Search the Petri IT Knowledgebase

The Unofficial M365 Changelog

Sponsors

Podcasts

Learning Center
search icon

close

Icon for Latest Whitepaper

Latest Whitepaper

Choosing an MFA Solution for Your Active Directory Environment? Ask These 15 Questions.
Icon for On-Demand Webinar

On-Demand Webinar

Combating Cyberattacks in 2022: Prepare to Defend Your Active Directory
Icon for Upcoming Conference

Upcoming Conference

GET-IT Microsoft Cloud Security and Compliance 1-Day Virtual Conference
Icon for Ebook

Ebook

The Forrester New Wave™: SaaS Application Data Protection, Q4 2021

Home

Active Directory

Controlling Password Replication on Read-Only Domain Controllers

Author avatar - Russell Smith

Russell Smith

 |

Aug 8, 2016

password-hero-img-aspect

In today’s Ask the Admin, I’ll show you how to change which users can have their account credentials cached on read-only domain controllers (RODC).

advertisment

Windows Server 2008 saw the introduction of RODCs to address some of the security risks of placing DCs in locations that lack the physical security of centralized datacenters. Read-only copies of the Active Directory (AD) database partitions and SYSVOL folder are hosted on RODCs to prevent attackers making global changes to AD.

When only a RODC is present on the local subnet, users are authenticated against a writeable DC, even if it’s located across a wide area network. But it’s possible to cache credentials of accounts that use the local branch office networks to improve login speed and reduce network traffic. Additionally, there’s a deny list preventing password caching of sensitive AD accounts, such as the domain administrator account.

For more information on RODCs, see Deploy a Read Only Domain Controller on the Petri IT Knowledgebase. You can also modify which AD attributes are replicated to RODCs using the filtered attribute set (FAS).

Cache credentials on an RODC

To perform the instructions below, you must have an existing AD domain with at least one RODC.

advertisment

  • Log in to any domain controller with an account that has permission to modify AD group membership.
  • Open Server Manager from the Start screen.
  • In Server Manager, select Active Directory Users and Computers (ADUC) from the Tools menu.
Allowed RODC Replication Group in Windows Server 2012 R2 (Image Credit: Russell Smith)

Allowed RODC Replication Group in Windows Server 2012 R2 (Image Credit: Russell Smith)

  • In Active Directory Users and Computers, expand your AD forest and domain in the left pane, and click the Users container.
  • In the right pane of (ADUC), double click Allowed RODC Replication Group.
  • In the group dialog box, switch to the Members tab.
  • Click Add at the bottom of the dialog, then enter the names of any users or groups you’d like to add to Allowed RODC Replication Group, and then click Check Names.
  • If matching accounts are found in AD, the names will appear underlined in the dialog box after clicking Check Names.
  • Once you’re done adding accounts, click OK.
  • Click OK in the group dialog box to complete the process.
Default groups denied replication to RODCs (Image Credit: Russell Smith)

Default groups denied replication to RODCs (Image Credit: Russell Smith)

Don’t forget that you can block credentials being cached by adding the relevant accounts to the Denied RODC Replication Group using the same process as above. And as with most permission scenarios, deny permissions override allow permissions. The Denied RODC Replication Group has the following members by default:

  • Enterprise Domain Controllers
  • Enterprise Read-Only Domain Controllers
  • Group Policy Creator Owners
  • Domain Admins
  • Cert Publishers
  • Enterprise Admins
  • Schema Admins
  • Domain-wide krbtgt account

In this article I showed you how to configure which user and computer accounts can be cached on a RODC using built-in groups in Active Directory.

More from Russell Smith

TwiIT ep21

Project Volterra, Hybrid Loop, and NPUs to Supercharge AI on Your Devices
TWiIT ep20

Windows 11 Approved for Broad Deployment and 'One Outlook' Drops for Insiders
This Week in IT Ep 19

Microsoft Takes on Rival Calendly with Outlook Bookings - Plus the Latest IT News Updates

advertisment

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

advertisment

More in Active Directory

Windows Server 4 Hero Approved

Microsoft Releases Out-Of-Band Patches to Fix Windows AD Authentication Issues

May 20, 2022 | Rabia Noureen

Cloud Conversations

Cloud Conversations – Ståle Hansen on Digital Wellbeing and Viva Explorers

May 19, 2022 | Laurent Giret

Network Security

How to Access Active Directory

May 17, 2022 | Michael Reinders

Cloud Computing

Microsoft Rolls Out Azure AD Verifiable Credentials Service to More Customers

May 11, 2022 | Rabia Noureen

Network Security

Active Directory vs. Azure AD (and Other Identity Providers)

May 9, 2022 | Michael Taschler

Security

Apple Finally Discontinues Support for macOS Server App

Apr 25, 2022 | Rabia Noureen

Most popular on petri

X

Log in to save content to your profile.

Login

Sign Up

Username/Email

Password

Forgot Password?

Login

Article saved!

Access saved content from your profile page. View Saved

Reach out

Contact Us

Advertising

About Us

Media Kit

Learn More

Podcasts

Learning Center

Webinars

Sitemap

Windows

Cloud

Office 365

Servers

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use

 |

Privacy Policy