Solved

script for Read Only Domain Controller to choose groups and users to authenticate to RODC

Posted on 2015-02-03
5
118 Views
Last Modified: 2015-02-10
IS there a script for Read Only Domain Controller to choose groups and users to authenticate to RODC?

Thank you
0
Comment
Question by:creative555
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40586893
no as computers/users will use any available dc, in a remote office the only available DC should be the RODC which they will get from the local dhcp server
0
 

Author Comment

by:creative555
ID: 40587084
oh. But we need to add the groups to allow and denied list for that RODC?? Correct? Otherwise, they wont be able to authenticate?
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40587116
No you don't have to it is a domain controller that does not update from the clients only updates from the primary domain controller. Where did you get the idea of adding groups and allow / deny lists?
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40587136
You would add users and computer accounts to allowed replication group only if you want its password to be cached on RODC
Otherwise they would get authenticated through RODC via R/W DC, what it means when RODC get the authentication request, it will forward it by default to R/W DC and get it authenticated unless you save credentials by adding it into allowed password replication group

You don't want to cache mobile users and computers password on RODC
If a location has some computers \ users and RODC, you can manually add those users in allowed password replication group so that their 1st logon will happen thru R/W DC and passwords will get cached on RODC and for next logons they will be logged on with cached credentials
This task need to be done manually

U may add user to deny password replication group if you do not want to cache user password.
High privileges accounts such as domain admins are always placed in deny password replication group by default
0
 

Author Closing Comment

by:creative555
ID: 40601081
thanks!
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question