Site icon REBELADMIN

Password Replication in RODC

In last 2 posts I have explain benifits of the RODC and how we can deploy a RODC. if you haven't read them yet you can read them with following links,

Why Read-only domain controllers (RODC) ?
Step-by-Step guide to install Read-Only Domain Controller (RODC)

In RODC environment one of the great feature is the password replication. in RODC environment we can determine which passwords need to be cache in RODC and which accounts still need to be authenticate via writable domain controller. As example domain administrator accounts do not need to be cached on RODC. its always safe if it can be authaticate via routable DC for security purposes. so if a domain administrator login from a RODC enviornment, we can set system to forward the authtication request or service ticket to the writable domain controller.

Microsoft made this easy by introducing password replication policy (PRP) to RODC environment. by default system create domain-wide password replication policy two domain local security groups.

Allowed RODC Password Replication Group : Members of this group will allow to cache passwords in RODC. by default this group do not have any members.

Denied RODC Password Replication Group: Members of this group are deny to cache passwords in RODC. Some of the groups which are security critical are member of this group by default such as Administrators, Server Operators, Backup Operators, Account  Operators.

One of the biggest mistakes administrator do is only allow/deny user accounts. But computers it self also uses authatication and service tickets requests. so make sure you add computer accounts also in to these lists.

How to configure RODC password replication policy(PRP) ?

1) Login to a writable domain controller with domain administrator account
2) Open "Active Directory Users and Computers" snap in by Server Manager > Tools > Active Directory Users and Computers
3) Go to "Domain Controllers" OU

4) Click to select the RODC you need to configure PRP. Then right click and click on properties.

5) In the properties window click on "Password Replication Policy" tab

6) In there we can see the 2 groups i mentioned above.

7) We can add users to these groups. to add users/computers to those double click on the group. in here i will use "Allowed RODC Password Replication Group"

8) To add users/computers to group click on members tab and click on add.

9) Once users/computers added click on "OK" to apply changes.

Policy Usage Reports and Pre-Populate Credential Caching

Microsoft provided a easy method of reporting where we can check the status of password replication. in order to use this facility need to follow following steps.

1) Login to a writable domain controller with domain administrator account
2) Open "Active Directory Users and Computers" snap in by Server Manager > Tools > Active Directory Users and Computers
3) Go to "Domain Controllers" OU
4) Click to select the RODC you need to configure PRP. Then right click and click on properties.
5) In the properties window click on "Password Replication Policy" tab
6) Click on "Advanced" button

7) In here drop-down list there is 2 options listed

Accounts Whose Passwords Are Stored On This Read-Only Domain Controller: This option will list all the user accounts/computer accounts which are currently cached password on RODC.

Accounts That Have Been Authenticated To This Read-Only Domain Controller: This option will list the user accounts/computer accounts which were forwarded to writable domain controller for authentication and service tickets process. This is good place to identify the user accounts/ computer accounts which will still need to add to allow list for password caching.

In PRP lets assume we allowed USER A to cache his credentials in RODC. But it will not cache it right away. it will cache credential once user made first authentication request to the RODC. but microsoft given opertunity where we can pre-populate the caching. so when user login first time his password is already been cached on RODC.

In order to use this feature click on "Pre-Populate Passwords…" button in same advance window.

It will open up window where you can select the accounts you need. once its selected it will pop-up following information window. click on yes to accept the changes.
before do this make sure you have already allow that user/computer account in Allow list of password caching.

if you have any questions please feel free to contact me on rebeladm@live.com

Exit mobile version