Add or Remove Active Directory attributes from Read-Only Domain Controllers (RODCs)

In this Ask the Admin, I’ll show you how to add or remove Active Directory attributes from the read-only domain controllers (RODCs) filtered attribute set, to control whether sensitive data gets replicated to branch offices.

Read-only domain controllers were introduced in Windows Server 2008 and were designed to improve security in locations where server hardware can’t be physically secured, most commonly branch offices. While RODCs contain a copy of each domain partition, some Active Directory (AD) attributes are not replicated, so if an RODC is compromised, only a limited amount of data is exposed.

Attributes marked RODC_FILTERED are part of what’s known as the RODC filtered attribute set, or FAS, and are not replicated to RODCs. By default, the attributes included in FAS are:

• ms-PKI-DPAPIMasterKeys
• ms-PKI-AccountCredentials
• ms-PKI-RoamingTimeStamp
• ms-FVE-KeyPackage
• ms-FVE-RecoveryPassword
• ms-TPM-OwnerInformation

While it’s unlikely you’d want to remove any of these attributes from the RODC FAS, it might be useful to remove attributes that get added as part of extending the Active Directory schema. For example, in my recent article Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on the Petri IT Knowledgebase, I showed you how to extend the AD schema to add two new attributes required by LAPS to store local administrator passwords (ms-MCS-AdmPwd) and expiry times (ms-MCS-AdmPwdExpirationTime) in Active Directory.

The PowerShell cmdlet included with LAPS used to extend the schema adds the ms-MCS-AdmPwd attribute to the RODC FAS, so if you want IT staff to be able to access local administrator passwords stored in AD directly from an RODC, the ms-MCS-AdmPwd attribute needs to be removed from the RODC FAS.

Using ADSI Edit to Modify the RODC FAS

Before you can modify Active Directory attributes, you need to be logged in as a schema administrator. ADSI Edit can be accessed from Server Manager on a domain controller or from a domain member that has the Remote Server Administration Tools (RSAT) installed. For more information on working with RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install on Petri.

For the purposes of this demo, I’ll log on to a Windows Server 2012 R2 domain controller as a domain administrator.

• Open Server Manager using the icon on the desktop taskbar or from the Start screen.
• Select ADSI Edit from the Tools menu.
• In ADSI Edit, select Connect to from the Action menu.
• In the Connection Settings dialog, make sure that Select a well known Naming Context is checked under Connection Point, and then select Schema from the drop-down menu, and click OK.
• In the left pane of ADSI Edit, double click Schema, and then on the distinguished name below Schema. A list of attributes will then appear in the central pane.
• Scroll down the list until you find the attribute you want to modify, in my case ms-MCS-AdmPwd.
• Double click the attribute.
• In the Properties dialog, scroll down on the Attribute Editor tab until you find the searchFlags attribute value.

Expand the Value field, and you’ll see not only the value setting in HEX, 0x388, but also the set bits: PRESERVE_ON_DELETE, CONFIDENTIAL, NEVER_AUDIT_VALUE, RODC_FILTERED. To remove the RODC_FILTERED bit from the attribute value, I need to set the 9th bit of the value to 0. To do this, I need to subtract 512 from the currently set decimal number.

• Double click the searchFlags attribute value, and change the number in the Integer Attribute Editor dialog to 392. That’s 512 subtracted from the original value of 904.
• Click OK.

IN the Properties dialog, you’ll now see that the HEX number of the searchFlags attribute value has changed, and the RODC_FILTERED flag has been removed from the list.

• Click OK in the Properties dialog.
• Close ADSI Edit.

Other flags can be removed from the searchFlags attribute value, such as CONFIDENTIAL, which prevents members of the Authenticated Users group, which includes the computer accounts of RODCs, from reading the attribute, even if it’s not replicated to a RODC. To remove the CONFIDENTIAL flag from the seachFlags attribute value, subtract 128 from the currently set decimal number.

Related Article:

• How to View the Attribute Editor in Active Directory