Solved

script for Read Only Domain Controller to choose groups and users to authenticate to RODC

Posted on 2015-02-03
5
116 Views
Last Modified: 2015-02-10
IS there a script for Read Only Domain Controller to choose groups and users to authenticate to RODC?

Thank you
0
Comment
Question by:creative555
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40586893
no as computers/users will use any available dc, in a remote office the only available DC should be the RODC which they will get from the local dhcp server
0
 

Author Comment

by:creative555
ID: 40587084
oh. But we need to add the groups to allow and denied list for that RODC?? Correct? Otherwise, they wont be able to authenticate?
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40587116
No you don't have to it is a domain controller that does not update from the clients only updates from the primary domain controller. Where did you get the idea of adding groups and allow / deny lists?
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40587136
You would add users and computer accounts to allowed replication group only if you want its password to be cached on RODC
Otherwise they would get authenticated through RODC via R/W DC, what it means when RODC get the authentication request, it will forward it by default to R/W DC and get it authenticated unless you save credentials by adding it into allowed password replication group

You don't want to cache mobile users and computers password on RODC
If a location has some computers \ users and RODC, you can manually add those users in allowed password replication group so that their 1st logon will happen thru R/W DC and passwords will get cached on RODC and for next logons they will be logged on with cached credentials
This task need to be done manually

U may add user to deny password replication group if you do not want to cache user password.
High privileges accounts such as domain admins are always placed in deny password replication group by default
0
 

Author Closing Comment

by:creative555
ID: 40601081
thanks!
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question