RODC and Mobile Users

Question

  • We tested W2k8 R2 RODC in a Branch Office scenario.
    All works as expected with one exception.

    Scenario:
    A Mobile User with windows 7 has never logged on in the branch site.
    His credentials are not prepopulated or cached on the RODC.
    The WAN connection is broken and only the RODC is available.

    Problem:
    In this case he couldn't log on because the RODC doesn't have these secrets.
    But he also can't use the cached logon of his machine because a DC (RODC) is available!
    A workaround is to remove the network connection, log in locally and attach the network cable again.

    But what is the recommended solution (best practices) for mobile users who are also traveling between the branch offices?
    I think it is bad to add all mobile users and computers to an allow list because of the risk in a case of compromise.

    A better way would be for the Windows 7 OS to notice that there is only an RODC and the password is not cached, and after a message it would use the locally cached logon information of the machine.
    Thursday, July 23, 2009 8:30 PM

Answers

  • We use a different group for people travelling between sites. Let's call it "Roaming Users".
    Each office that these people will visit has this group in its allowed password cache.

    This is prepopulated by us, so whenever someone happens to travel to an office that he/she has never visited, the RODC there will already have their password so that they can log on normally.
    • Marked as answer by goldfinger Saturday, February 06, 2010 1:39 PM
    Sunday, September 13, 2009 12:41 PM
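    The approach in this answer (one roaming group in every branch RODC's Allowed list, with the secrets prepopulated ahead of time and then verified) as an added PowerShell example; this is not code from the thread. It assumes the ActiveDirectory RSAT module and uses placeholder names for the hub DC (HUB-DC01) and the branch RODCs (BR1-RODC, BR2-RODC); only the group name "Roaming Users" comes from the answer.

```powershell
# Added example, not from the original thread. HUB-DC01, BR1-RODC and
# BR2-RODC are placeholder names; "Roaming Users" is the group from the answer.
Import-Module ActiveDirectory

$roamingGroup = 'Roaming Users'
$hubDC        = 'HUB-DC01'        # writable DC that holds the secrets
$branchRODCs  = 'BR1-RODC', 'BR2-RODC'

# Resolve the group once and expand its membership; keep this group limited
# to people who actually roam, so each RODC caches only what its site needs.
$group   = Get-ADGroup -Identity $roamingGroup
$members = Get-ADGroupMember -Identity $group -Recursive |
           Where-Object { 'user', 'computer' -contains $_.objectClass }

foreach ($rodc in $branchRODCs) {
    # 1. Allowed-list membership only *permits* the RODC to cache these secrets.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    if ($allowed.SamAccountName -notcontains $group.SamAccountName) {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group
    }

    # 2. Prepopulate: push the password secrets (and nothing else) from the
    #    hub DC to the RODC now, so a first-time visitor can log on even when
    #    the WAN link is down. This requires step 1 to have succeeded.
    foreach ($m in $members) {
        Sync-ADObject -Object $m -Source $hubDC -Destination $rodc -PasswordOnly
    }

    # 3. Verify what the RODC actually holds. Anyone missing here will fail
    #    logon at this branch if the WAN is unavailable, exactly the case in
    #    the question above.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    $missing  = $members | Where-Object {
        $revealed.DistinguishedName -notcontains $_.DistinguishedName
    }
    if ($missing) {
        Write-Warning "$rodc is missing cached secrets for: $($missing.SamAccountName -join ', ')"
    } else {
        Write-Output "$rodc : all $($members.Count) roaming principals are prepopulated."
    }
}
```

    Re-run the script whenever the roaming group changes; the verification step also shows every account whose secret a given branch RODC would expose if that RODC were compromised.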

All replies

  • It's by design. If the WAN-link is down you can't logon if your credentials aren't cached. The second suggestion with the "roaming users" is the way to go.
    Best regards

    Joachim Nässlander
    IT-Expert, Knowledge Factory
    (http://www.knowledgefactory.se)

    MVP Cluster
    Member of Microsoft Extended Experts Team (MEET)
    Blog: http://www.nullsession.com
    Wednesday, October 21, 2009 12:57 PM