Впервые функционал контроллера домена, доступного только на чтение (RODC — read-only domain controller), был представлен в Windows Server 2008. Основная цель RODC контроллера домена — возможность безопасной установки собственного контролера домена в удаленных филиалах и офисах с плохими WAN каналами и в которых сложно обеспечить физическую защиту сервера с ролью ADDS. Контроллер домена RODC содержит копию базы Active Directory, доступную только на чтение. Это означает, что никто, даже при получении физического доступа к такому контроллеру домена, не сможет изменить данные в AD (в том числе сбросить пароль администратора домена).
В этой статье мы рассмотрим, как установить новый контроллер домена RODC на базе Windows Server 2022/2019 и особенности управления им.
Содержание:
- Что такое контроллера домена на чтение RODC?
- Установка RODC из графического интерфейса Server Manager
- Установка контроллера домена на чтение (RODC) с помощью PowerShell
- Политики репликации и кэширования паролей на RODC
Что такое контроллера домена на чтение RODC?
Основные отличия RODC от обычных контроллеров домена, доступных для записи (RWDC):
- Контроллер домена RODC хранит копию базы AD, доступную только для чтения. Клиенты не могут вносить изменения в базу такого контролера домена;
- RODC не реплицирует данные AD и папку SYSVOL на другие контроллеры домена (RWDC) (используется односторонняя репликация);
- Контроллер RODC хранит полную копию базы AD, за исключением хэшей паролей объектов AD и других атрибутов, содержащих чувствительную информацию. Этот набор атрибутов называется Filtered Attribute Set (FAS). Сюда относятся такие атрибуты, как ms-PKI-AccountCredentials, ms-FVE-RecoveryPassword, ms-PKI-DPAPIMasterKeys и т.д. Можно добавить и другие атрибуты в этот набор, например пароли компьютеров, хранящиеся в открытом виде в атрибуте ms-MCS-AdmPwd при использовании LAPS;
- При получении контроллером RODC запроса на аутентификацию от пользователя, он перенаправляет этот запрос на ближайший RWDC контроллер;
- Контроллер RODC может кэшировать учетные данные некоторых пользователей (это ускоряет аутентификацию и позволяет пользователям авторизоваться на контроллере домена, даже при отсутствии связи с RWDC);
- Вы можете относительно безопасно предоставить административный доступ и RDP вход на контроллер домена пользователям без предоставления прав на других DC или Domain Admins (например, для доступа к серверу техническому специалисту филиала);
- DNS служба на RODС работает только на чтение.
Требования, которые должны быть выполнены для разворачивания Read-Only Domain Controller.
- На сервере должен быть назначен статический IP;
- Windows Firewall должен быть отключен или корректно настроен для прохождения трафика между DC и доступов от клиентов;
- В качестве DNS сервера должен быть указан ближайший RWDC контроллер;
- Вы можете установить RODC как на Windows Server Full GUI, так и на Windows Server Core редакцию.
- Не стоит размещать RODC в одном сайте с RWDC.
Установка RODC из графического интерфейса Server Manager
Откройте консоль Server Manager и добавьте роль Active Directory Domain Services (согласитесь с установкой всех дополнительных компонентов и средств управления).
На этапе указания настроек нового DC, укажите что нужно добавить новый контроллер домена в существующий домен (Add a domain controller to an existing domain), укажите имя домена и, если необходимо, данные учетной записи пользователя с правами администратора домена.
Выберите, что нужно установить роль DNS сервера, глобального каталога (GC) и RODC. Далее выберите сайт AD, в котором будет находится новый контролер и пароль для доступа в DSRM режиме.
Далее нужно указать пользователя, которому нужно предоставить административной доступ к контроллеру домена (Delegated administrator account), а также список учетных записей/групп, пароли которых разрешено (Accounts that are allowed to replicate passwords to the RODC) и запрещено (Accounts that are denied from replicating passwords to the RODC) реплицировать на данный RODC (можно задать позднее).
Укажите, что данные базы AD можно реплицировать с любого DC.
Replicate from ->
Any domain controller
Затем укажите пути к базе NTDS, ее журналам и папке SYSVOL (в случае необходимости их можно перенести на другой диск позднее).
После проверки всех условий, можно запустить установку роли ADDS.
Также вы можете развернуть RODC с помощью функции Staged. Она заключается в предварительном создании учетной записи компьютера RODC в консоли ADUC и базовой настройки. Для этого щелкните правой кнопкой по контейнеру Domain Controllers и выберите Pre-create Read-Only Domain Controller account.
При установке ADDS на сервере с таким же именем, появится надпись:
A Pre-created RODC account that matches the name of the target server exists in the directory. Choose whether to use this existing RODC account or reinstall this domain controller.
Выберите опцию Use existing RODC account, чтобы использовать настроенный аккаунт RODC в AD.
После завершения установки роли и перезагрузки сервера вы получите RODC контроллер. Вы можете проверьте состояние контроллера домена согласно статье.
При подключении консолью ADUC (dsa.msc) к RODC все кнопки создания новых объектов AD станут неактивными (серыми). Также на RODC нельзя изменить атрибуты объектов AD. Все остальные действия в консоли Active Directory, в том числе поиск, работают как обычно.
Установка контроллера домена на чтение (RODC) с помощью PowerShell
Для разворачивания нового RODC с помощью PowerShell, нужно установить роль ADDS и PowerShell модуль ADDS.
Add-WindowsFeature AD-Domain-Services, RSAT-AD-AdminCenter,RSAT-ADDS-Tools
Теперь можно запустить установку RODC:
Install-ADDSDomainController -ReadOnlyReplica:$true -DomainName yourdimain.com -SiteName "Default-First-Site-Name" -InstallDns:$true -NoGlobalCatalog:$false
После окончания работы командлет запросит перезагрузку сервера.
Выведите список DC в вашем домене с помощью командлета Get-ADDomainController из модуля AD PowerShell:
Get-ADDomainController -Filter * | Select-Object Name,IsReadOnly
У RODC значение атрибута IsReadOnly должно быть True
Чтобы вывести все RODC в домене, выполните:
Get-ADDomainController –filter {IsReadOnly –eq $true}
Если вы хотите сначала создать аккаунт RODC в домене, исопльзуйте такую команду:
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName SPB-RO-DC1 -DomainName winitpro.ru -DelegatedAdministratorAccountName "winitpro\kbuldogov" -SiteName SPB_RO_Site
Затем при повышении Windows сервер до DC используйте команду:
Install-ADDSDomainController -DomainName winitpro.ru -Credential (Get-Credential) -LogPath "C:\Windows\NTDS" -SYSVOLPath "C:\Windows\SYSVOL" -ReplicationSourceDC "SPB-DC01.winitpro.ru" – UseExistingAccount
С помощью PowerShell вы также не сможете изменить атрибуты объектов AD при подключении к RODC. Если вы хотите изменить атрибуты объекта из сайта с RODC, указать адрес ближайшего RWDC с помощью параметра
–Server
, который доступен у командлетов Set-ADUser, Set-ADComputer, New-ADUser и т.д.
Политики репликации и кэширования паролей на RODC
На каждом RODC можно задать список пользователей, компьютеров и серверов, чьи хэши пароли можно или нельзя реплицировать на данный контролер домена.
Все компьютеры, пользователи и сервера в кэше RODC смогут аутентифицироваться на этом контроллере домена, даже если отсуствет связь с RWDC.
По умолчанию в домене создаются две новые глобальные группы
- Allowed RODC Password Replication Group
- Denied RODC Password Replication Group
Первая группа по умолчанию пуста, а во второй содержатся административные группы безопасности, пароли пользователей которых нельзя реплицировать и кэшировать на RODC с целью исключения риска их компрометации. Сюда по-умолчанию входят такие группы, как:
- Group Policy Creator Owners
- Domain Admins
- Cert Publishers
- Enterprise Admins
- Schema Admins
- Аккаунт krbtgt
- Account Operators
- Server Operators
- Backup Operators
В группу Allowed RODC Password Replication Group обычно добавляются группы пользователей филиала, в котором находится RODC.
Если в домене развернутся несколько контроллеров домена на чтение, лучше создать такие группы для каждого RODC. Привязка групп к контроллеру домена RODC выполняется в свойствах сервера в консоли ADUC на вкладке Password Replication Policy .
В окне Advanced Password Replication Policy for RODC_name можно просмотреть:
- Accounts whose passwords are stored on this Read-Only Domian Controller – список пользователей и компьютеров, чьи пароли закешированы на этом RODC
- Accounts that have been authenticated to this Read-Only Domain – список пользователей и компьютеров, которые подключены через этот RODC
На вкладке Resultant Policy можно выбрать учетку пользователя и узнать, будет ли его пароль кэшироваться на RODC.
Вы можете управлять группами RODC с помощью PowerShell. Вывести список пользователей в группе AD:
Get-ADGroupMember -Identity "Denied RODC Password Replication Group" | ft Name, ObjectClass
Добавить в группу RODC всех активных пользователей из определенного OU Active Directory:
Get-ADUser -Filter {Enabled -eq "True"} -SearchBase 'OU=SPBOffice,DC=winitpro,DC=ru' | ForEach-Object {Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $_ -Confirm:$false }
Чтобы закешировать пароль пользователей из OU на RODC, используйте скрипт:
$users = Get-ADUser -Filter {Enabled -eq "True"} -SearchBase 'OU=SPBOffice,DC=winitpro,DC=ru'
foreach ($user in $users) {
Get-ADObject -identity $user | Sync-ADObject -Source SPB-DC01 ‑Destination SPB-RO-DC1 -PasswordOnly
}
Вывести список пользователей и компьютеров, чьи пароли находятся в кэше RODC можно с помощью командлета:
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity SPB-RO-DC1 ‑RevealedAccounts
Нельзя удалить пароль определенного пользователя из кэша RODC. Но вы можете сделать эти данные недействительными, сбросив пароль пользователя из оснастки ADUC или с помощью Set-ADAccountPassword.
The Read-Only Domain Controller, or RODC for short, as one can understand by its name, has a read-only copy of Active Directory. It is mainly used in branch offices where the physical security of the server cannot be guaranteed, there is no fast and sufficient (WAN) connection with a central point or no specialized IT staff. I will not extend to why to include an RODC in your environment, but how to do this.
Install a Read-Only Domain Controller (RODC)
The installation of an RODC can be done in two ways. The classic case is to install the Active Directory Domain Services role and then to promote the RODC, a process that is similar to a new addition of a Domain Controller into the Active Directory infrastructure. The other way is to pre-create an RODC account (Staged) with pre-defined settings and then deploy it into the infrastructure. In the current article, we will see the first case.
Install the Active Directory Domain Services role
Open Server Manager, click Manage and then Add Roles and Features.
Immediately afterward, the wizard window will open. In the Before You Begin section, click Next to continue.
In the Installation Type section, select Role-based or feature-based installation and click Next to continue.
In the Server Selection section, make sure the server you want is selected and click Next to continue.
Under Server Roles, select Active Directory Domain Services. Once you do this, you will be asked to add some additional features. Click the Add Features button and then click Next to continue.
In the Features section, you do not have to choose something, just click Next to continue.
In the AD DS section, some information about AD DS is displayed, just click Next to continue.
Finally, in the Confirmation section, click the Install button to proceed to install the role.
Promote the server to a Domain Controller
Once the role is completed, if you do not close the window, you will be prompted to promote the server to a Domain Controller (DC).
Alternatively, you can open the same window through Server Manager, as shown in the figure below.
In essence, this is the Active Directory Deployment Configuration wizard that will guide you to add another Domain Controller to the Active Directory environment.
In the Deployment Configuration section, since the forest already exists, enable Add a domain controller to an existing domain, and then type the domain name in the corresponding field. In our case is meraki.edu. You will also need to provide the credentials of an account that has the ability to add DC to the existing domain, such as the Domain Administrator. To proceed, click Next.
Under Domain Controller Options, enable (if desired) the Domain Name System (DNS) Server and Global Catalog options, leave the default Site Name and type the Directory Services Restore Mode (DSRM) password. Be sure to keep this in your documentation. The most important part here is to enable the Read-only Domain Controller (RODC) option. Click Next to continue.
In the RODC Options section, select a user or group account with the delegated administrator privileges. Also, at this point, you can set up Password Replication Policy, which accounts will be allowed to replicate passwords to the RODC and which will not. However, this is something you can change at any time in the future. Click Next to continue.
In the Additional Options section, you can select from which Domain Controller to replicate to the current DC. If you do not have a specific reason, leave the default Any domain controller and click Next to continue.
In the Paths section, choose where the NTDS, SYSVOL, and LOG folders will reside on your server. In our case I will leave the default ones, you can choose another disk based on your preferences and setup.
In the Review Options section, you will see a summary of the settings you have selected. Once you’re sure you have not made a mistake, click Next to continue.
In the Prerequisites Check section, the prerequisites will be checked. Here, if even one error occurs, then you will not be able to continue and you will need to fix it before proceeding. Otherwise, if only warning messages are displayed but the check has ‘passed’ as shown in the picture, click the Install button to proceed.
At this point, you will need to wait a few minutes until the installation process is completed. The server will automatically reboot immediately and after that, the RODC will be ready.
Keep in mind that
- You need at least one writable domain controller to Install a Read Only Domain Controller
TUTORIAL
Firstly install the windows server 2016
Log in
Configure Network Card (provide a static IP address and DNS)
Add roles and features
Click Next to continue
select role based installation type (by default this option is selected)
Select the Server
Select Active Directory Domain Service Services Role
Keep the default features
Click Next
Click Install
Click Close after installation
Promote the server to a domain controller
Provide the domain name and user credentials for deployment operations
Provide DSRM password and select Read Only Domain Controller (RODC)
Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.
Keep the RODC options as it is
Keep the locations for AD DS database, log files and SYSVOL as it is
Review options before installation starts
Install Active Directory Domain Services
After Active Directory Domain Services installation restart the server
Check Installed Read-only Domain controller
Make sure to Connect to the RODC
Configure the Administrators role
Type dsmgmt in the run
Type
local roles add <DOMAIN>\<user> Administrators
Log in as other user
To Configure RODC password policies go to RODC properties
- Configure password caching allowed and denied groups as per the requirement
- Click on Advanced to display a list of users for which the passwords have been cached.
An RODC holds a read-only copy of the Active Directory database and doesn’t allow any changes in AD data. It is mostly deployed in branch offices due to poor physical security. If some one gets access to the RODC, he won’t be able to change the global data. If an intruder somehow manages to change the data on the RODC, it won’t be replicated to write-able DCs due to unidirectional replication (from wrote-able to read-only DC).
In this guide, I am going to show you how to deploy an RODC in Windows Server 2016.
Prerequisites
Cross check the following prerequisites
- Administrator account has strong password.
- Static IP is configured.
- Firewall is turned off.
- Latest updates from Microsoft are installed.
- You have at least one writeable DC.
- DNS settings in TCP/IPv4 are pointing to DNS server of write-able DC.
To get started, open server manager dashboard and click on ‘Add roles and features’. Then follow the wizard.
Step 1. Verify the tasks listed in the window and then click Next.
Step 2. Choose Role-based or feature-based installation and click Next.
Step 3. Choose desired destination server from servers pool and click Next.
Step 4. Choose active directory domain services from server roles. As soon as you check the box a new window will appear, click Add Features.
Step 5. Click Next.
Step 6. Click Next.
Step 7. Click Next.
Step 8. Click Install and wait for an installation to finish. This may take several minutes to complete.
Step 9. Click Promote this server to a domain controller.
Step 10. Choose Add a domain controller to an existing domain. Provide the domain name and the appropriate credentials having permission to add a domain controller to an existing domain. Click Next.
Step 11. Choose Read only domain controller (RODC) and provide the DSRM password. Click Next.
Step 12. Click Next.
Step 13. Click Next.
Step 14. Click Next.
Step 15. Click Next.
Step 16. Click Install and wait for configuration to finish. When configuration finishes, the server will be rebooted.
Step 17. Login to RODC with admin credentials. Open active directory user and computers (ADUC) console and make sure you are connected to Read Only DC and not to write-able DC. Notice the greyed out icons and try updating the AD data. You won’t.
The whole point behind Active Directory and its multi-master model is that an Active Directory domain controller in one location has essentially the same copy or view of the database as does every other DC in the entire Active Directory domain. Now this is great because every single domain controller can be a writable domain controller, however every single domain controller, as you can imagine, contains every single object in Active Directory. Now, in a world where our domain controllers can be locked behind closed doors, that’s a perfectly acceptable thing. A would-be attacker would have to break into our offices, and then once inside break further into the data center itself in order to find and then take off with that domain controller server itself. You can imagine that an environment that had 10s of thousands of different usernames and passwords, well, the loss of a single Active Directory domain controller because it wasn’t properly secured, could mean the repermissioning, the repasswording of every single user. Now for that reason Microsoft includes this RODC role, that again, is only intended when you have a domain controller that you for some reason cannot lock away.
RODC, addresses branch office scenarios where you may have no local IT staff, few users, potentially expensive wide area network links, and limited physical security. What exactly does the read-only domain controller offer us as an IT professional, by means of security and convenience?
Enhance security
The RODC’s chief purpose is to provide an enhanced security in a branch office domain controller as opposed to installing say, a full fledged read-write domain controller. The read-only domain controller is an ordinary domain controller like any other in your domain, except all of its directory partitions, particularly it’s domain partition, are read only. The read-only nature of course means that you lessen the chance of someone maliciously altering active directory data. Again, critical if you’re in a branch office that doesn’t have local staff, local IT staff. Now the read only nature of the RODC extends to DNS, any active directory domain services domain controller worth its salt is going to also be a DNS server.
RODC is compatible with other windows server features that enhance security. It reduces the exploitation or attack surface of the machine. There is also option for BitLocker for your data volumes to make sure that if, for instance, somebody steals your RODC and tries to get confidential data from that data volume, they will fail in that attempt. And then again, more specifically, with the security piece, we have cashed credentials also known as the password replication policy, the FAS or FAS, filtered attribute set, and ARS which is administrative role separation.
Password Replication Policy (PRP)
The PRP is an access control list of sorts, that specifies which domain, user, and computer accounts can have their password hashes cached on the RODC. You might have a hundred users, organization wide, but only few in the branch office. Isn’t it silly to replicate all of the password hashes for all the domain users to the branch office? Specially if you don’t have additional layers of security down, like maybe the branch office has a full read-write domain controller. Even worse, a malicious user could feasibly steal that machine if it’s not physically secured and brute force attack to figure out what the passwords are that are represented by those hashes. It’s not a good deal. Least service means, if you’re not using a service, don’t even install it. We can extend that to password security by not replicating any passwords for any users who do not exist in the branch office.
What RODC can give your branch users? It gives them convenience. Because their password hashes are locally cached, so their domain log-ons are going to be much faster. They’ll also be able to log-on, not just to local cached credential log-on, but a true blue domain controller log-on, even if the WAN and the headquarters branch fails. Now of course if the WAN connection fails to the headquarters, the users wouldn’t be able to necessarily connect to headquarters resources anyway. But presumably you have locally in that branch office, the printers, the shared folders, the local internet website replica, whatever else that they need on campus, so they shouldn’t be so dependent upon the headquarter’s site. You should also know that high security groups, domain admins, enterprise admins, even the sub-administrative groups are automatically denied, as far as RODC password caching is concerned.
Domain administrator in the central site can pre-create an RODC computer account. That’s a different process actually than simply pre-staging an ordinary computer account that you might do for operating system deployment. There’s actually a wizard specifically for pre-creating or staging read-only domain controller accounts. Once you have that created, you’ll then specify one or more users who are delegated admins in that branch office location. Now this is a special kind of delegated administration. These delegated admins can attach the local RODC that you may have shipped to that branch office, and maybe you’re walking the delegated admin through plugging it in, getting on the network, update server and so forth. RODC delegated admins are delegated administrative authority only on that RODC. So you may actually have more than one RODC in one or more branches just because one person has those privileges on RODC in Site A, that gives him or them absolutely zero administrative privileges out of the box on an RODC in Site B. Administrator role separation isn’t available on writeable DCs.
INSTALL Read-Only Domain Controller (RODC)
There are 2 ways of doing it. We can configure it when promoting server to a domain controller or we can pre-create RODC computer account. When you pre-create RODC computer account you configure everything in advance, which users will have their passwords cached and replicated etc. and when you promoting server to a dc those options will be grayed out.
Let’s install RODC using pre-created account. I will not focus on usuall way because it is straightforward, install AD DS role and promote server to a domain. When you do that you will need to select RODC and do the same thing about configuring password replication policy you will see here so no need to do the same thing twice.
To use second option you will need to open ADUC and right-click on Domain Controller OU and select Pre-Create Read-Only DC Account.
When wizard opens ,Mark Use advanced mode installation and click Next
First it asks us, do we have the creds to do this? I’m logged on as a domain administrator so I’m good. Click Next
Now we specify the computer name. Now this is important, it says, the server must not be joined to the domain before you install active directory domain services on it. Now there’s some important captchas here before you fill this in. It says, principally, that before the server can be attached to the account that you’re creating, and become an RODC, it must be named with the same name that you specify here. I already have a server named RODC so I will use that name for it host name. Click Next
Next it’s asking us for a site, I only have one site so I don’t have much options to choose here but you will specify your branch site. You’ll notice fromprogress dialogues (when you click on Next), it’s essentially doing the same thing that we do when we run the active directory domain services installation wizard normally. We’re just running the wizard in a different context than usual.
I’m going to do DNS server and global catalog. Note that read-only domain controller option is grade out. It also tells us that it detects that there are already 2 DNS server that’s authoritative for mehic.se domain. Click Next
Specify the password replication policy window, here you can either allow to replicate passwords to this DC, or deny from replicating passwords to this DC. It is in this location where if you have multiple different remote sites, one for different geographic locations, it’s probably a good idea for you to configure multiple different replication groups for each site so that you further constrain down just which passwords are gonna be on this machine. High privilege groups like administrators, and server operators, et cetera, are set to deny by default. This is where you can remove entries that are not relevant, or add additional groups to the list.
NOTE: if an account is in the denied replication group, please know that this doesn’t prevent a user from logging on through a RODC, it just simply denies the RODC the ability to locally cache the password. So in other words, the WAN link will have to be available so the RODC can pass over the WAN and get an authentication token from a read-only domain controller.
Click on ADD
When you click on add it will ask you if this going to be an allow or a deny. I will select Allow. When you click OK it will ask you to add groups
I have a group called HBG Users, Click Ok
Here it is, so anybody in this group will have their passwords cached. (Now if you decide not to mess with this right now, that’s okay because you can always come to this part after)
Once done click next
Delegation of RODC Installation and Administration Window, This is the administrative role separation and you can choose a group or a user, who is going to be delegated admin or admins on this server. I have a group called HBG Delegated Admins, click next
As usual, we can export settings if you’re looking at an automated process or I’m just going to go ahead and do it. When you click next it will tell you that now that we’ve completed the account creation, we can attach the server that we want to be the RODC by running the ad roles, wizard and server manager.
When you click Finish you will see that we have the RODC account, it’s disabled, unoccupied DC account. So far so good.
Switch to your RODC server and open powershell as admin and type in
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools -IncludeAllSubFeature
That completed successfully, and we don’t need a restart. That’s always good news. Now we need to bring up the server manager (you can run servermanager in powershell to open it) and refresh our view and we should get a little alert, click on the Promote this server link….
Deployment Configuration window, We’re adding a domain controller to an existing domain, it’s mehic.se, I’m going to need to change those credentials to specify domain credentials.
Click Next
When you click next you will see this message, A pre-created RODC account that matches the name of the target server exists in the directory. Choose whether to use the existing RODC account or reinstall. I’m going to leave the default of course, and everything else here is grayed out, read-only because that’s been part of the pre-staged account. I have to supply the appropriate DSRM password. You may not want to give a delegated admin that password. Click Next
Here we can configure the additional options that, most of this here has to do with any domain controller, RODC or not. We won’t do an install from media, we’ll replicate from any domain controller, click next
we’ll use the standard paths here for ADDS
And then we’ll choose the Next button, and the Install button, to complete the installation of our RODC.
That’s it. Now when that is done your server will reboot and when it is up and running open server manager and start ADUC and go through some of the additional management tasks that you may wish to do here on this machine. You will notice that you will be able to make changes and that is because you will be connected to a different domain controller and not RODC. To change ADUC to your RODC you will need to right-click on the domain (mehic.se) or a ADUC node and select change domain controller
Before we continue make sure that Advanced Features are enabled.
Now click on Domain Controllers OU and right-click on our RODC and select properties
The first of which is Password replication policy tab, where you’ll see configured the allow and deny settings for any of these groups that were part of that original installation process and the group that we added when we pre-configured this account. So it’s here where you would add additional groups if you wanted to be those where your password was replicated down.
Click the Advanced Button
Here we can identify the actual accounts themselves that have been replicated down to this RODC. So you can see here that the computer account for RODC has been downloaded, and this Kerberos ticket-granting ticket user has been downloaded as well. So it’s here where you can actually identify which users have their passwords on this machine, as well as, should you have need to repopulate those passwords, you can do so by clicking on Prepopulate Passwords
If you expand Display users and computers that meet the following criteria, it will allow you to see a list of accounts whose passwords are currently cached on the RODC, and accounts that have been authenticated.
If you click on Accounts that have been authenticated to this RODC, you will notice that we have an entry for administrator, domain admin, who’s been authenticated, but whose password does not appear in the local cache. That’s because the domain administrator is part of the denied RODC password replication group,
Click now on the Resultant Policy Tab, here we will have the ability to identify which potential users and computers will be downloaded as part of the different policies that you’ve set up in the previous screen so here we can test whether a particular user is part of the replicated group or not. Let’s see how this works?
I will click on Add and add one user who is in Allow group and add one user who is not in RODC group.
Sales1 user –> exists in the users container, and there’s an implicit deny, which means that Sales1 isn’t in the actual denied group, but his password cache setting is implicitly denied because he’s just not at all indicated in the branch office.
HBG1 User –> His resultant settings is allow
Let’s go back to Policy Usage Tab, and let’s click on Prepopulate Passwords,
This is where you can in fact do a manual cache of an account as long as it’s not in the denied group. What if Sales1 User plans to log on to the branch office? We can prepopulate his password. Click on the Prepopulate Passwords and add the user
Notice that it gives us an error. This account must fist be added to the allowed list in order for this to take place. It’s nice that we’ve got these layers of security
Let’s add our user to Allowed list. You will find that group under the Users OU
Once done, let’s go back to RODC Properties and see if we are able to add it.
NOTE: If you receive the same error again that is because AD didn’t replicate changes immediately.
And here it is. Let’s close this and check one more tab.
Next tab is Managed By, we can identify which group of users should have access to administrators RODC, so like my HBG Delegated Admins, for example here in mehic.se. (This option is pre-populated because we configure this when we created that RODC account) This group now could perform all the usual management tasks of dealing with this as being a Windows server, but would have no access to do anything associated with Active Directory and the things commonly associated with account operators and domain admins.
Now, in a worst case scenario, if the RODC is compromised and you need to reset it, what we’re going to do is right click and select delete.
Warning message pops up, click yes
And notice, we get the supplemental dialog box after we answer yes. The text here is instructive. If the RODC is compromised or stolen, Microsoft recommends that you reset account passwords that the hashes for which were stored in the RODC. And by default, it’s going to reset all user account passwords that are cached on that RODC. You can also reset the computer account passwords, but notice that if you do that, all of the computers that are part of that remote site will need to be rejoined to the domain. If you don’t want to go through with this, you can just hit view list to look at impact. And it just simply shortcuts to this advanced password replication dialog that we saw earlier. If you choose not to export, the delete button becomes available. If you do choose to export, you have to specify a directory path and a file name, CSV file name, before delete becomes relevant.
That’s it. I hope this has been informative for you.
Thanks for reading!
Cheers,
Nedim