Sysadmin Lab

My lab environment and my findings

Admin On October - 21 - 2010

I did some testing of RODC in my lab.

By default, an RODC stores no passwords for any user or computer, except for its own computer account and the special krbtgt account created for that RODC. This makes sense from a security perspective: an RODC usually sits in a branch office with weaker physical security, and an attacker who gets hold of one finds no domain credentials on it to crack or reuse. (As soon as you allow caching, that guarantee only holds for the accounts you keep out of the cache, which is why the privileged groups are denied by default.)

But it may be a good idea to cache the passwords of the users at that site, so they can log on even when the WAN link is down. You set this in ADUC: open the RODC's computer object, Properties, and the Password Replication Policy (PRP) tab. There you list the groups (or individual accounts) whose members' passwords may or may not be replicated to this RODC. By default the only allowed entry is Allowed RODC Password Replication Group, and the denied entries are Account Operators, Administrators, Backup Operators, Server Operators and Denied RODC Password Replication Group; a deny entry always wins over an allow entry. Typically you create one allowed group per site that has an RODC, so a compromised RODC exposes at most that site's accounts.

The same settings can be applied at install time in the dcpromo answer file with these two keys (repeat a key once per account, in DOMAIN\name or BUILTIN\name form):

PasswordReplicationDenied=
PasswordReplicationAllowed=

On the same tab, the Advanced... button shows which accounts have authenticated through this RODC and which accounts' passwords have actually been sent to it, which is useful input when adjusting the PRP. The Resultant Policy tab lets you pick a user (or computer) and see whether that account's password would be cached on this RODC.
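The PRP tab, the Advanced... button and the Resultant Policy tab all have command-line equivalents in the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later). The following is an added example, not part of the original post: it creates a per-site allowed group, adds it to the PRP, and then pulls the same information the GUI shows. RODC01, DC01, the OU, the group name "Branch01 RODC Allowed", user bsmith and computer BRANCH01-WS1 are placeholders.

```powershell
# Added example (not from the original post). Placeholders: RODC01, the
# Branch01 OU, group "Branch01 RODC Allowed", user bsmith, computer BRANCH01-WS1.
Import-Module ActiveDirectory

$rodc    = 'RODC01'
$siteGrp = 'Branch01 RODC Allowed'

# One allowed group per RODC site: its members are the only accounts whose
# passwords may end up on that RODC, which bounds what a stolen RODC exposes.
New-ADGroup -Name $siteGrp -GroupScope Global `
    -Path 'OU=Branch01,DC=contoso,DC=com' -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity $siteGrp -Members 'bsmith', 'BRANCH01-WS1$'

# Same as ticking the group as Allow on the Password Replication Policy tab.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $siteGrp

# Effective allow and deny lists. Deny wins over allow, so an admin who is
# also a member of the site group is still never cached.
'--- Allowed ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
'--- Denied ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# What the Advanced... button shows: accounts that have authenticated via this
# RODC, and accounts whose secrets have actually been revealed to it.
'--- Authenticated through RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
'--- Passwords revealed to RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# What the Resultant Policy tab shows for a single account (Allow or Deny).
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'bsmith' -DomainController $rodc
```

Comparing the "authenticated" list with the "revealed" list is the quickest way to spot accounts that keep crossing the WAN for every logon because the PRP denies caching them.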

When an RODC receives a logon request for an account whose secrets it does not hold, it forwards the request to a writable Windows Server 2008 DC and asks that DC to replicate the account's credentials. The writable DC consults the PRP (deny entries override allow entries) to decide whether this RODC may cache them. If allowed, it replicates the credentials and the RODC caches them locally; subsequent logons are then authenticated by the RODC from its cache with no round trip to the writable DC. If denied, every logon for that account keeps going over the WAN, and fails while the link is down.

There is no operation that purges the RODC's credential cache. What you do instead is reset the passwords of every account that was cached, which makes the cached secrets useless for accessing anything. This is also the right response if the RODC is compromised, before you rebuild it, and it is much easier than working out by hand which accounts were cached, because the RODC's own object records every account whose password it has been given. Simply delete the DC in ADUC and you are asked whether to reset all cached user passwords, reset all cached computer passwords, and export the list of cached accounts to a file. Keep that export: resetting the computer passwords breaks each machine's secure channel with the domain, so those machines have to be rejoined.
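The same response can be scripted, which is useful when you want a record of exactly what was reset before the DC object disappears. This is an added example, not part of the original post: it reads the RODC's revealed-accounts list, exports it, resets every cached user password to a random value, and lists the cached computer accounts instead of resetting them blindly. RODC01 and the export path are placeholders; run it as a Domain Admin against a writable DC.

```powershell
# Added example (not from the original post). Placeholders: RODC01, C:\Temp.
Import-Module ActiveDirectory
$rodc = 'RODC01'

# The list of secrets this RODC has ever been given; this is what the
# "Delete DC" dialog in ADUC resets for you.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# Record it first, like the dialog's "Export the list" option.
$revealed | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path "C:\Temp\$rodc-revealed.csv" -NoTypeInformation

# Users: a random reset makes the cached hash worthless; the user picks a new
# password at next logon. The RODC's own krbtgt_<id> account is skipped; it is
# removed together with the RODC object.
Add-Type -AssemblyName System.Web
$users = $revealed | Where-Object { $_.ObjectClass -eq 'user' -and $_.Name -notlike 'krbtgt*' }
foreach ($u in $users) {
    $new = [System.Web.Security.Membership]::GeneratePassword(24, 6)
    Set-ADAccountPassword -Identity $u.DistinguishedName -Reset `
        -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
    Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
    "reset user $($u.Name)"
}

# Computers: resetting their account password in AD breaks the secure channel,
# so each one must afterwards be rejoined (or run Reset-ComputerMachinePassword
# against a writable DC). List them so that work can be planned.
'--- Cached computer accounts that need a new machine password ---'
$revealed | Where-Object { $_.ObjectClass -eq 'computer' } | Select-Object Name
```

Only after the resets are done should the DC object be deleted in ADUC (answering no to the reset questions, since they have been handled) and the RODC rebuilt.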

But what is that Prepopulate Passwords option? Well, say you have 100 users at this branch office and you have added their group to the PRP. Instead of waiting for each user to log on once (over the WAN) before their password is cached, you can tell the DCs to replicate those passwords to the RODC right away.

From Microsoft: In addition, prepopulating the password cache is a good idea if you build an RODC in a central location, such as in a data center, before you transport the RODC to the branch office. By prepopulating the password cache with the users and computers who will log on in the branch office, the RODC can authenticate those accounts without contacting the Windows Server 2008 domain controller over the WAN link. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation fails. You can also use the Repadmin command-line tool.
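Prepopulation can be done for a whole site group at once, and the PRP check the Microsoft text describes can be made explicit rather than showing up as a failure. This is an added example, not part of the original post or of Microsoft's documentation: it pushes the secrets of every member of the site's allowed group from writable DC01 to RODC01 with Sync-ADObject -PasswordOnly, skipping accounts the PRP would refuse, and then verifies the result. RODC01.contoso.com, DC01.contoso.com and "Branch01 RODC Allowed" are placeholders.

```powershell
# Added example (not from the original post). Placeholders: RODC01.contoso.com,
# DC01.contoso.com, group "Branch01 RODC Allowed".
Import-Module ActiveDirectory
$rodc    = 'RODC01.contoso.com'   # destination RODC, e.g. still in the data center
$source  = 'DC01.contoso.com'     # writable DC holding the secrets
$siteGrp = 'Branch01 RODC Allowed'

$done = 0; $skipped = @()
foreach ($m in Get-ADGroupMember -Identity $siteGrp -Recursive) {
    # The writable DC enforces the PRP, so prepopulating a denied account
    # fails. Check the resultant policy first to report why, not just that.
    $policy = Get-ADAccountResultantPasswordReplicationPolicy `
        -Identity $m.DistinguishedName -DomainController $rodc
    if ("$policy" -ne 'Allow') { $skipped += "$($m.Name) ($policy)"; continue }

    # Replicate only the account's secrets, not the whole object.
    Sync-ADObject -Object $m.DistinguishedName -Source $source -Destination $rodc -PasswordOnly
    $done++
}
"Prepopulated $done account(s) on $rodc"
if ($skipped.Count -gt 0) { "Skipped (PRP denies caching): $($skipped -join ', ')" }

# Verify: the accounts now appear in the RODC's revealed list.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# repadmin equivalent for a single account (works on Windows Server 2008 RTM):
# repadmin /rodcpwdrep RODC01 DC01 "CN=Bob Smith,OU=Branch01,DC=contoso,DC=com"
```

Members of a denied group (for example a branch user who is also a Backup Operator) will always land in the skipped list; that is the PRP doing its job, and the fix, if you want it, is to take them out of the privileged group rather than out of the deny list.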

Categories: Windows

One Response

  1. chris says:

    Thanks, I'm studying for my 70-640 test right now, and I keep missing the questions over this. Hopefully now I won't. Love the site.
