Questions about RODC, cached passwords and user logon

  • Question

  • Hi there,

    I set up a test scenario where I have two sites "head office" and "branch office". Why can I log on to CL1 with Administrator while the WAN link is down? Here is the setup:

    DC1 is in the head office,
    RDC1 is in the branch office,
    CL1 is in the branch office.

    User1 is in the “Allowed RODC Password Replication Group”,
    User2 and Administrator (domain) are not.

    I prepopulated the passwords for User1 and CL1 on RDC1. I did log on to CL1 with all three user accounts successfully.

    I removed the WAN link and tried to log on with the user accounts:

    1. User1 logs on fast. (sounds good)
    2. User2 shows a wrong password error (expected behaviour, but unexpected error message)
    3. Administrator (loading icon spins for minutes but logs on eventually -> this is unexpected)

    Could someone explain to me why the domain Administrator can authenticate when there is no connectivity to DC1, when the Administrator's password is explicitly denied from being replicated to RDC1 (“Denied RODC Password Replication Group”)?

    Saturday, July 19, 2014 9:06 PM
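The following PowerShell is an added diagnostic example, not part of the original post or of any reply. It separates the two places a branch-office logon can be satisfied from when the WAN link is down: the RODC's own password cache (governed by the Password Replication Policy) and the client's local cache of recent domain logons (the "Interactive logon: Number of previous logons to cache" setting, stored as the `CachedLogonsCount` value under Winlogon, default 10), which works independently of any RODC. The computer names `RDC1` and `CL1` are taken from the post; the ActiveDirectory module (RSAT or a DC) and PowerShell remoting to the client are assumed.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and that RDC1 / CL1 are the RODC and client from the scenario above.
Import-Module ActiveDirectory

function Get-RodcPolicySummary {
    # What the RODC is allowed/denied to cache, and what it has actually cached.
    param([Parameter(Mandatory)][string]$Rodc)
    [pscustomobject]@{
        Rodc          = $Rodc
        Allowed       = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name
        Denied        = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name
        # Accounts whose secrets are physically present on the RODC
        Revealed      = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts).SamAccountName
        # Accounts that have authenticated through this RODC (cached or forwarded)
        Authenticated = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts).SamAccountName
    }
}

function Test-AccountRevealedOnRodc {
    # True only if the RODC itself holds the account's secret.
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $revealed = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts).SamAccountName
    return [bool]($revealed -contains $SamAccountName)
}

function Get-ClientCachedLogonsCount {
    # Reads the client's cached-logon limit; a missing value means the default (10).
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $v = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
        if ($null -eq $v) { 10 } else { [int]$v }
    }
}

# Usage for the scenario in the post:
$summary = Get-RodcPolicySummary -Rodc 'RDC1'
$summary | Format-List

foreach ($acct in 'User1', 'User2', 'Administrator') {
    $onRodc = Test-AccountRevealedOnRodc -Rodc 'RDC1' -SamAccountName $acct
    "{0,-14} secret on RDC1: {1}" -f $acct, $onRodc
}

"CL1 caches the last {0} domain logons locally" -f (Get-ClientCachedLogonsCount -ComputerName 'CL1')
```

If an account is not in the `Revealed` list yet still logs on with the link down, the RODC did not supply the credential; the client's own logon cache did, and the slow logon is the client timing out against the unreachable DC before falling back to it. To confirm this on a test client, set the cached-logons policy to 0 on CL1 (Group Policy or the `CachedLogonsCount` value), log off, and repeat the disconnected logon; with the local cache disabled, only accounts the RODC has actually revealed should succeed.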

All replies