In today’s Ask the Admin, I’ll show you how to change which users can have their account credentials cached on read-only domain controllers (RODC).
Windows Server 2008 saw the introduction of RODCs to address some of the security risks of placing DCs in locations that lack the physical security of centralized datacenters. Read-only copies of the Active Directory (AD) database partitions and the SYSVOL folder are hosted on RODCs to prevent attackers from making global changes to AD.
When only a RODC is present on the local subnet, users are authenticated against a writeable DC, even if it’s located across a wide area network. But it’s possible to cache credentials of accounts that use the local branch office networks to improve login speed and reduce network traffic. Additionally, there’s a deny list preventing password caching of sensitive AD accounts, such as the domain administrator account.
For more information on RODCs, see Deploy a Read Only Domain Controller on the Petri IT Knowledgebase. You can also modify which AD attributes are replicated to RODCs using the filtered attribute set (FAS).
To perform the instructions below, you must have an existing AD domain with at least one RODC.
Allowed RODC Replication Group in Windows Server 2012 R2 (Image Credit: Russell Smith)
Default groups denied replication to RODCs (Image Credit: Russell Smith)
Don’t forget that you can block credentials being cached by adding the relevant accounts to the Denied RODC Replication Group using the same process as above. And as with most permission scenarios, deny permissions override allow permissions. The Denied RODC Replication Group has the following members by default:
In this article I showed you how to configure which user and computer accounts can be cached on a RODC using built-in groups in Active Directory.
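The following PowerShell is an added example, not code from the article or from Petri: it puts an account into the allowed group, audits the effective Password Replication Policy of one RODC, and resolves whether a given account will end up cached, applying the rule stated above that deny overrides allow. The RODC name (BRANCH-RODC1) and the user names (bsmith, svc-backup) are placeholders. It uses the built-in groups, whose actual names are "Allowed RODC Password Replication Group" and "Denied RODC Password Replication Group", and the ActiveDirectory module cmdlets that read and change the per-RODC policy.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module,
# an account allowed to modify the two built-in groups, and placeholder names:
#   $Rodc = 'BRANCH-RODC1', $User = 'bsmith', sensitive account 'svc-backup'.
Import-Module ActiveDirectory

$Rodc = 'BRANCH-RODC1'   # placeholder RODC host name
$User = 'bsmith'         # placeholder sAMAccountName of a branch-office user

# 1. Allow caching of a branch-office user's credentials on every RODC in the domain.
#    Membership of the built-in group is the domain-wide default policy.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $User

# 2. Block caching of a sensitive account. The denied group wins even if the
#    account is also (directly or through nesting) in the allowed group.
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members 'svc-backup'

# 3. Audit the effective policy of one RODC (built-in groups plus any
#    per-RODC entries added with Add-ADDomainControllerPasswordReplicationPolicy).
Write-Host "Allowed on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
Write-Host "Denied on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 4. Accounts whose secrets are stored on the RODC right now. If the RODC is
#    lost or stolen, these are the passwords that must be reset.
Write-Host "Credentials currently cached on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 5. Accounts that authenticated through this RODC but were forwarded to a
#    writeable DC: candidates for the allowed list if they belong to the branch.
Write-Host "Authenticated via ${Rodc} but not cached:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 6. Resolve the outcome for one account from the built-in groups alone.
#    -Recursive expands nested groups such as Domain Admins in the denied group.
function Test-RodcCachingAllowed {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $allowed = Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    if ($denied -contains $SamAccountName)  { return 'Denied: deny overrides allow' }
    if ($allowed -contains $SamAccountName) { return 'Allowed: may be cached on RODCs' }
    return 'Not cached: authenticates against a writeable DC'
}

Test-RodcCachingAllowed -SamAccountName $User
Test-RodcCachingAllowed -SamAccountName 'svc-backup'
```

Step 6 only evaluates the two built-in groups; a per-RODC allowed or denied entry set with Add-ADDomainControllerPasswordReplicationPolicy would also count, which is why step 3 reads the policy from the RODC itself rather than from group membership. Step 4 is the check worth scheduling: it lists exactly which passwords are exposed by that one box.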