Forum
http://technet.microsoft.com/en-us/library/cc730883.aspx
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.
Note: You must include the appropriate user, computer, and service accounts in the Password Replication Policy in order to allow the RODC to satisfy authentication and service ticket requests locally.

When only users from the branch are encompassed by the allow list, the RODC is not able to satisfy requests for service tickets locally and it relies on access to a writable Windows Server 2008 domain controller to do so. In the WAN offline scenario, this is likely to lead to a service outage.

Initially, you should define an administrative model for the Password Replication Policy. Then, review or manually update that Password Replication Policy periodically. If the RODC is stolen, you must reset the passwords for all users and computers whose passwords are cached on it.
Choosing an administrative model for RODC password replication
Business, organizational, and administrative requirements affect how you choose an appropriate administrative model for RODC Password Replication Policy. These requirements include security, ease of management, and the reliability and availability of the WAN connections.

The RODC Password Replication Policy is determined by four multivalued AD DS attributes that contain security principals (users, computers, and groups). Each RODC computer account has these four attributes:
- msDS-Reveal-OnDemandGroup, also commonly known as the Allowed List
- msDS-NeverRevealGroup, also commonly known as the Denied List
- msDS-RevealedList, also commonly known as the Revealed List
- msDS-AuthenticatedToAccountList, also commonly known as the Authenticated to List
At any time, the RODC can replicate the passwords for accounts in the Allowed List, regardless of whether the account has attempted to log on against the RODC. The operation is triggered by user logon merely for administrative convenience.

This means that the Password Replication Policy is the security boundary for the RODC. The Password Replication Policy can differ for each RODC. However, if no Password Replication Policy is modified, the effective policy for all RODCs in a domain is the same.
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.

These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-Reveal-OnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.

By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed List attribute contains only the Allowed RODC Password Replication Group.
By default, the Denied RODC Password Replication Group contains the following members:
- Enterprise Domain Controllers
- Enterprise Read-Only Domain Controllers
- Group Policy Creator Owners
- Domain Admins
- Cert Publishers
- Enterprise Admins
- Schema Admins
- Domain-wide krbtgt account
By default, the Denied List attribute contains the following security principals, all of which are built-in groups:
- Denied RODC Password Replication Group
- Account Operators
- Server Operators
- Backup Operators
- Administrators
The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs.
The following table summarizes the three possible administrative models for the Password Replication Policy.
Model | Pros | Cons |
---|---|---|
No accounts cached (default) | Most secure, still provides fast authentication and policy processing | No offline access for anyone; WAN required for logon |
Most accounts cached | Ease of password management; intended for customers who care most about manageability improvements of RODC and not security | More passwords potentially exposed to RODC |
Few accounts (branch-specific accounts) cached | Enables offline access for those that need it, and maximizes security | Fine-grained |
The following sections explain each model in more detail.
No accounts cached
This model provides the most secure option. No passwords are replicated to the RODC, except for the RODC computer account and its special krbtgt account. However, transparent user and computer authentication relies on WAN availability. This model has the advantage of requiring little or no additional administrative configuration from the default settings. Customers might choose to add their own security-sensitive user groups to the default list of denied users. This can protect those user groups against accidental inclusion in the list of allowed users and subsequent caching of their passwords on the RODC.
Most accounts cached
This model provides the simplest administrative mode and permits offline operation. The Allowed List for all RODCs is populated with groups that represent a significant portion of the user population. The Denied List does not allow security-sensitive user groups, such as Domain Admins. Most other users, however, can have their passwords cached on demand. This configuration is most appropriate in environments where the physical security of the RODC will not be at risk.
Few accounts cached
This model restricts the accounts that can be cached. Typically, administrators define this distinctly for each RODC: each RODC has a different set of user and computer accounts that it is permitted to cache. Typically, this is based on a set of users who work at a particular physical location.

The advantage to this model is that a set of users will benefit from offline authentication, should WAN failure occur. At the same time, the scope of exposure for passwords is limited by the reduced number of users whose passwords can be cached.

There is an administrative overhead associated with populating the Allowed List and Denied List in this model. There is no default automated method for reading accounts from the known list of security principals who have authenticated against a given RODC. Nor is there a default method for populating the Allowed List with those accounts. Administrators might be able to use scripting or applications such as MIIS to build a process for adding these accounts directly to the Allowed List.

There are two ways to add these accounts. Administrators can either add the user directly to the Allowed List or, preferably, they can add them to a group that is already defined in the Allowed List for that RODC. Administrators can create "RODC-specific" groups to enable this. Or they can use existing groups in AD DS whose member scope is appropriate.
Password Replication Policy in operation
This section explains how the Allowed List, Denied List, Authenticated to List, and Revealed List attributes are used.
When an RODC makes a request to replicate a user's password, the writable Windows Server 2008 domain controller that the RODC contacts allows or denies the request. To allow or deny the request, the writable domain controller examines the values of the Allowed List and Denied List for the RODC that presents the request.

If the account whose password is being requested by the RODC is in the Allowed List rather than the Denied List set for that RODC, the request is allowed.

The following flowchart shows how this operation proceeds.

The Denied List takes precedence over the Allowed List.
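The decision described above can be modelled without a directory. The following PowerShell is an added example, not code from the TechNet article: it expands an account's group membership transitively, then applies the Denied List before the Allowed List, and treats an account in neither list as not cacheable. The group memberships, the RODC-specific group "RODC15-Branch-Seattle" and the account names are constructed sample data; the default Denied List entries are the ones listed earlier in the article.

```powershell
# Added example: offline model of the writable DC's PRP decision for an RODC.
# Denied List takes precedence over Allowed List; neither list means no caching.
function Test-RodcCachePermitted {
    param(
        [Parameter(Mandatory)] [string]    $Account,      # sAMAccountName of the user or computer
        [Parameter(Mandatory)] [hashtable] $GroupMembers, # group name -> members (users, computers or nested groups)
        [Parameter(Mandatory)] [string[]]  $AllowedList,  # msDS-Reveal-OnDemandGroup of the RODC
        [Parameter(Mandatory)] [string[]]  $DeniedList    # msDS-NeverRevealGroup of the RODC
    )

    # Transitive expansion: the account itself plus every group it belongs to,
    # directly or through nesting (a fixed point over the constructed directory).
    $principals = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    [void]$principals.Add($Account)
    $changed = $true
    while ($changed) {
        $changed = $false
        foreach ($group in $GroupMembers.Keys) {
            if ($principals.Contains($group)) { continue }
            foreach ($member in $GroupMembers[$group]) {
                if ($principals.Contains($member)) {
                    [void]$principals.Add($group)
                    $changed = $true
                    break
                }
            }
        }
    }

    $denied  = @($DeniedList  | Where-Object { $principals.Contains($_) })
    $allowed = @($AllowedList | Where-Object { $principals.Contains($_) })
    if ($denied.Count -gt 0)  { return [pscustomobject]@{ Account = $Account; Result = 'Denied';    MatchedBy = ($denied  -join ', ') } }
    if ($allowed.Count -gt 0) { return [pscustomobject]@{ Account = $Account; Result = 'Allowed';   MatchedBy = ($allowed -join ', ') } }
    return [pscustomobject]@{ Account = $Account; Result = 'NotCached'; MatchedBy = '' }
}

# Constructed sample directory (assumption): default Denied List members from the
# article, plus an RODC-specific allow group for one branch.
$groups = @{
    'Denied RODC Password Replication Group'  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'krbtgt')
    'Allowed RODC Password Replication Group' = @()
    'Domain Admins'                           = @('adm-jane')
    'Administrators'                          = @('Domain Admins')
    'RODC15-Branch-Seattle'                   = @('mikedan', 'MikeDanLaptop$', 'adm-jane')
}
$allowed = @('Allowed RODC Password Replication Group', 'RODC15-Branch-Seattle')
$denied  = @('Denied RODC Password Replication Group', 'Account Operators', 'Server Operators',
             'Backup Operators', 'Administrators')

'mikedan', 'MikeDanLaptop$', 'adm-jane', 'contractor1' |
    ForEach-Object { Test-RodcCachePermitted -Account $_ -GroupMembers $groups -AllowedList $allowed -DeniedList $denied } |
    Format-Table -AutoSize
```

Running it shows the precedence rule in practice: adm-jane is a member of the branch allow group, but because Domain Admins is nested in the Denied RODC Password Replication Group (and in Administrators, which is on the Denied List directly) she is reported as Denied, while contractor1, who is in neither list, is reported as NotCached.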
Clearing cached passwords
There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it (or the new password is prepopulated on the RODC) and if the PRP has not been changed.
http://technet.microsoft.com/en-us/library/cc753470.aspx
Updated: April 25, 2007
This section provides procedures for the following administrative tasks that are related to Password Replication Policy for an RODC:
- Configure the Password Replication Policy for an RODC
- View Current Credentials That Are Cached on an RODC
- Review Whose Accounts Have Been Authenticated to an RODC
- Prepopulate the password cache for an RODC
- Reset the Current Credentials That Are Cached on an RODC If It Is Stolen
Configure the Password Replication Policy for an RODC
Administrative credentials
To configure the Password Replication Policy for an RODC, you must be a member of the Domain Admins group.
To configure the Password Replication Policy for an RODC
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
- In the details pane, right-click the RODC computer account, and then click Properties.
- Click the Password Replication Policy tab, as shown in the following figure.
- The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed List and the Denied List on the RODC. To add other groups that should be included in either the Allowed List or the Denied List, click Add. To add other accounts that will not have credentials cached on the RODC, click Deny. To add other accounts that will have credentials cached on the RODC, click Allow.

Accounts that will not have credentials cached on the RODC can still use the RODC for domain logon. The credentials, however, will not be cached for subsequent logon using the RODC.
View current credentials that are cached on an RODC
By default, the only credentials that are cached on an RODC are for the computer account of the RODC itself and a krbtgt account.
Administrative credentials
Any domain user can view current credentials that are cached on an RODC.
To view current credentials that are cached on an RODC
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
- In the details pane, right-click the RODC computer account, and then click Properties.
- Click the Password Replication Policy tab.
- Click Advanced.
- In the drop-down list, click Accounts whose passwords are stored on this Read-only Domain Controller, as shown in the following illustration.
Review whose accounts have been authenticated to an RODC
Periodically, you should review whose accounts have been authenticated to an RODC. This information can help you plan updates that you intend to make to the existing Password Replication Policy. For example, look at which user and computer accounts have authenticated to an RODC so that you can add those accounts to the Allowed List. After their credentials are cached on the RODC, the accounts can be authenticated by the RODC in the branch office when the wide area network (WAN) to the hub site is offline.

You can use the repadmin /prp move command to automatically move accounts that have been authenticated to the Allowed List. For more information, see Repadmin /prp ( http://go.microsoft.com/fwlink/?LinkId=112118 ).
Administrative credentials
Any domain user can view which user and computer accounts have authenticated to an RODC.
To review the accounts that have been authenticated to an RODC
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
- In the details pane, right-click the RODC computer account, and then click Properties.
- Click the Password Replication Policy tab.
- Click Advanced.
- In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.
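The "few accounts cached" model described earlier (an RODC-specific group placed on the Allowed List) and the review step above can both be scripted. The following PowerShell is an added example, not code from the TechNet article; it uses the ActiveDirectory module cmdlets that ship with Windows Server 2008 R2 and later RSAT, and it assumes an RODC named RODC15, a branch OU and an RODC-specific group name, all of which are placeholders.

```powershell
# Added example: populate an RODC's Allowed List through an RODC-specific group,
# then list accounts that have authenticated to the RODC but are not yet cached.
Import-Module ActiveDirectory

$Rodc      = 'RODC15'                                        # assumption: RODC computer name
$GroupName = 'RODC15 Allowed RODC Password Replication'      # assumption: RODC-specific group
$BranchOU  = 'OU=SeattleBranch,DC=contoso,DC=com'            # assumption: branch users and computers

# 1. Create the RODC-specific group once; later membership changes then never
#    touch the RODC computer object's msDS-Reveal-OnDemandGroup attribute.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $BranchOU
}

# 2. Branch users AND their computers: the article notes both must be cacheable
#    for logon to succeed while the WAN link is down.
$members  = @(Get-ADUser     -SearchBase $BranchOU -Filter *)
$members += @(Get-ADComputer -SearchBase $BranchOU -Filter *)
if ($members.Count -gt 0) { Add-ADGroupMember -Identity $GroupName -Members $members }

# 3. Put the group on this RODC's Allowed List.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $GroupName

# 4. Review current policy and usage. Accounts that authenticated to the RODC
#    but are absent from the Revealed List are candidates for the Allowed List
#    (or were blocked by the Denied List, which takes precedence).
$allowedNow    = Get-ADDomainControllerPasswordReplicationPolicy      -Identity $Rodc -Allowed
$deniedNow     = Get-ADDomainControllerPasswordReplicationPolicy      -Identity $Rodc -Denied
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

"Allowed List: " + (($allowedNow | Select-Object -ExpandProperty Name) -join ', ')
"Denied List : " + (($deniedNow  | Select-Object -ExpandProperty Name) -join ', ')
"Authenticated to $Rodc but not cached:"
$authenticated |
    Where-Object { $revealed.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object Name, ObjectClass, DistinguishedName |
    Format-Table -AutoSize
```

The last block is the scripted form of comparing the "authenticated to" and "passwords are stored" views in the Advanced dialog; review its output before adding anything to the group, since an account can appear there because the Denied List blocked it rather than because it is missing from the Allowed List.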
Prepopulate the password cache for an RODC
You can prepopulate the password cache for an RODC with the passwords of user and computer accounts that you plan to authenticate to it. When you prepopulate the RODC password cache, you trigger the RODC to replicate and cache the passwords for users and computers before the accounts try to log on in the branch office.

Prepopulating the password cache helps ensure that a user can log on to the network in the branch office, even if the WAN link to the data center is offline. For example, suppose that a user who normally works in the data center travels to a branch office and attempts to log on there with a laptop. The RODC contacts the writable domain controller in the data center. If the Password Replication Policy allows it, the RODC caches the password. However, if the WAN link is offline when the user attempts to log on, then the logon attempt fails because the RODC has not yet replicated the password for the account.

To avoid this problem, you can prepopulate the password cache of the RODC in the branch office with the password of the user and the laptop. This eliminates the need for the RODC to replicate the password from the Windows Server 2008 domain controller over the WAN link.

In addition, prepopulating the password cache is a good idea if you build an RODC in a central location, such as in a data center, before you transport the RODC to the branch office. By prepopulating the password cache with the users and computers who will log on in the branch office, the RODC can authenticate those accounts without contacting the Windows Server 2008 domain controller over the WAN link.

You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation fails.

You can prepopulate the password cache for an RODC by using Active Directory Users and Computers or by using the Repadmin command-line tool.
Administrative credentials
To prepopulate the password cache for an RODC, you must be a member of the Domain Admins group.
To prepopulate the password cache for an RODC by using Active Directory Users and Computers
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
- In the details pane, right-click the RODC computer account, and then click Properties.
- Click the Password Replication Policy tab.
- Click Advanced.
- Click Prepopulate Passwords.
- Type the name of the accounts whose passwords you want to prepopulate in the cache for the RODC, and then click OK.
- When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.
To prepopulate the password cache for an RODC by using the Repadmin command-line tool
- Log on to a writable domain controller that is running Windows Server 2008.
- Click Start, right-click Command Prompt, and then click Run as administrator.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type the following command, and then press ENTER:

  repadmin /rodcpwdrepl [DSA_List] <Hub DC> <User1 Distinguished Name> [<Computer1 Distinguished Name> <User2 Distinguished Name> …]

  In the command, use the values from the following table.

Placeholder | Value |
---|---|
DSA_List | The name of the RODC whose password cache you want to prepopulate. |
Hub DC | The name of the writable Windows Server 2008 domain controller that is the replication partner of the RODC. |
User1, Computer1, … | The names of the users and computers whose passwords you want to cache on the RODC. You must add the computer accounts of the users or they cannot log on. |

For example, the following command prepopulates the password cache for RODC15 with the passwords for Mike Danseglio and his computer, MikeDanLaptop. The hub domain controller is named HUBDC12.

  Repadmin /rodcpwdrepl RODC15 HUBDC12 CN=MikeDan,OU=DatacenterUsers,DC=contoso,DC=com CN=MikeDanLaptop,OU=DatacenterComputers,DC=contoso,DC=com
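Prepopulating more than one user, each together with the computer they log on from, is easier to get right from a script that also checks the outcome. The following PowerShell is an added example, not code from the TechNet article: it wraps the repadmin /rodcpwdrepl command documented above in a loop over user/computer pairs and then compares the requested accounts against the RODC's Revealed List with the ActiveDirectory module. RODC15 and HUBDC12 are the names from the article's example; the second user/computer pair and the treatment of repadmin's exit code as the failure signal are assumptions.

```powershell
# Added example: prepopulate an RODC's cache for user/computer pairs and verify.
Import-Module ActiveDirectory

$Rodc  = 'RODC15'    # from the article's example
$HubDc = 'HUBDC12'   # from the article's example
# Constructed pairs; the article notes a user's computer must be cached too.
$pairs = @(
    @{ User = 'CN=MikeDan,OU=DatacenterUsers,DC=contoso,DC=com'
       Computer = 'CN=MikeDanLaptop,OU=DatacenterComputers,DC=contoso,DC=com' },
    @{ User = 'CN=AnnaK,OU=DatacenterUsers,DC=contoso,DC=com'          # assumption
       Computer = 'CN=AnnaKLaptop,OU=DatacenterComputers,DC=contoso,DC=com' }
)

foreach ($p in $pairs) {
    # Prepopulation fails for any account the PRP does not allow to be cached;
    # capture repadmin's output so the reason is visible per pair.
    $out = & repadmin /rodcpwdrepl $Rodc $HubDc $p.User $p.Computer 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("repadmin failed for {0}: {1}" -f $p.User, ($out -join ' '))
    }
}

# Verify against the Revealed List (msDS-RevealedList) rather than trusting
# repadmin's output alone.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
            Select-Object -ExpandProperty DistinguishedName
foreach ($dn in ($pairs | ForEach-Object { $_.User; $_.Computer })) {
    $state = if ($revealed -contains $dn) { 'cached' } else { 'NOT cached' }
    '{0,-10} {1}' -f $state, $dn
}
```

An account reported as NOT cached after this run is either not covered by the RODC's Allowed List or is matched by its Denied List; fix the policy first, since repadmin cannot override it.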
Reset the current credentials that are cached on an RODC if it is stolen
Administrative credentials
To reset the current credentials that are cached on an RODC, you must be a member of the Domain Admins group.
To reset the current credentials that are cached on an RODC if it is stolen
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
- In the details pane, right-click the RODC computer account, and then click Delete.
- To confirm the deletion, click Yes.
- In the Deleting Active Directory Domain Controller dialog box, select the Reset all passwords for user accounts that were cached on this read-only domain controller check box, as shown in the following figure. As an option, you can also select the Export the list of accounts that were cached on this read-only domain controller to this file check box to create a list of user accounts whose passwords must be reset after the RODC account is deleted. That list of accounts is not available after the RODC account is deleted.
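Because the list of cached accounts disappears with the RODC computer account, an incident responder will usually want it captured and acted on before the deletion step above. The following PowerShell is an added example, not code from the TechNet article: it exports the RODC's Revealed List with the ActiveDirectory module, resets the password of every cached user account to a random value, and records cached computer accounts for separate handling. RODC15 and the export path are placeholders.

```powershell
# Added example: capture and invalidate the credentials cached on a stolen RODC
# before its computer account is deleted.
Import-Module ActiveDirectory

$Rodc       = 'RODC15'                                   # assumption: the stolen RODC
$ExportPath = "C:\IR\$Rodc-revealed-accounts.csv"        # assumption: evidence location

# 1. Export the Revealed List while it still exists. The RODC's own account and
#    its krbtgt_* account are removed with the RODC object, as the GUI step does,
#    so they are excluded from the reset loop.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
          Where-Object { $_.Name -notlike 'krbtgt*' -and $_.Name -ne "$Rodc`$" }
$cached | Select-Object Name, ObjectClass, DistinguishedName |
          Export-Csv -Path $ExportPath -NoTypeInformation

# 2. Reset every cached user password; the replaced value is never reused, so
#    a copy taken from the RODC stops working at the hub and other branches.
foreach ($acct in $cached) {
    switch ($acct.ObjectClass) {
        'user' {
            $bytes = New-Object byte[] 24
            [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
            $new = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $new
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
            "reset    user     $($acct.Name)"
        }
        'computer' {
            # A computer's secret is reset from the computer itself (for example
            # Reset-ComputerMachinePassword) or by re-joining it; just record it.
            "pending  computer $($acct.Name)"
        }
        default { "skipped  $($acct.ObjectClass) $($acct.Name)" }
    }
}
"Exported $(@($cached).Count) cached accounts to $ExportPath"
```

The users will need a new password delivered out of band; the random value is only there to invalidate the cached one immediately. Keep the exported CSV with the incident record, since it is the only list of which accounts were exposed once the RODC account is gone.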