Adding Attributes to the RODC Filtered Attribute Set

Updated: April 26, 2012

Applies To: Windows Server 2008, Windows Server 2012

This topic includes procedures for adding an attribute to the filtered attribute set (FAS) for a read-only domain controller (RODC) and marking the attribute as confidential data. You can perform these procedures to exclude specific data from replicating to RODCs in the forest. Because the data is not replicated to any RODCs, you can be assured that the data will not be revealed to an attacker who manages to successfully compromise an RODC. In most cases, adding an attribute to the RODC FAS is completed by the developer of the application that added the attribute to the schema.

To add an attribute to an RODC FAS, you must first determine the current searchFlags value of the attribute that you want to add, and then set the following values for searchflags:

  • To add the attribute to the RODC FAS, set the 10th bit to 0x200.

  • To mark the attribute as confidential, set the 7th bit to 0x080.

For example, if the attribute that you want to add is indexed and no other bits are set, the current searchflags value is 0x001 (or 1, as stated in decimal format). If you set the 10th bit of the attribute to 0x200 (512) and the 7th bit to 0x080 (128), the new searchFlags value is 0x281 (or 641). In the following procedure, which uses a fictitious attribute named Contoso-App-Password, no other bits are set for searchFlags. Therefore, the current value is 0.

This example uses Ldifde.exe to determine the current searchFlags value and modify it. Ldifde.exe is a command-line tool that can create, modify, and delte directory objects. It is included in the Active Directory Domain Controller Tools. For more information about installing Active Directory Domain Controller Tools, see Installing Remote Server Administration Tools.

To perform the following procedure, you must be a member of the Schema Admins group.

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

  2. Type the following command, and then press ENTER:

    ldifde –d CN=Contoso-App-Password,CN=Schema,CN=Configuration,DC=<domain> –f en_ldif –l searchflags

    where <domain> is the distinguished name of your forest root domain.

  3. Verify that the output of the file named en_ldif appears as follows:

    dn: CN=Contoso-App-Password,CN=Schema,CN=Configuration,DC=<domain>

    changetype: add

    searchFlags: 0

  4. Copy the contents of the output file to a new file named en-fas.ldif.

  5. Modify the new file, en-fas.ldif, so that it appears as follows, and then save it:

    dn: CN=Contoso-App-Password,CN=Schema,CN=Configuration,DC=<domain>

    changetype: modify

    add: schemaUpdateNow

    schemaUpdateNow: 1

    replace: searchFlags

    searchFlags: 640


    Be sure to include the terminator "-" character, or the following procedure will not work. If you are updating multiple schema objects at the same time, add an empty line between each object.

  6. Type the following command, and then press ENTER to import the modified en-fas.ldif file:

    ldifde –i -f en-fas.ldif

You can use this procedure to verify that an attribute is added to the RODC FAS.

To perform this procedure, you can be any authenticated user.

  1. Click Start, click Administrative Tools, and then click ADSI Edit.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. Right-click ADSI Edit, and then click Connect to.

  4. Click Select a well known Naming Context, click Schema, and then click OK.

  5. In the console tree, double-click Schema, and then click the CN=Schema,CN=Configuration,DC=<domain> container.

  6. In the details pane, right-click CN=Contoso-App-Password, and then click Properties.

  7. In the list of attributes, verify that the Confidential and RODC_Filtered flags are set.

Community Additions