Installing Forefront TMG on the RODC

This procedure describes how to install and configure Forefront TMG SP1 on a read-only domain controller (RODC).

Installing Forefront TMG SP1 on a read only domain controller

  1. Run the following from an elevated command prompt:

    ServerManagerCmd.exe -inputpath <DVD_path>\FPC\PreRequisiteInstallerFiles\WinRolesInstallSA_Win7.xml -logPath C:\Windows\TEMP\TMG-Prerequisites.log
  2. Prepare a Forefront TMG SP1 slipstream DVD with the following steps:

    1. Copy the Forefront TMG DVD and the Forefront TMG SP1 MSP file to a local drive on the target computer. For the purposes of this example, let’s assume this is c:\temp\TMG.

    2. At a command prompt, type the following command and press ENTER.

      msiexec /a c:\temp\TMG\FPC\MS_FPC_SERVER.msi /p TMG-KB981324-amd64-ENU.msp /qb /L*v c:\tmg\log.txt

      When the operation completes, you will have a full installation of Forefront TMG already upgraded to Service Pack 1.

  3. Run the upgraded setup program by typing c:\temp\TMG\FPC\setup.exe at a command prompt and pressing ENTER.

  4. Define the Internal network to include the branch subnets, and complete the installation. The Forefront TMG installation automatically identifies that it is running on a DC, and enables the system policy that allows DC traffic from the Internal network to the Forefront TMG server, as well as from the HQ DCs (if they are outside the internal network). See the table below for the list of allowed protocols.

  5. The Internal network computers require connectivity to the HQ DCs. If Forefront TMG functions as a network gateway between the Internal network and the HQ DCs, create a policy access rule that allows:

    • Name: Allow Directory Services access from Internal to HQ DCs

    • From: Internal Network

    • To: Domain Controllers computer set (created automatically during installation)

    • Protocols: All protocols from the table below






      LDAP for AD queries

      Rule name: Allow access to directory services on Forefront TMG

      LDAP (UDP)




      LDAP GC


      LDAPS GC


      Kerberos-Sec (TCP)



      Rule name: Allow Kerberos authentication to Forefront TMG

      Kerberos-Sec (UDP)


      Kerberos Password v5


      Microsoft CIFS (TCP)

      Microsoft CIFS (UDP)


      Group Policy download for branch machines

      Rule name: Authentication Services: Allow Microsoft CIFS to Forefront TMG




      Rule name: Authentication Services: Allow RPC to Forefront TMG



      DNS for branch machines

      Rule name: Allow DNS to Forefront TMG

      - Users: All users
      > [!IMPORTANT]
      > Make sure that the default gateway of the client machines is the Forefront TMG server. 
      > <P></P>
      1. Every branch account (user or computer) that is joined to the domain needs to have its password replicated to the RODC for authentication purposes. To replicate the password, complete the following steps on the HQ DC:

        1. In Active Directory Users and Computers, select the Domain Controllers branch, right-click the RODC and select Properties.

        2. Click the Password Replication Policy tab, and then click Add.

        3. Select Allow passwords for the account to replicate to the RODC, select all relevant local users for this branch and then click OK.

        4. On the RODC’s Properties page, click Advanced, and verify that the user accounts you added appear in the list of Accounts whose passwords are stored on this Read-only Domain Controller.

        5. Active Directory must complete replicating the user information to the RODC before you can log on with these accounts.

      Other Resources

      Installing Forefront TMG on a domain controller