a Domain Controller and go to Active Directory Users and Computers
  5. Add the VMM Server Computer Account to the Built-In Administrators Group in Active Directory
    clip_image002
  6. (VMM Server=AP2118514 in this example)
  7. On the member server, START>RUN>DCPROMO
  8. Follow the wizard, and select Read Only Domain Controller as an option, leaving DNS and Global Catalog checked.
  9. After the DCPROMO wizard completes , allow the reboot to complete
  10. On the RODC, under CONTROL PANEL>WINDOWS FIREWALL, clicked on “Allow a Program through Windows Firewall”
    • Make sure these are checked:
      • Hyper-V
      • Hyper-V Management Clients
      • Windows Management Instrumentation (WMI)
      • Windows Remote Management
  11. On the SCVMM Admin Console, selected the host (now an RODC) and selected REFRESH from the ACTION panel.
    • Action should complete successfully.
  12. Created a new VM on the host as a test
    • Action should complete successfully.

NOTE: If the steps above do not work, demote the server to a member server and start over. This time, after Step 7, on the “Delegation of RODC Installation and Administrators” section of the wizard, set BUILTIN\Administrators as the group.

Applies to: Windows Server 2008, SCVMM 2008, SCVMM 2008 R2