
Administering the Password Replication Policy

Updated: April 26, 2012

Applies To: Windows Server 2008, Windows Server 2012

This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).

You can view the PRP in a graphical user interface (GUI) by using the Active Directory Users and Computers snap-in or in a Command Prompt window by using the Repadmin tool. The following procedures describe how to view the PRP.

Note
You can perform the following procedures on any Windows Server 2008 domain controller or any computer in the forest or a trusted forest that has the Active Directory Domain Controller Tools from the Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see RODC Administration.

Any domain user can view the PRP.

Note
If you are managing an Active Directory domain from a different forest, security identifier (SID) filter quarantining must be configured to allow for external administrative authentication, which may not be desirable from a security standpoint. In addition, if selective authentication is enabled, the domain controller that is targeted for management must be allowed for authentication.

To view the PRP by using Active Directory Users and Computers

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

  2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.

  3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.

  4. Click the Password Replication Policy tab. An example is shown in the following illustration.

    [Illustration: Password Replication Policy tab for an RODC]

To view the PRP by using Repadmin

  1. Open a Command Prompt window. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.

  2. To view the accounts that are configured in the PRP, use the command repadmin /prp view <hostname> allow|deny. Substitute the actual host name or fully qualified domain name (FQDN) of the appropriate RODC for <hostname> in the command, and then type either allow or deny to see the accounts that are allowed or not allowed to have their passwords cached on the RODC, respectively. The following examples show how to view the accounts that are configured in the PRP that applies to an RODC with host name RODC2 in the domain hq.cpandl.com:

    • To view the accounts that are allowed to have their passwords cached on the RODC, type repadmin /prp view rodc2.hq.cpandl.com allow, and then press ENTER.

    • To view the accounts that are denied from having their passwords cached on the RODC (also known as the Deny list), type repadmin /prp view rodc2.hq.cpandl.com deny, and then press ENTER.

Note
For more information, see Repadmin /prp (http://go.microsoft.com/fwlink/?LinkId=120184).

You should periodically review the accounts that have been authenticated to an RODC. This information can help you plan updates that you intend to make to the existing PRP. For example, you may want to review which user and computer accounts have authenticated to an RODC so that you can add those accounts to the Allowed List.

Important
You will probably see more accounts in the Accounts that have been authenticated to this Read-only Domain Controller list than will have passwords cached. Although you may see accounts of writeable domain controllers or members of the Domain Admins group in the list of authenticated accounts, it does not necessarily indicate that those accounts authenticated to the domain through the RODC. Instead, it means that the RODC in one way or another verified the credentials of those accounts. All default administrative accounts and domain controllers are denied explicitly or through their membership from having their passwords cached. If there are additional accounts that you want to make sure are not cached, include them in the Deny list or make them members of the Denied RODC Password Replication Group. The Deny list comprises the accounts that are specifically denied in the PRP from caching their credentials on the RODC.

Caution
When you view and access the PRP through Active Directory Users and Computers, be sure to target the console to a Windows Server 2008 writeable domain controller. Changes and tracking information are updated first on the writeable domain controller and then replicated to the RODC.

Any domain user can view accounts that have authenticated to the RODC.

To view accounts that have authenticated to the RODC by using Active Directory Users and Computers

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

  2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

  3. Click Domain Controllers.

  4. In the details pane, right-click the RODC computer account, and then click Properties.

  5. Click the Password Replication Policy tab.

  6. Click Advanced.

  7. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.

    [Illustration: Advanced Password Replication Policy dialog box for an RODC]

To view accounts that have authenticated to the RODC by using Repadmin

  1. Open a Command Prompt window. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.

  2. Run the command repadmin /prp view <hostname> auth2. Substitute the actual host name of the RODC that you want to query. For example, if you want to review the list of authenticated accounts for RODC2 in the hq.cpandl.com domain, type repadmin /prp view rodc2.hq.cpandl.com auth2, and then press ENTER.

In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC.

Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To clear the list of accounts that have authenticated to the RODC

  1. Open an elevated Command Prompt window using the credentials of a Domain Admin. To do this, click Start. In Start Search, type runas /user:<domainName>\<domainAdminUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

  2. To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all. Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER.

You can configure the PRP in the GUI by using the Active Directory Users and Computers snap-in or from a Command Prompt window by using the repadmin command. You can use the following procedures to configure the PRP.

Review the following considerations before you configure the PRP:

  • Although there is a default security group named Allowed RODC Password Replication Group, by default this group grants its members the ability to cache passwords on any RODC in the domain. As a security best practice, create separate security groups for each RODC to allow the caching of passwords on only that RODC and then prepopulate the groups with the appropriate accounts.

  • If more than 1,500 accounts (users, computers, or groups) are added to the Allowed list (the msDS-RevealOnDemandGroup attribute) of an RODC, the RODC stops caching passwords for all security principals in the Allowed list. This occurs when you add security principals using either the repadmin /prp add <RODCName> allow <User_Name> command or by directly modifying the msDS-RevealOnDemandGroup attribute of the RODC using a tool such as Active Directory Users and Computers. As a workaround, add the security principals (users, computers, groups) that you want to be cached on the RODC to a group, add that group to the Allowed list, and then remove these security principals from the Allowed List. Because they are members of that group that is in the Allowed List, the RODC can replicate their passwords.

    After 1,500 security principals are in the Allowed List and the RODC stops caching passwords, if you attempt to cache the password for a user in the Allowed List—using repadmin /rodcpwdrepl for example—you will see the following error message:

    “Unable to replicate secrets for user CN=user… on read-only DC dsp17a30 from full DC <GUID=126c27dc-cbb2-41b0-b847-71e5d6b69ea2>.

    Error: Replication access was denied. (8453)”

  • Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to configure the PRP for an RODC. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the PRP by using Active Directory Users and Computers

  1. Open Active Directory Users and Computers as a member of the Domain Admins group. To open Active Directory Users and Computers as a member of the Domain Admins group, click Start. In Start Search, type runas /user:<domain>\<username>, and then press ENTER. Substitute the actual domain name for <domain>, and type the name of a user account that is a member of the Domain Admins group for <username>. Enter the account password when you are prompted. Type dsa.msc, and then press ENTER. Close the Command Prompt window.

    Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

  2. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties.

  3. Click the Password Replication Policy tab.

  4. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list, click Add.

    • To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC.

    • To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC.

      Note
      Accounts that are denied from caching credentials on the RODC can still use the RODC for domain logon, but the RODC will contact another domain controller to verify the account logon credentials and it will not cache those credentials for subsequent logons.

  5. Click OK.

  6. In the Select Users, Computers, or Groups dialog box, under Enter the object names to select, type the account name that you want to add, click Check Names to resolve the account name, and then click OK. You can enter multiple account names at the same time by separating them with a semicolon.

    Note
    You may experience some latency between authorizing a user to cache their password and the user actually being allowed to cache the password. You can reduce the latency by purging the Kerberos ticket cache on the domain controller that you are modifying. To purge the ticket cache, run the command klist -li 3e7 purge from an elevated command prompt on the writeable domain controller. However, running this command will purge all Kerberos tickets that are issued to the local system and may temporarily interrupt other services that are running on the writeable domain controller.

To configure the PRP by using Repadmin

  1. Open an elevated Command Prompt window using the credentials of a Domain Admin. To open an elevated Command Prompt window using the credentials of a Domain Admin, click Start. In Start Search, type runas /user:<domainName>\<domainAdminUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

  2. Run the command repadmin /prp add|delete <hostname> allow <AccountLdapPath>. Replace <hostname> with the actual host name of the applicable RODC, and then type the Lightweight Directory Access Protocol (LDAP) path to the account that you want to include for <AccountLdapPath>. For example, if you want to add an account named RODC2users from a top-level organizational unit (OU) named West in the domain hq.cpandl.com to the Allowed List (or remove it from the Allowed List) for the RODC computer with a hostname of RODC2, use one of the following commands:

    Note
    To find the LDAP distinguished name of a directory object from the command line, you can use the dsquery command. For example, if you want to find the distinguished name of a group that has "RODC" as part of its name from a computer in the local domain, you can run the command dsquery group -name *RODC*. The asterisks around "RODC" indicate that any number of characters can come before or after the letters RODC. If instead you want to find the distinguished name of a computer or user, substitute either the word computer or the word user (respectively) for the word group in the command. For more information about dsquery command syntax, see Dsquery (http://go.microsoft.com/fwlink/?LinkId=120196).

    • To allow the account RODC2users to be cached on RODC2, run the command repadmin /prp add rodc2.hq.cpandl.com allow cn=RODC2users,ou=west,dc=hq,dc=cpandl,dc=com.

    • To remove the account from the Allowed List, run the command repadmin /prp delete rodc2.hq.cpandl.com allow cn=RODC2users,ou=west,dc=hq,dc=cpandl,dc=com.

You cannot use repadmin /prp commands to add an account to the Deny List or remove an account from the Deny List. To configure the Deny List, you can use the Active Directory Users and Computers snap-in or you can create a script. For example, if you want to deny the RODC2Admins group, located in the Branch2 OU, from caching passwords on RODC2 in the hq.cpandl.com domain, you can use the following script.

'The following items specify to Clear, Update, Append, or Delete a property of an Active Directory object
Const ADS_PROPERTY_CLEAR = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

Const ATT = "msDS-NeverRevealGroup"
'The setting for ATT determines which RODC attribute, and therefore which PRP list, is modified:
'msDS-AuthenticatedToAccountlist is the list of accounts that have authenticated to the RODC (the Auth2 list)
'msDS-RevealedList is the list of accounts whose passwords are cached on the RODC (the revealed list)
'msDS-RevealOnDemandGroup is the Allowed list (accounts allowed to have their passwords cached)
'msDS-NeverRevealGroup is the Deny list (accounts denied from having their passwords cached)

'PRPObj defines the object that needs to be modified in the PRP list
PRPObj = "CN=RODC2Admins,OU=Branch2,DC=hq,DC=cpandl,DC=com"

'RODCObj defines the RODC for which the PRP should be modified
RODCObj = "LDAP://CN=RODC2,OU=Domain Controllers,DC=hq,DC=cpandl,DC=com"

'Sets the object to modify based on the LDAP path set in RODCObj
Set objComputer = GetObject(RODCObj)

'Implements the change, which depending on the word after ADS_PROPERTY_ is a CLEAR, UPDATE, APPEND, or DELETE operation
objComputer.PutEx ADS_PROPERTY_APPEND, ATT, Array(PRPObj)
objComputer.SetInfo

'Confirms that the modification has taken place (this is optional)
wscript.echo "Modified list attributes for object " & PRPObj 

'Closes the script
wscript.quit(0)

The Repadmin tool has one capability that the Active Directory Users and Computers snap-in does not have when it comes to allowing accounts to cache passwords. You can use a single repadmin command to create a security group that allows members to cache passwords and prepopulate that group with accounts from the list of accounts that were authenticated by the RODC (also known as the Auth2 list). If you have already created a security group that is used to allow accounts to cache their passwords, you can specify that group as the group to which the accounts will be added. If you have not created a security group, a new group will be created for that purpose in the default Users container of the domain in which the RODC is a member. You can use the following procedure to use the repadmin /prp move command to move accounts from the Auth2 to the Allow list. The Allow list comprises the accounts that have been given the Allow permission in the PRP to cache their credentials on the RODC.

Note
When you use the repadmin /prp move command to copy accounts from the Auth2 list to the Allow list on the RODC, all accounts in the Auth2 list are moved (you cannot select individual accounts). The Allow list is the list of accounts that are specifically granted Allow permissions to cache their credentials on the RODC. Accounts that are specifically denied (either directly or through group membership) from having their passwords cached will not be copied from the Auth2 list to the Allow list.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To move accounts from the Auth2 list to the Allowed list by using Repadmin

  1. Open an elevated Command Prompt window using the credentials of a Domain Admin. To open an elevated Command Prompt window using the credentials of a Domain Admin, click Start. In Start Search, type runas /user:<domainName>\<domainAdminUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

  2. Run the command repadmin /prp move <hostname> <GroupName>. Substitute the actual name of the RODC for <hostname> and the actual name of the security group for <GroupName>. If you do not want to clear the list of accounts that have authenticated to the RODC, include the /noauth2cleanup parameter. You can also specify that only user accounts or only computer accounts be transferred by using the /users_only or /comps_only parameters, respectively.

    For example, to move the current list of only the users from RODC2 to the Allowed List, type Repadmin /prp move rodc2 /users_only.

Note
You cannot selectively move entries from the Auth2 list to the Allow list using the repadmin /prp move command. However, when you have created an appropriate group, you can use Active Directory Users and Computers, Dsadd, and similar tools to add users or computers to that group.

You can use the Resultant Policy tab in the Advanced Password Replication Policy dialog box for an RODC to determine whether certain accounts are allowed to cache their passwords or not. This can be useful if you want to make sure that certain accounts, which should be able to authenticate by using an RODC when a connection to a writeable domain controller is not available, are cacheable on the RODC. You can also use this feature to make sure that sensitive accounts, which should not be cached on the RODC, are not cacheable.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To view the resultant policy for an account

  1. Open Active Directory Users and Computers as a member of Domain Admins. To open Active Directory Users and Computers as a member of Domain Admins, click Start. In Start Search, type runas /user:<domain>\<username>, and then press ENTER. Substitute the actual domain name for <domain>, and then type the name of a user account that is a member of the Domain Admins group for <username>. Type the account password when you are prompted. Type dsa.msc, and then press ENTER. Close the Command Prompt window.

  2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.

  3. Click Domain Controllers.

  4. In the details pane, right-click the RODC computer account, and then click Properties.

  5. Click the Password Replication Policy tab.

  6. Click Advanced.

  7. Click the Resultant Policy tab.

  8. Click Add.

  9. In the Select Users or Computers dialog box, under Enter the object names to select, type the account name that you want to add, click Check Names to resolve the account name, and then click OK. To enter multiple account names at the same time, separate the account names with semicolons.

In addition to periodically reviewing the accounts that have been authenticated to the RODC, you should also check the accounts that have passwords cached on the RODC. Verify that only the appropriate account passwords are cached. You can use Active Directory Users and Computers or Repadmin to perform this task.

Important
When a network connection to a writeable domain controller is not available, a user is able to log on through an RODC only if the passwords of both the user account and the computer account (of the workstation that the user is accessing) are cached on the RODC.

Any domain user can view the accounts with cached passwords.

Note
If you find an account with a cached password that should not be in the list, ensure that the account is added to the Deny list and then change the account’s password. You may also want to further investigate the situation to determine whether additional security issues occurred.

To view accounts with cached passwords by using Active Directory Users and Computers

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

  2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.

  3. Click Domain Controllers.

  4. In the details pane, right-click the RODC computer account, and then click Properties.

  5. Click the Password Replication Policy tab.

  6. Click Advanced.

  7. In the drop-down list, click Accounts whose passwords are stored on this Read-only Domain Controller, as shown in the following illustration.

    [Illustration: Accounts whose passwords are stored on this Read-only Domain Controller]

To view accounts with cached passwords by using Repadmin

  1. Open a Command Prompt window. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.

  2. Run the command repadmin /prp view <hostname> reveal. Insert the actual host name of the RODC for <hostname>. For example, to see the accounts with cached passwords on an RODC with the host name RODC2 in the domain contoso.com, type repadmin /prp view rodc2.contoso.com reveal.

    Important
    If you have a large number of accounts cached, the repadmin /prp view <hostname> reveal command might return only a subset of the accounts. For more information, see Repadmin /PRP might return only a subset of accounts.
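The 1,500-entry Allowed list limit described in the PRP considerations and the review of cached passwords described in this section can both be checked from one script. The following is an added example, not part of the original topic; it assumes the ActiveDirectory PowerShell module from RSAT is installed, that the caller can read the RODC computer object, and uses placeholder names (RODC2 and the default administrative groups).

```powershell
# Added example, not from the original page: audit an RODC's Password Replication Policy and
# password cache with the ActiveDirectory module (RSAT). Assumptions: the module is installed,
# the caller can read the RODC computer object, and the names below are placeholders.
Import-Module ActiveDirectory

function Test-RodcPasswordCache {
    param(
        [Parameter(Mandatory)][string]$RodcName,
        # Groups whose members must never have passwords cached on a branch RODC.
        [string[]]$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        # Number of direct Allowed list entries at which the RODC stops caching (see the considerations above).
        [int]$AllowedListLimit = 1500,
        # When set, cached accounts found in a sensitive group are added to the Deny list.
        [switch]$Remediate
    )

    $rodc = Get-ADDomainController -Identity $RodcName
    if (-not $rodc.IsReadOnly) { throw "$RodcName is not a read-only domain controller" }

    # 1. Allowed list size. Only direct entries in msDS-RevealOnDemandGroup count toward the
    #    limit; members of a group that is itself in the list do not, which is why the topic
    #    recommends one security group per RODC.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList)
    if ($allowed.Count -ge $AllowedListLimit) {
        Write-Warning ("Allowed list on {0} has {1} direct entries; caching stops at {2}." -f
            $RodcName, $allowed.Count, $AllowedListLimit)
    }

    # 2. Resolve the sensitive groups to a set of distinguished names (nested membership included).
    $sensitive = @{}
    foreach ($group in $SensitiveGroups) {
        foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
            $sensitive[$m.DistinguishedName] = $group
        }
    }

    # 3. Accounts whose passwords are stored on the RODC: the same list that
    #    "repadmin /prp view <hostname> reveal" and the "Accounts whose passwords are stored" view show.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)

    $findings = foreach ($acct in $revealed) {
        if ($sensitive.ContainsKey($acct.DistinguishedName)) {
            if ($Remediate) {
                # Topic guidance: put the account on the Deny list, then change its password.
                Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $acct
            }
            [pscustomobject]@{
                Rodc    = $RodcName
                Account = $acct.SamAccountName
                Reason  = "cached but member of '$($sensitive[$acct.DistinguishedName])'"
                Action  = $(if ($Remediate) { 'added to Deny list; reset the password' } else { 'review' })
            }
        }
    }

    # 4. Accounts that authenticated through the RODC (Auth2) but are not cached: candidates for
    #    the Allowed list, as the topic suggests reviewing periodically. Sensitive accounts are
    #    excluded from the candidate list.
    $revealedDns = @{}
    foreach ($acct in $revealed) { $revealedDns[$acct.DistinguishedName] = $true }
    $auth2 = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)
    $candidates = $auth2 | Where-Object {
        -not $revealedDns.ContainsKey($_.DistinguishedName) -and
        -not $sensitive.ContainsKey($_.DistinguishedName)
    } | Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        Rodc             = $RodcName
        AllowedListCount = $allowed.Count
        CachedCount      = $revealed.Count
        Findings         = @($findings)
        AllowCandidates  = @($candidates)
    }
}

# Usage with the placeholder RODC name from the topic's examples:
Test-RodcPasswordCache -RodcName 'RODC2' | Format-List
```

Run it without -Remediate first; any account listed under Findings is one the topic says should be added to the Deny list and have its password changed.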

You can prepopulate the password cache for an RODC with the passwords of user and computer accounts that you plan to authenticate to the RODC. Prepopulating the password cache means submitting entries into the cache (for example, by using the Prepopulate button) instead of waiting for the cache to be populated automatically as users log on. When you prepopulate the RODC password cache, the RODC replicates and caches the passwords for users and computers before their accounts attempt to log on to the computers that are authenticated by the RODC.

Prepopulating the password cache helps ensure that a user can log on to the network using the RODC, even when a link to a writeable domain controller is not available. For example, suppose that a user who used to work in a data center transfers to a branch office with his computer. The RODC contacts the writable domain controller in the data center. If the PRP allows it, the RODC caches the password. However, if the wide area network (WAN) link is offline when the user attempts to log on, the logon attempt fails because the RODC has not cached the password for the account.

To avoid this problem, you can prepopulate the password cache of the RODC in the branch office with the password of the user and his computer. This makes it unnecessary for the RODC to replicate the password from the writeable Windows Server 2008 domain controller over the WAN link.

In addition, prepopulating the password cache is a good idea if you build an RODC in a central location—for example, in a data center—before you transport the RODC to the branch office. When you prepopulate the password cache with the users and computers who will log on in the branch office, the RODC can authenticate those accounts without contacting a writeable Windows Server 2008 domain controller over the WAN link.

You can prepopulate the password cache for an RODC by using the Active Directory Users and Computers snap-in or by using the Repadmin command-line tool.

Note
You can prepopulate the cache only for accounts that the PRP allows to be cached. If you try to prepopulate a password of an account that the PRP does not allow to be cached, the operation fails. Also, there can be latency between the RODC and the writeable domain controller after PRP permission changes are implemented. If you recently allowed an account permission to cache its password on an RODC, you may not immediately be able to prepopulate the password cache. You can reduce the latency by purging the Kerberos ticket cache on the domain controller that you are modifying. To purge the ticket cache, run the command klist -li 3e7 purge from an elevated Command Prompt on the writeable domain controller. However, running this command will purge all Kerberos tickets that are issued to the local system and may temporarily interrupt other services that are running on the writeable domain controller.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To prepopulate the password cache by using Active Directory Users and Computers

  1. Open Active Directory Users and Computers as a member of Domain Admins. To open Active Directory Users and Computers as a member of Domain Admins, click Start. In Start Search, type runas /user:<domain>\<username>, and then press ENTER. Substitute the actual domain name for <domain>, and type the name of a user account that is a member of the Domain Admins group for <username>. Type the account password when you are prompted. Type dsa.msc, and then press ENTER. Close the Command Prompt window.

  2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

  3. Click Domain Controllers.

  4. In the details pane, right-click the RODC computer account, and then click Properties.

  5. Click the Password Replication Policy tab.

  6. Click Advanced.

  7. Click Prepopulate Passwords.

  8. Type the name of the accounts whose passwords you want to prepopulate in the cache for the RODC, and then click OK.

  9. When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.

To prepopulate the password cache by using Repadmin

  1. Open an elevated Command Prompt window using the credentials of a Domain Admin. To open an elevated Command Prompt window using the credentials of a Domain Admin, click Start. In Start Search, type runas /user:<domainName>\<domainAdminUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

  2. Run the command

    Repadmin /rodcpwdrepl <hostnameRODC> <hostnameWDC> <User1LdapPath> <Computer1LdapPath> <User2LdapPath> <Computer2LdapPath>, where:

    • <hostnameRODC> is the host name or fully qualified domain name (FQDN) of the target RODC whose password cache you want to prepopulate. If you are running the command from outside the target domain, use the FQDN.

    • <hostnameWDC> is the host name or FQDN of the writeable Windows Server 2008 domain controller that is the replication partner of the RODC. If you are running the command from outside the target domain, use the FQDN.

    • <User1LdapPath> is the LDAP distinguished name of the first user account whose password you want to prepopulate.

    • <Computer1LdapPath> is the LDAP distinguished name of the first computer account whose password you want to prepopulate. You must add the computer accounts of the users or they will not be able to log on.

    • <User2LdapPath> is the LDAP distinguished name of the second user account whose password you want to prepopulate.

    • <Computer2LdapPath> is the LDAP distinguished name of the second computer account whose password you want to prepopulate. You must add the computer accounts of the users or they will not be able to log on.

For example, assume that you want to prepopulate the password cache for an RODC named RODC2 in the domain hq.cpandl.com. You want to use the writeable domain controller named WS2008A to transfer the passwords for a user account for Mike Danseglio (MikeDan) and his computer named MDVista1. The MikeDan account is in a top-level organizational unit (OU) named B1 Users, and the MDVista1 account is in the default Computers container. To accomplish all this, run the following command:

repadmin /rodcpwdrepl rodc2.hq.cpandl.com ws2008a.hq.cpandl.com "cn=mikedan,ou=b1 users,dc=hq,dc=cpandl,DC=com" cn=mdvista1,cn=Computers,dc=hq,dc=cpandl,dc=com
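As an added example that is not part of the original topic, the same prepopulation done with the ActiveDirectory module's Sync-ADObject cmdlet; it enforces the user/computer pairing the text insists on and then verifies the result against the RODC's reveal list. It assumes the ActiveDirectory module from RSAT is installed and uses the topic's example host and account names as placeholders.

```powershell
# Added example, not from the original page: prepopulate an RODC password cache for user/computer
# pairs with Sync-ADObject -PasswordOnly (the ActiveDirectory module counterpart of
# repadmin /rodcpwdrepl) and verify the result. Assumptions: ActiveDirectory module installed;
# the host and account names are the topic's example values and are placeholders.
Import-Module ActiveDirectory

function Add-RodcCachedPair {
    param(
        [Parameter(Mandatory)][string]$Rodc,      # target RODC, e.g. rodc2.hq.cpandl.com
        [Parameter(Mandatory)][string]$Wdc,       # writeable replication partner, e.g. ws2008a.hq.cpandl.com
        [Parameter(Mandatory)][string]$User,      # sAMAccountName of the user
        [Parameter(Mandatory)][string]$Computer   # computer name without the trailing $
    )

    # Both the user and the workstation account must be cached; otherwise the user cannot
    # log on through the RODC when the WAN link is down.
    $names = @($User, "$Computer`$")

    $results = foreach ($name in $names) {
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -Server $Wdc
        if (-not $obj) {
            [pscustomobject]@{ Account = $name; Status = 'not found on writeable DC' }
            continue
        }
        try {
            # Replicates only the secrets of this one object from the writeable DC to the RODC.
            Sync-ADObject -Object $obj -Source $Wdc -Destination $Rodc -PasswordOnly -ErrorAction Stop
            [pscustomobject]@{ Account = $name; Status = 'replicated' }
        } catch {
            # Typical cause: the resultant PRP for the account is Deny, or a recent Allow change
            # has not taken effect yet (see the klist purge note above). Nothing is cached then.
            [pscustomobject]@{ Account = $name; Status = "failed: $($_.Exception.Message)" }
        }
    }

    # Verify against the RODC's own reveal list rather than trusting the sync call alone.
    $rodcObj  = Get-ADDomainController -Identity $Rodc
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcObj -RevealedAccounts |
                  Select-Object -ExpandProperty SamAccountName)
    foreach ($r in $results) {
        $r | Add-Member -NotePropertyName Cached -NotePropertyValue ($revealed -contains $r.Account)
    }
    $results
}

# The topic's example pair: user MikeDan and his workstation MDVista1.
Add-RodcCachedPair -Rodc 'rodc2.hq.cpandl.com' -Wdc 'ws2008a.hq.cpandl.com' -User 'mikedan' -Computer 'mdvista1' |
    Format-Table -AutoSize
```

A row with Status 'replicated' but Cached False means the RODC has not yet reported the secret in its reveal list; re-check after replication has caught up before assuming the prepopulation failed.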

© 2014 Microsoft. All rights reserved.