Password Authentication on RODC

  • Question

  •  

    From what I have read about RODCs, I understand that an RODC doesn't store user passwords?

    I have two questions here.

    1.  If the RODC has to go back to the RWDC every time for password authentication, what will happen in a scenario where the WAN link is down?  Does that mean that if the WAN link is down the RODC will not be able to authenticate users?

    2.  Passwords are also stored in AD.  That being said, if the entire AD is replicated to the RODC server, will it not have the passwords too?

    Thanks for your detailed answers in advance

    Wednesday, February 27, 2008 8:08 PM

Answers

  • >>>I have a RODC and I store passwords locally.  Now, administrator is changing the password for a user in the remote RWDC.  Before it gets replicated to the RODC,

    When the password is changed or reset against an RWDC, the password never automatically replicates to the RODC. However, part of the metadata is replicated to the RODC, and with that the RODC knows the stored password has become invalid and it will remove it from its database. The user will not be able to use the old password. If he does, the RODC forwards auth to the RWDC; the RWDC sees the password is incorrect and it will tell the RODC to deny logon. If the user uses the new password, the RODC still forwards auth to the RWDC, which will auth the user. After that the RODC inbound replicates the password using the Replicate Single Object method and stores it in its DB.

    When the password is changed or reset against an RODC, the RODC will forward the change to a W2K8 RWDC and after that it will automatically inbound replicate the password using the "Replicate Single Object" method, assuming the account for which the password was reset/changed is still allowed to be cached/stored.

     

    Thursday, February 28, 2008 7:22 PM

All replies

  •  

    An RODC does store passwords for a specific set of users, based on the Password Replication Policy that is set for that specific RODC.

    When a user attempts to log in at a site with an RODC, if the RODC does not have that user's password in its cache, the RODC will contact the RWDC, and the RWDC will supply the RODC with the user's password.

    The RODC will also check whether the user account exists within the Password Replication Policy. If the account does exist, then the RODC will hold a copy of that password, so that in future, whether the WAN is up or down, that user can log in.

    If the user account does not exist in the Password Replication Policy, then the password for that user will not be replicated to the RODC, and whenever that user tries to log in the RODC will always have to contact the RWDC for authentication of that user.

    Check out: http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx?mfr=true

    Also, after creating an RODC, in AD U&C you can right-click on the RODC to see what Password Replication Policy is being used and what groups/users can have their passwords cached on the RODC.

    Thursday, February 28, 2008 12:00 AM
  •  

    Hi,

     

    I agree with Luke. The Password Replication Policy defines whether a user's or a computer's credentials are allowed to replicate from a writable domain controller to an RODC.

    For the second question, an RODC database holds all Active Directory Domain Services objects and attributes that a writable domain controller holds, except for account passwords. In an RODC, passwords are never replicated to its database. Instead, they can only be cached according to the Password Replication Policy.

    Thursday, February 28, 2008 8:55 AM
  •  

    Both the above posts are up to the mark.  Thanks for the same.

    I just have another clarification on the same.  We are talking about caching of passwords.  By caching of passwords we mean temporary caching, right?  If that is the case, say I reboot my RODC, and when the RODC comes up after the reboot the WAN link is down. In this scenario, no user can log in to the domain, right?

     

    Thanks for all your help.

    Thursday, February 28, 2008 1:03 PM
  • In addition to what others said...

     

    The passwords are cached or not depending on the configuration of the Password Replication Policy for that RODC. The password remains cached whether or not you reboot the RODC. Caching is not really the correct word here. It should be storage or something like that.

    The password ONLY replicates to the RODC if it is allowed for that particular account, and DURING authentication (on-request) or when pre-populated (on-demand). It will NOT automatically replicate to the RODC like other attributes.

    The password on the RODC becomes invalid when the password is changed on some RWDC. If it is still allowed to replicate to the RODC, the new password will replicate; otherwise it will not.

     

    Thursday, February 28, 2008 5:07 PM
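    The Password Replication Policy checks Luke describes above, the on-request versus pre-populated storage Jorge describes, and the password-reset case from Jorge's accepted answer, walked through as one added PowerShell example. This is not code from the thread or from Microsoft. RODC01, RWDC01 and jdoe are hypothetical names; the ActiveDirectory module cmdlets used here shipped after this thread was written, so the repadmin equivalents available at the time are given in comments.

```powershell
# Added example, not code from the thread. Hypothetical names: RODC01 (the RODC),
# RWDC01 (a writable DC in the hub site), jdoe (a branch user). Requires the
# ActiveDirectory PowerShell module (RSAT); Sync-ADObject -PasswordOnly needs a
# Windows Server 2012 or later RWDC. repadmin equivalents are given in comments.
Import-Module ActiveDirectory

$Rodc = 'RODC01'
$Rwdc = 'RWDC01'
$User = 'jdoe'

function Get-RodcPrp {
    # Who may and who may not have passwords stored on the RODC. A principal that
    # appears on both lists is denied: the Denied list takes precedence.
    # repadmin /prp view RODC01 allow
    # repadmin /prp view RODC01 deny
    param([string]$RodcName)
    [pscustomobject]@{
        Allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
                    Select-Object -ExpandProperty Name)
        Denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied |
                    Select-Object -ExpandProperty Name)
    }
}

function Test-RodcPasswordRevealed {
    # $true when the RODC currently holds the account's secrets (the "reveal" list).
    # repadmin /prp view RODC01 reveal
    param([string]$RodcName, [string]$SamAccountName)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    [bool]($revealed | Where-Object SamAccountName -eq $SamAccountName)
}

# 1. Inspect the policy, plus the accounts that have already authenticated through
#    this RODC (the list to review when deciding what to allow).
#    repadmin /prp view RODC01 auth2
Get-RodcPrp -RodcName $Rodc
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object SamAccountName, ObjectClass

# 2. Allow the user to be stored on this RODC (branch computer accounts need the
#    same treatment, or the machines cannot log on when the WAN is down either).
#    repadmin /prp add RODC01 allow jdoe
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $User

# 3. Pre-populate (Jorge's "on-demand") instead of waiting for the first branch
#    logon ("on-request"), so a WAN outage before anyone has logged on is covered.
#    repadmin /rodcpwdrepl RODC01 RWDC01 "CN=jdoe,OU=Branch,DC=corp,DC=example,DC=com"
$userDn = (Get-ADUser -Identity $User -Server $Rwdc).DistinguishedName
Sync-ADObject -Object $userDn -Source $Rwdc -Destination $Rodc -PasswordOnly

# 4. Confirm the RODC now holds the secret.
Test-RodcPasswordRevealed -RodcName $Rodc -SamAccountName $User

# 5. Reset the password against the RWDC. Per the accepted answer, the new secret
#    is not pushed to the RODC; once the change's metadata replicates, the RODC
#    drops the stored one until the user logs on at the branch again or you
#    re-run step 3. Allow for replication latency before re-checking.
Set-ADAccountPassword -Identity $User -Server $Rwdc -Reset `
    -NewPassword (Read-Host -AsSecureString "New password for $User")
Start-Sleep -Seconds 120
Test-RodcPasswordRevealed -RodcName $Rodc -SamAccountName $User
```

    The reveal list in step 4 is also what to audit if an RODC is lost or stolen: every account on it must be treated as compromised and reset, which is the reason the Denied list should cover privileged groups.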
  • Thanks Jorge for your valuable input.

     

    I need some help in the below scenario to understand how Windows will react:

     

    Scenario:

     

    I have a RODC and I store passwords locally.  Now, the administrator is changing the password for a user on the remote RWDC.  Before it gets replicated to the RODC, the user logs in at the RODC site with his old password.  What will happen now?  Is the RODC checking for password changes every time the user logs in?  Or, in this scenario, will the user get authenticated with the old password?

    Thursday, February 28, 2008 6:06 PM
  • Based on Jorge's comment: if a user attempts to change their password against an RODC and the WAN link to an RWDC is down, then the password change will fail.

    This is because the RODC does not have permissions to write to the NTDS.

    Jorge, which piece of metadata is modified to identify an account that has had its password changed? And what is the latency of this piece of metadata being replicated to the RODCs?

    Friday, February 29, 2008 12:29 AM
  • Hi all.

    I want to note that the issue discussed here (latency of password replication) is not specific to RODCs.

    Take two writable DCs. Do the password change on one. Immediately attempt to log on to the second DC using your old password... it works! This is due to replication latency and is nothing new.

    However, if the user tries to log on to the (RO)DC with the new password, the (RO)DC will attempt to contact the PDC to check the password. Again, nothing new here.

    Hope that helps. Thanks,

    Gregoire

    Friday, February 29, 2008 8:38 PM
  • To get information on the details you want, especially about passwords, see Appendix A: Technical Reference Topics http://technet.microsoft.com/en-us/library/cc754218.aspx, which is specific to RODCs.
    Saturday, November 22, 2008 3:04 AM