Prepopulating passwords
Applies To: Windows Server 2008
Credential Caching
Credential caching is the storage of user or computer credentials. By default, a Windows Server 2008 read-only domain controller (RODC) does not store user credentials or computer credentials except for its own computer account and a special krbtgt account for that RODC. You must explicitly allow any other credentials to be cached on that RODC.
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines whether an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. Subsequent logons by the same account can then be performed more efficiently.
Password Replication Policy Allowed and Denied Lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These new built-in groups are the Domain RODC Password Replication Allowed Group and the Domain RODC Password Replication Denied Group. These groups help implement a default Allowed List and a Denied List for the RODC Password Replication Policy.
By default, the Domain RODC Password Replication Denied Group contains the following members:
Enterprise Domain Controllers
Enterprise Read-Only Domain Controllers
Group Policy Creator Owners
Domain Admins
Cert Publishers
Enterprise Admins
Schema Admins
Domain-wide krbtgt account
By default, the Denied List attribute contains the following security principals, all of which are built-in groups:
Domain RODC Password Replication Denied Group
Account Operators
Server Operators
Backup Operators
Administrators
Expiration of cached passwords
After an RODC caches a password for a user, the password remains in the Active Directory database until one of the following conditions occurs:
The user changes the password. In this case, the password is not purged from the cache, but it is no longer valid.
The Password Replication Policy for the RODC in question changes so that the user's password should no longer be cached. In addition, the user tries to access a noncacheable resource by using a ticket-granting ticket (TGT) that the RODC issues.
Clearing cached passwords
There is no mechanism in Windows Server 2008 to clear the cached password for a given user on an RODC. In the event that an RODC is compromised, reset the passwords that are currently cached, and then rebuild the RODC.
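As an added example (not part of the original page), the following PowerShell script audits an RODC's Password Replication Policy and enumerates the accounts whose passwords are currently cached on it, flagging any that belong to the privileged groups listed above; after a compromise, that list is the set of passwords to reset. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 RSAT, not the Windows Server 2008 RTM tools), read access to the RODC computer object, and that `$RodcName` is a placeholder for your RODC's name.

```powershell
# Added example: audit an RODC's Password Replication Policy and cached secrets.
# Assumes the ActiveDirectory module; $RodcName is a placeholder (e.g. "BRANCH-RODC1").
param(
    [Parameter(Mandatory = $true)]
    [string]$RodcName
)

Import-Module ActiveDirectory

# Groups whose members should never have a cached password on an RODC.
# These mirror the default Denied List membership described above.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Cert Publishers', 'Group Policy Creator Owners'
)

$rodc = Get-ADDomainController -Identity $RodcName
if (-not $rodc.IsReadOnly) { throw "$RodcName is not a read-only domain controller" }

# Effective Allowed and Denied lists for this RODC (Denied wins on conflict).
"== Allowed list for $RodcName"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
"== Denied list for $RodcName"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object -ExpandProperty Name

# Build a DN -> privileged-group map, following nested membership.
$privilegedDns = @{}
foreach ($g in $privilegedGroups) {
    foreach ($m in (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)) {
        if (-not $privilegedDns.ContainsKey($m.DistinguishedName)) { $privilegedDns[$m.DistinguishedName] = @() }
        $privilegedDns[$m.DistinguishedName] += $g
    }
}

# Accounts whose secrets are currently cached on the RODC (msDS-RevealedUsers).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

$report = foreach ($acct in $revealed) {
    $dn   = $acct.DistinguishedName
    $note = ''
    if ($dn -eq $rodc.ComputerObjectDN -or $acct.SamAccountName -like 'krbtgt_*') { $note = 'cached by design (RODC own/krbtgt account)' }
    if ($privilegedDns.ContainsKey($dn)) { $note = 'PRIVILEGED: ' + ($privilegedDns[$dn] -join ', ') + ' - review PRP' }
    [pscustomobject]@{ Account = $acct.SamAccountName; Class = $acct.ObjectClass; Note = $note }
}

"== Passwords cached on $RodcName (reset these if the RODC is compromised)"
$report | Sort-Object Note -Descending | Format-Table -AutoSize
```

Run it from a management workstation against each RODC; any account marked PRIVILEGED indicates an Allowed List entry that lets a highly privileged account be cached and should be removed from the policy.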