Chapter 10. Deploying Read-Only Domain Controllers
In the previous chapter you learned about installing domain controllers using a standard read/writeable installation. That chapter, however, did not discuss read-only domain controllers (RODCs) or describe the differences between read-only domain controllers and read/writeable domain controllers (RWDCs), which is exactly what this chapter is about. After you work with RODCs and RWDCs for a time, you’ll understand why it’s important to consider them as separate and distinct from each other.
When working with RODCs, keep in mind that they represent a paradigm shift. Although many enterprises continue to use writeable domain controllers at all office locations, enterprises will increasingly use RWDCs only in their data centers and on trusted networks—they will deploy only RODCs everywhere else. The primary reason for this paradigm shift is that RODCs offer improved security and reduced risk compared to their RWDC counterparts. RODCs also can have lower hardware requirements as they use fewer processor and memory resources than RWDCs.
That said, you should also understand that the infrastructure and techniques related to RODCs might change. For this reason, I discuss RODCs with a look to the future and also deviate from common terminology in my references to RODCs and RWDCs. My hope is that my many years’ experience with RODCs and RWDCs will help you successfully deploy both of them in your organization and that when you do so, you’ll do so by prefacing the installation plans with enough caveats to see you safely through the changes.
An RODC is an additional domain controller that hosts a read-only replica of a domain’s Active Directory data store. RODCs are designed to be placed in locations that require fast and reliable authentication services but that aren’t necessarily secure. This makes RODCs ideally suited to the needs of branch offices where a domain controller’s physical security can’t be guaranteed.
RODCs support most of the same features as RWDCs (the exceptions, such as the bridgehead and operations master roles, are covered later in this chapter) and can be used in both Server Core and full installations. Except for passwords and other designated, nonreplicated attributes (the RODC filtered attribute set), RODCs store the same objects and attributes as writeable domain controllers. These objects and attributes are replicated to RODCs using unidirectional replication from a writeable domain controller acting as a replication partner. Because no changes are written directly to RODCs, writeable domain controllers acting as replication partners never have to pull changes from RODCs. This reduces the workload of bridgehead servers in the hub site and the scope of your replication monitoring efforts. The figure that follows provides a top-level overview of how the replication of data works.
Although Active Directory clients and applications can access the directory to read data, the clients are not able to write changes directly to an RODC. Instead, they are referred to a writeable domain controller in a hub site. This prevents changes made by malicious users at branch locations from corrupting the Active Directory forest.
NOTE Most enterprise applications that work with Active Directory are read-intensive and do not require write access. Some enterprise applications, however, update information that’s stored in Active Directory and expect this capability always to be available. If an application tries to write to an RODC, it’s referred to a writeable domain controller (DC). If the write operation succeeds, subsequent read operations might fail because the application will attempt to read from the RODC, which might not have received the updates through replication yet. To ensure proper operations, you should update applications that require write access to the directory to use binding calls to writeable domain controllers.
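As an added example (not code from the book), the following PowerShell shows the pattern the note recommends: locate a writeable domain controller and direct both the write and the follow-up read at that server, so the read can never be answered by an RODC that has not yet received the change. The domain name, the account branchuser01 and the Department value are assumed for illustration.

```powershell
# Added example, not from the book: perform a write and its follow-up read
# against the same writeable DC so the read cannot be answered by an RODC
# that has not yet replicated the change.
# Assumed names: domain tech.imaginedlands.com, user branchuser01.
Import-Module ActiveDirectory

function Set-DepartmentOnWritableDc {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Department
    )

    # -Writable excludes RODCs; -NextClosestSite lets the locator fall back to
    # the hub when the branch site has no writeable DC at all.
    $rwdc   = Get-ADDomainController -Discover -DomainName $Domain -Writable -NextClosestSite
    $server = @($rwdc.HostName)[0]

    # Write against the writeable DC explicitly ...
    Set-ADUser -Identity $SamAccountName -Server $server -Department $Department

    # ... and read it back from the same DC. The unqualified read may be served
    # by the local RODC, so comparing the two shows the replication lag the
    # note warns about.
    $onRwdc  = Get-ADUser -Identity $SamAccountName -Server $server -Properties Department
    $locally = Get-ADUser -Identity $SamAccountName -Properties Department

    [pscustomobject]@{
        WriteTarget        = $server
        DepartmentOnRwdc   = $onRwdc.Department
        DepartmentLocally  = $locally.Department
        PendingReplication = ($onRwdc.Department -ne $locally.Department)
    }
}

Set-DepartmentOnWritableDc -Domain 'tech.imaginedlands.com' -SamAccountName 'branchuser01' -Department 'Branch Sales'
```

Run from a branch workstation, PendingReplication is True until the RODC pulls the change from the hub; an application that binds to a writeable DC for both operations, as the function does, never sees that window.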
You can install the Domain Name System (DNS) Server service on an RODC. When you do this, the RODC receives a read-only replica of all application directory partitions that are used by DNS, including ForestDNSZones and DomainDNSZones. Clients can query DNS on the RODC for name resolution as they would query any other DNS server. As with Active Directory data, the DNS server on an RODC does not support client updates directly.
The RODC does not register name server (NS) resource records for any Active Directory–integrated zone that it hosts. When a client attempts to update its DNS records on an RODC, the RODC returns a referral to another DNS server and the client can then attempt the update with this DNS server. In the background, the DNS server on the RODC then attempts to pull the updated record from the DNS server that made the update. This replication request is only for the updated DNS record. The entire list of changed zone or domain data does not get replicated during this special replication request.
By default, RODCs store no passwords or other credentials except those of their own computer account and of their own Kerberos ticket-granting (krbtgt) account. When a client authenticates against an RODC, the RODC therefore relies on a writeable domain controller to validate the credentials. You must explicitly allow any other credentials to be cached on that RODC through its Password Replication Policy. If the policy, which is enforced on the writeable domain controller, permits it, the RODC retrieves the credentials and caches them until they change. Because only this subset of credentials is stored on an RODC, the number of credentials that can be compromised through it is limited.
The RODC is advertised as the Key Distribution Center (KDC) for the branch office. When it receives a logon request for an account whose credentials it has not cached, it forwards the request to a writeable domain controller in the hub site. After the account is authenticated, the RODC attempts to pull the user credentials or computer credentials from that writeable domain controller. The hub site can be any Active Directory site with writeable domain controllers.
The writeable domain controller recognizes that the request is coming from an RODC because of the use of the special Kerberos Ticket Granting account of the RODC. The Password Replication Policy that is enforced at the writeable domain controller determines whether a user’s credentials or a computer’s credentials can be replicated to the RODC. If the Password Replication Policy allows it, the RODC pulls and then caches the credentials from the writeable domain controller. After the credentials are cached on the RODC, the RODC can directly service that user’s or computer’s logon requests until the credentials change. This limits the exposure of credentials if an RODC is compromised.
IMPORTANT The RODC uses a different Kerberos Ticket Granting account and password than the KDC on a writeable domain controller uses when it signs or encrypts Ticket-Granting Ticket (TGT) requests. This provides cryptographic isolation between KDCs in different branches and prevents a compromised RODC from issuing service tickets to resources in other branches or in a hub site.
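The following added example (not the book's code) turns the points above into a check you can run from a writeable domain controller or an administrative workstation: for every RODC in the domain it reports the RODC's own krbtgt_NNNNN account, found through the msDS-KrbTgtLink attribute of the RODC computer object, and every account whose secrets the RODC has cached, flagging anything beyond the RODC's own computer and krbtgt accounts. It assumes the ActiveDirectory module and an account with read access to the domain; the function name is the example's own.

```powershell
# Added example, not from the book: report what each RODC in the domain could
# expose if it were compromised: its private krbtgt_NNNNN account (reached
# through msDS-KrbTgtLink on the RODC's computer object) and every account
# whose secrets the RODC has cached. Assumes the ActiveDirectory module and
# an account that can read the domain; run from a writeable DC or workstation.
Import-Module ActiveDirectory

function Get-RodcSecretExposure {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true } -Server $Domain) {
        # The RODC's computer object links to the krbtgt account that signs and
        # encrypts the TGTs this RODC issues.
        $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Server $Domain `
                        -Properties 'msDS-KrbTgtLink'
        $krbtgt   = Get-ADUser -Identity $computer.'msDS-KrbTgtLink' -Server $Domain `
                        -Properties PasswordLastSet

        # Accounts whose password hashes have been replicated to this RODC.
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc `
                        -RevealedAccounts -Server $Domain)

        # By default only the RODC's own computer account and its krbtgt account
        # are present; everything else must be explained by the PRP Allowed list.
        $baseline = $computer.SamAccountName, $krbtgt.SamAccountName
        $beyond   = $revealed | Where-Object { $baseline -notcontains $_.SamAccountName }

        [pscustomobject]@{
            RODC                  = $rodc.HostName
            Site                  = $rodc.Site
            KrbtgtAccount         = $krbtgt.SamAccountName
            KrbtgtPasswordLastSet = $krbtgt.PasswordLastSet
            RevealedAccounts      = $revealed.Count
            CachedBeyondBaseline  = @($beyond | ForEach-Object SamAccountName)
        }
    }
}

# A compromised RODC can expose exactly the accounts listed under
# CachedBeyondBaseline, so review that column against the branch's user list.
Get-RodcSecretExposure | Format-List
```

The CachedBeyondBaseline column is the list to review after a suspected RODC compromise: those are the accounts whose passwords must be reset, in addition to resetting the RODC's own krbtgt_NNNNN account, and it is the same set the Password Replication Policy should have been keeping small.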
RODCs reduce the administration burden on the enterprise by allowing any domain user or group to be delegated as local administrator of the RODC without being granted any other rights in the domain. This creates a clear separation between domain administrators and delegated administrators at branch offices. RODCs pull updates of the schema, configuration, and domain partitions from a writeable domain controller in the same domain and, if configured as a global catalog, a partial attribute set of the other domain partitions in the forest. Although RODCs can host a global catalog, they can’t act as bridgehead servers or hold operations master roles.
Before you can deploy any RODCs in a domain, you must ensure that a bidirectional communications path is open between the RODC and the PDC emulator. To accommodate this requirement, you might need to modify router and firewall configurations.
RODCs are designed to be placed in sites that have no other domain controllers. Consider the example shown in the next figure. Here, the organization has one domain and two sites at the same physical location. Because the East Campus site is used for the organization’s primary operations and is more secure from a physical perspective, the administrative staff decided to configure this site with the writeable domain controllers and the operations masters for the domain. Because the West Campus site is less secure from a physical perspective, the administrative staff decided to remove all other domain controllers and place only a read-only domain controller in this site.
NOTE You can’t place RODCs from the same domain in the same site. However, you can place an RODC in a site with RWDCs from the same domain or different domains or RODCs from different domains. Doing so has a number of constraints and requires additional planning.
RODCs perform inbound replication by pulling data from a designated replication partner. RODCs can’t perform outbound replication and therefore can’t be a source domain controller for any other domain controller. An RODC can replicate data from any writeable domain controller running Windows Server 2008 or later.
NOTE Only an RODC also configured as a DNS server can obtain the application partitions containing DNS data. In contrast, writeable domain controllers running Windows Server can perform inbound and outbound replication of all available partitions.
Generally speaking, you should place writeable domain controllers in hub sites and read-only domain controllers in spoke sites. This configuration can relieve the replication load on bridgehead servers because RODCs never replicate changes outbound, so bridgeheads never need to pull from them. Consider the example shown previously. In this example, Main Site is the hub site and there are four branch office sites: Site A, Site B, Site C, and Site D. In this example, sites are connected in several ways with redundant pathways. However, the site link with the lowest cost is always the link between Main Site and a particular branch site.
To put an RODC in any branch site, you should place a writeable domain controller for the same domain in Main Site to replicate the domain partition to the RODC. Placing a domain controller in Main Site also permits the RODC in the branch site to replicate the schema, configuration, and application directory partitions.
The replication schedule for site links can cause delays in receiving directory updates when replicating to other sites across a wide area network (WAN). To improve replication performance, RODCs immediately refer many types of write operations to a writeable domain controller, and this can cause unscheduled network traffic over WAN links. Additionally, RODCs immediately attempt inbound replication of individual changes for these operations:
RODCs can cache passwords for accounts. After an RODC has cached the password for a user, it remains in the Active Directory database until the user changes the password or the Password Replication Policy for the RODC changes in such a way that the user’s password should no longer be cached. Accounts that will not have credentials cached on the RODC can still use the RODC for domain logon. The RODC retrieves the credentials from its RWDC replication partner. The credentials, however, will not be cached for subsequent logons using the RODC.
You can install an RODC only in an existing domain. Before you install RODCs in any domain, you must ensure that the following are true:
When you install an RODC, you can do the following:
You can install an RODC as an additional domain controller in a domain using a standard deployment with or without media. To install an RODC in a domain using a standard deployment without media, follow these steps:
267. Generally, the server you want to promote should be a member of a domain in the forest, as this will make the promotion process easier. If the server isn’t currently joined to a domain, you should add the server to the domain as discussed in “Joining Computers to a Domain” in Chapter 3 and then log on to the server using a domain account.
268. In Server Manager, click Manage and then click Add Roles And Features. This starts the Add Roles And Features Wizard. If the wizard displays the Before You Begin page, read the Welcome message and then click Next.
269. On the Select Installation Type page, select Role-Based Or Feature-Based Installation and then click Next.
270. On the Select Destination Server page, you can choose to install roles and features on running servers or virtual hard disks. Only servers that have been added for management are listed. Either select a server from the server pool or select a server from the server pool on which to mount a virtual hard disk (VHD). If you are adding roles and features to a VHD, click Browse and then use the Browse For Virtual Hard Disks dialog box to locate the VHD. When you are ready to continue, click Next.
271. On the Select Server Roles page, select Active Directory Domain Services. Click Next three times.
272. On the Confirm Installation Selections page, review your selections. Because the server must be restarted to complete the second part of the installation, you may want to select the Restart The Destination Server Automatically If Required check box; when prompted to confirm, click Yes to allow the automatic restart. Click Install. This installs the Active Directory binaries.
273. When the initial installation task completes, you need to click Promote This Server To A Domain Controller to start the Active Directory Domain Services Configuration Wizard. If you closed the Add Roles And Features Wizard window, you need to click the Notifications icon in Server Manager and then click Promote This Server To A Domain Controller.
276. On the Deployment Configuration page, select Add A Domain Controller To An Existing Domain.
277. In the Domain box, type the full DNS name of the domain in the forest where you plan to install the RODC, such as imaginedlands.local. If you want to select a domain in the forest from a list of available domains, click Select. Next, in the Select A Domain dialog box, click the domain to use and then click OK.
278. If you are logged on to a domain in this forest and have the appropriate permissions, you can use your current logged-on credentials to perform the installation. Otherwise, you need to provide alternate credentials. Click Change. In the Windows Security dialog box, type the user name and password of an account that is a member of Domain Admins in the target domain (or of Enterprise Admins), and then click OK.
IMPORTANT When you click Next, the wizard performs several preliminary checks on the Deployment Configuration page. If the server doesn’t have appropriate TCP/IP settings, the wizard won’t be able to connect to a domain controller in the target domain. If the user name and password you entered are invalid, you’ll see an error. However, the wizard doesn’t verify that the account has appropriate permissions until the prerequisite checks, which occur just before installation. Finally, you’ll also see an error if the domain name you entered is invalid or if the domain can’t be contacted. In each case, before you can continue you need to correct the problem.
279. On the Domain Controller Options page, select the Read-Only Domain Controller (RODC) check box as an additional installation option for the domain controller. If you want the RODC to act as a read-only DNS server, select the Domain Name System (DNS) Server check box. If you want the RODC to act as a global catalog, select the Global Catalog (GC) check box.
280. Select the Active Directory site in which you want to locate the domain controller. By default, the wizard selects the site whose subnet contains the server’s IP address. If there is only one site, the wizard selects that site automatically. No automatic selection is made if the server’s IP address doesn’t belong to any Active Directory subnet and multiple sites are available.
281. Type and confirm the password that should be used when you want to start the computer in Directory Services Restore Mode (DSRM). Record this password securely; you need it to restore the directory, and it is separate from the domain Administrator account password. (It is the password of the local Administrator account held in the server’s local account database, which is used only when the domain controller is started in DSRM.) Click Next.
282. You’ll next be able to specify a user or group who is delegated control of the RODC and will have local administrator privileges on the RODC. Click Select. In the Select Users Or Groups dialog box, type an account name and then click Check Names. If the account name is listed correctly, click OK.
283. Configure the Password Replication Policy for the RODC. Add or remove any users or groups for which you want to allow or deny password replication. For more information, see the section entitled ”Controlling Password Replication” later in this chapter. Click Next to continue.
IMPORTANT For ease of administration, delegate control to a group rather than to individual users, and then add or remove group members as necessary to control who can administer the RODC.
284. On the Additional Options page, you can choose a replication partner for the installation or elect to replicate all the necessary data from any available domain controller. When you install an RODC and do not use backup or installation media, all directory data is replicated from the replication partner to the domain controller you’re installing. Because this can be a considerable amount of data, you typically want to ensure that both domain controllers are located in the same site or connected over reliable high-speed networks.
285. On the Paths page, select a location in which to store the Active Directory database folder, log folder, and SYSVOL. When configuring these locations, keep the following in mind:
The default location for the database and log folders is a subfolder of %SystemRoot%\NTDS. As discussed in the section entitled ”Selecting Your Hardware” in Chapter 8, you’ll get better performance if these folders are on two separate volumes, each on a separate disk.
The default location for the SYSVOL folder is %SystemRoot%\Sysvol. In most cases you’ll want to accept the default because the replication services store their database in a subfolder of the %SystemRoot% folder anyway. By keeping the folders on the same volume, you reduce the need to move files between drives.
286. On the Review Options page, review the installation options. Optionally, click View Script to export the settings to a Windows PowerShell script that you can use to perform automated installation of other domain controllers. When you click Next, the wizard performs preliminary checks to verify that the domain and forest are capable of supporting a new Windows Server 2016 domain controller. The wizard also displays information about security changes that could affect older operating systems.
IMPORTANT Before continuing, make sure you read through any warnings displayed after the preliminary checks. In several instances, when I was promoting domain controllers running Windows Server 2016, the promotion failed with a warning stating that the wizard could not move the computer object from the Computers container to the Domain Controllers container. A simple workaround was to rename the server and restart the Active Directory Domain Services Configuration Wizard.
287. When you click Install, the wizard uses the options you selected to install and configure Active Directory. This process can take several minutes. Keep the following in mind:
If you specified that the DNS Server service should be installed, the server will also be configured as a DNS server at this time.
Because you are installing an additional domain controller in an existing domain, the RODC needs to obtain all the directory partitions from other domain controllers and will do this by initiating a full synchronization over the network. The only way to avoid this is to create installation media from an existing domain controller (as described in the next section) and then specify that media on the Additional Options page of the Active Directory Domain Services Configuration Wizard.
288. When the wizard finishes configuring Active Directory, you are shown a prompt stating that the computer will be restarted. After the server restarts, Active Directory will be completely configured and the server can then act as an RODC.
Verify the installation by checking the Dcpromo.log file in the %SystemRoot%\Debug folder. Next, check for DNS updates in the DNS console. Because you added an RODC, DNS should be updated with SRV records for the server, and these are in the appropriate subfolders of the zone, such as _tcp and _udp. In Active Directory Users And Computers, you should see the RODC listed in the Domain Controllers OU.
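The same deployment as an added PowerShell example (not the book's own script): install the binaries, confirm that the PDC emulator is reachable, promote the server as an RODC with its delegated administrator and Password Replication Policy set at promotion time, and, after the restart, check the result the way the previous paragraph describes. The domain tech.imaginedlands.com, the site Chicago-First-Site, the server name CorpServer15 and the group names are assumed; the port list covers the fixed ports promotion and replication depend on, and the RPC dynamic port range, which this check cannot exercise, must also be open.

```powershell
# Added example, not from the book: promote a domain-joined member server to an
# RODC without installation media, then verify the result after the restart.
# Assumed names: domain tech.imaginedlands.com, site Chicago-First-Site,
# server CorpServer15, groups TECH\Chicago-RODC-Admins (delegated admins) and
# TECH\Chicago-Branch-Users / TECH\Chicago-Branch-Computers (allowed to cache).
# Run in an elevated PowerShell session on the server being promoted.

$domain = 'tech.imaginedlands.com'

# --- Part 1: before promotion --------------------------------------------------

# Install the AD DS binaries; -IncludeManagementTools brings the
# ActiveDirectory and ADDSDeployment modules used below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ActiveDirectory, ADDSDeployment

# An RODC must reach the PDC emulator (and thus a writeable DC). Test the
# fixed ports promotion and replication depend on: DNS, Kerberos, RPC endpoint
# mapper, LDAP, SMB and LDAPS. RPC dynamic ports are not covered by this check.
$pdc     = (Get-ADDomain -Server $domain).PDCEmulator
$blocked = foreach ($port in 53, 88, 135, 389, 445, 636) {
    if (-not (Test-NetConnection -ComputerName $pdc -Port $port -InformationLevel Quiet)) { $port }
}
if ($blocked) { throw "PDC emulator $pdc is unreachable on TCP port(s) $($blocked -join ', ')" }

# Promote. -ReadOnlyReplica selects the RODC parameter set; the delegated
# administrator and the initial Password Replication Policy are set here so
# the RODC never exists without them. The Denied list keeps its defaults
# (Administrators, Server Operators, Backup Operators, Account Operators and
# Denied RODC Password Replication Group) because it is not overridden.
$promote = @{
    DomainName                          = $domain
    ReadOnlyReplica                     = $true
    SiteName                            = 'Chicago-First-Site'
    InstallDns                          = $true
    NoGlobalCatalog                     = $false
    DelegatedAdministratorAccountName   = 'TECH\Chicago-RODC-Admins'
    AllowPasswordReplicationAccountName = 'TECH\Chicago-Branch-Users', 'TECH\Chicago-Branch-Computers'
    Credential                          = Get-Credential -Message "Domain Admins account for $domain"
    SafeModeAdministratorPassword       = Read-Host -AsSecureString -Prompt 'DSRM password'
    Force                               = $true   # no confirmation prompt; the server reboots when done
}
Install-ADDSDomainController @promote

# --- Part 2: after the restart (run from any DC or admin workstation) ---------

$rodc = Get-ADDomainController -Identity 'CorpServer15' -Server $domain
$rodc | Select-Object HostName, IsReadOnly, IsGlobalCatalog, Site, OperationMasterRoles
if (-not $rodc.IsReadOnly) { throw 'CorpServer15 was promoted as a writeable DC, not an RODC' }

# The new DC should have registered its site-specific LDAP SRV record.
Resolve-DnsName -Name "_ldap._tcp.Chicago-First-Site._sites.$domain" -Type SRV |
    Where-Object NameTarget -like 'corpserver15.*'

# Advertising confirms the RODC announces itself as DC and KDC; Replications
# confirms inbound replication from the hub works.
dcdiag /s:CorpServer15 /test:Advertising /test:Replications

# On the RODC itself, the promotion log records every step and any failure.
Select-String -Path "$env:SystemRoot\Debug\DCPromo.log" -Pattern 'failed|error'
```

Part 1 ends with the automatic restart, so Part 2 is a separate session. The IsReadOnly check matters because the same cmdlet, called without -ReadOnlyReplica, silently produces a writeable domain controller in the branch, which is exactly the exposure the chapter is trying to avoid.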
You can create the necessary installation media by completing these steps:
289. Log on to a domain controller for the domain in which you are creating the RODC.
290. At an administrator command prompt, enter ntdsutil.
291. At the ntdsutil prompt, enter activate instance ntds.
292. At the ntdsutil prompt, enter ifm.
293. You can now create a copy of the directory data with or without the Sysvol. At the ifm prompt, enter create rodc <folder path> to create media that contains the directory data only, or enter create sysvol rodc <folder path> to create media that contains both the directory data and the Sysvol, where <folder path> is the folder in which the media should be saved.
NOTE The folder path doesn’t need to be created in advance, but must be empty if it exists. Ntdsutil will create the necessary folder structure for you. The size of the media will vary, depending on the number of objects stored in the directory and the contents of the Sysvol. Generally, however, media for an RODC is considerably smaller than media for an RWDC.
294. Copy the save folder and its entire contents to a local folder on the RODC. The amount of data written to the save folder will vary depending on the number of objects and the properties those objects contain in the directory.
295. On the server you want to make an RODC, start the Active Directory Domain Services Configuration Wizard. Follow all the same steps as you would if you were adding an RODC to the domain without media. After you select additional domain controller options and the RODC options, you see the Additional Options page. On this page, select Install From Media, and then type the folder location of the backup media files or click the options button to find this location.
296. You can now complete the rest of the installation as discussed in the section entitled ”Installing an RODC” earlier in this chapter. Continue with the rest of the steps and perform the post-installation checks as well.
IMPORTANT Because you created installation media for an RODC, passwords are not included in the data. You can use the same technique to create installation media for writeable domain controllers: at the ifm prompt, type create full <folder path> instead of create rodc <folder path>, or create sysvol full <folder path> instead of create sysvol rodc <folder path>. However, a full copy of the directory data contains password hashes and other critically important security data, so it requires the same safeguards as a domain controller’s own database.
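As an added example (not from the book), the following script runs the ntdsutil commands from the procedure non-interactively on the source domain controller, confirms that the media was written, and checks it against the forest's tombstone lifetime, because media older than that lifetime is rejected at promotion time. The source server DC01, the folder C:\IFM-RODC and the domain and site names are assumed.

```powershell
# Added example, not from the book: create and sanity-check RODC installation
# media. Assumed names: source DC DC01, output folder C:\IFM-RODC.
# Run elevated on the writeable DC that will be the replication source.
Import-Module ActiveDirectory

$media = 'C:\IFM-RODC'   # must not exist, or must be empty

# Non-interactive ntdsutil: each argument is typed at the next prompt.
# "create sysvol rodc" writes a password-free copy of the directory plus SYSVOL;
# "create rodc" omits SYSVOL. The "full" variants are for writeable DCs and
# DO contain password hashes, so treat that output like a copy of ntds.dit.
ntdsutil "activate instance ntds" "ifm" "create sysvol rodc $media" quit quit

# What ntdsutil produces: the database under "Active Directory", the registry
# hives it depends on under "registry", and SYSVOL when requested.
$dit = Join-Path $media 'Active Directory\ntds.dit'
if (-not (Test-Path $dit)) { throw "Media creation failed: $dit not found" }
Get-ChildItem -Path $media -Recurse -File | Select-Object FullName, Length

# The media is usable only while it is younger than the tombstone lifetime.
# Check that before the folder is shipped to the branch.
$config = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
              -Properties tombstoneLifetime
$tsl = $dsObj.tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute unset means the legacy 60-day default
$written = (Get-Item $dit).LastWriteTime
"Media written $written; must be used before $($written.AddDays($tsl)) (tombstone lifetime $tsl days)"

# On the branch server, after copying the folder locally, pass it to promotion:
#   Install-ADDSDomainController -DomainName tech.imaginedlands.com -ReadOnlyReplica `
#       -SiteName Chicago-First-Site -InstallationMediaPath C:\IFM-RODC `
#       -ReplicationSourceDC DC01.tech.imaginedlands.com -Credential (Get-Credential)
```

Even though RODC media carries no password hashes, it still contains the full object and group structure of the domain, so copy it to the branch over an authenticated channel and delete it from the branch server once promotion has completed.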
You stage deployment to allow a person who might not otherwise have appropriate permissions to deploy an RODC. You do this by creating the RODC in two phases. First, an administrator prestages the RODC by creating an RODC account in the domain. Then the server you are promoting is attached to the account during the installation of Active Directory Domain Services. To perform either task, you need to use an account that is a member of the Domain Admins group. You also can delegate permission to a user or group that allows attaching the RODC.
NOTE The server that you want to promote as an RODC using staging must not be joined to the domain with the account name you will specify during the setup process. The server is attached to the domain during staging.
You can pre-create the RODC account by following these steps:
297. Start the Active Directory Domain Services Installation Wizard. Do one of the following:
In Active Directory Users And Computers, connect to the domain where the RODC will be added, right-click the related Domain Controllers node, and then select Pre-Create Read-Only Domain Controller Account.
In Active Directory Administrative Center, connect to the domain where the RODC will be added, select the related Domain Controllers node in the console tree, and then, under Tasks, select Pre-Create Read-Only Domain Controller Account.
298. By default, the wizard uses Basic Installation mode. Select Use Advanced Mode Installation before clicking Next to continue.
299. When you click Next, you will see the Network Credentials page. If you are logged on to a domain in this forest and have the appropriate permissions, you can use your current logged-on credentials to perform the installation. Otherwise, select Alternate Credentials, click Set, type the user name and password for an enterprise administrator account in the previously specified domain, and then click OK.
300. When you click Next, the wizard examines the Active Directory forest and domain configuration. On the Specify The Computer Name page, enter the single-label name of the computer that will be the RODC and confirm that the fully qualified domain name is the one you expected. If the fully qualified name isn’t the one you expected, you might have selected the wrong domain before starting the wizard.
301. When you click Next, the wizard verifies the source domain and that the server specified is not already a member of the domain. The wizard then loads a list of sites in the Active Directory forest. On the Select A Site page, select the site in which the domain controller should be located and then click Next.
302. When you click Next, the wizard validates the site name, examines the DNS configuration, and attempts to determine whether any authoritative DNS servers are available. If you want the RODC to act as a read-only DNS server, select the DNS Server check box. If you want the RODC to act as a global catalog, select the Global Catalog check box. When you are ready to continue, click Next.
NOTE If you are installing the DNS Server service as an additional option and the server doesn’t have static IP addresses for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), you’ll see a warning prompt regarding the server’s dynamic IP address or addresses. Click Yes only if you plan to use the dynamic IP address or addresses, despite the possibility that this could result in an unreliable DNS configuration. Click No if you plan to change the IP configuration before continuing.
303. Configure the Password Replication Policy for the RODC. Add or remove any users or groups for which you want to allow or deny password replication. For more information, see the section entitled “Controlling Password Replication” later in this chapter. Click Next to continue.
304. Configure delegation. The delegated user or group will be able to attach the RODC and also will have local administrative permissions on the RODC. Click Set, use the Select User Or Group dialog box to specify a delegated user or group, and then click OK.
305. Click Next. Review the installation options. Optionally, click Export Settings to save these settings to an answer file that you can use to perform unattended installations of other RODCs. When you click Next again, the wizard uses the options you selected to configure the account in Active Directory.
306. When the wizard finishes configuring Active Directory, click Finish. In the Domain Controllers container, an account is created for the RODC with the type set as Unoccupied DC Account. This indicates that the account is staged and ready for a server to be attached to it.
Any user who is a member of Domain Admins can attach a server to the RODC account, and so can any user or group that was delegated permission when setting up the RODC account. To attach a server to the account, do the following:
307. Log on to the server you want to promote as an RODC using staging. Because the server should not be a member of the domain at this time, you’ll need to log on with a local user account.
308. Follow the steps for installing an RODC as listed in the section entitled ”Installing an RODC” earlier in the chapter. When you select the destination server, select the server you are promoting to an RODC. When the wizard asks for credentials, enter the credentials of the delegated account (or of a member of Domain Admins).
309. The Domain Controller Options page will display the notification ”A pre-created account that matches the name of the target server exists in the directory.” You’ll have the option of using the existing RODC account (the default) or reinstalling the domain controller. Because you want to attach to the existing account, use the existing account.
310. You won’t be able to set the domain controller options for DNS or global catalogs because these options are set when the RODC account is prestaged. However, you will be able to install from media or replication. You also will be able to set the directory paths.
In PowerShell, you can use the Add-ADDSReadOnlyDomainControllerAccount cmdlet (in the ADDSDeployment module) to pre-create an RODC account. Use the -DomainControllerAccountName parameter to specify the name of the account, the -DomainName parameter to specify the domain in which to create the account, and the -SiteName parameter to specify the Active Directory site for the account. Here is an example:
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName corpserver15 -DomainName tech.imaginedlands.com -SiteName chicago-first-site
Once you stage the account, you can use the Install-ADDSDomainController cmdlet to promote the server that you want to be the RODC. Use the -UseExistingAccount parameter to attach the server to the existing account, as shown in this example:
Install-ADDSDomainController -DomainName tech.imaginedlands.com -UseExistingAccount -Credential (Get-Credential)
With -UseExistingAccount you don’t specify -ReadOnlyReplica; the read-only, site, DNS, and global catalog settings come from the staged account. If you omit -SafeModeAdministratorPassword, the cmdlet prompts for the Directory Services Restore Mode password.
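The following added example (not the book's code) carries the two-phase deployment through: the Domain Admin prestages the account with its delegated administrator and Password Replication Policy in one call, inspects the unoccupied account, and then the delegated administrator, who is not a member of Domain Admins, attaches the server. The domain tech.imaginedlands.com, the server name CorpServer15, the site Chicago-First-Site and the group names are assumed.

```powershell
# Added example, not from the book: two-phase (staged) RODC deployment.
# Assumed names: domain tech.imaginedlands.com, RODC CorpServer15, site
# Chicago-First-Site, delegated admin group TECH\Chicago-RODC-Admins,
# allowed group TECH\Chicago-Branch-Users.

# --- Phase 1: a Domain Admin prestages the account from the hub ---------------
Import-Module ActiveDirectory, ADDSDeployment
$domain = 'tech.imaginedlands.com'

Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'CorpServer15' `
    -DomainName $domain `
    -SiteName 'Chicago-First-Site' `
    -InstallDns `
    -DelegatedAdministratorAccountName 'TECH\Chicago-RODC-Admins' `
    -AllowPasswordReplicationAccountName 'TECH\Chicago-Branch-Users' `
    -Credential (Get-Credential -Message 'Domain Admins account') `
    -Force

# Inspect the unoccupied account. primaryGroupID 521 is the Read-only Domain
# Controllers group; ManagedBy names the delegated administrator; the two
# msDS-* attributes hold the Allowed and Denied lists of the PRP.
Get-ADComputer -Identity 'CorpServer15' -Server $domain `
    -Properties primaryGroupID, ManagedBy, 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup' |
    Format-List Name, primaryGroupID, ManagedBy, 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'

# --- Phase 2: the delegated administrator attaches the server ----------------
# Run on the workgroup server named CorpServer15 (it must not be domain joined).
# The credential is a member of TECH\Chicago-RODC-Admins, not Domain Admins.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

Install-ADDSDomainController `
    -DomainName 'tech.imaginedlands.com' `
    -UseExistingAccount `
    -Credential (Get-Credential -Message 'Delegated RODC administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password') `
    -Force
# Site, DNS and global catalog settings come from the staged account; paths,
# installation media and the replication source can still be chosen here.
```

The security value of the split is visible in the second credential prompt: the branch-side account only ever holds the right to attach this one server to this one prestaged account, so a branch administrator's credentials, if stolen, do not carry domain-wide rights.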
When you deploy an RODC, you must configure its Password Replication Policy. The policy is stored on the RODC’s computer account in the domain and is enforced by the writeable domain controllers the RODC replicates from, so you edit it while connected to a writeable domain controller. The Password Replication Policy acts as an access control list (ACL) that determines whether an RODC is permitted to cache the password of a particular user, computer, or group member. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine whether it should cache the password for the account.
You can configure Password Replication Policy in several ways:
NOTE The fewer account passwords an RODC is allowed to cache, the less is exposed if that RODC is compromised; every additional allowed account raises the cost of a compromise.
Password Replication Policy is managed on a per-computer basis. The computer object for an RODC is updated to include the following multivalued directory attributes that contain security principals (users, computers, and groups):
The RODC uses these attributes together to determine whether an account password can be replicated and cached. The passwords for Denied Accounts are never replicated or cached, and Deny takes precedence when an account falls under both lists. The passwords for Allowed Accounts can be replicated and cached. Whether an account is allowed doesn’t depend on whether it has logged on through the RODC, but its password is actually cached only when the account authenticates through the RODC or when an administrator prepopulates it; you can prepopulate passwords for Allowed Accounts at any time using Active Directory Users And Computers.
During installation of an RODC, you can configure the initial Password Replication Policy settings. To support RODCs, Windows Server uses several built-in groups:
By default, the Allowed RODC Password Replication Group has no members. Also by default, Allowed RODC Password Replication Group is the only Allowed Account defined in Password Replication Policy.
By default, the Denied RODC Password Replication Group contains the following members:
Also by default, the Denied Accounts list contains the following security principals, all of which are built-in groups:
Each RODC has a separate Password Replication Policy. To manage the Password Replication Policy, you must be a member of the Domain Admins group. The easiest way to manage Password Replication Policy is to do the following:
You can also edit Password Replication Policy settings directly. To edit the Password Replication Policy for an RODC, follow these steps:
1. In Active Directory Users And Computers, right-click the Active Directory Users And Computers node and then select Change Domain Controller. The domain controller to which you are connected should be a writeable domain controller—that is, it should not list RODC under DC Type. If you are connected to an RODC, change to a writeable domain controller. Click Cancel or OK as appropriate.
2. In Active Directory Users And Computers, expand the domain node and then select Domain Controllers.
3. In the details pane, right-click the RODC computer account and then choose Properties.
4. In the Password Replication Policy tab, you’ll see the current settings for Password Replication Policy on the RODC.
5. You can now do the following:
Define an Allowed Account Click Add, select Allow Passwords For The Account To Replicate To This RODC, and then click OK. In the Select Users, Contacts, Computers, Or Groups dialog box, type an account name and then click Check Names. If the account name is listed correctly, click OK to add it to the Password Replication Policy as an Allowed Account.
Define a Denied Account Click Add, select Deny Passwords For The Account To Replicate To This RODC, and then click OK. In the Select Users, Contacts, Computers, Or Groups dialog box, type an account name and then click Check Names. If the account name is listed correctly, click OK to add it to the Password Replication Policy as a Denied Account.
Remove an account from Password Replication Policy Select the account name in the Groups, Users And Computers list, and then click Remove. When prompted to confirm, click Yes.
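The same Allowed and Denied list operations can be scripted with the ActiveDirectory module, which is more repeatable across many branch RODCs than the dialog box. This is an added example, not code from the original text; the names RODC01, DC01, Branch-Users, Tier0-Service-Accounts and Contractors are assumed. The two attribute names at the end are the real directory attributes behind the Allowed and Denied lists.

```powershell
# Added example: inspect and edit one RODC's Password Replication Policy from a
# writeable DC. Assumed names: RODC01 (the RODC), DC01 (hub writeable DC), and the
# groups Branch-Users, Tier0-Service-Accounts and Contractors.
Import-Module ActiveDirectory

$Rodc  = 'RODC01'
$HubDc = 'DC01.tech.imaginedlands.com'

# Current Allowed Accounts and Denied Accounts for this RODC.
'--- Allowed ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed -Server $HubDc |
    Select-Object Name, ObjectClass
'--- Denied ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied -Server $HubDc |
    Select-Object Name, ObjectClass

# Allow a branch group to cache; explicitly deny a sensitive group. A deny entry
# wins over an allow entry, so denying a group is a safe way to carve exceptions
# out of a broad allow.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Server $HubDc `
    -AllowedList 'Branch-Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Server $HubDc `
    -DeniedList 'Tier0-Service-Accounts'

# Remove an entry that should no longer be cached at this site.
Remove-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Server $HubDc `
    -AllowedList 'Contractors' -Confirm:$false

# The lists live on the RODC's computer object as two multivalued attributes:
# msDS-RevealOnDemandGroup holds the Allowed list, msDS-NeverRevealGroup the Denied list.
$obj = Get-ADComputer -Identity $Rodc -Server $HubDc `
    -Properties 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'
'--- msDS-RevealOnDemandGroup (Allowed) ---'
$obj.'msDS-RevealOnDemandGroup'
'--- msDS-NeverRevealGroup (Denied) ---'
$obj.'msDS-NeverRevealGroup'
```

Reading the raw attributes is useful in two situations: when you want to diff the policy of every RODC in the forest against a baseline, and when you suspect that someone edited the attributes directly rather than through the supported tools.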
You can review cached credentials or prepopulate credentials using the Advanced Password Replication Policy dialog box. When you prepopulate user accounts, also prepopulate the computer accounts of the computers those users log on from; if only the user password is cached, the computer's own authentication still has to cross the WAN link to a writeable domain controller.
To view and work with this dialog box, follow these steps:
1. In Active Directory Users And Computers, expand the domain node and then select Domain Controllers.
2. In the details pane, right-click the RODC computer account and then choose Properties.
3. In the Password Replication Policy tab, click Advanced to display the Advanced Password Replication Policy dialog box.
4. You now have the following options:
Accounts for which passwords are stored on the RODC are displayed by default. To view accounts that have been authenticated to this RODC, on the Display Users And Computers That Meet The Following Criteria list select Accounts That Have Been Authenticated To This Read-Only Domain Controller.
To prepopulate passwords for an account, click Prepopulate Passwords. In the Select Users Or Computers dialog box, type an account name and then click Check Names. If the account name is listed correctly, click OK to add a request that its password be replicated to the RODC. When prompted to confirm, click Yes. The password is then prepopulated. Click OK.
To determine whether an account is allowed or denied, use the Resultant Policy tab. It evaluates all of the account's group memberships against both the Allowed and Denied lists and reports the effective rule that applies, which is the only reliable way to answer the question for an account that is nested in several groups. Follow these steps:
1. In Active Directory Users And Computers, expand the domain node and then select Domain Controllers.
2. In the details pane, right-click the RODC computer account and then choose Properties.
3. In the Password Replication Policy tab, click Advanced to display the Advanced Password Replication Policy dialog box.
4. In the Resultant Policy tab, click Add.
5. In the Select Users Or Computers dialog box, type an account name and then click Check Names. If the account name is listed correctly, click OK to display the resultant policy for that account.
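The prepopulation, cached-account review and resultant-policy checks above can be combined into one script: evaluate the resultant policy for each account first, prepopulate only the ones it allows, and then list what the RODC holds and who has authenticated through it. This is an added example, not code from the original text. The names RODC01, DC01, williams, jsmith and BRANCH-PC01 are assumed, and the comparison against the string Allow assumes the resultant-policy cmdlet reports Allow, Deny or NoPolicy for an account.

```powershell
# Added example: prepopulate passwords on an RODC and audit its cache.
# Assumed names: RODC01 (the RODC), DC01 (hub writeable DC), accounts williams,
# jsmith and the computer BRANCH-PC01.
Import-Module ActiveDirectory

$Rodc  = 'RODC01'
$HubDc = 'DC01.tech.imaginedlands.com'

# Effective policy per account, after all group memberships are considered.
# Expected values: Allow, Deny or NoPolicy (assumption about the cmdlet's output).
function Get-RodcCacheEligibility {
    param(
        [Parameter(Mandatory)][string[]]$Accounts,
        [Parameter(Mandatory)][string]$Rodc,
        [Parameter(Mandatory)][string]$Server
    )
    foreach ($a in $Accounts) {
        $r = Get-ADAccountResultantPasswordReplicationPolicy -Identity $a `
                -DomainController $Rodc -Server $Server
        [pscustomobject]@{ Account = $a; ResultantPolicy = "$r" }
    }
}

# Users plus the computers they work from; the '$' suffix is the computer's
# sAMAccountName.
$wanted = 'williams', 'jsmith', 'BRANCH-PC01$'

foreach ($e in Get-RodcCacheEligibility -Accounts $wanted -Rodc $Rodc -Server $HubDc) {
    if ($e.ResultantPolicy -eq 'Allow') {
        # Sync-ADObject -PasswordOnly is the scripted form of Prepopulate Passwords:
        # it pushes only the secret from the hub DC to the RODC.
        $target = Get-ADObject -Filter "sAMAccountName -eq '$($e.Account)'" -Server $HubDc
        Sync-ADObject -Object $target -Source $HubDc -Destination $Rodc -PasswordOnly
        "Prepopulated $($e.Account)"
    }
    else {
        Write-Warning "Skipping $($e.Account): resultant policy is $($e.ResultantPolicy)"
    }
}

# What the RODC already holds (Revealed) and who has authenticated through it.
# Accounts that appear under Authenticated but not Revealed are the ones whose
# every logon still depends on the hub link.
'--- Passwords stored on the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts -Server $HubDc |
    Select-Object Name, ObjectClass
'--- Accounts authenticated through the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts -Server $HubDc |
    Select-Object Name, ObjectClass
```

Comparing the Authenticated list with the Revealed list periodically tells you whether the Allowed list actually matches the people who use the branch, which the dialog box only shows one RODC at a time.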
If an RODC is compromised or stolen, you can reset the passwords for all accounts whose credentials were cached on the RODC by following these steps:
1. In Active Directory Users And Computers, right-click the Active Directory Users And Computers node and then select Change Domain Controller. The domain controller to which you are connected should be a writeable domain controller—that is, it should not list RODC under DC Type. If you are connected to an RODC, change to a writeable domain controller. Click Cancel or OK as appropriate.
2. In Active Directory Users And Computers, expand the domain node and then select Domain Controllers.
3. In the details pane, right-click the RODC computer account and then choose Delete.
4. When prompted to confirm, click Yes.
5. When prompted again, specify whether you want to reset all passwords for user accounts, computer accounts, or both, that were cached on this RODC. If you reset user account passwords, the affected users won’t be able to log on until they contact you or the help desk to obtain a new password. If you reset computer account passwords, the affected computers will be disjoined from the domain and won’t be able to connect to it until they are rejoined.
6. The option to export the list of accounts that were cached on this RODC to a file is selected by default; keep it selected, click Browse to choose a save location, and set a file name for the account list. Every account listed in this file will have its password reset, so the file is your record of who needs a new password or a domain rejoin.
7. Click Delete. When prompted, confirm that you really want to delete all metadata for the RODC by clicking OK.
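When the RODC is already gone and you need to act quickly, the reset part of this procedure can be scripted from a writeable DC: enumerate the revealed accounts, export the list first, then reset. This is an added example, not code from the original text; it does not perform the metadata cleanup, which you still do through Active Directory Users And Computers as described above. The names RODC01 and DC01 are assumed, and the script skips the RODC's own computer account and its krbtgt_<id> account, since those are removed with the RODC's metadata rather than reset.

```powershell
# Added example: reset every password that a lost RODC had cached.
# Assumed names: RODC01 (the lost RODC), DC01 (hub writeable DC).
Import-Module ActiveDirectory

# Cryptographically random 24-byte password, Base64-encoded, as a SecureString.
function New-RandomPassword {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-RodcCompromiseReset {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [Parameter(Mandatory)][string]$HubDc,
        [Parameter(Mandatory)][string]$ExportPath,
        [switch]$ResetComputers   # computers must be rejoined afterwards
    )

    # The revealed list is the authoritative record of what the attacker may hold.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $Rodc -RevealedAccounts -Server $HubDc

    # Export before touching anything, exactly as the dialog box does by default.
    $revealed | Select-Object Name, ObjectClass, DistinguishedName |
        Export-Csv -Path $ExportPath -NoTypeInformation

    foreach ($acct in $revealed) {
        # The RODC's own account and its krbtgt_<id> go with the metadata cleanup.
        if ($acct.Name -eq $Rodc -or $acct.Name -like 'krbtgt_*') { continue }

        switch ($acct.ObjectClass) {
            'user' {
                if ($PSCmdlet.ShouldProcess($acct.Name, 'Reset user password')) {
                    Set-ADAccountPassword -Identity $acct.DistinguishedName -Server $HubDc `
                        -Reset -NewPassword (New-RandomPassword)
                    # Force a change at next logon so the help desk never learns the value.
                    Set-ADUser -Identity $acct.DistinguishedName -Server $HubDc `
                        -ChangePasswordAtLogon $true
                }
            }
            'computer' {
                if ($ResetComputers -and
                    $PSCmdlet.ShouldProcess($acct.Name, 'Reset computer password (rejoin required)')) {
                    Set-ADAccountPassword -Identity $acct.DistinguishedName -Server $HubDc `
                        -Reset -NewPassword (New-RandomPassword)
                }
            }
        }
    }
}

# Dry run first, then the real thing.
Invoke-RodcCompromiseReset -Rodc 'RODC01' -HubDc 'DC01.tech.imaginedlands.com' `
    -ExportPath 'C:\IR\RODC01-cached-accounts.csv' -ResetComputers -WhatIf
# Invoke-RodcCompromiseReset -Rodc 'RODC01' -HubDc 'DC01.tech.imaginedlands.com' `
#     -ExportPath 'C:\IR\RODC01-cached-accounts.csv' -ResetComputers
```

Run with -WhatIf first and read the exported CSV: the number of accounts in it is the blast radius of the loss, and it is the figure that justifies keeping the Allowed list as short as the branch can tolerate.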
During the configuration of an RODC, you have an opportunity to specify a user or group account that should be delegated administrative permissions on that RODC; the account you specify is recorded in the ManagedBy attribute of the RODC's computer object. This is administrator role separation: the delegated account can manage the RODC locally (install updates, manage drivers and services) without holding any rights elsewhere in the domain. After the initial configuration, you can add or remove administrative permissions using Dsmgmt, run on the RODC itself.
To grant administrative permissions to an additional user, follow these steps:
1. At an administrator command prompt, enter dsmgmt.
2. At the dsmgmt prompt, enter local roles.
3. At the local roles prompt, enter show role administrators to list current administrators. In the default configuration, no users or groups are listed.
4. At the local roles prompt, enter add Domain\User administrators to grant administrative permissions, where Domain is the domain in which the user account is located and User is the account name, such as IMAGINEDLANDS\williams.
5. Confirm the addition by typing show role administrators.
6. Enter quit twice to exit Dsmgmt.
To remove administrative permissions, follow these steps:
1. At an administrator command prompt, enter dsmgmt.
2. At the dsmgmt prompt, enter local roles.
3. At the local roles prompt, enter show role administrators to list current administrators. In the default configuration, no users or groups are listed.
4. At the local roles prompt, enter remove Domain\User administrators to remove administrative permissions for a specified user, where Domain is the domain in which the user account is located and User is the account name, such as IMAGINEDLANDS\williams.
5. Confirm the removal by typing show role administrators.
6. Enter quit twice to exit Dsmgmt.
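Both Dsmgmt procedures can be wrapped so that the interactive prompts are not needed, which matters when you review delegated administrators on many RODCs. This is an added example, not code from the original text. It assumes that dsmgmt.exe accepts its commands as quoted command-line arguments in the same way ntdsutil.exe does, that it is run in an elevated session on the RODC itself, and it uses the page's account IMAGINEDLANDS\williams and an assumed RODC name RODC01 for the ManagedBy lookup.

```powershell
# Added example: script the Dsmgmt "local roles" operations on an RODC.
# Assumption: dsmgmt.exe takes quoted commands as arguments, ntdsutil-style,
# and is run elevated on the RODC itself.
function Invoke-DsmgmtLocalRoles {
    param([Parameter(Mandatory)][string[]]$Commands)
    # Wrap the caller's commands in "local roles" ... "quit" "quit", matching the
    # interactive sequence from the procedure above.
    $argList = @('local roles') + $Commands + @('quit', 'quit')
    & dsmgmt.exe @argList
}

function Get-RodcLocalAdministrators {
    Invoke-DsmgmtLocalRoles -Commands 'show role administrators'
}

function Add-RodcLocalAdministrator {
    param([Parameter(Mandatory)][string]$Account)   # DOMAIN\user or DOMAIN\group
    Invoke-DsmgmtLocalRoles -Commands "add $Account administrators", 'show role administrators'
}

function Remove-RodcLocalAdministrator {
    param([Parameter(Mandatory)][string]$Account)
    Invoke-DsmgmtLocalRoles -Commands "remove $Account administrators", 'show role administrators'
}

# The delegation chosen at installation lives on the RODC's computer object.
function Get-RodcInstallTimeDelegate {
    param([Parameter(Mandatory)][string]$Rodc)
    Import-Module ActiveDirectory
    (Get-ADComputer -Identity $Rodc -Properties ManagedBy).ManagedBy
}

# Usage on the RODC:
Get-RodcInstallTimeDelegate -Rodc 'RODC01'
Get-RodcLocalAdministrators
Add-RodcLocalAdministrator -Account 'IMAGINEDLANDS\williams'
Remove-RodcLocalAdministrator -Account 'IMAGINEDLANDS\williams'
```

Keep the output of Get-RodcLocalAdministrators together with the ManagedBy value in your configuration records: a branch RODC whose local administrators list has grown beyond the people who physically service it is as much a finding as an overly broad Allowed list.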