Installing Forefront TMG on a Domain Controller was not a supported scenario until Forefront TMG Service Pack 1 was been released. With Forefront TMG SP1 we are now able to install Forefront TMG on a Domain Controller under the role of Read Only Domain Controller (RODC). An RODC can be used for small branch offices which require a local Domain Controller but do not want to implement a full writeable Domain Controller in the branch office for security reasons.
As a prerequisite for installing a RODC, the Windows Forest Functional Level must be Windows Server 2008 or higher and you must prepare your Active Directory environment to allow a RODC installation with the command line tool ADPREP / RODCPREP which is a Windows Server component.
Next, we create a new Organizational Unit (OU) in Active Directory. This OU is used by a preparation script of Forefront TMG to create the accounts and groups (SQL groups for example) which are required for a Forefront TMG installation.
Figure 1: New OU for Forefront TMG
We can use the DSQUERY utility to locate the Distinguished Name (DN) for the newly created OU. You must note the DN of the OU to execute the script for the Forefront TMG installation.
Figure 2: Execute DSQUERY to note the name of the OU
The script which creates the Forefront TMG installation account and the SQL Server groups can be found here. Copy the content of the script into a Notepad file and save it with a name you want, then execute the script as shown in the following screenshot.
It is VERY important to enter the DN of the created OU with correct upper- and lowercase characters. The script is case sensitive!
Figure 3: Forefront TMG account preparation script
After the script has been executed sucessfully you will see the new created users and groups in the Active Directory Users and Computers SnapIn.
Figure 4: New created user accounts and user groups
If you forgot to specify the password of the Forefront TMG service account until the script executes, a disabled user account will be created. You have to set a password for the account and the account must be enabled.
Figure 5: Change the password of the TMG Service account if you didn’t specify one in the script
Now, it is time to precreate the RODC computer account before you install the RODC. Start Active Directory Users and Computers, locate the Domain Controllers OU and create the account.
Figure 6: Precreate RODC account
Specify the name of the RODC and the Active Directory site where the RODC will be installed. For the delegated RODC installation and Administration account specify the account created by the script earlier on.
Figure 7: RODC Account from the TMG script
The RODC computer account has been created in Active Diretcory.
Figure 8: Unoccupied DC account before RODC installation
Navigate to the properties of the RODC account, the Password Replication Policy tab and click ADD to add additional users / groups you want to replicate to the RODC.
Figure 9: RODC Password replication policy
Allow passwords to replicate to the RODC
Figure 10: Allow password replication to the RODC for the TMG accounts
Select all accounts and groups created earlier on by the script.
Figure 11: Select all TMG accounts and groups
After all prerequisted have been completed, you are now able to install the Read Only Domain Controller (RODC). Start DCPROMO on the new Windows Server 2008 R2 machine and follow the instructions of the wizard. Because we pre-created the RODC account in Active Directory, we will get an infomational message stating that the account already exists which we accept by clicking the OK button.
Figure 12: RODC installation
Forefront TMG Installation
After a successful RODC installation, we then continue by installing Forefront TMG on the Server. The setup process is almost the same as a Forefront TMG installation on a Windows member server.
First, we need to install the Forefront TMG preqrequisites. This must be done with a command line tool called Servermanagercmd which is the command line part of the UI tool Servermanager. This has been around since Windows Server 2008 to install roles and features on a Windows Server 2008 machine.
Figure 13: Installing Forefront TMG prerequistes
TMG SP1 Slipstream Installation
Because the RTM version of Forefront TMG doesn’t support the installation on an RODC you must create a Slipstream installation of Forefront TMG RTM with Forefront TMG SP1. Copy the content of the Forefront TMG DVD and the .MSP file of Forefront TMG to a local directory on the Server and execute the following command from the command line.
Figure 14: Forefront TMG SP1 Slipstream installation
After the Forefront TMG SP1 slipstream installs successfully, we can then start installing Forefront TMG on the RODC. The installation process is now the same as every Forefront TMG installation.
In this article we have seen how to install Forefront TMG on a Read Only Domain Controller (RODC). I personally never had to install a TMG Server on an RODC but as you have seen in this article it is possible without any issues if you are well prepared.