RODC Password replication policy

    Question

  • We have 2 RODCs set up in our office. These RODCs are connected over a WAN link to writable DCs.

    Yesterday our WAN link went down and due to that all the authentications were failing.

    Earlier we wrongly assumed that the users and computer passwords are cached in RODC by default.

    We went through some documentation.

    https://technet.microsoft.com/en-us/library/1e3f8afa-8cbd-4bef-86d9-fa7dcc0bb801(v=ws.10)#BKMK_CredCaching

    We want to enable password caching for domain users in the RODC so that authentication works even if the writable DCs are unavailable. But we have a few concerns.

    1. What happens on a password change? I read somewhere that it will set its password value in the cache to NULL and fetch it from the writable DC. Can someone please confirm if I am right?

    2. Also I read that currently there is no mechanism to remove cached entries. Does this still hold true?

    3. Should I be aware of anything else?

    Suggestions appreciated.

    Tuesday, December 13, 2016 2:32 PM

All replies

  • Hi,

    <<<1. What happens on a password change? I read somewhere that it will set its password value in the cache to NULL and fetch it from the writable DC. Can someone please confirm if I am right?>>>

    If the password of a user is changed directly on a writable domain controller, when any RODC that has the old password for that user performs a normal replication cycle that includes that password update, it has the effect of making it appear as if the password for that user is no longer present. (Although the old password is still present in the database on the RODC, the metadata that is associated with the password attributes marks the password as absent.) Only on the next occasion that the user logs on by using the RODC will the new password be replicated to the RODC by an RSO operation.

    <<<2. Also I read that currently there is no mechanism to remove cached entries. Does this still hold true?>>>

    Yes, the password will still be valid for authentication purposes until the next replication cycle.

    Generally, we cannot remove a cached password from an RODC. To achieve almost the same result, you can remove the password from the RODC's cache. First, delete the user from the list of users whose credentials the RODC is allowed to cache; then, reset the password. At the next replication cycle, the RODC will see that the user's password has changed and that it no longer has permission to cache the user's credentials. The RODC will remove the user's credentials from its cache.

    More articles for your reference:

    Appendix A: RODC Technical Reference Topics

    https://technet.microsoft.com/en-us/library/cc754218(v=ws.10).aspx#BKMK_PWD

    RODC Trick: Remove a User’s Password from a RODC without forcing the user to change her password

    http://blogs.metcorpconsulting.com/tech/?p=1096

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 14, 2016 6:44 AM
    Moderator
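The procedure described in the reply above (allow caching, prepopulate while the WAN link is up, and purge a single account's secret by revoking cache rights and resetting the password), as an added PowerShell example. This is not code from the original thread or from Microsoft; it uses only cmdlets from the ActiveDirectory module and the built-in repadmin tool. The RODC name RODC01, the writable DC name DC01 and the group name RODC-Cache-Allowed are assumptions for illustration. One caveat the reply does not spell out: the built-in Denied RODC Password Replication Group (and any explicit Denied entry) takes precedence over Allowed entries, so denying an account is the reliable way to revoke cache rights even when the account is still allowed through some group membership.

```powershell
# Added example, not part of the original TechNet thread.
# Assumed names: RODC01 (the RODC), DC01 (a writable DC), RODC-Cache-Allowed (group).
Import-Module ActiveDirectory

$Rodc       = 'RODC01'
$WritableDc = 'DC01'
$CacheGroup = 'RODC-Cache-Allowed'

# 0. Inspect the current Password Replication Policy (PRP) of the RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name

# 1. Allow the group to have its secrets cached on RODC01.
#    Keep domain admins and service accounts out of this group: membership in the
#    Denied RODC Password Replication Group overrides any Allowed entry anyway.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $CacheGroup

# 2. Prepopulate the cache while the WAN link is up. Without this, the first logon
#    of each user still needs an RSO call to a writable DC, which is exactly what
#    fails during a WAN outage.
$members = Get-ADGroupMember -Identity $CacheGroup -Recursive |
    Where-Object { $_.objectClass -in 'user', 'computer' }
foreach ($m in $members) {
    Sync-ADObject -Object $m.DistinguishedName -Source $WritableDc -Destination $Rodc -PasswordOnly
}

# 3. Verify what the RODC actually holds.
#    RevealedAccounts = secrets currently cached on the RODC.
#    AuthenticatedAccounts = accounts that have authenticated through it (cached or not).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# 4. Purge one account's secret from the RODC: (a) revoke the right to cache,
#    (b) reset the password on a writable DC, (c) replicate so the RODC marks the
#    old secret absent and, lacking cache rights, does not fetch the new one.
function Remove-RodcCachedSecret {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Rodc,
        [Parameter(Mandatory)][string]$WritableDc
    )

    # (a) Explicit Denied entry: wins over any Allowed group the account is still in.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $SamAccountName

    # (b) Reset to a random password generated from a cryptographic RNG.
    #     24 random bytes -> 32 Base64 characters (mixed case, digits, '+' '/').
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Server $WritableDc -Reset -NewPassword $newPwd

    # (c) Trigger replication of the domain partition from DC01 to the RODC now,
    #     instead of waiting for the next scheduled cycle.
    $domainDn = (Get-ADDomain -Server $WritableDc).DistinguishedName
    & repadmin /replicate $Rodc $WritableDc $domainDn | Out-Null

    # Report whether the account is still listed as revealed on the RODC.
    $still = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $_.SamAccountName -eq $SamAccountName }
    [pscustomobject]@{ Account = $SamAccountName; StillRevealed = [bool]$still }
}

# Example use: purge a (hypothetical) user 'jdoe' after a suspected RODC compromise.
Remove-RodcCachedSecret -SamAccountName 'jdoe' -Rodc $Rodc -WritableDc $WritableDc
```

Run this as a domain administrator from a host that can reach both DC01 and RODC01. Step 2 is the part that addresses the outage in the question: allowing a group in the PRP only permits caching, and a secret is not cached until the account authenticates through the RODC or is prepopulated with Sync-ADObject. Step 4 resets the password, so the user must be told the new one (or forced to change it at next logon) before it is useful.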
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang



    Monday, December 26, 2016 3:38 AM
    Moderator