Password Replication Policy Administration

Applies To: Windows Server 2008

This section provides procedures for the following administrative tasks that are related to Password Replication Policy for an RODC:

  • Configure the Password Replication Policy for an RODC

  • View current credentials that are cached on an RODC

  • Review which accounts have attempted to authenticate to an RODC

  • Prepopulate the password cache for an RODC

  • Reset the current credentials that are cached on an RODC if it is stolen

Configure the Password Replication Policy for an RODC

Administrative credentials

To configure the Password Replication Policy for an RODC, you must be a member of the Domain Admins group.

To configure the Password Replication Policy for an RODC

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.

  3. In the details pane, right-click the RODC computer account, and then click Properties.

  4. Click the Password Replication Policy tab, as shown in the following figure.

  5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed List and the Denied List on the RODC. To add other groups that should be included in either the Allowed List or the Denied List, click Add. To add other accounts that will not have credentials cached on the RODC, click Deny. To add other accounts that will have credentials cached on the RODC, click Allow.

    Accounts that will not have credentials cached on the RODC can still use the RODC for domain logon. The credentials, however, will not be cached for subsequent logon using the RODC.
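The same Allowed List and Denied List can be inspected and changed from PowerShell. The following script is an added example and is not part of the original article; it assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and RSAT, so it is run from a management machine rather than the Windows Server 2008 domain controller itself), a Domain Admins logon, and the placeholder names RODC15, "Branch12 Users", "Branch12 Computers", svc-backup and mikedan. The last function is a convenience check that mirrors the precedence the Password Replication Policy applies: an entry in the Denied List wins over an entry in the Allowed List, and an account that matches neither is not cached.

```powershell
# Added example, not code from the TechNet article. Assumes the ActiveDirectory
# module and Domain Admins rights; every name below is a placeholder.
Import-Module ActiveDirectory

$Rodc = 'RODC15'

# The current Allowed and Denied lists, i.e. what the Password Replication Policy tab shows.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, ObjectClass

# Allow caching for the branch users AND their computers: a user whose computer
# account is not cached cannot complete a branch logon while the WAN is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch12 Users', 'Branch12 Computers'

# Explicitly deny a service account that must never have credentials on a branch RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList 'svc-backup'

# Resolve the policy for one account. Denied entries take precedence over Allowed
# entries; an account listed nowhere is not cached. Only direct group membership
# is followed here; the Resultant Policy tab in the GUI remains the authoritative view.
function Test-RodcCachingAllowed {
    param([string]$Rodc, [string]$SamAccountName)

    $Acct = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'"
    if (-not $Acct) { throw "Account '$SamAccountName' not found." }

    $Groups = @(Get-ADPrincipalGroupMembership -Identity $Acct.DistinguishedName |
                Select-Object -ExpandProperty DistinguishedName)
    $Scope  = @($Acct.DistinguishedName) + $Groups

    $Denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
                 Where-Object { $Scope -contains $_.DistinguishedName })
    $Allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
                 Where-Object { $Scope -contains $_.DistinguishedName })

    if ($Denied.Count  -gt 0) { return "Denied (via $($Denied[0].Name))" }
    if ($Allowed.Count -gt 0) { return "Allowed (via $($Allowed[0].Name))" }
    return 'Denied (no matching entry; accounts are not cached by default)'
}

Test-RodcCachingAllowed -Rodc $Rodc -SamAccountName 'mikedan'
```

Run the two Get- calls again after the Add- calls to confirm the change replicated to the writable domain controller you are pointed at; the RODC itself learns the new policy through normal replication.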

View current credentials that are cached on an RODC

By default, the only credentials that are cached on an RODC are for the computer account of the RODC itself and the special krbtgt account that is created for that RODC.

Administrative credentials

Any domain user can view current credentials that are cached on an RODC.

To view current credentials that are cached on an RODC

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.

  3. In the details pane, right-click the RODC computer account, and then click Properties.

  4. Click the Password Replication Policy tab.

  5. Click Advanced.

  6. In the drop-down list, click Accounts whose passwords are stored on this Read-only Domain Controller, as shown in the following illustration.

Review which accounts have attempted to authenticate to an RODC

Periodically, you should review which accounts have tried to authenticate to an RODC. This information can help you plan updates that you intend to make to the existing Password Replication Policy. For example, look at which user and computer accounts have tried to authenticate to an RODC so that you can add those accounts to the Allowed List. After their credentials are cached on the RODC, the accounts can be authenticated by the RODC in the branch office when the wide area network (WAN) link to the hub site is offline.

You can use the repadmin /prp move command to automatically move accounts that try to authenticate to an RODC to the Allowed List for that RODC. For more information, see Repadmin /prp (https://go.microsoft.com/fwlink/?LinkId=112118).

Administrative credentials

Any domain user can view which user and computer accounts have authenticated to an RODC.

To review the accounts that have been authenticated to an RODC

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.

  3. In the details pane, right-click the RODC computer account, and then click Properties.

  4. Click the Password Replication Policy tab.

  5. Click Advanced.

  6. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.
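Both Advanced views described above (the accounts whose passwords are stored on the RODC, and the accounts that have been authenticated to it) can be queried together from PowerShell, which makes the comparison that the review is really about easy to automate. The following script is an added example and is not part of the original article; it assumes the ActiveDirectory PowerShell module and the placeholder RODC name RODC15, and the repadmin /prp move syntax in the trailing comment follows the Repadmin /prp reference the article links to. The adminCount check at the end is an added defender's sanity check, not a step the article describes.

```powershell
# Added example, not code from the TechNet article. Assumes the ActiveDirectory
# module; RODC15 is a placeholder. Any domain user can run the two queries.
Import-Module ActiveDirectory

$Rodc = 'RODC15'

# "Accounts whose passwords are stored on this Read-only Domain Controller"
$Cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)

# "Accounts that have been authenticated to this Read-only Domain Controller"
$Authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

# Accounts that authenticated through the RODC but are not cached there are the
# candidates for the Allowed List: without cached credentials they cannot log on
# at the branch while the WAN link to the hub is down.
$Candidates = $Authenticated | Where-Object { $Cached.DistinguishedName -notcontains $_.DistinguishedName }

"Authenticated but not cached on ${Rodc}:"
$Candidates | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Cached accounts that carry adminCount=1 (protected, typically privileged accounts)
# are a risk on a branch RODC and normally belong in the Denied List instead.
$Privileged = foreach ($Acct in $Cached) {
    $Obj = Get-ADObject -Identity $Acct.DistinguishedName -Properties adminCount
    if ($Obj.adminCount -eq 1) { $Obj }
}
if ($Privileged) {
    Write-Warning "Privileged accounts cached on ${Rodc}:"
    $Privileged | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}

# Alternative to hand-picking: repadmin can move the authenticated accounts into a
# group that it adds to the RODC's Allowed List (syntax per the Repadmin /prp reference):
#   repadmin /prp move RODC15 "Branch12 Allowed Users" /users_only
```

Export $Candidates with Export-Csv if you want a record of what was reviewed before changing the policy; the review itself changes nothing on the RODC.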

Prepopulate the password cache for an RODC

You can prepopulate the password cache for an RODC with the passwords of user and computer accounts that you plan to authenticate to it. When you prepopulate the RODC password cache, you trigger the RODC to replicate and cache the passwords for users and computers before the accounts try to log on in the branch office.

Prepopulating the password cache helps ensure that a user can log on to the network in the branch office, even if the WAN link to the data center is offline. For example, suppose that a user who normally works in the data center travels to a branch office and attempts to log on there with a laptop. The RODC contacts the writable domain controller in the data center. If the Password Replication Policy allows it, the RODC caches the password. However, if the WAN link is offline when the user attempts to log on, then the logon attempt fails because the RODC has not yet replicated the password for the account.

To avoid this problem, you can prepopulate the password cache of the RODC in the branch office with the password of the user and the laptop. This eliminates the need for the RODC to replicate the password from the Windows Server 2008 domain controller over the WAN link.

In addition, prepopulating the password cache is a good idea if you build an RODC in a central location, such as in a data center, before you transport the RODC to the branch office. By prepopulating the password cache with the users and computers who will log on in the branch office, the RODC can authenticate those accounts without contacting the Windows Server 2008 domain controller over the WAN link.

You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation fails.

You can prepopulate the password cache for an RODC by using Active Directory Users and Computers or by using the Repadmin command-line tool.

Administrative credentials

To prepopulate the password cache for an RODC, you must be a member of the Domain Admins group.

To prepopulate the password cache for an RODC by using Active Directory Users and Computers

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.

  3. In the details pane, right-click the RODC computer account, and then click Properties.

  4. Click the Password Replication Policy tab.

  5. Click Advanced.

  6. Click Prepopulate Passwords.

  7. Type the name of the accounts whose passwords you want to prepopulate in the cache for the RODC, and then click OK.

  8. When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.

To prepopulate the password cache for an RODC by using the Repadmin command-line tool

  1. Log on to a writable domain controller that is running Windows Server 2008.

  2. Click Start, right-click Command Prompt, and then click Run as administrator.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Type the following command, and then press ENTER:

    repadmin /rodcpwdrepl [DSA_List] <Hub DC> <User1 Distinguished Name> [<Computer1 Distinguished Name> <User2 Distinguished Name> …]

    In the command, use the values from the following table.

    Placeholder          Value
    -------------------  --------------------------------------------------------------------------
    DSA_List             The name of the RODC whose password cache you want to prepopulate.
    Hub DC               The name of the writable Windows Server 2008 domain controller that is the replication partner of the RODC.
    User1, Computer1, …  The distinguished names of the users and computers whose passwords you want to cache on the RODC. You must add the computer accounts of the users as well, or the users cannot log on.

    For example, the following command prepopulates the password cache for RODC15 with the passwords for Mike Danseglio and his computer, MikeDanLaptop. The hub domain controller is named HUBDC12.

    repadmin /rodcpwdrepl RODC15 HUBDC12 CN=MikeDan,OU=DatacenterUsers,DC=contoso,DC=com CN=MikeDanLaptop,OU=DatacenterComputers,DC=contoso,DC=com
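The same prepopulation, including the failure case the article mentions (an account that the Password Replication Policy does not allow to be cached), looks as follows in PowerShell. This is an added example and not part of the original article; it assumes the ActiveDirectory PowerShell module, whose Sync-ADObject -PasswordOnly performs the same password-only replication as repadmin /rodcpwdrepl, and reuses the article's placeholder names RODC15, HUBDC12 and the two contoso.com distinguished names. Each account is attempted separately so that one disallowed account does not hide the result for the others, and the revealed list is read back afterwards as the verification step.

```powershell
# Added example, not code from the TechNet article. Assumes the ActiveDirectory
# module and Domain Admins rights; RODC15, HUBDC12 and the DNs are placeholders.
Import-Module ActiveDirectory

$Rodc  = 'RODC15'
$HubDc = 'HUBDC12'

# Pair every user with the computer account the user logs on from; a cached user
# password alone does not let the branch logon complete while the WAN is down.
$Accounts = @(
    'CN=MikeDan,OU=DatacenterUsers,DC=contoso,DC=com',
    'CN=MikeDanLaptop,OU=DatacenterComputers,DC=contoso,DC=com'
)

$Results = foreach ($Dn in $Accounts) {
    try {
        # Replicates only the secrets of the object from the hub DC to the RODC.
        Sync-ADObject -Object $Dn -Source $HubDc -Destination $Rodc -PasswordOnly -ErrorAction Stop
        [pscustomobject]@{ Account = $Dn; Result = 'cached' }
    } catch {
        # Expected for any account the Password Replication Policy denies or does not allow.
        [pscustomobject]@{ Account = $Dn; Result = "failed: $($_.Exception.Message)" }
    }
}
$Results | Format-Table -AutoSize

# Verify: every requested account should now be in the RODC's revealed list.
$Revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$Accounts | Where-Object { $Revealed.DistinguishedName -notcontains $_ } |
    ForEach-Object { Write-Warning "Not cached on ${Rodc}: $_" }
```

If an account fails, fix its entry in the Allowed List (or remove it from the Denied List) first and rerun; prepopulation never overrides the policy.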

Reset the current credentials that are cached on an RODC if it is stolen

Administrative credentials

To reset the current credentials that are cached on an RODC, you must be a member of the Domain Admins group.

To reset the current credentials that are cached on an RODC if it is stolen

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.

  3. In the details pane, right-click the RODC computer account, and then click Delete.

  4. To confirm the deletion, click Yes.

  5. In the Deleting Active Directory Domain Controller dialog box, select the Reset all passwords for user accounts that were cached on this read-only domain controller check box, as shown in the following figure. As an option, you can also select the Export the list of accounts that were cached on this read-only domain controller to this file check box to create a list of user accounts whose passwords must be reset after the RODC account is deleted. That list of accounts is not available after the RODC account is deleted.
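Because the list of cached accounts disappears together with the RODC computer account, a practitioner usually wants that list exported and the user passwords reset in a controlled way before or alongside the deletion. The following script is an added example and is not part of the original article; it assumes the ActiveDirectory PowerShell module, a Domain Admins logon, and the placeholder RODC name RODC15 and export path C:\Temp. It reproduces the two options from the dialog box (export the list, reset all cached user passwords) as separate steps so that the export exists before anything else happens; the deletion of the RODC account itself is still done in the GUI as described in the procedure above.

```powershell
# Added example, not code from the TechNet article. Assumes the ActiveDirectory
# module and Domain Admins rights; RODC15 and C:\Temp are placeholders.
Import-Module ActiveDirectory

$Rodc       = 'RODC15'
$ExportPath = "C:\Temp\$Rodc-cached-accounts.csv"

# Step 1: export the list of accounts whose secrets were cached on the RODC BEFORE
# the RODC computer account is deleted; the list is not available afterwards.
$Cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$Cached | Select-Object Name, SamAccountName, ObjectClass, DistinguishedName |
    Export-Csv -Path $ExportPath -NoTypeInformation
"Exported $($Cached.Count) cached accounts to $ExportPath"

# Random password built from a 64-symbol alphabet so that "byte mod 64" is unbiased.
function New-RandomPassword {
    param([int]$Length = 24)
    $Alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+?'
    $Bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
    return -join ($Bytes | ForEach-Object { $Alphabet[$_ % $Alphabet.Length] })
}

# Step 2: reset every cached USER account to a fresh random password that must be
# changed at next logon. Cached computer accounts are in the export but are not
# reset here; handle them separately.
foreach ($Account in ($Cached | Where-Object { $_.ObjectClass -eq 'user' })) {
    $Secret = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Account.DistinguishedName -Reset -NewPassword $Secret
    Set-ADUser -Identity $Account.DistinguishedName -ChangePasswordAtLogon $true
    "Reset password for $($Account.SamAccountName)"
}

# Step 3: delete the RODC computer account in Active Directory Users and Computers
# as described in the procedure above, leaving the reset check box selected as well.
```

Keep the exported CSV with the incident record: it is the only list of which credentials were exposed by the stolen RODC, and it is the input for the follow-up on computer accounts.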