Password Replication Policy

In the previous lesson we installed an RODC. To continue, we will create a branchofficeusers security group and populate it with users. We will then create a password replication policy, monitor credential caching, and prepopulate credentials on the RODC.

In this scenario we will create 3 users: Jim Bean, Paul Gray and Mike Stand.

Jim and Paul will become members of the branchofficeusers group; Mike Stand will not be added to the group, and his credentials will be prepopulated later. All three users will be added to the Print Operators group in order to allow them to log on to the domain controller locally. This action is not recommended in production environments and is only used for testing purposes.

On DC1 open Active Directory Users and Computers. Right-click Builtin and select New > Group. For Group name type branchofficeusers and click OK. In Active Directory Users and Computers, right-click Users and select New > User. Fill in the user's details and click Next. Type in the password, confirm it and click Next. Repeat the process for the other users, Paul Gray and Mike Stand. Click Finish to complete.

Select the users Jim Bean and Paul Gray, right-click and select Add to a group. Specify branchofficeusers and click OK.

Add to group

Right-click the branchofficeusers group and select Add to a group. Specify the Print Operators group and click OK.
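The same provisioning done from PowerShell, as an added example that is not part of the original lesson. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and later; the lesson's Windows Server 2008 GUI steps do not need it), invents the sAMAccountNames jbean, pgray and mstand (the lesson only gives display names), and creates the group in the Users container rather than Builtin.

```powershell
# Added example: provision the lab users and group from PowerShell.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2+) and a
# domain-joined session with rights to create objects in CN=Users.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$usersDn   = "CN=Users,$($domain.DistinguishedName)"
$groupName = 'branchofficeusers'

# Global security group. The lesson creates it under Builtin; the Users
# container used here is an assumption of this example.
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupCategory Security -GroupScope Global -Path $usersDn

# sAMAccountNames are invented for the example.
$people = @(
    @{ Given = 'Jim';  Surname = 'Bean';  Sam = 'jbean'  },
    @{ Given = 'Paul'; Surname = 'Gray';  Sam = 'pgray'  },
    @{ Given = 'Mike'; Surname = 'Stand'; Sam = 'mstand' }
)

foreach ($p in $people) {
    # Prompt for each password so no secret is embedded in the script.
    $password = Read-Host -AsSecureString -Prompt "Initial password for $($p.Sam)"
    New-ADUser -Name "$($p.Given) $($p.Surname)" `
        -GivenName $p.Given -Surname $p.Surname `
        -SamAccountName $p.Sam `
        -UserPrincipalName "$($p.Sam)@$($domain.DNSRoot)" `
        -Path $usersDn -AccountPassword $password -Enabled $true
}

# Only Jim and Paul join the branch group; Mike stays out so his password
# is not cached until it is prepopulated later in the lesson.
Add-ADGroupMember -Identity $groupName -Members 'jbean', 'pgray'

# Nest the group in Print Operators so the lab users can log on locally to
# the domain controller. Test lab only, as the lesson notes.
Add-ADGroupMember -Identity 'Print Operators' -Members $groupName

# Verify the membership that the lesson's GUI steps produce.
Get-ADGroupMember -Identity $groupName        | Select-Object Name, SamAccountName
Get-ADGroupMember -Identity 'Print Operators' | Select-Object Name, objectClass
```

Run it once in an elevated PowerShell session on DC1 (or any machine with RSAT installed). The final two Get-ADGroupMember calls should list jbean and pgray under branchofficeusers, and branchofficeusers as a group member of Print Operators.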

Configure RODC-Specific Password Replication Policy

To facilitate the management of PRP, Windows Server 2008 creates two domain local security groups in the Users container of Active Directory. The first, named Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user’s credentials. If there are users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group.

The second group is named Denied RODC Password Replication Group. It is added to the Denied List of each new RODC. If there are users whose credentials you want to ensure are never cached by domain RODCs, add those users to the Denied RODC Password Replication Group. By default, this group contains security-sensitive accounts that are members of groups including Domain Admins, Enterprise Admins, and Group Policy Creator Owners.

The two groups described in the previous section provide a method to manage PRP on all RODCs. However, to support a branch office scenario most efficiently, you need to allow the RODC in each branch office to cache user and computer credentials in that specific location. Therefore, you need to configure the Allowed List and the Denied List of each RODC.

In the Domain Controllers OU, right-click branchrodc and select Properties. Select Password Replication Policy. Click Allowed RODC Password Replication Group and select Members; by default the group is empty. Click Denied RODC Password Replication Group and select Members; by default this group contains security-sensitive accounts that are members of groups including Domain Admins, Enterprise Admins, and Group Policy Creator Owners. In the Allowed RODC Password Replication Group Properties dialog, on the Members tab, click Add. Specify branchofficeusers and click OK. The branch office users' credentials will now be cached by the server.
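An added example, not part of the original lesson, that inspects the two domain-wide PRP groups and the RODC's own Allowed and Denied lists from PowerShell and repadmin. The lesson's GUI step adds branchofficeusers to the domain-wide Allowed RODC Password Replication Group, which allows caching on every RODC in the domain; the script below instead adds the group to branchrodc's own Allowed list, which is the per-RODC scope this section's heading describes, and shows the domain-wide variant as a comment. It assumes the ActiveDirectory module and the RODC name branchrodc from the lesson.

```powershell
# Added example: inspect and configure the Password Replication Policy of one RODC.
# Assumes the ActiveDirectory module and that the RODC is named branchrodc.
Import-Module ActiveDirectory

$rodc = 'branchrodc'

# The two domain-wide groups that Windows Server 2008 pre-seeds into every
# new RODC's lists.
Write-Host '== Allowed RODC Password Replication Group (empty by default) =='
Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group' | Select-Object Name

Write-Host '== Denied RODC Password Replication Group (privileged accounts by default) =='
Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' | Select-Object Name

# The lists as currently applied to this specific RODC.
Write-Host "== $rodc Allowed list =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Write-Host "== $rodc Denied list =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# What the lesson does in the GUI: allow branchofficeusers on every RODC by
# adding it to the domain-wide Allowed group.
# Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members 'branchofficeusers'

# Per-RODC alternative: allow the group on branchrodc only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'branchofficeusers'

# Re-read the Allowed list to confirm the group landed on branchrodc.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Where-Object { $_.Name -eq 'branchofficeusers' }

# The same view from the built-in repadmin tool, which needs no PowerShell module.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny
```

When an account resolves to both lists, the Denied list wins, which is why the default Denied RODC Password Replication Group membership is the control that keeps Domain Admins and similar credentials off a branch server regardless of what is added to an Allowed list. Re-running the two repadmin /prp view commands after any change is a quick way to confirm the effective policy.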

Monitor Credential Caching

The 3 users we created previously will log on to the RODC so we can monitor the caching. Remember that Mike Stand was not a member of the branchofficeusers group, so his credentials should not be cached by the RODC. We will use his account to demonstrate prepopulating a password on the RODC.

After the users have logged on and off, on DC1 open the Domain Controllers OU. Right-click the RODC and select Properties. Select Password Replication Policy and click Advanced. Note that the two members of the branchofficeusers group are listed under Accounts whose passwords are stored on this read-only domain controller. Mike Stand's password has not been stored; his account appears only under Accounts that have been authenticated to this read-only domain controller.

Now try to prepopulate Mike Stand's password to this RODC. Click Prepopulate Passwords, specify Mike Stand's account and click OK, then click Yes. Mike Stand's password cannot be prepopulated because we did not add him to the Allowed list. Return to the Password Replication Policy tab and click Add. Select Allow passwords for the account to replicate to this RODC and click OK. Specify Mike Stand's account and click OK. Mike Stand's password can now be prepopulated to this RODC: click Prepopulate Passwords, specify Mike Stand's account and click OK. Click Yes, then click OK. Mike Stand's password is now stored on the RODC. Click Close, then click OK.
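The same monitoring and prepopulation done from the command line, as an added example that is not part of the original lesson. It assumes the ActiveDirectory module, the RODC name branchrodc and writable DC name DC1 from the lesson, and the invented sAMAccountName mstand for Mike Stand; the computer account name at the end is a placeholder.

```powershell
# Added example: see which passwords the RODC holds and prepopulate one account.
# Assumes the ActiveDirectory module, RODC branchrodc, writable DC DC1 and the
# invented sAMAccountName mstand for Mike Stand.
Import-Module ActiveDirectory

$rodc  = 'branchrodc'
$hubDc = 'DC1'
$user  = 'mstand'

# Accounts whose passwords are stored on the RODC (first list in the GUI's Advanced dialog).
Write-Host "== Passwords stored on $rodc =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, objectClass

# Accounts that have authenticated through the RODC, whether cached or not (second list).
Write-Host "== Accounts authenticated via $rodc =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, objectClass

# Returns $true when the named account's secrets are currently held by the RODC.
function Test-PasswordOnRodc {
    param([string]$Rodc, [string]$SamAccountName)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    return [bool]($revealed | Where-Object { $_.SamAccountName -eq $SamAccountName })
}

# Expected at this point in the lesson: Jim and Paul cached, Mike not.
"Mike cached before prepopulation: $(Test-PasswordOnRodc $rodc $user)"

# Prepopulation is refused unless the account resolves to Allowed, so put Mike
# on branchrodc's Allowed list first (the GUI's "Allow passwords for the
# account to replicate to this RODC" step).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $user

# repadmin /rodcpwdrepl pushes the account's secrets from a writable DC to the RODC.
$userDn = (Get-ADUser -Identity $user).DistinguishedName
repadmin /rodcpwdrepl $rodc $hubDc $userDn

"Mike cached after prepopulation: $(Test-PasswordOnRodc $rodc $user)"

# A branch user can only log on with DC1 unreachable if the workstation's
# secret is cached too, so computer accounts get the same treatment.
# 'BRANCH-PC01' is a placeholder name.
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'BRANCH-PC01$'
# repadmin /rodcpwdrepl $rodc $hubDc (Get-ADComputer -Identity 'BRANCH-PC01').DistinguishedName
```

The -RevealedAccounts list is the one to review periodically: every account on it has secrets that would be exposed if the branch server were stolen, so anything privileged appearing there means the Allowed or Denied lists need attention.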

Remember that in order for a user to log on when no writable domain controller is available, both the user's and the computer's passwords must be stored on the RODC.