Solved

script for Read Only Domain Controller to choose groups and users to authenticate to RODC

Posted on 2015-02-03
5
107 Views
Last Modified: 2015-02-10
IS there a script for Read Only Domain Controller to choose groups and users to authenticate to RODC?

Thank you
0
Comment
Question by:creative555
  • 2
  • 2
5 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40586893
no as computers/users will use any available dc, in a remote office the only available DC should be the RODC which they will get from the local dhcp server
0
 

Author Comment

by:creative555
ID: 40587084
oh. But we need to add the groups to allow and denied list for that RODC?? Correct? Otherwise, they wont be able to authenticate?
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40587116
No you don't have to it is a domain controller that does not update from the clients only updates from the primary domain controller. Where did you get the idea of adding groups and allow / deny lists?
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40587136
You would add users and computer accounts to allowed replication group only if you want its password to be cached on RODC
Otherwise they would get authenticated through RODC via R/W DC, what it means when RODC get the authentication request, it will forward it by default to R/W DC and get it authenticated unless you save credentials by adding it into allowed password replication group

You don't want to cache mobile users and computers password on RODC
If a location has some computers \ users and RODC, you can manually add those users in allowed password replication group so that their 1st logon will happen thru R/W DC and passwords will get cached on RODC and for next logons they will be logged on with cached credentials
This task need to be done manually

U may add user to deny password replication group if you do not want to cache user password.
High privileges accounts such as domain admins are always placed in deny password replication group by default
0
 

Author Closing Comment

by:creative555
ID: 40601081
thanks!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
The following article is intended as a guide to using PowerShell as a more versatile and reliable form of application detection in SCCM.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question