Step 3: Decide How to Define the Password Replication Policy

  • Article

Applies To: Windows Server 2008

Define a Password Replication Policy (PRP) for each read-only domain controller (RODC) that you deploy. The PRP determines which account passwords are allowed to be cached on an RODC and which account passwords are explicitly denied from being cached on an RODC. An account password cannot be cached on an RODC unless you add the account to the Allowed list for that RODC directly or the account is member of a group that is in the Allowed list. In addition, the account cannot be in the Deny list or a member of a group that is in the Deny list. You can specify the PRP during an RODC installation, and you can modify it as needed after the RODC is installed. You can define the PRP in any number of different ways, as in the following examples:

  • You can allow no account passwords from the domain to be cached. This is the default option and the most secure option.

  • You can allow all account passwords from the domain to be cached.

  • You can allow only account passwords from the branch office to be cached.

In most cases, the recommended way to specify the PRP is to include the users and computers that reside in a branch office in the Allowed RODC Password Replication Group for that RODC. However, each of these examples has advantages and disadvantages. For more information about the PRP, see Administering the Password Replication Policy (https://go.microsoft.com/fwlink/?LinkID=133488).

There are multiple ways to determine which users should be added to the Allowed list of a particular RODC:

  • Use office location data from your Human Resources (HR) systems to figure out which users are in which location. After you have that data, you can study how locations are covered by RODCs and whether users should have their accounts cached on it or not.

  • As an alternative, your organization may already have groups in place that map to each of your offices and contain users from these offices. You can use these groups to define your PRP. However, you have to ensure that resources from each branch office, including the computers for the users, are also cached on the RODC for that branch. You can maintain the group memberships by using applications such as Microsoft Identity Lifecycle Manager (ILM).

  • If you do not have an easy way to define what accounts should be cached on any given RODC that you deploy in a branch office, start with the default PRP and monitor the msDS-AuthenticatedToAccountList attribute to determine which users and computers have used a writeable Windows Server 2008 domain controller to access an RODC as a resource. Continue to monitor this attribute until you think that the Allowed list contains all or most users and computers that will frequently use the RODC to authenticate but the list does not contain many accounts that will use the RODC infrequently. For more information about the msDS-AuthenticatedToAccountList attribute, see Administering the Password Replication Policy (https://go.microsoft.com/fwlink/?LinkID=133488).