Replication timelines with RODC in remote AD site

  • Question

  • Hi all,

    I'm having a challenging time finding documentation on actual timelines.

    AD Site 1
    DC01

    AD Site 2
    RODC01

    User1, User2, User3 & User4 & Computer1 & Computer2 are all allowed to cache password on RODC & their passwords are prepopulated on RODC.

    Now as DC01 & RODC01 are in separate sites, I guess they'll follow the inter-site replication interval which is once every 3 hours (180 minutes). 

    So, if a user User1 changes password at the main site (ADSite1), drives over to site 2, and before the replication cycle has kicked in, when he logs in, if he enters the new password, will it RODC1 not authenticate him, because his password was prepopulated? What if the link between it & DC01 was down.

    Same with account deletion.

    I looked at technet articles, it explains authentication in great detail, and talks about single object replication that RODC performs, however it does not talk about scenarios like above.

    Any help or a link to the right resource would be very helpful.

    Cheers

    Shah

     

    Friday, October 7, 2011 10:47 PM

Answers

  • Passwords do not replicate the same way as other data in the directory, especially between an RWDC and an RODC.
     
    Between RWDCs, passwords replicate like any other piece of data in the directory. In addition to that, the following ALSO applies:
    * when a password is changed/reset on some RWDC, that RWDC will forward the password automatically to the RWDC with the PDC FSMO. This occurs over the NetLogon secure channel the RWDC has with the RWDC hosting the PDC FSMO. The exception to this behavior (in other words, it will not be forwarded) is if the AvoidPdcOnWan registry option has been configured on the initial RWDC (see: http://support.microsoft.com/kb/225511).
    * when a user tries to authenticate against a specific RWDC and the password provided does not match the password on that specific RWDC, then that RWDC will automatically retry authentication of that same user against the RWDC hosting the PDC FSMO. If authentication against the RWDC with the PDC FSMO succeeds, then the user can log on and the forwarding RWDC (the initial RWDC against which authentication was tried) will instantly inbound replicate the password. The exception to this behavior (in other words, it will not be forwarded) is if the AvoidPdcOnWan registry option has been configured on the initial RWDC (see: http://support.microsoft.com/kb/225511). If authentication against the RWDC with the PDC FSMO fails, the user is presented with an error stating the username or password is incorrect.
    * the new password on both the initial RWDC and the RWDC with the PDC FSMO role will replicate in the normal way using AD replication to other RWDCs in the same AD domain, with or without change notification depending on the location of the RWDC (from an AD site perspective) and whether or not change notification has been enabled on one or more AD site links.
     
     
    Between an RWDC and an RODC, that's a different story.
    A password NEVER replicates automatically from an RWDC to an RODC, no matter what happens! Remember though that this does not apply to password related metadata, such as the pwdLastSet attribute. The password related metadata does replicate automatically from an RWDC to an RODC. So, how does a password replicate from an RWDC to an RODC? One thing is for sure and that is that it will always occur on demand/request. Two on demand/request scenarios exist, being:
    [1] the user authenticates against the RODC while the (new) password is not cached yet -> the RODC forwards authentication to the RWDC which the RODC has set up a secure channel with, and after authentication the RODC uses the "replicate single object" method to get the latest password of that user account. The RWDC will only allow on demand/request replication to the RODC when that account is explicitly listed in the "Allowed To Cache List" of that RODC and not explicitly listed in the "Denied To Cache List" of that RODC. This of course will only work when the RODC can reach any RWDC. If the RODC cannot reach the RWDC, the authentication forwarding will not work and the inbound replication of the (new) password will also not work.
    [2] the admin pre-populates the password of the user/computer account in question on the RODC using ADUC, scripting (e.g. PowerShell) or REPADMIN.
    Remember that an RODC will ALWAYS try to inbound replicate the password using the "Replicate Single Object" method, whether or not the user/computer is listed in the "Allowed To Cache List". It is the task of the RWDC to enforce the configuration of the "Allowed To Cache List" and the "Denied To Cache List". That's WHY an RODC can only replicate the default domain NC from a W2K8 or higher RWDC and not from a W2K/W2K3 RWDC. The W2K/W2K3 RWDCs do not understand the password replication policy configuration of an RODC and will therefore not enforce it.
    When a password is changed/reset on an RWDC, the password related metadata (e.g. the pwdLastSet attribute) is replicated to the RODC. Based upon that information the RODC knows the locally stored password (if any) is not valid anymore in the AD domain and will therefore invalidate it. After that it will try to inbound replicate the (new) password using the "replicate single object" method.
     
     
    Also see the following posts:
     


    Account deletion replicates using regular AD replication to both RWDCs and RODCs.

     

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------


    Jorge de Almeida Pinto [MVP-DS] (http://jorgequestforknowledge.wordpress.com/)
    Tuesday, October 11, 2011 3:37 PM
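    The following PowerShell is an added example for the scenario above; it is not from Jorge's post or from Microsoft documentation. It shows how to check the Password Replication Policy the RWDC enforces, which secrets RODC01 currently holds (the "revealed" list), whether the pwdLastSet metadata for User1 has reached the RODC yet, and how to pre-populate the new password with REPADMIN (scenario [2]) so the branch logon works even if the WAN is down when the user arrives. Assumptions: the ActiveDirectory module is installed (Get-ADReplicationAttributeMetadata needs the Windows Server 2012 or later RSAT; on 2008 R2 use repadmin /showobjmeta for the same information), repadmin.exe is on the path, and the names DC01, RODC01 and User1 are the ones from the question.

```powershell
# Added example, not part of the original thread. Names are assumptions.
Import-Module ActiveDirectory

$rwdc   = 'DC01'     # hub RWDC (assumed)
$rodc   = 'RODC01'   # branch RODC (assumed)
$user   = 'User1'    # account from the question
$userDn = (Get-ADUser -Identity $user -Server $rwdc).DistinguishedName

# 1. Password Replication Policy of RODC01. The RWDC enforces these lists:
#    RSO only succeeds for accounts in Allowed and not in Denied.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
"Allowed to cache : " + ($allowed.SamAccountName -join ', ')
"Denied to cache  : " + ($denied.SamAccountName  -join ', ')

# 2. Secrets the RODC holds right now (revealed) versus accounts it has
#    merely forwarded authentication for.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object SamAccountName

# 3. pwdLastSet metadata on both DCs. The secret itself never replicates to
#    the RODC on its own, but pwdLastSet does. A higher version on DC01 than
#    on RODC01 means the change has not reached the branch yet; once it does,
#    the RODC discards its cached copy and needs RSO or pre-population again.
foreach ($dc in $rwdc, $rodc) {
    $meta = Get-ADReplicationAttributeMetadata -Object $userDn -Server $dc -Properties pwdLastSet
    "{0}: pwdLastSet version {1}, last originating change {2} from {3}" -f `
        $dc, $meta.Version, $meta.LastOriginatingChangeTime,
        $meta.LastOriginatingChangeDirectoryServerIdentity
}

# 4. Pre-populate the (new) password on RODC01 from DC01 right after the
#    reset at the hub. Syntax: repadmin /rodcpwdrepl <RODC> <source RWDC> <DN>.
#    This fails if the PRP does not allow the account.
repadmin /rodcpwdrepl $rodc $rwdc "$userDn"

# 5. Confirm the account is now on the revealed list.
$revealed = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts).SamAccountName
if ($revealed -contains $user) { "$user is cached on $rodc" } else { "$user is NOT cached on $rodc" }
```

    Step 3 is the check that answers the "actual timeline" question: until the pwdLastSet version on RODC01 catches up with DC01, the RODC still validates the old password locally; after it catches up, the old password is invalid there and the new one is only present if RSO (WAN up) or step 4 has run. Computer accounts work the same way with their computer object DN.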
  • Hi Shah-

    To address one of your questions about what happens if a bad password is attempted before replication.  When a user attempts a bad password, the domain controller (in your case, the RODC) will communicate with the PDC Emulator to ensure that the password is current.  So, assuming that you have network connectivity, the situation you describe will not be a problem.

    See the following TechNet article about how domain controllers verify passwords.  It is a bit dated so it doesn't dive into RODCs but it provides good info for your situation.

    http://technet.microsoft.com/en-us/library/cc780271(WS.10).aspx

    I would recommend that you drop down your replication interval to 15 minutes unless there are other constraints preventing that.

    Brian

    Friday, October 7, 2011 11:04 PM
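    As an added example (not from Brian's post), this is how the inter-site interval he mentions is read and lowered with PowerShell, together with change notification on the site link, which makes changes to DC01 flow to RODC01 within seconds instead of waiting for the schedule. Assumptions: the ActiveDirectory module from the Windows Server 2012 or later RSAT, and a site link named DEFAULTIPSITELINK connecting the two sites (substitute your own link name).

```powershell
# Added example, not part of the original thread. Link name is an assumption.
Import-Module ActiveDirectory

$linkName = 'DEFAULTIPSITELINK'

# Current schedule and the options bitmask. Bit value 1 of the siteLink
# "options" attribute (USE_NOTIFY) enables change notification across the link.
$link = Get-ADReplicationSiteLink -Identity $linkName -Properties ReplicationFrequencyInMinutes, options
"{0}: every {1} minutes, options={2}" -f $link.Name, $link.ReplicationFrequencyInMinutes, $link.options

# Lower the schedule to the 15-minute floor.
Set-ADReplicationSiteLink -Identity $linkName -ReplicationFrequencyInMinutes 15

# Turn on change notification without clobbering any other bits already set.
$opts = [int]($link.options)          # an unset attribute ($null) becomes 0
if (($opts -band 1) -eq 0) {
    Set-ADReplicationSiteLink -Identity $linkName -Replace @{ options = ($opts -bor 1) }
}

# Verify the result.
Get-ADReplicationSiteLink -Identity $linkName -Properties ReplicationFrequencyInMinutes, options |
    Select-Object Name, ReplicationFrequencyInMinutes, options
```

    Caveat: change notification shortens how quickly directory data (including the pwdLastSet metadata) reaches the RODC, but it does not make the password secret itself replicate to an RODC; that still only happens through RSO when the RODC can reach an RWDC, or through pre-population.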
  • Hi,

     

    Now as DC01 & RODC01 are in separate sites, I guess they'll follow the inter-site replication interval which is once every 3 hours (180 minutes). 

    Yes, it is.

    If a user User1 changes password at the main site (ADSite1), drives over to site 2, and before the replication cycle has kicked in, when he logs in, if he enters the new password, will it RODC1 not authenticate him, because his password was prepopulated? What if the link between it & DC01 was down.

    RODC can only replicate from a writable Windows Server 2008 domain controller. There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle.

    The same applies to account deletion and to single-object or bulk object changes: if you have deleted an account on the RWDC and the WAN is offline, then that deleted account will still be valid for logon attempts until the next replication cycle.

    RODC uses unidirectional replication:

    Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes that user might make at branch locations cannot replicate from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and the effort required to monitor replication.

     

    RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes. 

     

    RODC Frequently Asked Questions http://technet.microsoft.com/en-us/library/cc754956(WS.10).aspx

    AD DS: Read-Only Domain Controllers: http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA 
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Saturday, October 8, 2011 2:47 AM
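    The following PowerShell is an added example (not from Abhijit's post) for measuring the deletion timeline he describes: when RODC01 last successfully pulled from DC01, whether a deleted account is still a live object on the RODC, and how to force the domain partition across as soon as the WAN is back rather than waiting for the schedule. Assumptions: the ActiveDirectory module from the Windows Server 2012 or later RSAT, repadmin.exe on the path, hub RWDC DC01, branch RODC RODC01, and the deleted account User4 from the question.

```powershell
# Added example, not part of the original thread. Names are assumptions.
Import-Module ActiveDirectory

$rwdc = 'DC01'
$rodc = 'RODC01'
$sam  = 'User4'
$domainDn = (Get-ADDomain -Server $rwdc).DistinguishedName

# 1. Inbound replication status of RODC01 per partition. The deletion cannot
#    be known on the RODC before the next LastReplicationSuccess after it.
Get-ADReplicationPartnerMetadata -Target $rodc -PartnerType Inbound |
    Select-Object Partition, Partner, LastReplicationAttempt, LastReplicationSuccess,
                  ConsecutiveReplicationFailures

# 2. State of the account on each DC. sAMAccountName is retained on the
#    tombstone, so the same filter finds the object before and after deletion.
#    Expected while the WAN is down: isDeleted=True on DC01, False on RODC01.
foreach ($dc in $rwdc, $rodc) {
    $obj = Get-ADObject -Server $dc -Filter { sAMAccountName -eq $sam } `
               -IncludeDeletedObjects -Properties isDeleted, whenChanged
    if ($null -eq $obj) {
        "{0}: {1} not found" -f $dc, $sam
    } else {
        "{0}: isDeleted={1} whenChanged={2}" -f $dc, [bool]$obj.isDeleted, $obj.whenChanged
    }
}

# 3. Once the link is up, pull the domain partition into RODC01 now.
#    Syntax: repadmin /replicate <destination DSA> <source DSA> <naming context>.
repadmin /replicate $rodc $rwdc "$domainDn"

# 4. Re-check on the RODC; isDeleted should now be True.
Get-ADObject -Server $rodc -Filter { sAMAccountName -eq $sam } -IncludeDeletedObjects -Properties isDeleted |
    Select-Object DistinguishedName, isDeleted
```

    Until step 2 shows isDeleted=True on RODC01, a cached password for that account is still accepted by the RODC when the WAN is down, which is exactly the window Abhijit describes.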
  • Hi,

    Florian wrote an excellent article about user authentication in a site with an RODC.

    Please also check out:

    http://www.frickelsoft.net/blog/?p=232

    The answers to your questions are:

    - Yes, they follow the normal intersite replication interval

    - When he enters the new password and this is not replicated to the RODC yet, it will check it on the PDC emulator when the WAN is up

    "Does an RODC perform password validation forwarding even when it has a password for a user?

    Yes, in the case where a user presents a password that does not match what the RODC has stored locally, the RODC will forward the authentication request. The RODC forwards the request to the writable Windows Server 2008 domain controller that is its replication partner, which in turn forwards the request to the PDC emulator if required. If the authentication is validated at the writable Windows Server 2008 domain controller or the PDC emulator, the RODC will purge the currently stored password and replicate the new password by RSO operation."

    - When the link is down, the user is not able to log in with the new password

    - For the account deletion you have to wait until the intersite replication interval replicates this to the rodc

     

    More information about that:

    http://technet.microsoft.com/en-us/library/cc754956%28WS.10%29.aspx

     


    Martin Forch
    Saturday, October 8, 2011 6:55 AM
  • A password change originates from any RWDC but is authorized by the PDC only. If password caching is enabled on the RODC, a user (with password caching enabled for that particular account) can still log in when the WAN link is down. The RODC needs to update its password cache to allow the user to log in using the new credentials; for this, the RODC needs to receive a replication update from any writable DC.

    http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28WS.10%29.aspx

    http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2branchoffice/thread/b70f29c0-28ae-45e4-9e7e-dd9a466d8791/


    Regards  


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com 


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Saturday, October 8, 2011 8:25 AM

All replies

  • Hi,

     

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards,

     

    Arthur Li

    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    tnmff@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, October 10, 2011 5:37 AM