{"id":2241,"date":"2017-06-21T22:27:03","date_gmt":"2017-06-21T22:27:03","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=2241"},"modified":"2018-09-06T23:15:06","modified_gmt":"2018-09-06T23:15:06","slug":"configuring-password-replication-policy-for-read-only-domain-controllers","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=2241","title":{"rendered":"Configuring Password Replication Policy for Read Only Domain Controllers"},"content":{"rendered":"<h4>What is Password Replication Policy?<\/h4>\n<p>Password Replication Policy (PRP) determines which users\u2019 credentials can be cached on a specific RODC.<\/p>\n<p>If PRP allows an RODC to cache a user\u2019s credentials, authentication and service ticket activities of that user can be processed by the RODC.<\/p>\n<p>If a user\u2019s credentials cannot be cached on an RODC, authentication and service ticket activities are referred by the RODC to a writable domain controller.<\/p>\n<p>An RODC\u2019s PRP is determined by two multivalued attributes of the RODC\u2019s computer account. These attributes are commonly known as the Allowed List and the Denied List.<\/p>\n<p>If a user\u2019s account is on the Allowed List, the user\u2019s credentials are cached.<\/p>\n<h4>Configuring Domain-Wide Password Replication Policy<\/h4>\n<p>To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory.<\/p>\n<p>The first group, Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user\u2019s credentials.<\/p>\n<p>The second group is named Denied RODC Password Replication Group. 
It is added to the Denied List of each new RODC.<\/p>\n<h4>Configuring RODC-Specific Password Replication Policy<\/h4>\n<p>The two groups described in the previous section provide a method to manage PRP on all RODCs. However, to best support a branch office scenario, you must allow the RODC in each branch office to cache credentials of users and computers in that specific location. Therefore, you must configure the Allowed List and the Denied List of each RODC.<\/p>\n<p>To configure an RODC\u2019s PRP, open the properties of the RODC\u2019s computer account in the Domain Controllers OU. On the Password Replication Policy tab, shown in Figure, you can view the current PRP settings and add or remove users or groups from the PRP.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-323 size-full no-display appear\" src=\"http:\/\/www.enterprisedaddy.com\/wp-content\/uploads\/2015\/01\/Picture2.png\" alt=\"Configuring Password Replication Policy for Read Only Domain Controllers\" width=\"415\" height=\"513\" \/><\/p>\n<h4>Administering RODC Credentials Caching<\/h4>\n<p>When you click the Advanced button on the Password Replication Policy tab, an Advanced Password Replication Policy dialog box appears.<\/p>\n<p>In the drop-down list at the top of the Policy Usage tab, you can select one of two reports for the RODC:<\/p>\n<p><strong>Accounts Whose Passwords Are Stored On This Read-Only Domain Controller<\/strong><\/p>\n<p>Displays the list of user and computer credentials that are currently cached on the RODC. Use this list to determine whether credentials are being cached that you do not want cached on the RODC. Then modify the PRP accordingly.<\/p>\n<p><strong>Accounts That Have Been Authenticated To This Read-Only Domain Controller<\/strong><\/p>\n<p>Displays the list of user and computer credentials that have been referred to a writable domain controller for authentication. 
Use this list to identify users or computers that are attempting to authenticate with the RODC. If any of these accounts are not being cached, consider adding them to the PRP.<\/p>\n<p><strong>Note<\/strong>: It is not possible for replication to take place between two RODCs. The changes that appear on an RODC have to come from a writable DC.<\/p>\n<p>Now let us look at some Active Directory PowerShell cmdlets that will help us analyze PRP using PowerShell.<\/p>\n<p><strong>Add-ADDomainControllerPasswordReplicationPolicy<\/strong>: adds users, computers, and groups to the Allowed List or the Denied List of the RODC Password Replication Policy (PRP).<\/p>\n<p><strong>Get-ADDomainControllerPasswordReplicationPolicy<\/strong>: displays the members of the Allowed List or the Denied List of the RODC PRP.<\/p>\n<p><strong>Remove-ADDomainControllerPasswordReplicationPolicy<\/strong>: removes users, computers, and groups from the Allowed List or the Denied List of the RODC PRP.<\/p>\n<p><strong>Get-ADDomainControllerPasswordReplicationPolicyUsage<\/strong>: displays the resultant password policy of the specified ADAccount on the specified RODC.<\/p>\n<p><strong>Get-ADAccountResultantPasswordReplicationPolicy<\/strong>: displays the resultant password replication policy for an Active Directory account.<\/p>\n<p>I hope this was informative and thank you for reading!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is Password Replication Policy? Password Replication Policy (PRP) determines which users\u2019 credentials can be cached on a specific RODC. If PRP allows an RODC to cache a user\u2019s credentials, authentication and service ticket activities of that user can be processed by the RODC. 
If a user\u2019s credentials cannot be cached on an RODC, authentication [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42,6],"tags":[],"class_list":["post-2241","post","type-post","status-publish","format-standard","hentry","category-ad","category-general-2008"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/2241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2241"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/2241\/revisions"}],"predecessor-version":[{"id":2242,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/2241\/revisions\/2242"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}